cobaltstrike | 43371cc678b7685292c9a7d4c0f86d1984ee7b753ecc4c54e500d05f95a1fc12

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ec8f9d24cfa46452d041768cf4652409
SHA1

b31c56d81174121c1f34c22fb3131faaaf854098
SHA256

43371cc678b7685292c9a7d4c0f86d1984ee7b753ecc4c54e500d05f95a1fc12
SHA512

1c3792036d372374725f51f76c15add524dcf219c2eeb7633f9606fef538d102464222470c3d773f0f0006753b7b4245183021b52a82b1e567f75b8c26c7dc3a
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUB:E+v56utgpPF8u/7B

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\tpeIkbw.exe	cobalt_reflective_dll
C:\Windows\system\adzzBNS.exe	cobalt_reflective_dll
C:\Windows\system\LPdHDni.exe	cobalt_reflective_dll
C:\Windows\system\MmSCfqC.exe	cobalt_reflective_dll
C:\Windows\system\RtyeNxo.exe	cobalt_reflective_dll
\Windows\system\YRqutbj.exe	cobalt_reflective_dll
\Windows\system\MiPQxco.exe	cobalt_reflective_dll
C:\Windows\system\vCSbAyP.exe	cobalt_reflective_dll
\Windows\system\pfiOxuh.exe	cobalt_reflective_dll
\Windows\system\FiXAzpx.exe	cobalt_reflective_dll
C:\Windows\system\iOhYLZI.exe	cobalt_reflective_dll
\Windows\system\YVieCTm.exe	cobalt_reflective_dll
\Windows\system\dtDfgUG.exe	cobalt_reflective_dll
\Windows\system\tCrlVAC.exe	cobalt_reflective_dll
C:\Windows\system\MICdbws.exe	cobalt_reflective_dll
C:\Windows\system\kjwfljQ.exe	cobalt_reflective_dll
C:\Windows\system\WwTEXQX.exe	cobalt_reflective_dll
C:\Windows\system\VfZrgCX.exe	cobalt_reflective_dll
C:\Windows\system\rXcrwtb.exe	cobalt_reflective_dll
C:\Windows\system\dMlUPIM.exe	cobalt_reflective_dll
C:\Windows\system\GZRLmqD.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\tpeIkbw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\adzzBNS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LPdHDni.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MmSCfqC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RtyeNxo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YRqutbj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MiPQxco.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vCSbAyP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\pfiOxuh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\FiXAzpx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iOhYLZI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YVieCTm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\dtDfgUG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\tCrlVAC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MICdbws.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kjwfljQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\WwTEXQX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VfZrgCX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rXcrwtb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dMlUPIM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GZRLmqD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 50 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x000000013FC20000-0x000000013FF74000-memory.dmp	UPX
C:\Windows\system\tpeIkbw.exe	UPX
C:\Windows\system\adzzBNS.exe	UPX
C:\Windows\system\LPdHDni.exe	UPX
C:\Windows\system\MmSCfqC.exe	UPX
C:\Windows\system\RtyeNxo.exe	UPX
\Windows\system\YRqutbj.exe	UPX
\Windows\system\MiPQxco.exe	UPX
C:\Windows\system\vCSbAyP.exe	UPX
\Windows\system\pfiOxuh.exe	UPX
\Windows\system\FiXAzpx.exe	UPX
C:\Windows\system\iOhYLZI.exe	UPX
behavioral1/memory/2544-51-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
\Windows\system\YVieCTm.exe	UPX
\Windows\system\dtDfgUG.exe	UPX
behavioral1/memory/2656-37-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
\Windows\system\tCrlVAC.exe	UPX
behavioral1/memory/1112-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/1864-104-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
C:\Windows\system\MICdbws.exe	UPX
behavioral1/memory/2788-101-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
C:\Windows\system\kjwfljQ.exe	UPX
behavioral1/memory/2540-86-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
C:\Windows\system\WwTEXQX.exe	UPX
behavioral1/memory/2404-69-0x000000013F7E0000-0x000000013FB34000-memory.dmp	UPX
C:\Windows\system\VfZrgCX.exe	UPX
behavioral1/memory/2876-131-0x000000013FC20000-0x000000013FF74000-memory.dmp	UPX
C:\Windows\system\rXcrwtb.exe	UPX
C:\Windows\system\dMlUPIM.exe	UPX
C:\Windows\system\GZRLmqD.exe	UPX
behavioral1/memory/2616-27-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/3036-24-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2956-23-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2464-22-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2616-132-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2544-133-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2788-134-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/1864-135-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/1112-136-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/3036-137-0x000000013F640000-0x000000013F994000-memory.dmp	UPX
behavioral1/memory/2956-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2464-139-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2656-141-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2616-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2544-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2404-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp	UPX
behavioral1/memory/2540-144-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/memory/2788-145-0x000000013F340000-0x000000013F694000-memory.dmp	UPX
behavioral1/memory/1112-146-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/1864-147-0x000000013F340000-0x000000013F694000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
C:\Windows\system\tpeIkbw.exe	xmrig
C:\Windows\system\adzzBNS.exe	xmrig
C:\Windows\system\LPdHDni.exe	xmrig
C:\Windows\system\MmSCfqC.exe	xmrig
C:\Windows\system\RtyeNxo.exe	xmrig
\Windows\system\YRqutbj.exe	xmrig
\Windows\system\MiPQxco.exe	xmrig
C:\Windows\system\vCSbAyP.exe	xmrig
\Windows\system\pfiOxuh.exe	xmrig
\Windows\system\FiXAzpx.exe	xmrig
C:\Windows\system\iOhYLZI.exe	xmrig
behavioral1/memory/2544-51-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
\Windows\system\YVieCTm.exe	xmrig
\Windows\system\dtDfgUG.exe	xmrig
behavioral1/memory/2656-37-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
\Windows\system\tCrlVAC.exe	xmrig
behavioral1/memory/1112-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/1864-104-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2876-103-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
C:\Windows\system\MICdbws.exe	xmrig
behavioral1/memory/2788-101-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
C:\Windows\system\kjwfljQ.exe	xmrig
behavioral1/memory/2876-93-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2540-86-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
C:\Windows\system\WwTEXQX.exe	xmrig
behavioral1/memory/2404-69-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
C:\Windows\system\VfZrgCX.exe	xmrig
behavioral1/memory/2876-131-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
C:\Windows\system\rXcrwtb.exe	xmrig
C:\Windows\system\dMlUPIM.exe	xmrig
C:\Windows\system\GZRLmqD.exe	xmrig
behavioral1/memory/2616-27-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2876-25-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/3036-24-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2956-23-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2464-22-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2616-132-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2544-133-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2788-134-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/1864-135-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/1112-136-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/3036-137-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2956-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2464-139-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2656-141-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2616-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2544-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2404-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2540-144-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/2788-145-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/1112-146-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/1864-147-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

