cobaltstrike | 210c14376fe4c46e030641ca52fc24eb13cd8db591402988e3c28bd4a8d8b08b

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

982a89d0398e0202f8a743a016d5764e
SHA1

33f8e2c7b1031e6b112488f40d650193c64c443c
SHA256

210c14376fe4c46e030641ca52fc24eb13cd8db591402988e3c28bd4a8d8b08b
SHA512

6058d8afb5f6c81123fde951000d3ba92f0c453e41ec8c03924ac18e75f963937a1ed7ac1fdffb1fdbd0c599a779b2df89cda8dbb17c559d85e1d23d58a9ad96
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUI:E+v56utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\AloIQmu.exe	cobalt_reflective_dll
C:\Windows\system\obYxVIB.exe	cobalt_reflective_dll
\Windows\system\BzPUrGH.exe	cobalt_reflective_dll
C:\Windows\system\tCJsWGk.exe	cobalt_reflective_dll
C:\Windows\system\hRbvGSH.exe	cobalt_reflective_dll
\Windows\system\EnsCrlY.exe	cobalt_reflective_dll
C:\Windows\system\kJzbdRs.exe	cobalt_reflective_dll
C:\Windows\system\zXqHVjm.exe	cobalt_reflective_dll
C:\Windows\system\WejqkTE.exe	cobalt_reflective_dll
C:\Windows\system\EKCcoGe.exe	cobalt_reflective_dll
C:\Windows\system\DxeldeN.exe	cobalt_reflective_dll
\Windows\system\oFyRJGR.exe	cobalt_reflective_dll
C:\Windows\system\PBJfAwM.exe	cobalt_reflective_dll
C:\Windows\system\uKnhzfD.exe	cobalt_reflective_dll
C:\Windows\system\eFjFjsT.exe	cobalt_reflective_dll
C:\Windows\system\bGLelpU.exe	cobalt_reflective_dll
\Windows\system\DSJNylY.exe	cobalt_reflective_dll
C:\Windows\system\lUNUQBY.exe	cobalt_reflective_dll
C:\Windows\system\xhLfPtu.exe	cobalt_reflective_dll
C:\Windows\system\cXxqkmp.exe	cobalt_reflective_dll
C:\Windows\system\jlbQFUx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\AloIQmu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\obYxVIB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BzPUrGH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tCJsWGk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hRbvGSH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\EnsCrlY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kJzbdRs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zXqHVjm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WejqkTE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EKCcoGe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DxeldeN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\oFyRJGR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PBJfAwM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\uKnhzfD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\eFjFjsT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bGLelpU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\DSJNylY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lUNUQBY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xhLfPtu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cXxqkmp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jlbQFUx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

Processes:

resource	yara_rule
\Windows\system\AloIQmu.exe	UPX
behavioral1/memory/3044-16-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
C:\Windows\system\obYxVIB.exe	UPX
\Windows\system\BzPUrGH.exe	UPX
behavioral1/memory/2132-22-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/3000-21-0x000000013F810000-0x000000013FB64000-memory.dmp	UPX
behavioral1/memory/2528-4-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
C:\Windows\system\tCJsWGk.exe	UPX
behavioral1/memory/2596-38-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
C:\Windows\system\hRbvGSH.exe	UPX
behavioral1/memory/2888-41-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2668-40-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
\Windows\system\EnsCrlY.exe	UPX
C:\Windows\system\kJzbdRs.exe	UPX
behavioral1/memory/2872-50-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
C:\Windows\system\zXqHVjm.exe	UPX
behavioral1/memory/2468-57-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
C:\Windows\system\WejqkTE.exe	UPX
behavioral1/memory/1672-64-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
C:\Windows\system\EKCcoGe.exe	UPX
C:\Windows\system\DxeldeN.exe	UPX
\Windows\system\oFyRJGR.exe	UPX
C:\Windows\system\PBJfAwM.exe	UPX
C:\Windows\system\uKnhzfD.exe	UPX
C:\Windows\system\eFjFjsT.exe	UPX
C:\Windows\system\bGLelpU.exe	UPX
\Windows\system\DSJNylY.exe	UPX
C:\Windows\system\lUNUQBY.exe	UPX
C:\Windows\system\xhLfPtu.exe	UPX
C:\Windows\system\cXxqkmp.exe	UPX
C:\Windows\system\jlbQFUx.exe	UPX
behavioral1/memory/2528-123-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	UPX
behavioral1/memory/1340-127-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/1632-129-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2516-131-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2168-132-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2960-126-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/3044-135-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2668-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2468-137-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/3000-138-0x000000013F810000-0x000000013FB64000-memory.dmp	UPX
behavioral1/memory/3044-139-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2132-140-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/2596-141-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2888-142-0x000000013F190000-0x000000013F4E4000-memory.dmp	UPX
behavioral1/memory/2668-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	UPX
behavioral1/memory/2872-144-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2468-145-0x000000013F250000-0x000000013F5A4000-memory.dmp	UPX
behavioral1/memory/1672-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2960-147-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/1632-148-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2516-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	UPX
behavioral1/memory/2168-150-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/1340-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX

