cobaltstrike | 68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

63be4bb8d339b8fa420874457468b200
SHA1

0bd72110c1f0bb300674e510d2b75ef4744370ac
SHA256

68ec096ed3ebef262ccad229af10d48bd4df27c078201313b8157d028b6336b5
SHA512

4e5e1dfaf4a1dd1898f0b831991d93013e1ccf8d67b129123b8e84894561dfc3b5f874a3b71a4503df6a492ab8f9985e1124d934b2e198e42580f2349e7ecc69
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lS:RWWBibf56utgpPFotBER/mQ32lUe

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 18 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\pfZmdcN.exe	cobalt_reflective_dll
C:\Windows\System\skXPBEt.exe	cobalt_reflective_dll
C:\Windows\System\jOKjuea.exe	cobalt_reflective_dll
C:\Windows\System\eXGwyst.exe	cobalt_reflective_dll
C:\Windows\System\gQdLYZt.exe	cobalt_reflective_dll
C:\Windows\System\HHSboEd.exe	cobalt_reflective_dll
C:\Windows\System\fHAKeow.exe	cobalt_reflective_dll
C:\Windows\System\qlZxEjO.exe	cobalt_reflective_dll
C:\Windows\System\cEEnfDY.exe	cobalt_reflective_dll
C:\Windows\System\gakAMib.exe	cobalt_reflective_dll
C:\Windows\System\Pvqabbv.exe	cobalt_reflective_dll
C:\Windows\System\lrMneRx.exe	cobalt_reflective_dll
C:\Windows\System\ZnxSxNv.exe	cobalt_reflective_dll
C:\Windows\System\dgLVtLW.exe	cobalt_reflective_dll
C:\Windows\System\jCpcczm.exe	cobalt_reflective_dll
C:\Windows\System\SAkEoJa.exe	cobalt_reflective_dll
C:\Windows\System\lBEHSza.exe	cobalt_reflective_dll
C:\Windows\System\yRoBikk.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 18 IoCs

Processes:

