cobaltstrike | 9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

c783f8da2c0185459f11317a4ef1848c
SHA1

55820b053aa2af38399700042b6460b11acd979e
SHA256

9d68e22de91f42af030db75e111ad608a7afe88107431cd6c1158382e975473a
SHA512

766d537e649897db4a4203bfa3b165c2683d1fbf82213feb12c6e6b3e069a7e9020972eaf33393f986d9d1e51c396a8a7c036ea388c5f4dec75d87193dd5be46
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lUs

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\iESZxYd.exe	cobalt_reflective_dll
C:\Windows\System\wBKOuZx.exe	cobalt_reflective_dll
C:\Windows\System\CGEDJhH.exe	cobalt_reflective_dll
C:\Windows\System\HEkfkAr.exe	cobalt_reflective_dll
C:\Windows\System\NklsJFx.exe	cobalt_reflective_dll
C:\Windows\System\LtZBGtX.exe	cobalt_reflective_dll
C:\Windows\System\qZKbShf.exe	cobalt_reflective_dll
C:\Windows\System\grOCOKq.exe	cobalt_reflective_dll
C:\Windows\System\thddqFn.exe	cobalt_reflective_dll
C:\Windows\System\LrVRbTB.exe	cobalt_reflective_dll
C:\Windows\System\GxgoocZ.exe	cobalt_reflective_dll
C:\Windows\System\KHvcqxn.exe	cobalt_reflective_dll
C:\Windows\System\zYjbyJx.exe	cobalt_reflective_dll
C:\Windows\System\ZoZwIxc.exe	cobalt_reflective_dll
C:\Windows\System\oCpYRih.exe	cobalt_reflective_dll
C:\Windows\System\fPqkOdU.exe	cobalt_reflective_dll
C:\Windows\System\mSkeiTJ.exe	cobalt_reflective_dll
C:\Windows\System\hBYjvmR.exe	cobalt_reflective_dll
C:\Windows\System\IlWbAlg.exe	cobalt_reflective_dll
C:\Windows\System\alVYvwe.exe	cobalt_reflective_dll
C:\Windows\System\EsRBcoK.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\iESZxYd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wBKOuZx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CGEDJhH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HEkfkAr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NklsJFx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LtZBGtX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qZKbShf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\grOCOKq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\thddqFn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LrVRbTB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GxgoocZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KHvcqxn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zYjbyJx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZoZwIxc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oCpYRih.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fPqkOdU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mSkeiTJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hBYjvmR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IlWbAlg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\alVYvwe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EsRBcoK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/748-0-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	UPX
C:\Windows\System\iESZxYd.exe	UPX
behavioral2/memory/4788-7-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	UPX
C:\Windows\System\wBKOuZx.exe	UPX
behavioral2/memory/1404-14-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	UPX
C:\Windows\System\CGEDJhH.exe	UPX
C:\Windows\System\HEkfkAr.exe	UPX
C:\Windows\System\NklsJFx.exe	UPX
behavioral2/memory/3188-26-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	UPX
C:\Windows\System\LtZBGtX.exe	UPX
C:\Windows\System\qZKbShf.exe	UPX
C:\Windows\System\grOCOKq.exe	UPX
C:\Windows\System\thddqFn.exe	UPX
C:\Windows\System\LrVRbTB.exe	UPX
C:\Windows\System\GxgoocZ.exe	UPX
C:\Windows\System\KHvcqxn.exe	UPX
C:\Windows\System\zYjbyJx.exe	UPX
C:\Windows\System\ZoZwIxc.exe	UPX
C:\Windows\System\oCpYRih.exe	UPX
C:\Windows\System\fPqkOdU.exe	UPX
C:\Windows\System\mSkeiTJ.exe	UPX
C:\Windows\System\hBYjvmR.exe	UPX
C:\Windows\System\IlWbAlg.exe	UPX
C:\Windows\System\alVYvwe.exe	UPX
C:\Windows\System\EsRBcoK.exe	UPX
behavioral2/memory/4088-38-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	UPX
behavioral2/memory/772-32-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	UPX
behavioral2/memory/2096-25-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	UPX
behavioral2/memory/1404-115-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	UPX
behavioral2/memory/4788-114-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	UPX
behavioral2/memory/4348-127-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	UPX
behavioral2/memory/1488-124-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	UPX
behavioral2/memory/2620-121-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	UPX
behavioral2/memory/3096-120-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	UPX
behavioral2/memory/748-113-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	UPX
behavioral2/memory/2256-129-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	UPX
behavioral2/memory/5100-131-0x00007FF607200000-0x00007FF607551000-memory.dmp	UPX
behavioral2/memory/4036-132-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp	UPX
behavioral2/memory/1712-134-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp	UPX
behavioral2/memory/4476-130-0x00007FF626430000-0x00007FF626781000-memory.dmp	UPX
behavioral2/memory/2796-133-0x00007FF755EF0000-0x00007FF756241000-memory.dmp	UPX
behavioral2/memory/2012-128-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	UPX
behavioral2/memory/752-126-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	UPX
behavioral2/memory/1636-125-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	UPX
behavioral2/memory/2372-123-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	UPX