XMRig Miner payload 56 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\AloIQmu.exe	xmrig
behavioral1/memory/3044-16-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
C:\Windows\system\obYxVIB.exe	xmrig
\Windows\system\BzPUrGH.exe	xmrig
behavioral1/memory/2132-22-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/3000-21-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2528-20-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2528-4-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
C:\Windows\system\tCJsWGk.exe	xmrig
behavioral1/memory/2596-38-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
C:\Windows\system\hRbvGSH.exe	xmrig
behavioral1/memory/2528-42-0x00000000022A0000-0x00000000025F4000-memory.dmp	xmrig
behavioral1/memory/2888-41-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2668-40-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
\Windows\system\EnsCrlY.exe	xmrig
C:\Windows\system\kJzbdRs.exe	xmrig
behavioral1/memory/2872-50-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
C:\Windows\system\zXqHVjm.exe	xmrig
behavioral1/memory/2468-57-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
C:\Windows\system\WejqkTE.exe	xmrig
behavioral1/memory/1672-64-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
C:\Windows\system\EKCcoGe.exe	xmrig
C:\Windows\system\DxeldeN.exe	xmrig
\Windows\system\oFyRJGR.exe	xmrig
C:\Windows\system\PBJfAwM.exe	xmrig
C:\Windows\system\uKnhzfD.exe	xmrig
C:\Windows\system\eFjFjsT.exe	xmrig
C:\Windows\system\bGLelpU.exe	xmrig
\Windows\system\DSJNylY.exe	xmrig
C:\Windows\system\lUNUQBY.exe	xmrig
C:\Windows\system\xhLfPtu.exe	xmrig
C:\Windows\system\cXxqkmp.exe	xmrig
C:\Windows\system\jlbQFUx.exe	xmrig
behavioral1/memory/2528-123-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/1340-127-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/1632-129-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2516-131-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2168-132-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2960-126-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/3044-135-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2668-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2468-137-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/3000-138-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/3044-139-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2132-140-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/2596-141-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2888-142-0x000000013F190000-0x000000013F4E4000-memory.dmp	xmrig
behavioral1/memory/2668-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2872-144-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2468-145-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/1672-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2960-147-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/1632-148-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2516-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	xmrig
behavioral1/memory/2168-150-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/1340-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

AloIQmu.exeBzPUrGH.exeobYxVIB.exetCJsWGk.exehRbvGSH.exeEnsCrlY.exekJzbdRs.exezXqHVjm.exeWejqkTE.exeEKCcoGe.exeDxeldeN.exejlbQFUx.exeoFyRJGR.exePBJfAwM.exeuKnhzfD.execXxqkmp.exexhLfPtu.exeeFjFjsT.exelUNUQBY.exebGLelpU.exeDSJNylY.exe

pid	process
3000	AloIQmu.exe
3044	BzPUrGH.exe
2132	obYxVIB.exe
2596	tCJsWGk.exe
2668	hRbvGSH.exe
2888	EnsCrlY.exe
2872	kJzbdRs.exe
2468	zXqHVjm.exe
1672	WejqkTE.exe
2960	EKCcoGe.exe
1340	DxeldeN.exe
1632	jlbQFUx.exe
2516	oFyRJGR.exe
2168	PBJfAwM.exe
1276	uKnhzfD.exe
636	cXxqkmp.exe
1572	xhLfPtu.exe
2044	eFjFjsT.exe
2736	lUNUQBY.exe
2784	bGLelpU.exe
2536	DSJNylY.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