resource	yara_rule
C:\Windows\System\pfZmdcN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\skXPBEt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jOKjuea.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eXGwyst.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gQdLYZt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HHSboEd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fHAKeow.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qlZxEjO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cEEnfDY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gakAMib.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Pvqabbv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lrMneRx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZnxSxNv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dgLVtLW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jCpcczm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SAkEoJa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lBEHSza.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yRoBikk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1496-0-0x00007FF782F40000-0x00007FF783291000-memory.dmp	UPX
C:\Windows\System\pfZmdcN.exe	UPX
behavioral2/memory/3580-9-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	UPX
C:\Windows\System\skXPBEt.exe	UPX
C:\Windows\System\jOKjuea.exe	UPX
behavioral2/memory/896-17-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp	UPX
C:\Windows\System\eXGwyst.exe	UPX
behavioral2/memory/4284-22-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	UPX
behavioral2/memory/2192-20-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	UPX
C:\Windows\System\gQdLYZt.exe	UPX
C:\Windows\System\HHSboEd.exe	UPX
behavioral2/memory/3988-34-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	UPX
C:\Windows\System\fHAKeow.exe	UPX
behavioral2/memory/4092-42-0x00007FF686920000-0x00007FF686C71000-memory.dmp	UPX
behavioral2/memory/2652-44-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp	UPX
C:\Windows\System\qlZxEjO.exe	UPX
behavioral2/memory/1044-50-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp	UPX
C:\Windows\System\Pvqabbv.exe	UPX
behavioral2/memory/4100-56-0x00007FF743650000-0x00007FF7439A1000-memory.dmp	UPX
behavioral2/memory/4208-67-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp	UPX
behavioral2/memory/3580-72-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	UPX
behavioral2/memory/3996-73-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp	UPX
C:\Windows\System\cEEnfDY.exe	UPX
behavioral2/memory/1504-74-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	UPX
C:\Windows\System\gakAMib.exe	UPX
behavioral2/memory/1496-64-0x00007FF782F40000-0x00007FF783291000-memory.dmp	UPX
C:\Windows\System\Pvqabbv.exe	UPX
C:\Windows\System\lrMneRx.exe	UPX
C:\Windows\System\ZnxSxNv.exe	UPX
C:\Windows\System\yRoBikk.exe	UPX
behavioral2/memory/1668-81-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	UPX
behavioral2/memory/2192-80-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	UPX
C:\Windows\System\tYweAMm.exe	UPX
C:\Windows\System\dgLVtLW.exe	UPX
behavioral2/memory/2164-108-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp	UPX
behavioral2/memory/4460-109-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp	UPX
behavioral2/memory/3988-107-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	UPX
C:\Windows\System\jCpcczm.exe	UPX
C:\Windows\System\dgLVtLW.exe	UPX
C:\Windows\System\tYweAMm.exe	UPX
C:\Windows\System\SAkEoJa.exe	UPX
behavioral2/memory/4908-113-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	UPX
C:\Windows\System\mEpffCW.exe	UPX
behavioral2/memory/4752-134-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	UPX
C:\Windows\System\lBEHSza.exe	UPX
C:\Windows\System\ewKVTrt.exe	UPX
behavioral2/memory/1440-121-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	UPX
C:\Windows\System\SAkEoJa.exe	UPX
C:\Windows\System\yRoBikk.exe	UPX
behavioral2/memory/4284-92-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	UPX
behavioral2/memory/2868-87-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	UPX
behavioral2/memory/1504-135-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	UPX
behavioral2/memory/1496-136-0x00007FF782F40000-0x00007FF783291000-memory.dmp	UPX
behavioral2/memory/1668-150-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	UPX
behavioral2/memory/4908-155-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	UPX
behavioral2/memory/1440-156-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	UPX
behavioral2/memory/2284-152-0x00007FF604480000-0x00007FF6047D1000-memory.dmp	UPX
behavioral2/memory/2868-151-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	UPX
behavioral2/memory/4732-157-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp	UPX
behavioral2/memory/1496-159-0x00007FF782F40000-0x00007FF783291000-memory.dmp	UPX
behavioral2/memory/3580-210-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	UPX
behavioral2/memory/896-212-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp	UPX
behavioral2/memory/4284-214-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	UPX
behavioral2/memory/2192-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/896-17-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp	xmrig
behavioral2/memory/4092-42-0x00007FF686920000-0x00007FF686C71000-memory.dmp	xmrig
behavioral2/memory/2652-44-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp	xmrig
behavioral2/memory/4208-67-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp	xmrig
behavioral2/memory/3580-72-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	xmrig
behavioral2/memory/3996-73-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp	xmrig
behavioral2/memory/1496-64-0x00007FF782F40000-0x00007FF783291000-memory.dmp	xmrig
behavioral2/memory/2192-80-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	xmrig
behavioral2/memory/2164-108-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp	xmrig
behavioral2/memory/4460-109-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp	xmrig
behavioral2/memory/3988-107-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	xmrig
behavioral2/memory/4752-134-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	xmrig
behavioral2/memory/4100-133-0x00007FF743650000-0x00007FF7439A1000-memory.dmp	xmrig
behavioral2/memory/1044-126-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp	xmrig
behavioral2/memory/4284-92-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	xmrig
behavioral2/memory/1504-135-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	xmrig
behavioral2/memory/1496-136-0x00007FF782F40000-0x00007FF783291000-memory.dmp	xmrig
behavioral2/memory/1668-150-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	xmrig
behavioral2/memory/4908-155-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	xmrig
behavioral2/memory/1440-156-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	xmrig
behavioral2/memory/2284-152-0x00007FF604480000-0x00007FF6047D1000-memory.dmp	xmrig
behavioral2/memory/2868-151-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	xmrig
behavioral2/memory/4732-157-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp	xmrig
behavioral2/memory/1496-159-0x00007FF782F40000-0x00007FF783291000-memory.dmp	xmrig
behavioral2/memory/3580-210-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	xmrig
behavioral2/memory/896-212-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp	xmrig
behavioral2/memory/4284-214-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	xmrig
behavioral2/memory/2192-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	xmrig
behavioral2/memory/3988-218-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	xmrig
behavioral2/memory/4092-220-0x00007FF686920000-0x00007FF686C71000-memory.dmp	xmrig
behavioral2/memory/2652-222-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp	xmrig
behavioral2/memory/1044-224-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp	xmrig
behavioral2/memory/4208-226-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp	xmrig
behavioral2/memory/4100-228-0x00007FF743650000-0x00007FF7439A1000-memory.dmp	xmrig
behavioral2/memory/3996-230-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp	xmrig
behavioral2/memory/1504-232-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	xmrig
behavioral2/memory/1668-236-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	xmrig
behavioral2/memory/2868-238-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	xmrig
behavioral2/memory/2284-240-0x00007FF604480000-0x00007FF6047D1000-memory.dmp	xmrig
behavioral2/memory/2164-242-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp	xmrig
behavioral2/memory/4460-244-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp	xmrig
behavioral2/memory/4908-246-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	xmrig
behavioral2/memory/1440-248-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	xmrig
behavioral2/memory/4752-252-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	xmrig
behavioral2/memory/4732-251-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pfZmdcN.exeskXPBEt.exejOKjuea.exeeXGwyst.exegQdLYZt.exeHHSboEd.exefHAKeow.exeqlZxEjO.exelrMneRx.exePvqabbv.exegakAMib.execEEnfDY.exeZnxSxNv.exeyRoBikk.exetYweAMm.exejCpcczm.exedgLVtLW.exeSAkEoJa.exemEpffCW.exeewKVTrt.exelBEHSza.exe