behavioral2/memory/1644-122-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	UPX
behavioral2/memory/748-135-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	UPX
behavioral2/memory/4788-184-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	UPX
behavioral2/memory/1404-186-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	UPX
behavioral2/memory/2096-188-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	UPX
behavioral2/memory/3188-190-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	UPX
behavioral2/memory/772-192-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	UPX
behavioral2/memory/4088-194-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	UPX
behavioral2/memory/3096-196-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	UPX
behavioral2/memory/2620-198-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	UPX
behavioral2/memory/1644-200-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	UPX
behavioral2/memory/2372-204-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	UPX
behavioral2/memory/1488-203-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	UPX
behavioral2/memory/2256-209-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	UPX
behavioral2/memory/2012-212-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	UPX
behavioral2/memory/752-214-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	UPX
behavioral2/memory/4476-216-0x00007FF626430000-0x00007FF626781000-memory.dmp	UPX
behavioral2/memory/1636-211-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	UPX
behavioral2/memory/4348-207-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1404-14-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	xmrig
behavioral2/memory/3188-26-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	xmrig
behavioral2/memory/4088-38-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	xmrig
behavioral2/memory/772-32-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	xmrig
behavioral2/memory/2096-25-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	xmrig
behavioral2/memory/1404-115-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	xmrig
behavioral2/memory/4788-114-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	xmrig
behavioral2/memory/4348-127-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	xmrig
behavioral2/memory/1488-124-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	xmrig
behavioral2/memory/2620-121-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	xmrig
behavioral2/memory/3096-120-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	xmrig
behavioral2/memory/748-113-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	xmrig
behavioral2/memory/2256-129-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	xmrig
behavioral2/memory/5100-131-0x00007FF607200000-0x00007FF607551000-memory.dmp	xmrig
behavioral2/memory/4036-132-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp	xmrig
behavioral2/memory/1712-134-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp	xmrig
behavioral2/memory/4476-130-0x00007FF626430000-0x00007FF626781000-memory.dmp	xmrig
behavioral2/memory/2796-133-0x00007FF755EF0000-0x00007FF756241000-memory.dmp	xmrig
behavioral2/memory/2012-128-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	xmrig
behavioral2/memory/752-126-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	xmrig
behavioral2/memory/1636-125-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	xmrig
behavioral2/memory/2372-123-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	xmrig
behavioral2/memory/1644-122-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	xmrig
behavioral2/memory/748-135-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	xmrig
behavioral2/memory/4788-184-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	xmrig
behavioral2/memory/1404-186-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	xmrig
behavioral2/memory/2096-188-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	xmrig
behavioral2/memory/3188-190-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	xmrig
behavioral2/memory/772-192-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	xmrig
behavioral2/memory/4088-194-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	xmrig
behavioral2/memory/3096-196-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	xmrig
behavioral2/memory/2620-198-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	xmrig
behavioral2/memory/1644-200-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	xmrig
behavioral2/memory/2372-204-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	xmrig
behavioral2/memory/1488-203-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	xmrig
behavioral2/memory/2256-209-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	xmrig
behavioral2/memory/2012-212-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	xmrig
behavioral2/memory/752-214-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	xmrig
behavioral2/memory/4476-216-0x00007FF626430000-0x00007FF626781000-memory.dmp	xmrig
behavioral2/memory/1636-211-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	xmrig
behavioral2/memory/4348-207-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	xmrig
behavioral2/memory/2796-221-0x00007FF755EF0000-0x00007FF756241000-memory.dmp	xmrig
behavioral2/memory/5100-224-0x00007FF607200000-0x00007FF607551000-memory.dmp	xmrig
behavioral2/memory/4036-223-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp	xmrig
behavioral2/memory/1712-219-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

