cobaltstrike | b663f4049653c0d99250404911288f9b4ed42c13ea3c26b61efde8e38d5deb04

Analysis

max time kernel
124s
max time network
134s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

091b914ccdf9cefeb659f95d68404b2f
SHA1

fa6564684573dd962d1f47344e6ac108ee48e417
SHA256

b663f4049653c0d99250404911288f9b4ed42c13ea3c26b61efde8e38d5deb04
SHA512

5035f7ea350ddd547725342a3edb21c83c3f05c2a7801c32e9e6b5438041e53faad68161517756e5000b4aa313a2e82a829573233c8d71aec4e0ade313692613
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUy:v+D56utgpPF8u/7y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\bmkUKQm.exe	cobalt_reflective_dll
C:\Windows\system\ecRGPzA.exe	cobalt_reflective_dll
C:\Windows\system\ytAKbnY.exe	cobalt_reflective_dll
\Windows\system\QVZETky.exe	cobalt_reflective_dll
C:\Windows\system\OswcgFk.exe	cobalt_reflective_dll
C:\Windows\system\sLEKpwX.exe	cobalt_reflective_dll
C:\Windows\system\oxHoalt.exe	cobalt_reflective_dll
C:\Windows\system\dlhwdHh.exe	cobalt_reflective_dll
\Windows\system\QaidTeV.exe	cobalt_reflective_dll
\Windows\system\HMEaygO.exe	cobalt_reflective_dll
C:\Windows\system\vJyPhlL.exe	cobalt_reflective_dll
C:\Windows\system\lXHmJGV.exe	cobalt_reflective_dll
C:\Windows\system\rjyzDHi.exe	cobalt_reflective_dll
\Windows\system\gJMlvsq.exe	cobalt_reflective_dll
C:\Windows\system\gaqGvCx.exe	cobalt_reflective_dll
C:\Windows\system\MoKSPBB.exe	cobalt_reflective_dll
C:\Windows\system\KSJEkxd.exe	cobalt_reflective_dll
C:\Windows\system\XbYuMgf.exe	cobalt_reflective_dll
C:\Windows\system\sZTeFMp.exe	cobalt_reflective_dll
C:\Windows\system\iurXShX.exe	cobalt_reflective_dll
\Windows\system\eeDGtZx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\bmkUKQm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ecRGPzA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ytAKbnY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QVZETky.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\OswcgFk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sLEKpwX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oxHoalt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dlhwdHh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\QaidTeV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HMEaygO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vJyPhlL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lXHmJGV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rjyzDHi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gJMlvsq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gaqGvCx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MoKSPBB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KSJEkxd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XbYuMgf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\sZTeFMp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iurXShX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eeDGtZx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2108-2-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\bmkUKQm.exe	UPX
behavioral1/memory/1748-9-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\ecRGPzA.exe	UPX
C:\Windows\system\ytAKbnY.exe	UPX
\Windows\system\QVZETky.exe	UPX
behavioral1/memory/2612-27-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\OswcgFk.exe	UPX
C:\Windows\system\sLEKpwX.exe	UPX
behavioral1/memory/3012-48-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\oxHoalt.exe	UPX
behavioral1/memory/2516-62-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2100-65-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\dlhwdHh.exe	UPX
\Windows\system\QaidTeV.exe	UPX
behavioral1/memory/2392-79-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\HMEaygO.exe	UPX
C:\Windows\system\vJyPhlL.exe	UPX
C:\Windows\system\lXHmJGV.exe	UPX
C:\Windows\system\rjyzDHi.exe	UPX
\Windows\system\gJMlvsq.exe	UPX
C:\Windows\system\gaqGvCx.exe	UPX
C:\Windows\system\MoKSPBB.exe	UPX
C:\Windows\system\KSJEkxd.exe	UPX
behavioral1/memory/2516-130-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2784-99-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2732-98-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\XbYuMgf.exe	UPX
C:\Windows\system\sZTeFMp.exe	UPX
behavioral1/memory/2584-131-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3016-55-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2584-64-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\iurXShX.exe	UPX
\Windows\system\eeDGtZx.exe	UPX
behavioral1/memory/2732-53-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2108-49-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2624-46-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3056-133-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2392-135-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2888-137-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2828-138-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/1748-139-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3016-140-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2612-141-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2100-142-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2624-143-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3012-144-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2732-145-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2584-147-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2516-146-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2784-148-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2392-149-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/3056-150-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2888-151-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2828-152-0x0000000140000000-0x0000000140352000-memory.dmp	UPX