pid	process
3580	pfZmdcN.exe
896	skXPBEt.exe
2192	jOKjuea.exe
4284	eXGwyst.exe
3988	gQdLYZt.exe
4092	HHSboEd.exe
2652	fHAKeow.exe
1044	qlZxEjO.exe
4100	lrMneRx.exe
4208	Pvqabbv.exe
3996	gakAMib.exe
1504	cEEnfDY.exe
1668	ZnxSxNv.exe
2868	yRoBikk.exe
2284	tYweAMm.exe
2164	jCpcczm.exe
4460	dgLVtLW.exe
4908	SAkEoJa.exe
1440	mEpffCW.exe
4732	ewKVTrt.exe
4752	lBEHSza.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1496-0-0x00007FF782F40000-0x00007FF783291000-memory.dmp	upx
C:\Windows\System\pfZmdcN.exe	upx
behavioral2/memory/3580-9-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	upx
C:\Windows\System\skXPBEt.exe	upx
C:\Windows\System\jOKjuea.exe	upx
behavioral2/memory/896-17-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp	upx
C:\Windows\System\eXGwyst.exe	upx
behavioral2/memory/4284-22-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	upx
behavioral2/memory/2192-20-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	upx
C:\Windows\System\gQdLYZt.exe	upx
C:\Windows\System\HHSboEd.exe	upx
behavioral2/memory/3988-34-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	upx
C:\Windows\System\fHAKeow.exe	upx
behavioral2/memory/4092-42-0x00007FF686920000-0x00007FF686C71000-memory.dmp	upx
behavioral2/memory/2652-44-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp	upx
C:\Windows\System\qlZxEjO.exe	upx
behavioral2/memory/1044-50-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp	upx
C:\Windows\System\Pvqabbv.exe	upx
behavioral2/memory/4100-56-0x00007FF743650000-0x00007FF7439A1000-memory.dmp	upx
behavioral2/memory/4208-67-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp	upx
behavioral2/memory/3580-72-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp	upx
behavioral2/memory/3996-73-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp	upx
C:\Windows\System\cEEnfDY.exe	upx
behavioral2/memory/1504-74-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	upx
C:\Windows\System\gakAMib.exe	upx
behavioral2/memory/1496-64-0x00007FF782F40000-0x00007FF783291000-memory.dmp	upx
C:\Windows\System\Pvqabbv.exe	upx
C:\Windows\System\lrMneRx.exe	upx
C:\Windows\System\ZnxSxNv.exe	upx
C:\Windows\System\yRoBikk.exe	upx
behavioral2/memory/1668-81-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	upx
behavioral2/memory/2192-80-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp	upx
C:\Windows\System\tYweAMm.exe	upx
C:\Windows\System\dgLVtLW.exe	upx
behavioral2/memory/2164-108-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp	upx
behavioral2/memory/4460-109-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp	upx
behavioral2/memory/3988-107-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp	upx
C:\Windows\System\jCpcczm.exe	upx
C:\Windows\System\dgLVtLW.exe	upx
C:\Windows\System\tYweAMm.exe	upx
C:\Windows\System\SAkEoJa.exe	upx
behavioral2/memory/4908-113-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	upx
C:\Windows\System\mEpffCW.exe	upx
behavioral2/memory/4752-134-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp	upx
behavioral2/memory/4100-133-0x00007FF743650000-0x00007FF7439A1000-memory.dmp	upx
behavioral2/memory/4732-131-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp	upx
C:\Windows\System\lBEHSza.exe	upx
C:\Windows\System\ewKVTrt.exe	upx
behavioral2/memory/1440-121-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	upx
behavioral2/memory/1044-126-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp	upx
C:\Windows\System\SAkEoJa.exe	upx
behavioral2/memory/2284-96-0x00007FF604480000-0x00007FF6047D1000-memory.dmp	upx
C:\Windows\System\yRoBikk.exe	upx
behavioral2/memory/4284-92-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp	upx
behavioral2/memory/2868-87-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	upx
behavioral2/memory/1504-135-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp	upx
behavioral2/memory/1496-136-0x00007FF782F40000-0x00007FF783291000-memory.dmp	upx
behavioral2/memory/1668-150-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp	upx
behavioral2/memory/4908-155-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp	upx
behavioral2/memory/1440-156-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp	upx
behavioral2/memory/2284-152-0x00007FF604480000-0x00007FF6047D1000-memory.dmp	upx
behavioral2/memory/2868-151-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp	upx
behavioral2/memory/4732-157-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp	upx
behavioral2/memory/1496-159-0x00007FF782F40000-0x00007FF783291000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\dgLVtLW.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ewKVTrt.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qlZxEjO.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lrMneRx.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Pvqabbv.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yRoBikk.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZnxSxNv.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mEpffCW.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lBEHSza.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pfZmdcN.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\skXPBEt.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gQdLYZt.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cEEnfDY.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jCpcczm.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SAkEoJa.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gakAMib.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tYweAMm.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jOKjuea.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eXGwyst.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HHSboEd.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fHAKeow.exe	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1496 wrote to memory of 3580	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	pfZmdcN.exe
PID 1496 wrote to memory of 3580	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	pfZmdcN.exe
PID 1496 wrote to memory of 896	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	skXPBEt.exe
PID 1496 wrote to memory of 896	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	skXPBEt.exe
PID 1496 wrote to memory of 2192	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	jOKjuea.exe
PID 1496 wrote to memory of 2192	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	jOKjuea.exe
PID 1496 wrote to memory of 4284	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	eXGwyst.exe
PID 1496 wrote to memory of 4284	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	eXGwyst.exe
PID 1496 wrote to memory of 3988	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	gQdLYZt.exe
PID 1496 wrote to memory of 3988	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	gQdLYZt.exe
PID 1496 wrote to memory of 4092	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	HHSboEd.exe
PID 1496 wrote to memory of 4092	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	HHSboEd.exe
PID 1496 wrote to memory of 2652	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	fHAKeow.exe
PID 1496 wrote to memory of 2652	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	fHAKeow.exe
PID 1496 wrote to memory of 1044	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	qlZxEjO.exe
PID 1496 wrote to memory of 1044	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	qlZxEjO.exe
PID 1496 wrote to memory of 4100	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	lrMneRx.exe
PID 1496 wrote to memory of 4100	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	lrMneRx.exe
PID 1496 wrote to memory of 4208	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	Pvqabbv.exe
PID 1496 wrote to memory of 4208	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	Pvqabbv.exe
PID 1496 wrote to memory of 3996	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	gakAMib.exe
PID 1496 wrote to memory of 3996	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	gakAMib.exe
PID 1496 wrote to memory of 1504	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	cEEnfDY.exe
PID 1496 wrote to memory of 1504	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	cEEnfDY.exe
PID 1496 wrote to memory of 1668	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZnxSxNv.exe
PID 1496 wrote to memory of 1668	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ZnxSxNv.exe
PID 1496 wrote to memory of 2868	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	yRoBikk.exe
PID 1496 wrote to memory of 2868	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	yRoBikk.exe
PID 1496 wrote to memory of 2284	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	tYweAMm.exe
PID 1496 wrote to memory of 2284	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	tYweAMm.exe
PID 1496 wrote to memory of 2164	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	jCpcczm.exe
PID 1496 wrote to memory of 2164	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	jCpcczm.exe
PID 1496 wrote to memory of 4460	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	dgLVtLW.exe
PID 1496 wrote to memory of 4460	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	dgLVtLW.exe
PID 1496 wrote to memory of 4908	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	SAkEoJa.exe
PID 1496 wrote to memory of 4908	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	SAkEoJa.exe
PID 1496 wrote to memory of 1440	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	mEpffCW.exe
PID 1496 wrote to memory of 1440	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	mEpffCW.exe
PID 1496 wrote to memory of 4732	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ewKVTrt.exe
PID 1496 wrote to memory of 4732	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	ewKVTrt.exe
PID 1496 wrote to memory of 4752	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	lBEHSza.exe
PID 1496 wrote to memory of 4752	1496	2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe	lBEHSza.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_63be4bb8d339b8fa420874457468b200_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\System\pfZmdcN.exe
C:\Windows\System\pfZmdcN.exe
2⤵
- Executes dropped EXE
PID:3580