tpeIkbw.exeadzzBNS.exeLPdHDni.exeMmSCfqC.exeGZRLmqD.exedMlUPIM.exeiOhYLZI.exerXcrwtb.exeVfZrgCX.exevCSbAyP.exeWwTEXQX.exekjwfljQ.exeMICdbws.exetCrlVAC.exedtDfgUG.exeYVieCTm.exeRtyeNxo.exeFiXAzpx.exepfiOxuh.exeMiPQxco.exeYRqutbj.exe

pid	process
3036	tpeIkbw.exe
2464	adzzBNS.exe
2956	LPdHDni.exe
2616	MmSCfqC.exe
2656	GZRLmqD.exe
2544	dMlUPIM.exe
2540	iOhYLZI.exe
2404	rXcrwtb.exe
2788	VfZrgCX.exe
1112	vCSbAyP.exe
1864	WwTEXQX.exe
1588	kjwfljQ.exe
2696	MICdbws.exe
2712	tCrlVAC.exe
2472	dtDfgUG.exe
1696	YVieCTm.exe
1872	RtyeNxo.exe
1052	FiXAzpx.exe
1648	pfiOxuh.exe
1624	MiPQxco.exe
2680	YRqutbj.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

pid	process
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2876-0-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
C:\Windows\system\tpeIkbw.exe	upx
C:\Windows\system\adzzBNS.exe	upx
C:\Windows\system\LPdHDni.exe	upx
C:\Windows\system\MmSCfqC.exe	upx
C:\Windows\system\RtyeNxo.exe	upx
\Windows\system\YRqutbj.exe	upx
\Windows\system\MiPQxco.exe	upx
C:\Windows\system\vCSbAyP.exe	upx
\Windows\system\pfiOxuh.exe	upx
\Windows\system\FiXAzpx.exe	upx
C:\Windows\system\iOhYLZI.exe	upx
behavioral1/memory/2544-51-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
\Windows\system\YVieCTm.exe	upx
\Windows\system\dtDfgUG.exe	upx
behavioral1/memory/2656-37-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
\Windows\system\tCrlVAC.exe	upx
behavioral1/memory/1112-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/1864-104-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\MICdbws.exe	upx
behavioral1/memory/2788-101-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\kjwfljQ.exe	upx
behavioral1/memory/2540-86-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
C:\Windows\system\WwTEXQX.exe	upx
behavioral1/memory/2404-69-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
C:\Windows\system\VfZrgCX.exe	upx
behavioral1/memory/2876-131-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
C:\Windows\system\rXcrwtb.exe	upx
C:\Windows\system\dMlUPIM.exe	upx
C:\Windows\system\GZRLmqD.exe	upx
behavioral1/memory/2616-27-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/3036-24-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2956-23-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2464-22-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2616-132-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2544-133-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2788-134-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/1864-135-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/1112-136-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/3036-137-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2956-138-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2464-139-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2656-141-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2616-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2544-142-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2404-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2540-144-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/2788-145-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/1112-146-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/1864-147-0x000000013F340000-0x000000013F694000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\VfZrgCX.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MiPQxco.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\adzzBNS.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOhYLZI.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YVieCTm.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LPdHDni.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tCrlVAC.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rXcrwtb.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dMlUPIM.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RtyeNxo.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pfiOxuh.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YRqutbj.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MICdbws.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tpeIkbw.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MmSCfqC.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GZRLmqD.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WwTEXQX.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kjwfljQ.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dtDfgUG.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FiXAzpx.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vCSbAyP.exe	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2876 wrote to memory of 3036	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tpeIkbw.exe
PID 2876 wrote to memory of 3036	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tpeIkbw.exe
PID 2876 wrote to memory of 3036	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tpeIkbw.exe
PID 2876 wrote to memory of 2464	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	adzzBNS.exe
PID 2876 wrote to memory of 2464	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	adzzBNS.exe
PID 2876 wrote to memory of 2464	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	adzzBNS.exe
PID 2876 wrote to memory of 2956	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	LPdHDni.exe
PID 2876 wrote to memory of 2956	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	LPdHDni.exe
PID 2876 wrote to memory of 2956	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	LPdHDni.exe
PID 2876 wrote to memory of 2616	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MmSCfqC.exe