pid	process
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\system\AloIQmu.exe	upx
behavioral1/memory/3044-16-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
C:\Windows\system\obYxVIB.exe	upx
\Windows\system\BzPUrGH.exe	upx
behavioral1/memory/2132-22-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/3000-21-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2528-4-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
C:\Windows\system\tCJsWGk.exe	upx
behavioral1/memory/2596-38-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
C:\Windows\system\hRbvGSH.exe	upx
behavioral1/memory/2888-41-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2668-40-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
\Windows\system\EnsCrlY.exe	upx
C:\Windows\system\kJzbdRs.exe	upx
behavioral1/memory/2872-50-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
C:\Windows\system\zXqHVjm.exe	upx
behavioral1/memory/2468-57-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
C:\Windows\system\WejqkTE.exe	upx
behavioral1/memory/1672-64-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
C:\Windows\system\EKCcoGe.exe	upx
C:\Windows\system\DxeldeN.exe	upx
\Windows\system\oFyRJGR.exe	upx
C:\Windows\system\PBJfAwM.exe	upx
C:\Windows\system\uKnhzfD.exe	upx
C:\Windows\system\eFjFjsT.exe	upx
C:\Windows\system\bGLelpU.exe	upx
\Windows\system\DSJNylY.exe	upx
C:\Windows\system\lUNUQBY.exe	upx
C:\Windows\system\xhLfPtu.exe	upx
C:\Windows\system\cXxqkmp.exe	upx
C:\Windows\system\jlbQFUx.exe	upx
behavioral1/memory/2528-123-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/1340-127-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/1632-129-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2516-131-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2168-132-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2960-126-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/3044-135-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2668-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2468-137-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/3000-138-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/3044-139-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2132-140-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/2596-141-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2888-142-0x000000013F190000-0x000000013F4E4000-memory.dmp	upx
behavioral1/memory/2668-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2872-144-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2468-145-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/1672-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2960-147-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/1632-148-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2516-149-0x000000013FFE0000-0x0000000140334000-memory.dmp	upx
behavioral1/memory/2168-150-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/1340-151-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\WejqkTE.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oFyRJGR.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bGLelpU.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tCJsWGk.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jlbQFUx.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PBJfAwM.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cXxqkmp.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DSJNylY.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\obYxVIB.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lUNUQBY.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EnsCrlY.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BzPUrGH.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hRbvGSH.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kJzbdRs.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zXqHVjm.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EKCcoGe.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DxeldeN.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uKnhzfD.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AloIQmu.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eFjFjsT.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xhLfPtu.exe	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2528 wrote to memory of 3000	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	AloIQmu.exe
PID 2528 wrote to memory of 3000	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	AloIQmu.exe
PID 2528 wrote to memory of 3000	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	AloIQmu.exe
PID 2528 wrote to memory of 3044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	BzPUrGH.exe
PID 2528 wrote to memory of 3044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	BzPUrGH.exe
PID 2528 wrote to memory of 3044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	BzPUrGH.exe
PID 2528 wrote to memory of 2132	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	obYxVIB.exe
PID 2528 wrote to memory of 2132	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	obYxVIB.exe
PID 2528 wrote to memory of 2132	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	obYxVIB.exe
PID 2528 wrote to memory of 2596	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	tCJsWGk.exe
PID 2528 wrote to memory of 2596	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	tCJsWGk.exe
PID 2528 wrote to memory of 2596	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	tCJsWGk.exe
PID 2528 wrote to memory of 2668	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	hRbvGSH.exe
PID 2528 wrote to memory of 2668	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	hRbvGSH.exe
PID 2528 wrote to memory of 2668	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	hRbvGSH.exe
PID 2528 wrote to memory of 2888	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EnsCrlY.exe
PID 2528 wrote to memory of 2888	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EnsCrlY.exe
PID 2528 wrote to memory of 2888	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EnsCrlY.exe
PID 2528 wrote to memory of 2872	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	kJzbdRs.exe