C:\Windows\System\skXPBEt.exe
C:\Windows\System\skXPBEt.exe
2⤵
- Executes dropped EXE
PID:896

C:\Windows\System\jOKjuea.exe
C:\Windows\System\jOKjuea.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\eXGwyst.exe
C:\Windows\System\eXGwyst.exe
2⤵
- Executes dropped EXE
PID:4284

C:\Windows\System\gQdLYZt.exe
C:\Windows\System\gQdLYZt.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Windows\System\HHSboEd.exe
C:\Windows\System\HHSboEd.exe
2⤵
- Executes dropped EXE
PID:4092

C:\Windows\System\fHAKeow.exe
C:\Windows\System\fHAKeow.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\qlZxEjO.exe
C:\Windows\System\qlZxEjO.exe
2⤵
- Executes dropped EXE
PID:1044

C:\Windows\System\lrMneRx.exe
C:\Windows\System\lrMneRx.exe
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\System\Pvqabbv.exe
C:\Windows\System\Pvqabbv.exe
2⤵
- Executes dropped EXE
PID:4208

C:\Windows\System\gakAMib.exe
C:\Windows\System\gakAMib.exe
2⤵
- Executes dropped EXE
PID:3996

C:\Windows\System\cEEnfDY.exe
C:\Windows\System\cEEnfDY.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\System\ZnxSxNv.exe
C:\Windows\System\ZnxSxNv.exe
2⤵
- Executes dropped EXE
PID:1668