iESZxYd.exeCGEDJhH.exewBKOuZx.exeHEkfkAr.exeNklsJFx.exeLtZBGtX.exeqZKbShf.exegrOCOKq.exethddqFn.exeEsRBcoK.exeLrVRbTB.exeGxgoocZ.exealVYvwe.exeKHvcqxn.exeIlWbAlg.exehBYjvmR.exezYjbyJx.exeZoZwIxc.exemSkeiTJ.exeoCpYRih.exefPqkOdU.exe

pid	process
4788	iESZxYd.exe
1404	CGEDJhH.exe
2096	wBKOuZx.exe
3188	HEkfkAr.exe
772	NklsJFx.exe
4088	LtZBGtX.exe
3096	qZKbShf.exe
2620	grOCOKq.exe
1644	thddqFn.exe
2372	EsRBcoK.exe
1488	LrVRbTB.exe
1636	GxgoocZ.exe
752	alVYvwe.exe
4348	KHvcqxn.exe
2012	IlWbAlg.exe
2256	hBYjvmR.exe
4476	zYjbyJx.exe
5100	ZoZwIxc.exe
4036	mSkeiTJ.exe
2796	oCpYRih.exe
1712	fPqkOdU.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/748-0-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	upx
C:\Windows\System\iESZxYd.exe	upx
behavioral2/memory/4788-7-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	upx
C:\Windows\System\wBKOuZx.exe	upx
behavioral2/memory/1404-14-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	upx
C:\Windows\System\CGEDJhH.exe	upx
C:\Windows\System\HEkfkAr.exe	upx
C:\Windows\System\NklsJFx.exe	upx
behavioral2/memory/3188-26-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	upx
C:\Windows\System\LtZBGtX.exe	upx
C:\Windows\System\qZKbShf.exe	upx
C:\Windows\System\grOCOKq.exe	upx
C:\Windows\System\thddqFn.exe	upx
C:\Windows\System\LrVRbTB.exe	upx
C:\Windows\System\GxgoocZ.exe	upx
C:\Windows\System\KHvcqxn.exe	upx
C:\Windows\System\zYjbyJx.exe	upx
C:\Windows\System\ZoZwIxc.exe	upx
C:\Windows\System\oCpYRih.exe	upx
C:\Windows\System\fPqkOdU.exe	upx
C:\Windows\System\mSkeiTJ.exe	upx
C:\Windows\System\hBYjvmR.exe	upx
C:\Windows\System\IlWbAlg.exe	upx
C:\Windows\System\alVYvwe.exe	upx
C:\Windows\System\EsRBcoK.exe	upx
behavioral2/memory/4088-38-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	upx
behavioral2/memory/772-32-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	upx
behavioral2/memory/2096-25-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	upx
behavioral2/memory/1404-115-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	upx
behavioral2/memory/4788-114-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	upx
behavioral2/memory/4348-127-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	upx
behavioral2/memory/1488-124-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	upx
behavioral2/memory/2620-121-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	upx
behavioral2/memory/3096-120-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	upx
behavioral2/memory/748-113-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	upx
behavioral2/memory/2256-129-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	upx
behavioral2/memory/5100-131-0x00007FF607200000-0x00007FF607551000-memory.dmp	upx
behavioral2/memory/4036-132-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp	upx
behavioral2/memory/1712-134-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp	upx
behavioral2/memory/4476-130-0x00007FF626430000-0x00007FF626781000-memory.dmp	upx
behavioral2/memory/2796-133-0x00007FF755EF0000-0x00007FF756241000-memory.dmp	upx
behavioral2/memory/2012-128-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	upx
behavioral2/memory/752-126-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	upx
behavioral2/memory/1636-125-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	upx
behavioral2/memory/2372-123-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	upx
behavioral2/memory/1644-122-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	upx
behavioral2/memory/748-135-0x00007FF771FD0000-0x00007FF772321000-memory.dmp	upx
behavioral2/memory/4788-184-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp	upx
behavioral2/memory/1404-186-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp	upx
behavioral2/memory/2096-188-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp	upx
behavioral2/memory/3188-190-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp	upx
behavioral2/memory/772-192-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp	upx
behavioral2/memory/4088-194-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp	upx
behavioral2/memory/3096-196-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp	upx
behavioral2/memory/2620-198-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp	upx
behavioral2/memory/1644-200-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp	upx
behavioral2/memory/2372-204-0x00007FF70C540000-0x00007FF70C891000-memory.dmp	upx
behavioral2/memory/1488-203-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp	upx
behavioral2/memory/2256-209-0x00007FF6995E0000-0x00007FF699931000-memory.dmp	upx
behavioral2/memory/2012-212-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp	upx
behavioral2/memory/752-214-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp	upx
behavioral2/memory/4476-216-0x00007FF626430000-0x00007FF626781000-memory.dmp	upx
behavioral2/memory/1636-211-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp	upx