PID 2528 wrote to memory of 2872	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	kJzbdRs.exe
PID 2528 wrote to memory of 2872	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	kJzbdRs.exe
PID 2528 wrote to memory of 2468	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	zXqHVjm.exe
PID 2528 wrote to memory of 2468	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	zXqHVjm.exe
PID 2528 wrote to memory of 2468	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	zXqHVjm.exe
PID 2528 wrote to memory of 1672	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	WejqkTE.exe
PID 2528 wrote to memory of 1672	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	WejqkTE.exe
PID 2528 wrote to memory of 1672	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	WejqkTE.exe
PID 2528 wrote to memory of 2960	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EKCcoGe.exe
PID 2528 wrote to memory of 2960	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EKCcoGe.exe
PID 2528 wrote to memory of 2960	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	EKCcoGe.exe
PID 2528 wrote to memory of 1340	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DxeldeN.exe
PID 2528 wrote to memory of 1340	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DxeldeN.exe
PID 2528 wrote to memory of 1340	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DxeldeN.exe
PID 2528 wrote to memory of 1632	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	jlbQFUx.exe
PID 2528 wrote to memory of 1632	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	jlbQFUx.exe
PID 2528 wrote to memory of 1632	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	jlbQFUx.exe
PID 2528 wrote to memory of 2516	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	oFyRJGR.exe
PID 2528 wrote to memory of 2516	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	oFyRJGR.exe
PID 2528 wrote to memory of 2516	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	oFyRJGR.exe
PID 2528 wrote to memory of 2168	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	PBJfAwM.exe
PID 2528 wrote to memory of 2168	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	PBJfAwM.exe
PID 2528 wrote to memory of 2168	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	PBJfAwM.exe
PID 2528 wrote to memory of 1276	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	uKnhzfD.exe
PID 2528 wrote to memory of 1276	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	uKnhzfD.exe
PID 2528 wrote to memory of 1276	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	uKnhzfD.exe
PID 2528 wrote to memory of 636	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	cXxqkmp.exe
PID 2528 wrote to memory of 636	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	cXxqkmp.exe
PID 2528 wrote to memory of 636	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	cXxqkmp.exe
PID 2528 wrote to memory of 1572	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	xhLfPtu.exe
PID 2528 wrote to memory of 1572	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	xhLfPtu.exe
PID 2528 wrote to memory of 1572	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	xhLfPtu.exe
PID 2528 wrote to memory of 2044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	eFjFjsT.exe
PID 2528 wrote to memory of 2044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	eFjFjsT.exe
PID 2528 wrote to memory of 2044	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	eFjFjsT.exe
PID 2528 wrote to memory of 2736	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	lUNUQBY.exe
PID 2528 wrote to memory of 2736	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	lUNUQBY.exe
PID 2528 wrote to memory of 2736	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	lUNUQBY.exe
PID 2528 wrote to memory of 2784	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	bGLelpU.exe
PID 2528 wrote to memory of 2784	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	bGLelpU.exe
PID 2528 wrote to memory of 2784	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	bGLelpU.exe
PID 2528 wrote to memory of 2536	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DSJNylY.exe
PID 2528 wrote to memory of 2536	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DSJNylY.exe
PID 2528 wrote to memory of 2536	2528	2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe	DSJNylY.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_982a89d0398e0202f8a743a016d5764e_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\System\AloIQmu.exe
C:\Windows\System\AloIQmu.exe
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\System\BzPUrGH.exe
C:\Windows\System\BzPUrGH.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\obYxVIB.exe
C:\Windows\System\obYxVIB.exe
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\System\tCJsWGk.exe
C:\Windows\System\tCJsWGk.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\hRbvGSH.exe
C:\Windows\System\hRbvGSH.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\EnsCrlY.exe
C:\Windows\System\EnsCrlY.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\kJzbdRs.exe
C:\Windows\System\kJzbdRs.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\zXqHVjm.exe
C:\Windows\System\zXqHVjm.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\WejqkTE.exe
C:\Windows\System\WejqkTE.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\EKCcoGe.exe
C:\Windows\System\EKCcoGe.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\DxeldeN.exe
C:\Windows\System\DxeldeN.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\jlbQFUx.exe
C:\Windows\System\jlbQFUx.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\oFyRJGR.exe
C:\Windows\System\oFyRJGR.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\PBJfAwM.exe
C:\Windows\System\PBJfAwM.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\uKnhzfD.exe
C:\Windows\System\uKnhzfD.exe
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\System\cXxqkmp.exe
C:\Windows\System\cXxqkmp.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\System\xhLfPtu.exe
C:\Windows\System\xhLfPtu.exe
2⤵
- Executes dropped EXE
PID:1572