PID 2876 wrote to memory of 2616	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MmSCfqC.exe
PID 2876 wrote to memory of 2616	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MmSCfqC.exe
PID 2876 wrote to memory of 2656	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	GZRLmqD.exe
PID 2876 wrote to memory of 2656	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	GZRLmqD.exe
PID 2876 wrote to memory of 2656	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	GZRLmqD.exe
PID 2876 wrote to memory of 2712	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tCrlVAC.exe
PID 2876 wrote to memory of 2712	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tCrlVAC.exe
PID 2876 wrote to memory of 2712	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	tCrlVAC.exe
PID 2876 wrote to memory of 2544	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dMlUPIM.exe
PID 2876 wrote to memory of 2544	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dMlUPIM.exe
PID 2876 wrote to memory of 2544	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dMlUPIM.exe
PID 2876 wrote to memory of 2472	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dtDfgUG.exe
PID 2876 wrote to memory of 2472	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dtDfgUG.exe
PID 2876 wrote to memory of 2472	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	dtDfgUG.exe
PID 2876 wrote to memory of 2540	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	iOhYLZI.exe
PID 2876 wrote to memory of 2540	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	iOhYLZI.exe
PID 2876 wrote to memory of 2540	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	iOhYLZI.exe
PID 2876 wrote to memory of 1696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YVieCTm.exe
PID 2876 wrote to memory of 1696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YVieCTm.exe
PID 2876 wrote to memory of 1696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YVieCTm.exe
PID 2876 wrote to memory of 2404	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	rXcrwtb.exe
PID 2876 wrote to memory of 2404	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	rXcrwtb.exe
PID 2876 wrote to memory of 2404	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	rXcrwtb.exe
PID 2876 wrote to memory of 1872	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	RtyeNxo.exe
PID 2876 wrote to memory of 1872	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	RtyeNxo.exe
PID 2876 wrote to memory of 1872	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	RtyeNxo.exe
PID 2876 wrote to memory of 2788	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	VfZrgCX.exe
PID 2876 wrote to memory of 2788	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	VfZrgCX.exe
PID 2876 wrote to memory of 2788	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	VfZrgCX.exe
PID 2876 wrote to memory of 1052	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	FiXAzpx.exe
PID 2876 wrote to memory of 1052	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	FiXAzpx.exe
PID 2876 wrote to memory of 1052	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	FiXAzpx.exe
PID 2876 wrote to memory of 1112	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	vCSbAyP.exe
PID 2876 wrote to memory of 1112	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	vCSbAyP.exe
PID 2876 wrote to memory of 1112	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	vCSbAyP.exe
PID 2876 wrote to memory of 1648	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	pfiOxuh.exe
PID 2876 wrote to memory of 1648	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	pfiOxuh.exe
PID 2876 wrote to memory of 1648	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	pfiOxuh.exe
PID 2876 wrote to memory of 1864	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	WwTEXQX.exe
PID 2876 wrote to memory of 1864	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	WwTEXQX.exe
PID 2876 wrote to memory of 1864	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	WwTEXQX.exe
PID 2876 wrote to memory of 1624	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MiPQxco.exe
PID 2876 wrote to memory of 1624	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MiPQxco.exe
PID 2876 wrote to memory of 1624	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MiPQxco.exe
PID 2876 wrote to memory of 1588	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	kjwfljQ.exe
PID 2876 wrote to memory of 1588	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	kjwfljQ.exe
PID 2876 wrote to memory of 1588	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	kjwfljQ.exe
PID 2876 wrote to memory of 2680	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YRqutbj.exe
PID 2876 wrote to memory of 2680	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YRqutbj.exe
PID 2876 wrote to memory of 2680	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	YRqutbj.exe
PID 2876 wrote to memory of 2696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MICdbws.exe
PID 2876 wrote to memory of 2696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MICdbws.exe
PID 2876 wrote to memory of 2696	2876	2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe	MICdbws.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_ec8f9d24cfa46452d041768cf4652409_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\System\tpeIkbw.exe
C:\Windows\System\tpeIkbw.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\adzzBNS.exe
C:\Windows\System\adzzBNS.exe
2⤵
- Executes dropped EXE
PID:2464