C:\Windows\System\yRoBikk.exe
C:\Windows\System\yRoBikk.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\tYweAMm.exe
C:\Windows\System\tYweAMm.exe
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\System\jCpcczm.exe
C:\Windows\System\jCpcczm.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\System\dgLVtLW.exe
C:\Windows\System\dgLVtLW.exe
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\System\SAkEoJa.exe
C:\Windows\System\SAkEoJa.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\mEpffCW.exe
C:\Windows\System\mEpffCW.exe
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\System\ewKVTrt.exe
C:\Windows\System\ewKVTrt.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System\lBEHSza.exe
C:\Windows\System\lBEHSza.exe
2⤵
- Executes dropped EXE
PID:4752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HHSboEd.exe
Filesize
5.2MB

MD5
d5ba328aa415c5f2b637500daeadd952

SHA1
48e01b7b6e7f92cb96af8bbb8c1ea960bab8b88b

SHA256
4874d327745259127bc818a1664ed0e0e2ece85a5bd8cb29f5cbac11ac49858b

SHA512
6233d55d0656b4f6d98228191efc266b0972be84060609a861e44f44dad1fc3c0c3f1cf92438f17ec57171a64f69fffc9e047aef78cc412afa7da66a357c9f76

Download Submit
C:\Windows\System\Pvqabbv.exe
Filesize
5.1MB

MD5
91df922314a4caab432bba0c590ca3c0

SHA1
b91e20ca4d9be7c8e6fd75ac2830eb878c22eb76

SHA256
0cf813b51717aab8d4bf85c804cd17451a9e8a3cc11f9cb8db55a7f62fc7b809

SHA512
41834d81c15003ab88fdc17f65dd4d58bf778aa7f748c1778b8b4cf1f00ba4e25cbf41434779e3783c6b2862972c82761d5a6dbf80e22770db840e6a09a40184

Download Submit
C:\Windows\System\Pvqabbv.exe
Filesize
5.2MB

MD5
a331b848f5f31c2ffc39c9b36e56633e

SHA1
ffc3a0fb3f71532c3bedf5f06e8a6a2f435863c4

SHA256
364faf88a0c67f71272ed18e758f8b61fb3cae3c4eb229006b9b9dcf2fe4bcc4

SHA512
9dd770b0dd4e57f1acf5974a9f0939f2ae90d0266e74057aa94683b1ef6d70a7083e8e0e5711ea1faf2d7b228a6d269f8232a0cdefe5eeb42e30464808b82d6f

Download Submit
C:\Windows\System\SAkEoJa.exe
Filesize
1.8MB

MD5
127fc12f6faae6241480d3135e552500

SHA1
801e5edf3a087a26f7d10e6bccde102f07d029e4

SHA256
825915c16780b599c32204b48d20a1fbcb4baf2eb57960853aa1679574121fb8

SHA512
c859058e54b6a916c73c8cfc81b0347195ddc770d4112c2189cb2dc9a6aa8574b3ee3ca67deb659ca1901ed5c0c543ddc2ed6de390260167651487d0bed263fe

Download Submit
C:\Windows\System\SAkEoJa.exe
Filesize
5.2MB

MD5
3a6bd9c3ae945000974e3d0dc06fd70e

SHA1
58e3eb73d4f6a05b7d529bea61cd2147afa7d5da

SHA256
a6e4727f475f08c4f012de67c826735b5100507791ee6bcac5b793fb34a938af

SHA512
9be74c755ac25df4a3a61feed7b65a3e6a5ad1d94e6397ad3c61f12529611c92b45dc4f92537094e4221df280e12d770c8f7f52031f508c288f8772129d9d85f

Download Submit
C:\Windows\System\ZnxSxNv.exe
Filesize
5.2MB

MD5
04adbc96d70a186c0835f2266f0053f2

SHA1
825c3633d858b37bae741a881b12af8e80490ea1

SHA256
5e3919491f9e25a99980f7ed4fda22559a6dd67134b26d7f0bd7a52baae5e20f

SHA512
ef0a384f7033b3f23bf2c814dcd25324eea3c3660c8b134f0fb67efe336795e479dde5ff4fce5f0a6f10e63aa2064287c1eecbdc63f7ff74dc03806d0012857e

Download Submit
C:\Windows\System\cEEnfDY.exe
Filesize
5.2MB

MD5
9af183dbf4237f0c6c3ee96b6af985e9

SHA1
e5a954b03bd99d501f56a76a024dbd193618bb0f

SHA256
5042874073ebc069e4672df514c41a98e9eeb74cc174b2bdfba818b68b6ef25f

SHA512
a7d9ffe541299fd3eabd5f29d4ba63ff5dc236d5d3a1213d5ec998611ab03a90e2be6134165c17e9a7083b14c1c001b060e5cf1a45e458d7afa9700dce279188

Download Submit
C:\Windows\System\dgLVtLW.exe
Filesize
3.6MB

MD5
d84891106dad0d7b4c34af85835ec4a8

SHA1
9665f97e962cdc4144cc100086ef9767ced5a5b4

SHA256
e8a5f91c8c2782a6bcd21f33eab10bf4224beef644a32d7ad28b3f57f788882d

SHA512
99ae93fd510de7cfcef873c985249199410b4395cf47a95aa3cb62c05fffe82e1b6c91a6f0f0d5f663e3d94c1f85eb70bf420495bec4261acf83c98b566255fe