C:\Windows\System\eFjFjsT.exe
C:\Windows\System\eFjFjsT.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\lUNUQBY.exe
C:\Windows\System\lUNUQBY.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\System\bGLelpU.exe
C:\Windows\System\bGLelpU.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System\DSJNylY.exe
C:\Windows\System\DSJNylY.exe
2⤵
- Executes dropped EXE
PID:2536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DxeldeN.exe
Filesize
6.0MB

MD5
45eea314270d6b5903f722aa302962fa

SHA1
b3c5775b3d176f8fb89270b649e28b94c06b472d

SHA256
e889a780bd370f2664b7692f819f3de08a8cad2b2d1620db513c17a906e9b85a

SHA512
891c7f92fff73f8c2c49ea83c608711e9d0e9015638d7da5c4961b61443c71495bc2a85ff3cacd4ce73ddb56a3cfa8f669ed859d583db1f86fc2b05fb49d445f

Download Submit
C:\Windows\system\EKCcoGe.exe
Filesize
6.0MB

MD5
2a3999f166e08057fb35ba0cef0b6ea3

SHA1
2c5ab3751fbe15388f3a72cbb080701faac47cc9

SHA256
26eeaa2fb3579da97ec66fa3d82f668aad8774a9d617627d8ce221754fb242a8

SHA512
38294ee0d52b9fb949d2b33cc8bb3deba2ae83a4100abe810ba37de35842e413a5f56a5524bf9f02aebac76b5b53149bdace2cf751f165e2487be79a25f600e6

Download Submit
C:\Windows\system\PBJfAwM.exe
Filesize
6.0MB

MD5
24cd3d472f167ba75566ac8f28108fc1

SHA1
d9c53115da7af63608419cdf60975b6dfca2d862

SHA256
12091ce6cdd57d9aa69587254bc4cd0d041b42b4437d8e75d19314ffa6cf4f8b

SHA512
8e09d4060f1b45ab0548e93c10309bc7fc5c1b9d217affc99cdf7399edc6ea1ec4810b30479f31658bc55d5c014237441a1efe4c13feae06eb76fe852168db30

Download Submit
C:\Windows\system\WejqkTE.exe
Filesize
6.0MB

MD5
e3f6db77dbd5f23543f27293d62af1bf

SHA1
e78d1ebe6c3a4da76bdc61edb2d2608aae8e11b0

SHA256
a614a9b441726a55dbdd3481443e46f9db08affdcfd3a9b934d1c93f59196561

SHA512
6de0b3ea7edf77172335979589557c10e5ca5b02d4f1327d2e043f47fab6614fec0bdaa17df69f0132104df1a5295e40836b16437050744f00fde2163b36a61e

Download Submit
C:\Windows\system\bGLelpU.exe
Filesize
6.0MB

MD5
5c5831160afc7889012336a0b2d64062

SHA1
17e75a9a03362a1d1d8a92140dc77df555867984

SHA256
97d6cf563eee6feb39ac9b0f9240673105a240455ac6f44fef0e910293bf90c0

SHA512
c299f9059d68fb52d8706b22219f08d794aa4daefe8c39784d8d9fa2f82bf676e7ffc5fe143fdc6657df29a01efe45427a94194458a33daf1c7a2405a7034559

Download Submit
C:\Windows\system\cXxqkmp.exe
Filesize
6.0MB

MD5
31dfb3ead2aa3a95c952c472dcef2092

SHA1
286b7bf800d5ae62a4484d57a84e118576040786

SHA256
94e74efce0337e00a9ddf13270257ef05c88e1dc217d551bfa9fb8760fc19e9c

SHA512
c22d5479b605136d1e7b2ea0785fddd500615b525020fba8dfe9a3447cf4520980755223bd7eddf88efa436983fe8502797969f1c75f5aaf2ee09234a88cfc1a

Download Submit
C:\Windows\system\eFjFjsT.exe
Filesize
6.0MB

MD5
9e5ca1b527a077f6dd0f82bb8ee74316

SHA1
20e482462fd2ed972214dccaaf595ef9d0ffdbb7

SHA256
05f26142105f29a2f90041099095f7b4272063fdcb6c95639497bd755d24fcd2

SHA512
10d3ed789a27e9b38fc25dc18377a30b29868fdd545e3d1b18cf0ee3f87126ea21f832d2bfd0787ebca356b6ab89eef74dcb362decd34848b034f3522b532a8b