C:\Windows\System\LPdHDni.exe
C:\Windows\System\LPdHDni.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\MmSCfqC.exe
C:\Windows\System\MmSCfqC.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\GZRLmqD.exe
C:\Windows\System\GZRLmqD.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\tCrlVAC.exe
C:\Windows\System\tCrlVAC.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\dMlUPIM.exe
C:\Windows\System\dMlUPIM.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\dtDfgUG.exe
C:\Windows\System\dtDfgUG.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\iOhYLZI.exe
C:\Windows\System\iOhYLZI.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\YVieCTm.exe
C:\Windows\System\YVieCTm.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\rXcrwtb.exe
C:\Windows\System\rXcrwtb.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\RtyeNxo.exe
C:\Windows\System\RtyeNxo.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\VfZrgCX.exe
C:\Windows\System\VfZrgCX.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\FiXAzpx.exe
C:\Windows\System\FiXAzpx.exe
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\System\vCSbAyP.exe
C:\Windows\System\vCSbAyP.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\pfiOxuh.exe
C:\Windows\System\pfiOxuh.exe
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\System\WwTEXQX.exe
C:\Windows\System\WwTEXQX.exe
2⤵
- Executes dropped EXE
PID:1864

C:\Windows\System\MiPQxco.exe
C:\Windows\System\MiPQxco.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\kjwfljQ.exe
C:\Windows\System\kjwfljQ.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\YRqutbj.exe
C:\Windows\System\YRqutbj.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\MICdbws.exe
C:\Windows\System\MICdbws.exe
2⤵
- Executes dropped EXE
PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GZRLmqD.exe
Filesize
6.0MB