behavioral2/memory/4348-207-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\HEkfkAr.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NklsJFx.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LtZBGtX.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\grOCOKq.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oCpYRih.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iESZxYd.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CGEDJhH.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wBKOuZx.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KHvcqxn.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hBYjvmR.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mSkeiTJ.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\thddqFn.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LrVRbTB.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GxgoocZ.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IlWbAlg.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qZKbShf.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EsRBcoK.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\alVYvwe.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zYjbyJx.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZoZwIxc.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fPqkOdU.exe	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 748 wrote to memory of 4788	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	iESZxYd.exe
PID 748 wrote to memory of 4788	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	iESZxYd.exe
PID 748 wrote to memory of 1404	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	CGEDJhH.exe
PID 748 wrote to memory of 1404	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	CGEDJhH.exe
PID 748 wrote to memory of 2096	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	wBKOuZx.exe
PID 748 wrote to memory of 2096	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	wBKOuZx.exe
PID 748 wrote to memory of 3188	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	HEkfkAr.exe
PID 748 wrote to memory of 3188	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	HEkfkAr.exe
PID 748 wrote to memory of 772	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	NklsJFx.exe
PID 748 wrote to memory of 772	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	NklsJFx.exe
PID 748 wrote to memory of 4088	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	LtZBGtX.exe
PID 748 wrote to memory of 4088	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	LtZBGtX.exe
PID 748 wrote to memory of 3096	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	qZKbShf.exe
PID 748 wrote to memory of 3096	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	qZKbShf.exe
PID 748 wrote to memory of 2620	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	grOCOKq.exe
PID 748 wrote to memory of 2620	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	grOCOKq.exe
PID 748 wrote to memory of 1644	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	thddqFn.exe
PID 748 wrote to memory of 1644	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	thddqFn.exe
PID 748 wrote to memory of 2372	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	EsRBcoK.exe
PID 748 wrote to memory of 2372	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	EsRBcoK.exe
PID 748 wrote to memory of 1488	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	LrVRbTB.exe
PID 748 wrote to memory of 1488	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	LrVRbTB.exe
PID 748 wrote to memory of 1636	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	GxgoocZ.exe
PID 748 wrote to memory of 1636	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	GxgoocZ.exe
PID 748 wrote to memory of 752	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	alVYvwe.exe
PID 748 wrote to memory of 752	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	alVYvwe.exe
PID 748 wrote to memory of 4348	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	KHvcqxn.exe
PID 748 wrote to memory of 4348	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	KHvcqxn.exe
PID 748 wrote to memory of 2012	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	IlWbAlg.exe
PID 748 wrote to memory of 2012	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	IlWbAlg.exe
PID 748 wrote to memory of 2256	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hBYjvmR.exe
PID 748 wrote to memory of 2256	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	hBYjvmR.exe
PID 748 wrote to memory of 4476	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	zYjbyJx.exe
PID 748 wrote to memory of 4476	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	zYjbyJx.exe
PID 748 wrote to memory of 5100	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ZoZwIxc.exe
PID 748 wrote to memory of 5100	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	ZoZwIxc.exe
PID 748 wrote to memory of 4036	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	mSkeiTJ.exe
PID 748 wrote to memory of 4036	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	mSkeiTJ.exe
PID 748 wrote to memory of 2796	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	oCpYRih.exe
PID 748 wrote to memory of 2796	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	oCpYRih.exe
PID 748 wrote to memory of 1712	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	fPqkOdU.exe
PID 748 wrote to memory of 1712	748	2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe	fPqkOdU.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c783f8da2c0185459f11317a4ef1848c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\System\iESZxYd.exe
C:\Windows\System\iESZxYd.exe
2⤵
- Executes dropped EXE
PID:4788