Download Submit
C:\Windows\System\dgLVtLW.exe
Filesize
5.2MB

MD5
d0ad1ad1e7f521cc2e6f8018ee8e8d11

SHA1
64c17f0dad98ba18164f247b8a293ecb5132b9c6

SHA256
289f722c42ce2d89f01897ca8279db2b7b65fd29f85b62675c28bf8d77ece2d3

SHA512
e3d318ce5e3649166a905479335c4f1cd0714ad099d57b1bae78975877ae44b16ebecafe1d83b00959f81b21f0cdaef6b0691dd96a4bba8a000caad66b918bbe

Download Submit
C:\Windows\System\eXGwyst.exe
Filesize
5.2MB

MD5
587f6d95be3b3e566add7b722fa8d9d2

SHA1
7ebb938c52f492df10e6dc0b22f2c2b6c69e5ef5

SHA256
735f9715098bbdc428586bc2355ca157db0ef0977e943ebe53e1934e0aa2e2b5

SHA512
ec82df78cb06f26ab1c5f1f0e1bfbcd75378247195c275f0e25a60799f2781162b5c2e1b020383d41c5d26a05fa7a8b188357f14f40881262261bef0856f0431

Download Submit
C:\Windows\System\ewKVTrt.exe
Filesize
1.2MB

MD5
dfd2c67e54cfdf354e8bbb29e332ac4c

SHA1
f24c275731b407476a6020a51b76ab1e2e179598

SHA256
c0be5d6112649ab730dd260148056a01227d051b9d17131042f6515fe6c2f010

SHA512
deec41c10fe0e2347f5445324da636126b3be5f85c230d035d5b6983b80abdc078e082d7a6098e2344c9a31a02e70ce3299e88c86063ee89cb6f4bc8de2697ce

Download Submit
C:\Windows\System\fHAKeow.exe
Filesize
5.2MB

MD5
cdb57ad028b2edef7f3a04794aca246d

SHA1
26f8633fbfca47a4f30e87c44ba6196003400267

SHA256
47206c3c5eaa7d76e9d8ea804475e247fc1b49433c4956c7944c0a841e1cf9ca

SHA512
f95cef66dadf54acdc676d655f81b8565089ac42a6bee9aecf097b212bd0f1ecf3889fba766a526de08f2cd437e9998b4fd2f7afe45dbd5b1f12a5dd5eb0c277

Download Submit
C:\Windows\System\gQdLYZt.exe
Filesize
5.2MB

MD5
b6c76679acd14d0da09740e076151c57

SHA1
b2fda3994d19958cdb33da78d9245fb7ae017dad

SHA256
568fada3d289a6accfdb04abf7e3020a292ab7473bf4466307650a9db9e36e1f

SHA512
6fe71a7a888d8ee1e833cded086b892a80806ba60f8c33783d71b221ed0683777b9dd98c10de60692337758e4259505ddf0f2d098aed832bbdd00ec4eac833e7

Download Submit
C:\Windows\System\gakAMib.exe
Filesize
5.2MB

MD5
c466a5b02b617979146b79742386f3b4

SHA1
1f19ee13bc2078232f6c5f72814a535d4cc9bc3f

SHA256
8198ccf0a3193b93997b90633e490184422d7736916a126cdc0f6cce48fb7f12

SHA512
85f7f6f1035c5f2a671ba5c8fe049a2226f8ddf6a5ed4a5a29fbc947093f9b87c68c4885dfe9effff54ccebaed67e509bdfb16787c989e78ef49144a1a00f1a6

Download Submit
C:\Windows\System\jCpcczm.exe
Filesize
5.2MB

MD5
d3050d7df36f823782c58ac92d145866

SHA1
d927b7c26c38f6f7314e7d17efd70c74586fa286

SHA256
033861ba88abefe5364f0cc33d096739a4161cece91ed678bf80bc82eebd5087

SHA512
708a5d4a969efc2deed318a573bbc305afdfd403f7101405fcf5c859f8602d9358740ecf38f1c50922da1b4739d16f9dc193c8439a843cfb00e3b1e9eafa92c7

Download Submit
C:\Windows\System\jOKjuea.exe
Filesize
5.2MB

MD5
adaecab4f8748d9e28ccd2fef94f3de5

SHA1
426d1569692f4b015ad74d08b9b715dce5828ff8

SHA256
d3bd1971b21a63abd0ef2d78888e898ce6d9a009081981f444ba8eb838eede35

SHA512
c218028d20a8bb3609ae931f94dbae5e59cdf41aa8a58b1abb4925dfb47462baa29ad4c86d7ea03907233edd8090c6984a02e134282e444ac990c1cb9fa4efc8