Download Submit
C:\Windows\system\hRbvGSH.exe
Filesize
6.0MB

MD5
68cf1bae611f89ff80cd8f0cc2b71d14

SHA1
fae62d0c83c773822b2c9d49188fc0660ef47f15

SHA256
fe57cadb154c5849b02efc64d4cd78f30c791e2a51ccb200090ffe6d238e06fa

SHA512
955ae30c2c4db38c2d2b8940e0c0137fce7f52c9831a495e74996bdee31cae2794e9349d455a3fa963b535415bdef6bc4669ad18784d1662b5610942e46045da

Download Submit
C:\Windows\system\jlbQFUx.exe
Filesize
6.0MB

MD5
f570c717614c04f2d61e90c041fc92b9

SHA1
a57294304d8ea7e8e0bf2b1d07670098895386c5

SHA256
3fa6d76fbfc2d3dbf22b7a9787b060b2aab74be8dd914433f5f95dbefd78f78a

SHA512
1d4636bebb30a0af8a050caa0e52895784ad85f88792454cb76095de0a3c1abf61ff55cda02e0dcfeefb10fdd4b6de7a2ccf4f8961cf2a4cc2c9fae7e0bc00d7

Download Submit
C:\Windows\system\kJzbdRs.exe
Filesize
6.0MB

MD5
e74a54a60239db86f8de0c78ae6daaa8

SHA1
ed2259ffbdd98e877ddfdf7b9f7adcfaf6976d0f

SHA256
501e6a11a3a70099902f1e8bbd5ceb7ba301e8d73ef4e237c52d83c880dc4b11

SHA512
8595c2f39f57077fb6c58a72bfea0964aff648e7e7c011741979b98965e6034558b1bf88b1e8264cbd571487b08a11a06554947e5a38d54baf1577c8fae3fb9e

Download Submit
C:\Windows\system\lUNUQBY.exe
Filesize
6.0MB

MD5
d7c79ee47b1d35ef523fd377112fe2a8

SHA1
c28a79dd792ae2ad3358b092a9a12f7d81cb711c

SHA256
a0fe7c1b3b881d64ecfa129c15661f71933905d2cee5a8d08b80b300539b1967

SHA512
1ee8ef55bb73c1e142f0d61d1ec71187481bad9d4c60b177082d74838aab4b5de839d775765b5ba33104ba1e2f43b549f824dc7d9045c0152b7180a6e635489f

Download Submit
C:\Windows\system\obYxVIB.exe
Filesize
5.9MB

MD5
1b3246e7afc88bac3fda4be198ab021e

SHA1
af9afee7150a6aaf6b2616ca65a755dab07a1697

SHA256
2cef7caec67c35765861fb2e5a27a644201366f7ddbd457375f1e303dfb4b4e7

SHA512
ade61868ede1fa3d027b8c771fb8ed9eb4688f048c20dfda7c8a90bfcac0c29faa14b4a6b31b25b95904eaf02c2d5e10759e8b475803451781f4938c73da02a4

Download Submit
C:\Windows\system\tCJsWGk.exe
Filesize
5.9MB

MD5
c3f9663a4277063e7c996cd4aea95226

SHA1
19dbbebe1ea44492bae0defbcd7befd82712543f

SHA256
2f3e5f796c2bc942a52902d876a4ad9fa98204f8ae3e71c892ac1eafb2a1a091

SHA512
954f7337b083b1d6067172bd2cb671436298f9341b77bef64fe260914b270265749e3abc15a615836ac6aa3d45d9419fd4b344bab2bd1f835e637240e0ada548

Download Submit
C:\Windows\system\uKnhzfD.exe
Filesize
6.0MB

MD5
8a1f60136347771f5ee2689ca3854507

SHA1
60468d39d6435a42111d1092c9def323ce59df0a

SHA256
7a2fe88508fdd514b6b3d55350dd35227d96254f940bca93db46201b7988b46e

SHA512
91ddcb710e0319396b956460450373b4eb46296ad6b0ef4d6f1d5e0e0c12ce252b2c3535817aceca801bd41915ef895cb9dd0dd139666d67f59dbab9e2165894

Download Submit
C:\Windows\system\xhLfPtu.exe
Filesize
6.0MB

MD5
c2d69eded791cbbde7c960fe7f80c525

SHA1
e448645ae9a512c28fbd27f0241fa21f9d6fc3ab

SHA256
e89635debc9e7a167804f52a06d983819e45c896150262b7e91c03b20722f4fd

SHA512
0b4eb480913e292472269ac41498ec417f21175f8f3d278608acf7cc66885508a21566abe9766ca75de3d3316042b1e7fbc366fd2d8b11a9fa6771a9749e9d25