C:\Windows\System\CGEDJhH.exe
C:\Windows\System\CGEDJhH.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\wBKOuZx.exe
C:\Windows\System\wBKOuZx.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\System\HEkfkAr.exe
C:\Windows\System\HEkfkAr.exe
2⤵
- Executes dropped EXE
PID:3188

C:\Windows\System\NklsJFx.exe
C:\Windows\System\NklsJFx.exe
2⤵
- Executes dropped EXE
PID:772

C:\Windows\System\LtZBGtX.exe
C:\Windows\System\LtZBGtX.exe
2⤵
- Executes dropped EXE
PID:4088

C:\Windows\System\qZKbShf.exe
C:\Windows\System\qZKbShf.exe
2⤵
- Executes dropped EXE
PID:3096

C:\Windows\System\grOCOKq.exe
C:\Windows\System\grOCOKq.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\thddqFn.exe
C:\Windows\System\thddqFn.exe
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\System\EsRBcoK.exe
C:\Windows\System\EsRBcoK.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System\LrVRbTB.exe
C:\Windows\System\LrVRbTB.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\GxgoocZ.exe
C:\Windows\System\GxgoocZ.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\alVYvwe.exe
C:\Windows\System\alVYvwe.exe
2⤵
- Executes dropped EXE
PID:752

C:\Windows\System\KHvcqxn.exe
C:\Windows\System\KHvcqxn.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\System\IlWbAlg.exe
C:\Windows\System\IlWbAlg.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\hBYjvmR.exe
C:\Windows\System\hBYjvmR.exe
2⤵
- Executes dropped EXE
PID:2256

C:\Windows\System\zYjbyJx.exe
C:\Windows\System\zYjbyJx.exe
2⤵
- Executes dropped EXE
PID:4476

C:\Windows\System\ZoZwIxc.exe
C:\Windows\System\ZoZwIxc.exe
2⤵
- Executes dropped EXE
PID:5100

C:\Windows\System\mSkeiTJ.exe
C:\Windows\System\mSkeiTJ.exe
2⤵
- Executes dropped EXE
PID:4036

C:\Windows\System\oCpYRih.exe
C:\Windows\System\oCpYRih.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\fPqkOdU.exe
C:\Windows\System\fPqkOdU.exe
2⤵
- Executes dropped EXE
PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CGEDJhH.exe
Filesize
5.2MB

MD5
cea6502b1277d9919c01d82b66a549aa

SHA1
baa6504275bac30084dc7053a0c6b1b50439b7b2

SHA256
8ab2b5698ff8d4086d549eca430b0fbb1036abe34cbaa02ba55ad6f333dcd9a9

SHA512
7c58fbae35d30eb0daea53f758b3d5b7fa7d94f0e7d3f0016e13d2399e8035372b0071def8fc391579ad7a37c6e993e6c73ce54f4a3420963997778019ed2831

Download Submit
C:\Windows\System\EsRBcoK.exe
Filesize
5.2MB

MD5
b07ef4a5a1cd9b01d2e389acb34f13c8

SHA1
aa5d2625e534b505a8ca6cb6554a8f3df8bfdb2d

SHA256
f9957bb81f599ca22e41f84a6611802ea3c0fb35a5c9731943d21830cb777562

SHA512
ca605eb0a4247cb2afb170193e973a71f6e9ec7c63234a5681fa968a42eb35140a1d7b87ab261dd84c521d5895bfa306d525a3d7b0c9a048f7df0b058affef4a

Download Submit
C:\Windows\System\GxgoocZ.exe
Filesize
5.2MB

MD5
5ed152469f775d22eb833fdbd60485e5

SHA1
8a0604306f3d3ceea7d3d92b98187ac2598a26eb

SHA256
d93ef0fd8a1dad32d039a5abc360c83f75e04f5d84cdf4ca83524aaa314518f7

SHA512
4adc4312ca85f261ed53c564a28ee73b6698ed65a7cab36de5c8cf60049e303e115365797d792c00ece530d180e7ee62835bf59ca1c8e4a7770d05de1931617c

Download Submit
C:\Windows\System\HEkfkAr.exe
Filesize
5.2MB

MD5
9da102b655ae538d64136ac2b72a10d4

SHA1
8058596651ec4a06881019d04d34a8d19f3ddf8c

SHA256
ac6d7ea362459c2d41c5b5db2d87ba2792c7c00c6c81cd509d311cb590740dd2

SHA512
3b5f032b30125ba7628712b73344428ff65e6d96e1ac023ccbf6ec8a1dc9705b976614c2c1c2c99236d11011234db1cf9f7a948605ba7e2c825bce73c1920963

Download Submit
C:\Windows\System\IlWbAlg.exe
Filesize
5.2MB

MD5
f05e809c46642ba3aa7ef9e304092de9

SHA1
44240e7d325e76d7900723578c5bc04b089085a4

SHA256
72f4ba6e1d3d9077b3cd89d4d2d357f6ea897fd8c13bfbf204aba51c63737136

SHA512
ecb0d5eae10071b890381024ee739f9b953f4cb787d593367bca4fa55a364494583ee04d9679e8b15e1ce7f2a93adc62232be546d77b6b4c5cabfedfc4ad0c37