Download Submit
C:\Windows\System\lBEHSza.exe
Filesize
5.2MB

MD5
950f2fe724d6f8da7c1e9f64d9837dee

SHA1
01b4e3c12fbfa8963dc35a5a3d6c306efa9c4644

SHA256
4fa728d0a8c2b601ad5cce8bd3c2de0c95c785fa374cbf271c359b1781f29520

SHA512
ae333445f60c10c5ebdb2552f5d9c87c79d71da4a550adf4be51788f3103147a71bcfb1a47caa5758e9448eb8e07a2db957f67a035cd9398d8c90ff3c61d17b7

Download Submit
C:\Windows\System\lrMneRx.exe
Filesize
5.2MB

MD5
2b1da25af62aafcd233e5c24b61fccb9

SHA1
a07c1478c1ca7f9b68e95d1144e46ab757fc4c5a

SHA256
9b58da286642d81ad06f30c8356a1c380383b2fde240e2e5831af5cc854a95d0

SHA512
c9bffb2792ceaa235e2cf45ffae016c05e65e417b84b0bb9ef832050706e49297a21a015315297ba3f7524dd0e5c7dc4da8b9d4a10266a048bb7b58808aa0300

Download Submit
C:\Windows\System\mEpffCW.exe
Filesize
2.4MB

MD5
4fd4eaa35cf158855340e60f1fa72ae8

SHA1
49367182df8fe77e2a08ddf4ed1ca919470f1fd5

SHA256
09f03c6408afe1dab300843ebb388ce04ca9906542b3f85c9f6a5d6776aed034

SHA512
7057883c1c17ed1de0647d8e460662e2c1ac547d93dd543d07a6c1347325bb4421a07f8c58ebbf617a6a7993d8a05d0dac46b1ac16089b5460ca873e0732d5c6

Download Submit
C:\Windows\System\pfZmdcN.exe
Filesize
5.2MB

MD5
1122c787ff3431643d2239216baec909

SHA1
ba998020b8ae55f5e5fa7a0caedac463ad96a232

SHA256
176ef9a9577660f21b1cbde82648f0475a89bf9d1113d3ba3a7f1c69e7e27e7f

SHA512
e15cf1fa429e64758c96ccceca30e726092f6a7bfbe5ca23fd57e63e2e78482685a98769480e3562aeae488e658afcbf2ad2cf622745b6138e34652041b417bd

Download Submit
C:\Windows\System\qlZxEjO.exe
Filesize
5.2MB

MD5
823b9261f2f1053dc7d3088c1a4edd6c

SHA1
f3351534de25582489a75ef9d3b8edc811cab563

SHA256
daf71498c0f7e0710122cef9e16a4f6bbc68d6678afb42d19ab06753685d6f01

SHA512
6d646e79da14888752ffbd9e999ebe24948146004191ce110178ceac46e6c77350f992446610136e2a62656324c1e59919efa3e2861285ef2034aec8fcc65cd9

Download Submit
C:\Windows\System\skXPBEt.exe
Filesize
5.2MB

MD5
c811db3060f9eb9be73fca7b422cc2e8

SHA1
b9e99da0593b5e673cca939233a787eaa67bba72

SHA256
12026ebda31d7a2a96757d43a99b07b81714aca8c53f9385e612164fe59bde85

SHA512
eadfb8b5045a276cd2bdebb178af51ec8711fe321f8f5659bc361e4ed10ab33d8c641bbfde4a76480b85f2f0847777002c1e816d9a9b6dfc663efe86b8ec1687

Download Submit
C:\Windows\System\tYweAMm.exe
Filesize
3.3MB

MD5
db421353b7c13e361f76f291c8c3db2e

SHA1
2fb65386ebdd75d8eda757d36d6183762cc0202e

SHA256
a76f6b0474019c712be92f63551ace57a75f87fdb29f6c6150c9156b3014193f

SHA512
dd7a0b739d7e3f94f9b10d37a317911f96c7de004a9530313f872a3f93838f2f6dc14910c15fc518b1a1c8c932255ed78acb63bb3327ada0763ac89012d62223

Download Submit
C:\Windows\System\tYweAMm.exe
Filesize
2.1MB

MD5
8bcb05d9bcfba893b0c9a24fb80f6614

SHA1
5787929aa9a028156eff17f3dc6b3534a614751f

SHA256
c2b85fec940454260304826248a9c8767c8fd8661f4d8f9df2d49d53f354b177

SHA512
cd49e4319053da319c5e4d9adfd75fa0a3fa018ac7044e6437f9e748d51fcc424c57ff6b17d63db1f771e2d6057cb98e8c453c049529195658cea1958c0e6804

Download Submit
C:\Windows\System\yRoBikk.exe
Filesize
2.7MB

MD5
e079a532debf2aa09ed43399f7482a78

SHA1
d64d769e3852c50693e4939ff3c40188d985ada3

SHA256
f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11

SHA512
8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e

Download Submit
C:\Windows\System\yRoBikk.exe
Filesize
5.2MB

MD5
8041cd1d33eda3da17c6a6111fdebf42

SHA1
c968b5834aed99e63988d09b49d5ddf3b106eb67

SHA256
1ad7e5c3c801e1027c57b3419819b5298e871c81568515c09c9c8faaa4977508

SHA512
0fb50c9a57ac02a1f0cab200f5292e84c233a355be7c9d428090c127e44126363526ed290be39b8efd73f2d3eccffb81e8f5de1b839d4fcdb72f9c410baca68f