MD5
7cdd23752990f3c500304f66bbc4d2df

SHA1
4f586b5e42cdcd1b5139cd194d8d9efed3de439c

SHA256
cdb1d169816067c3756af64e16eb83de223e85575404f288421c8737dc1d1b84

SHA512
99ad2216802911798fd4d53cfa3efb3d0439a02612c248f37a55c9168047de10ab95a3e0eba8de50dbf779bd3ef443c720a7cd9450ea782bbbcc0680283a51c7

Download Submit
C:\Windows\system\LPdHDni.exe
Filesize
6.0MB

MD5
5b8328b74330d6644d5d4057dbbae4b4

SHA1
c7260dd166e34276efe9714c0b5c185c7911e221

SHA256
846df5397099c89935d6ccc3442dda563846cfab95c6001dc5ad4361c799dd05

SHA512
5e3c9428a861b454e9fd1226d0852bf9cdb253980e8815f538188772bc1aa208b22e4cabea2664ae6168f9bf3dad7a8a37a82ce997cf34512970b23107a8feb3

Download Submit
C:\Windows\system\MICdbws.exe
Filesize
6.0MB

MD5
4e1994ef030e7ade32016d1b2114fd6a

SHA1
96df5f8cf04bea8466f7ed58d5438000801c89ce

SHA256
0db5ba56053c077781ef806acb97b27877d228e5f71a5fe9a66d4da18f0dd1f1

SHA512
8ffc85573417a305c41996584b9ea4797db7e145d28328fb3405e98046055e356fdc2804ad64e7c045bf72eedc2f74b78509cdeed2440453e857c47d4180d6f8

Download Submit
C:\Windows\system\MmSCfqC.exe
Filesize
6.0MB

MD5
be8671139fe9ec615f9f0bd90e48b626

SHA1
fd4b25b8e2a0751b7132ea07e852a02602b9b60b

SHA256
0e5fa8bf1b4a538931c0fc24e7045430a6c41aeadbaca7fabcce85679c941eaf

SHA512
7e4acdcf4e55510933f380aa4eddf725fcac993a460204995615df25b8ac1519bffa4c4904da07cd3820fa14417f07fef461578e4ab5ea341e94bc4ac4fe00d7

Download Submit
C:\Windows\system\RtyeNxo.exe
Filesize
6.0MB

MD5
af9b3a48c69dcc2f956d245e1ceafc35

SHA1
51165d73c8703ad7cbfab393f3933aeb01fe6772

SHA256
51943702a5e33d94c7fe0f81e6848767f564a7be82dc4e30176fad59ca87b97f

SHA512
dd6c55111e14d063605c36690a6c130a194fb1b6262646089192bbe0af76d4b0283960c5efba0d6ebdd9d4f567b2e964bc59157723a4ec2c6e2bd30d04183b97

Download Submit
C:\Windows\system\VfZrgCX.exe
Filesize
6.0MB

MD5
040e93527360845503e7734957e5f0d4

SHA1
9263a056a5a150b5a0bae85dab8cb496931f9708

SHA256
160b6c306b11d32b14ca7b546b1c66e49a11e66d8d9df433126d4229fbe86330

SHA512
10e6f5cd583a40a576456dd0bc2e33bde38194ef86ac005d5ecbf07b201c0779a4f9682d9e458222301f92f66d0a101416fa8f7c42faa5ea8f7d2d9806ce7408

Download Submit
C:\Windows\system\WwTEXQX.exe
Filesize
6.0MB

MD5
1dfe6d60cfff1670c2e8c1729769a582

SHA1
154076095cca40a5782dbb35f321a6f70638ca49

SHA256
f8312e8f736fed548db0f724162e0d9f85231cb65873c6d05fa410419ee25baa

SHA512
1fda2e9d81150e1c36295d23b32c5ae8d93a1e7a8e9a81d232893695c6f356e5785c99759b855ee58895a37def016c0b5cab8e074075ef592ad90de61adf6ddf