Download Submit
C:\Windows\System\KHvcqxn.exe
Filesize
5.2MB

MD5
f8204e11d852bf9fe0edbff1e30f9e39

SHA1
018671c89cf95cd92252356142a27a6055f6f58a

SHA256
c8c1913acdd00413052602045c2f11e2531688c30ccedb38061e0a435bbf6346

SHA512
a6df314e06e65a3bb3fab17e7dd131b44dfb4aae5462c1b109ea1db29b9d21ecb6e6efe061788e0a0af5e35fb9fddacb0b876688a5be4ee8a539b696427b5cea

Download Submit
C:\Windows\System\LrVRbTB.exe
Filesize
5.2MB

MD5
cb83e9a007cf5df3cdeade56b5ff7fa8

SHA1
0290dd8acfd9e4154490456399f766e2d7ab54b4

SHA256
ef70b1411929252f5915e7b337cc11df48496dfa6cfc68c186c20dc984bdb249

SHA512
65fefee1b7ea74a4a5e2ac57bce01780891b93dca81fc999e1cafbe6bfa2c1a9bddc3e93df489615f91fa5c54f7e2bd6f28047376f0db1c67b85dd6f91a5fc4f

Download Submit
C:\Windows\System\LtZBGtX.exe
Filesize
5.2MB

MD5
4c7823e95417bb6ee85ba0840e82c5b5

SHA1
a6cd76aa95f3172a04a695b70813c8936a00c260

SHA256
e82faf366a1981468f7285a0270f9e7630ad4691799c25e3712e5f552a091f31

SHA512
d8107c6618044227d562b34e44f9e5647997320eb7b2a371854515669d10c259f188afc797ac2e55c4a9136cef8d79b953152482319e945ae3596c1c9d41c400

Download Submit
C:\Windows\System\NklsJFx.exe
Filesize
5.2MB

MD5
e9259a901df6de5e30e76c0f7b8393e2

SHA1
80331116b863b24a7bec7c87a9a11c4d1f2a5ea7

SHA256
0a1d7d634499483762c7d50f368785903e0ff96aa6fcb0dbaea50d324f1cd51b

SHA512
38fae0d9ace03af56633ca4d006ebdfb9d09df033fe6c559b32da1eda45c3b840500b91c880738efa85ce099ca6f7efd4b203b74bc89f84df65bd8813a5dc275

Download Submit
C:\Windows\System\ZoZwIxc.exe
Filesize
5.2MB

MD5
78c9facc2466840c356e01cfe6a7b098

SHA1
d031fc7f598c2c90dba0613d114f84d12b86817b

SHA256
8bfc26dc1610f74b36c237c81ec0bc0c667edee9129752c5bf0c5f1acf74ac39

SHA512
5a5f3f61816cfffc0d7062a131babbad417b18bad26d40f240b168bce7bcf494001ffe6e41274163e688b7ff232bb143e13a8e44448b177ab7eb15d71efd1ec1

Download Submit
C:\Windows\System\alVYvwe.exe
Filesize
5.2MB

MD5
143c58d70d491ff821098ef9584dc43b

SHA1
2f3ea0b06b91ed1439b2bb2df3cb0573c96d8f4e

SHA256
6640610a46141c9668543417678fb9e5975249d20a074c3afa6fdd67c233ec59

SHA512
11d29b2557be7fed9d33b8c70c6b6e821d56beaad4ca81a90a505cddebcc5e7bc8de89c4ab920d110dc755b7ee0a49a3900ab26be64cd02cef66fd4db0b576e0

Download Submit
C:\Windows\System\fPqkOdU.exe
Filesize
5.2MB

MD5
4c665c1dbd393856f72a69fafbed5a1d

SHA1
7cf5892f764f2ff7b67b8c910268cf784015e3a6

SHA256
1baa8a85901c3623e5ad7fe5020cb2aa6807e5187262ce73c9621f54ab0fb89f

SHA512
296a8770a306cee513b645eb92a4802389caba390ad75be13e0a13260e6e37d0c2c54454ab8338559d689f347b17ce553726e53b644d473fc4743b1c3a57d3f9