Download Submit
C:\Windows\system\zXqHVjm.exe
Filesize
6.0MB

MD5
26716fbde67de2421de0846ecca17cf6

SHA1
db50105137ecb846d7f90a17ef26d4de9e6e1890

SHA256
63fff3148f4e696a18399ac019af922020d18ef9041bf47b75026954c096177e

SHA512
99ec86fabf3c7ae1d6755fd4671e8f51aa1494fbce6531d476503fd589286e5ccf77d0e7af230ceac23249fbe31a3529869e637f176d9e55ef64c1ef79472394

Download Submit
\Windows\system\AloIQmu.exe
Filesize
5.9MB

MD5
a40208267de0e07498d2f5a6a9c22896

SHA1
54c21aef1f969d2adfd380e9581f765c1bd4c15a

SHA256
699eb0ffc080fbd892d34f8d6641b0a7101ec5cd9a3a3399158140c8ece9651f

SHA512
644883c18fb371f8869f30cfb1ba59afc509473e51fe4651191c35e6b076a1cf1a0bef45e78f21008da53a2e7bde7fe1271eafdca3b14f2b979213c760040d0d

Download Submit
\Windows\system\BzPUrGH.exe
Filesize
5.9MB

MD5
07ee13a9fe7be26b2fcaf957192956a8

SHA1
bf42c67cd626216c83d5c87ba319d1c670cc74a4

SHA256
2a5c53b18dcdddeed58779466699faf1516e7905af4dd9b33edebc3b46cf7ba6

SHA512
db7e7062be15627324406875c43138fd374e2d79fa83eea6c813221447785ab8d5346feaee5c94b79bb234617be17009cdefda5b8841b460615a3afda4f2e959

Download Submit
\Windows\system\DSJNylY.exe
Filesize
6.0MB

MD5
1cbe9061d56cdfa73b620def2a664670

SHA1
a49579368c5260727e7a9972e7d1502153da8fc3

SHA256
cd688d6509a504f0cf594ddbdc78da2e6faa533eca621a603f4d85a5b8a28ca7

SHA512
f12e81eee216ed150f6bd17d3bd2207aff5876204e3ad036c55f944fbacc74c2b0f668eab682a9f42fec154e6e21944fca832f16262b0c4fb57c7eb532a7ac98

Download Submit
\Windows\system\EnsCrlY.exe
Filesize
6.0MB

MD5
3eed48f3e56c25a5231e5377bcec27c7

SHA1
05f8fa5f68d9f38fd630199eb2914f9b0554265d

SHA256
2c9885222df6139cd8960bb49e7c4a1be9ef89d2faac19789aabd03b327af55d

SHA512
94d2edb92a919bc6d8dca7ed3ba9f06fc5453b3de74f2a008caaed48264a7d3f3f8fe60a42cc0b305150e40f9ee5b40ab09849b1ebc74114db826ed92e104887

Download Submit
\Windows\system\oFyRJGR.exe
Filesize
6.0MB

MD5
feef9f19f456a436dcbd22a06273637e

SHA1
4403468348be54b9fa3176f2ef19fe7f43efbbc1

SHA256
2583b74130f6a6d624f716af16e7275b69c6e916f36dd41f01f824769fa1d9e3

SHA512
7bd673c4575f1f3eb80307c6170bbba9492d23d673c30f268140a1dfa78adb3efa7eb312f285301040d159e0419dc837a6136f071b006906968ca3a4b750a624

Download Submit
memory/1340-127-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-151-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-129-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-148-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/1672-64-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1672-146-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-140-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2132-22-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2168-132-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2168-150-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2468-57-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-137-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-145-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2516-131-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2516-149-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2528-30-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-133-0x000000013F770000-0x000000013FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-55-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-63-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-123-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-125-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-49-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2528-0-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2528-130-0x000000013FFE0000-0x0000000140334000-memory.dmp

Filesize
3.3MB

Download
memory/2528-42-0x00000000022A0000-0x00000000025F4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-134-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-43-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-9-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-128-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-20-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2528-4-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-38-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-141-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-136-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-143-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-40-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-144-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2872-50-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2888-142-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-41-0x000000013F190000-0x000000013F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-147-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-126-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3000-138-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/3000-21-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/3044-139-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/3044-135-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/3044-16-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download