Download Submit
memory/896-17-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp

Filesize
3.3MB

Download
memory/896-212-0x00007FF74B9F0000-0x00007FF74BD41000-memory.dmp

Filesize
3.3MB

Download
memory/1044-126-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp

Filesize
3.3MB

Download
memory/1044-50-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp

Filesize
3.3MB

Download
memory/1044-224-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp

Filesize
3.3MB

Download
memory/1440-121-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp

Filesize
3.3MB

Download
memory/1440-156-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp

Filesize
3.3MB

Download
memory/1440-248-0x00007FF6E3A30000-0x00007FF6E3D81000-memory.dmp

Filesize
3.3MB

Download
memory/1496-64-0x00007FF782F40000-0x00007FF783291000-memory.dmp

Filesize
3.3MB

Download
memory/1496-0-0x00007FF782F40000-0x00007FF783291000-memory.dmp

Filesize
3.3MB

Download
memory/1496-1-0x000001545A490000-0x000001545A4A0000-memory.dmp

Filesize
64KB

Download
memory/1496-136-0x00007FF782F40000-0x00007FF783291000-memory.dmp

Filesize
3.3MB

Download
memory/1496-159-0x00007FF782F40000-0x00007FF783291000-memory.dmp

Filesize
3.3MB

Download
memory/1504-232-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp

Filesize
3.3MB

Download
memory/1504-135-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp

Filesize
3.3MB

Download
memory/1504-74-0x00007FF7C3D30000-0x00007FF7C4081000-memory.dmp

Filesize
3.3MB

Download
memory/1668-236-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp

Filesize
3.3MB

Download
memory/1668-81-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp

Filesize
3.3MB

Download
memory/1668-150-0x00007FF70A8D0000-0x00007FF70AC21000-memory.dmp

Filesize
3.3MB

Download
memory/2164-108-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-242-0x00007FF7A8950000-0x00007FF7A8CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-80-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-20-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-216-0x00007FF76C370000-0x00007FF76C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-152-0x00007FF604480000-0x00007FF6047D1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-240-0x00007FF604480000-0x00007FF6047D1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-96-0x00007FF604480000-0x00007FF6047D1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-44-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-222-0x00007FF700F70000-0x00007FF7012C1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-151-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp

Filesize
3.3MB

Download
memory/2868-238-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp

Filesize
3.3MB

Download
memory/2868-87-0x00007FF7B9510000-0x00007FF7B9861000-memory.dmp

Filesize
3.3MB

Download
memory/3580-9-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp

Filesize
3.3MB

Download
memory/3580-72-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp

Filesize
3.3MB

Download
memory/3580-210-0x00007FF62B920000-0x00007FF62BC71000-memory.dmp

Filesize
3.3MB

Download
memory/3988-34-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp

Filesize
3.3MB

Download
memory/3988-218-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp

Filesize
3.3MB

Download
memory/3988-107-0x00007FF64C1B0000-0x00007FF64C501000-memory.dmp

Filesize
3.3MB

Download
memory/3996-73-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-230-0x00007FF6DB470000-0x00007FF6DB7C1000-memory.dmp

Filesize
3.3MB

Download
memory/4092-42-0x00007FF686920000-0x00007FF686C71000-memory.dmp

Filesize
3.3MB

Download
memory/4092-220-0x00007FF686920000-0x00007FF686C71000-memory.dmp

Filesize
3.3MB

Download
memory/4100-56-0x00007FF743650000-0x00007FF7439A1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-228-0x00007FF743650000-0x00007FF7439A1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-133-0x00007FF743650000-0x00007FF7439A1000-memory.dmp

Filesize
3.3MB

Download
memory/4208-67-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp

Filesize
3.3MB

Download
memory/4208-226-0x00007FF6A5170000-0x00007FF6A54C1000-memory.dmp

Filesize
3.3MB

Download
memory/4284-214-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp

Filesize
3.3MB

Download
memory/4284-92-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp

Filesize
3.3MB

Download
memory/4284-22-0x00007FF6128B0000-0x00007FF612C01000-memory.dmp

Filesize
3.3MB

Download
memory/4460-109-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-244-0x00007FF71E0A0000-0x00007FF71E3F1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-157-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-251-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4732-131-0x00007FF7BEE90000-0x00007FF7BF1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-134-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp

Filesize
3.3MB

Download
memory/4752-252-0x00007FF6D7EA0000-0x00007FF6D81F1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-246-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp

Filesize
3.3MB

Download
memory/4908-155-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp

Filesize
3.3MB

Download
memory/4908-113-0x00007FF7A2DD0000-0x00007FF7A3121000-memory.dmp

Filesize
3.3MB

Download