Download Submit
C:\Windows\System\grOCOKq.exe
Filesize
5.2MB

MD5
2cb1a0fd7fa7686004e3b519a3c65c56

SHA1
489ffaf1f16581c1735e02641283db8db1ac7d5e

SHA256
3e5e0ad1105efc44bca84b586f8a20e63190db6bb56ca407bfe530c8f723635f

SHA512
2886476fd9f53e741169bdf90b9c923e5b825df698aafda241e1547f04d63160aa6b2d7b9ce74464a877b6388db1a2a440a6fbc0eae6ba3f9c9f26daaf22a697

Download Submit
C:\Windows\System\hBYjvmR.exe
Filesize
5.2MB

MD5
d80ef78674ba84bdcf357e3702d1a867

SHA1
96742e0b832e61ffe605faf9e2af2d9fe651658c

SHA256
df93a4e008258d943e22de532c5b971fece939d843574e1dbf3557c836b16c9d

SHA512
b2bf337fcb2a4191ac1789e70bb3785017c6802934cd29cbb1d45a4e12717cb6813689cdafcc59add9d92b796d9e1bae326aff41b2267232b72d5755f6a707b5

Download Submit
C:\Windows\System\iESZxYd.exe
Filesize
5.2MB

MD5
b3971e1317e2d31d14a406d1c0b2d8fb

SHA1
52b3ee5a619ff10fc0539665d8f783f98926ba50

SHA256
8befb05a3536fc3d1db3c2c415a270df52c711dbda425324e95119a1c23735a2

SHA512
def9b36fc599f50eff1ae1cc7c8685f7710107e75e8ca74c61265fb239f64ccba6bc756c0c06f38b4acacb4dcaa72ea36ebffdbfb01e13e03e4eb9ffb3e7f509

Download Submit
C:\Windows\System\mSkeiTJ.exe
Filesize
5.2MB

MD5
972df430b591e9addd79a02d6b0da356

SHA1
9eb95546d1a62ecd707d909bdcddee2d187af1d2

SHA256
4991bcfd3b9ca280142d1f7377055b4cb31bf60abb4aad39e48c2e67a4e9b696

SHA512
ac11afea4de6c67f9ade1868a61bf35722c271f54c4b8e48a288d3a13a2856a7f2a123ebc6258d484b0efc6c46b1c9c33d27fd1aed769e702a0f8dc5fa1558dd

Download Submit
C:\Windows\System\oCpYRih.exe
Filesize
5.2MB

MD5
6901ec577b94c4da7e4830e3dad6a72a

SHA1
263890e77df1218817843a987b32fc4e48f0962d

SHA256
8b8c843849cd39bd2ca511ff2e6e017f2eb21c4f4cfd981675fe811b67b06a71

SHA512
4f35a1b652139666dc9e1e1b54dc66405c4cc264232da24d316036fc3e3a939e69d445b474d7b7efb0c3907dc4ddc651b6ad84061e02c26589a55b15e3386a83

Download Submit
C:\Windows\System\qZKbShf.exe
Filesize
5.2MB

MD5
dafaee27e204df2cf95395174bd04d88

SHA1
797da11736f883d8fae4580fbfc446da84230ed4

SHA256
2bfd21c7ccbc88058274285a628bd9ab099b3f8681fb2cbe9aa932a41b689346

SHA512
8520c6d13cc95c1dd6610f224dd7c9df9316c0c90d5e84bb373072fc1c7d7a4d46710cd3ba7946b86bace4230256c7cf587273388304fc8c3032eae565fc2ae0

Download Submit
C:\Windows\System\thddqFn.exe
Filesize
5.2MB

MD5
0e9ad77de0907fd14e36ca3004a6d609

SHA1
749aa234bebe3f2df1138ff00a4eaa0929b3621e

SHA256
67377ad17f668fe3028fb8ca7ae9cd8dac510293d59256bca18c84db08f943f8

SHA512
5dd99f07645f7cffdfd06fd5c3981f01db3804ae4a45a6273da9fc38a11bc603fb8ee66528ccb0d8630c902c0babee58ff2493fcf4dbbecad4313d519d6504e8

Download Submit
C:\Windows\System\wBKOuZx.exe
Filesize
5.2MB

MD5
8a248dc667310319e56f0f1fced33b69

SHA1
d026a31867f29307528292f6e00639ffad99b44e

SHA256
707f8f20ee1ce976a62eb4313f4157b91edbd80640222dfdd04f10a6ad783cae

SHA512
373a39f7bd1b55e9cbf3fb40873d1325f04bfed386f31a7d4abb435c0018d749b2542037a9719959264d1da9b1efba99eeeb0a40a75098737ec5bcc819b7b024