Download Submit
C:\Windows\system\adzzBNS.exe
Filesize
5.9MB

MD5
4a629875b7b829a78b6f993374c818fc

SHA1
e95b1108a8561591e782edbe724f9ae6f80d9709

SHA256
1d185d6f838ffc68a6e746fdcdd3704ceeaced0a8503b35e6915e3495e7b8b71

SHA512
d0d0061616ca36fa2b3881fe828b8be73d6519134361acb136e9f3ccc0f86d1332bc3d047be5a6e13638acfe45d47576f1b1672939d4ef3ec0958c5c967af1d0

Download Submit
C:\Windows\system\dMlUPIM.exe
Filesize
6.0MB

MD5
41b00593721361579d40ec4e787e3307

SHA1
362f562a7ba228f80c4edcc0a97806f155e6a05a

SHA256
db2c6e94fd283984a9197be3fa67f6d2c0b2f76af87dd9a6fdb9030248788e5c

SHA512
f1213e71035f62d9f9872bc6958585dca67b388f59657bccf3a24447f970ab77609c1fea7a83a1bfa700967ab7a4af6b8cdbfa540caddfcc240ac5a44ede66f2

Download Submit
C:\Windows\system\iOhYLZI.exe
Filesize
6.0MB

MD5
76289ecae2451266d40abbfe3ec05688

SHA1
e0043419703ae2db27ad0d9b558898a750157922

SHA256
f12cb4e46ed08ff11fa099f941e17701da96c5fc98e1ab9e560014e22fc1371c

SHA512
1eb420a304ae460416db7915ee877d7ab09f16cb099852acaf68d185e9eeea79927ca36434d1a86c186f384ee986509718ad24ce62a6cb174f23a732a925c844

Download Submit
C:\Windows\system\kjwfljQ.exe
Filesize
6.0MB

MD5
d21732078523dd324eb2aec87f03fb9e

SHA1
a18ff141e16c00c7d79b7df64d0fbcdcb6c134ef

SHA256
eda333ce94be2830c5b36595c3488d3ec724f4daf75c716cb0cd3682caef538a

SHA512
0e0394501bce9fd9ea3b9d5a52d29e9d35f7dcfa06893542abd1f1064b6af1f3a7858785666274ef5bfdfa0a3377dc71b8558d464af9f3ba7709321e53f53efc

Download Submit
C:\Windows\system\rXcrwtb.exe
Filesize
6.0MB

MD5
bcf821153ea868abe28bdc28b9adda68

SHA1
6e0597bcf8e2155e0b9cf5133934d0c213c548d1

SHA256
5a4794d8f62aa87511cac948e9854eb36eb6aaad85a7062ff7346357ed3d161f

SHA512
864b9e968e10c0356168b19e8791a742b833e8582c803439fd81389f04a6e82fa84346931527549fbf917007fde167dd418400ba8a53ffc1b1c5edbda10d9e86

Download Submit
C:\Windows\system\tpeIkbw.exe
Filesize
5.9MB

MD5
87e0edb40c16ac99aa6064c7bcf42f38

SHA1
3d8a45c0a693d9be38af45b4cd795a00c11d6dcb

SHA256
aa854cbd53bf6c328715634328d7a79db8e06a3f4a7aa7846de01e09f0be89c1

SHA512
fdb0be9e97ad30250930edb09133142e94bacd28d247bcb773f7f149daf60699d15438b3fd3ebc5eb20dee367194fab8231d71e372c4d0106742ba0ef95717e0

Download Submit
C:\Windows\system\vCSbAyP.exe
Filesize
6.0MB

MD5
2f417297cbef0fb296ce6e587459040c

SHA1
44a89e1687fe3f0061b705afc62fb27f3ba9dd2e

SHA256
39c07c01f83580e53378c2fcc3f11edc964d293366b0d75d884c355536b6fc6c

SHA512
1f3672f09f50de56e11617bac4e3f2ea25f913aa3ddf146803e8421ed19012e888743cb9108b6ede37c8fe1b3cfb4a6a5d7b4d3418a8576faedf7baa7eb40c38

Download Submit
\Windows\system\FiXAzpx.exe
Filesize
6.0MB

MD5
22f7cd6998720064c2106a8141494079

SHA1
af04162651ce0b618a5db38d662980bc61fd77cc

SHA256
39846ba82446b8a11c89990c6da2b1a896b1307c2d11fe0b66ae3f2fef8b6456

SHA512
89ef7df89470a2788caf779b69424b889bc02e80ae4561faac6ec14ff69a49d2bc2636da8e457d58d718ca882689a74b5e1f6730eaa7400e19e79fe66c61c919