Download Submit
C:\Windows\System\zYjbyJx.exe
Filesize
5.2MB

MD5
d04615d1b3decebf4bdce9ea62c8c343

SHA1
96c9272d76ffe3422eaff89091b3de9155e50c95

SHA256
8893702b7a4d3b00594f7d653f4b4938121445aa569000f18b1d77744b03f4c2

SHA512
db37984e6812ab68cb78381c42cff26c052e050fb3d8140c63c18fbf6f631ff4a55c5107eb111547679e29135af9584d2360c7102f9415566a64bf8518582d3a

Download Submit
memory/748-0-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

Filesize
3.3MB

Download
memory/748-1-0x00000234A4410000-0x00000234A4420000-memory.dmp

Filesize
64KB

Download
memory/748-113-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

Filesize
3.3MB

Download
memory/748-135-0x00007FF771FD0000-0x00007FF772321000-memory.dmp

Filesize
3.3MB

Download
memory/752-214-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/752-126-0x00007FF6EE270000-0x00007FF6EE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/772-32-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/772-192-0x00007FF6EC450000-0x00007FF6EC7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-186-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

Filesize
3.3MB

Download
memory/1404-115-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

Filesize
3.3MB

Download
memory/1404-14-0x00007FF7389C0000-0x00007FF738D11000-memory.dmp

Filesize
3.3MB

Download
memory/1488-203-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-124-0x00007FF7EB760000-0x00007FF7EBAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1636-125-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp

Filesize
3.3MB

Download
memory/1636-211-0x00007FF767AF0000-0x00007FF767E41000-memory.dmp

Filesize
3.3MB

Download
memory/1644-122-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp

Filesize
3.3MB

Download
memory/1644-200-0x00007FF7D7CF0000-0x00007FF7D8041000-memory.dmp

Filesize
3.3MB

Download
memory/1712-219-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-134-0x00007FF677E80000-0x00007FF6781D1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-128-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-212-0x00007FF734E80000-0x00007FF7351D1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-188-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-25-0x00007FF6F7F70000-0x00007FF6F82C1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-129-0x00007FF6995E0000-0x00007FF699931000-memory.dmp

Filesize
3.3MB

Download
memory/2256-209-0x00007FF6995E0000-0x00007FF699931000-memory.dmp

Filesize
3.3MB

Download
memory/2372-123-0x00007FF70C540000-0x00007FF70C891000-memory.dmp

Filesize
3.3MB

Download
memory/2372-204-0x00007FF70C540000-0x00007FF70C891000-memory.dmp

Filesize
3.3MB

Download
memory/2620-198-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-121-0x00007FF69B5A0000-0x00007FF69B8F1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-221-0x00007FF755EF0000-0x00007FF756241000-memory.dmp

Filesize
3.3MB

Download
memory/2796-133-0x00007FF755EF0000-0x00007FF756241000-memory.dmp

Filesize
3.3MB

Download
memory/3096-120-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp

Filesize
3.3MB

Download
memory/3096-196-0x00007FF744D60000-0x00007FF7450B1000-memory.dmp

Filesize
3.3MB

Download
memory/3188-26-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp

Filesize
3.3MB

Download
memory/3188-190-0x00007FF6D7FC0000-0x00007FF6D8311000-memory.dmp

Filesize
3.3MB

Download
memory/4036-132-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4036-223-0x00007FF67D050000-0x00007FF67D3A1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-38-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp

Filesize
3.3MB

Download
memory/4088-194-0x00007FF7B1C20000-0x00007FF7B1F71000-memory.dmp

Filesize
3.3MB

Download
memory/4348-127-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp

Filesize
3.3MB

Download
memory/4348-207-0x00007FF64AFE0000-0x00007FF64B331000-memory.dmp

Filesize
3.3MB

Download
memory/4476-130-0x00007FF626430000-0x00007FF626781000-memory.dmp

Filesize
3.3MB

Download
memory/4476-216-0x00007FF626430000-0x00007FF626781000-memory.dmp

Filesize
3.3MB

Download
memory/4788-114-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

Filesize
3.3MB

Download
memory/4788-184-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

Filesize
3.3MB

Download
memory/4788-7-0x00007FF73DEF0000-0x00007FF73E241000-memory.dmp

Filesize
3.3MB

Download
memory/5100-131-0x00007FF607200000-0x00007FF607551000-memory.dmp

Filesize
3.3MB

Download
memory/5100-224-0x00007FF607200000-0x00007FF607551000-memory.dmp

Filesize
3.3MB

Download