Download Submit
\Windows\system\MiPQxco.exe
Filesize
6.0MB

MD5
2f81a7d6d084b335c85fb4a62ff6bdba

SHA1
6935f5e1917c92d50e5b8b9e35fc03f4002f08b0

SHA256
7804726795f81afc90ab9696f3b1771a876e0f529c15350edbf559b8dd6b54b1

SHA512
c6819e1f6b911291a9228eb1b9c3bf5831e16e9a50e6aad94dac6da44522f7a4c8ff4266fd758888bd40ec17d916a17239eb67e6daf3279d0209dc9f009162f3

Download Submit
\Windows\system\YRqutbj.exe
Filesize
6.0MB

MD5
e322f0ace18a65427cc4d181669f0644

SHA1
2e10b2a8d530300b9926cc53067a64ee632c36b2

SHA256
8cc4cf160173f4dacd11ffbc98dde37ac827f707b012ac67f7266b1cb44277c7

SHA512
2a3169efbb76edef1c73f64dfa6cb252bd8714bdb42bf25e807c4fe0fe54db99bf512a2ccd0b07b1665055a8cb6cd529d6f21af9b281bf40a7e16c0d65ebbf95

Download Submit
\Windows\system\YVieCTm.exe
Filesize
6.0MB

MD5
87391361c4b6146e11b8b1d884e8cb9e

SHA1
25f5160015454bcdc7ee341e0e5bd3728bfc0a74

SHA256
1db44b1d6382dfdeeadcc9c80e07d819a021ed837314b8d686704a67650cb384

SHA512
db77b4a1502fef280fc22a5a1976a46e02be6f9b76e74c73d6ed9c3b50179146d00a24739ca6f556024c2ba011e092ddf9d7a49f80002c046f5b59de16ae5969

Download Submit
\Windows\system\dtDfgUG.exe
Filesize
6.0MB

MD5
743b781177e5f48d330c506396218bca

SHA1
76c71cf9ca0fb73d15ff2bff25df3408e137fcd5

SHA256
7eaaa1ecdda25b1cd571646783b37a96b6e2be703722de43f8db6bffa1beeb66

SHA512
3ca6c47833f5878a0401f5cb8176f5cecba9a67f35eb2ac1b814908b61683c6b8f2676dbe576ffd05fd3cfc7fc1d6a80787ffb4a2a54ddfa825b324261494d48

Download Submit
\Windows\system\pfiOxuh.exe
Filesize
6.0MB

MD5
ceb73fdf743e656e82ee4a1b223b92ee

SHA1
0128d916865360c9633a25d97a3086c42a522850

SHA256
240d28619394ca0369e9602726dcc9ee76e419e6ca43070d327fbe6aa3046a40

SHA512
22197560cca7c935c0e424a6e26397a916ffab9b28d930bb62154555ac0cae386c9db57bdc20e47fb98734700ef77f243c2f291a293b3d6eef13991d9a9d2390

Download Submit
\Windows\system\tCrlVAC.exe
Filesize
6.0MB

MD5
19fbf22dd15214dbabc470faba78e11a

SHA1
a90c3bfde797e0a91bf25322af2b461e2f18b258

SHA256
ead6ce583ad90b6ae666a4dfbe10053125111fb38fb552d9904a769c7a007c7a

SHA512
a0c001a4126b1440da2fa74c730ca360db062d79d093acecf264391de4fdeb72b96b2db37e1fe3816a63b3393d2e97fa9d4dfc866823c3fb98a198c8d861b979

Download Submit
memory/1112-146-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-107-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-136-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-135-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1864-104-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1864-147-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2404-69-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2404-143-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2464-22-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2464-139-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2540-144-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2540-86-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2544-133-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2544-142-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2544-51-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2616-140-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-132-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-27-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-37-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-141-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-145-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2788-101-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2788-134-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2876-109-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2876-105-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2876-1-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2876-25-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-35-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-0-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2876-93-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2876-106-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2876-55-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2876-18-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2876-95-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2876-72-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2876-131-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2876-108-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2876-103-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-81-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2956-138-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-23-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-24-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/3036-137-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download