XMRig Miner payload 57 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2108-2-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\bmkUKQm.exe	xmrig
behavioral1/memory/1748-9-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\ecRGPzA.exe	xmrig
C:\Windows\system\ytAKbnY.exe	xmrig
\Windows\system\QVZETky.exe	xmrig
behavioral1/memory/2612-27-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\OswcgFk.exe	xmrig
C:\Windows\system\sLEKpwX.exe	xmrig
behavioral1/memory/2108-47-0x00000000025E0000-0x0000000002932000-memory.dmp	xmrig
behavioral1/memory/3012-48-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\oxHoalt.exe	xmrig
behavioral1/memory/2516-62-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2100-65-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\dlhwdHh.exe	xmrig
\Windows\system\QaidTeV.exe	xmrig
behavioral1/memory/2392-79-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\HMEaygO.exe	xmrig
C:\Windows\system\vJyPhlL.exe	xmrig
C:\Windows\system\lXHmJGV.exe	xmrig
C:\Windows\system\rjyzDHi.exe	xmrig
\Windows\system\gJMlvsq.exe	xmrig
C:\Windows\system\gaqGvCx.exe	xmrig
C:\Windows\system\MoKSPBB.exe	xmrig
C:\Windows\system\KSJEkxd.exe	xmrig
behavioral1/memory/2516-130-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2784-99-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2732-98-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\XbYuMgf.exe	xmrig
C:\Windows\system\sZTeFMp.exe	xmrig
behavioral1/memory/2584-131-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3016-55-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2584-64-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\iurXShX.exe	xmrig
\Windows\system\eeDGtZx.exe	xmrig
behavioral1/memory/2732-53-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2108-49-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2624-46-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2108-132-0x00000000025E0000-0x0000000002932000-memory.dmp	xmrig
behavioral1/memory/3056-133-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2392-135-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2888-137-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2828-138-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/1748-139-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3016-140-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2612-141-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2100-142-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2624-143-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3012-144-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2732-145-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2584-147-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2516-146-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2784-148-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2392-149-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/3056-150-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2888-151-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2828-152-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bmkUKQm.exeecRGPzA.exeytAKbnY.exeQVZETky.exeOswcgFk.exesLEKpwX.exeeeDGtZx.exeoxHoalt.exeQaidTeV.exeiurXShX.exesZTeFMp.exedlhwdHh.exeHMEaygO.exeXbYuMgf.exevJyPhlL.exeKSJEkxd.exeMoKSPBB.exelXHmJGV.exegaqGvCx.exerjyzDHi.exegJMlvsq.exe

pid	process
1748	bmkUKQm.exe
3016	ecRGPzA.exe
2100	ytAKbnY.exe
2612	QVZETky.exe
2624	OswcgFk.exe
3012	sLEKpwX.exe
2732	eeDGtZx.exe
2784	oxHoalt.exe
2516	QaidTeV.exe
2584	iurXShX.exe
3056	sZTeFMp.exe
2392	dlhwdHh.exe
2888	HMEaygO.exe
2828	XbYuMgf.exe
2916	vJyPhlL.exe
3020	KSJEkxd.exe
2244	MoKSPBB.exe
1192	lXHmJGV.exe
1996	gaqGvCx.exe
1920	rjyzDHi.exe
2824	gJMlvsq.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

pid	process
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2108-2-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\bmkUKQm.exe	upx
behavioral1/memory/1748-9-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\ecRGPzA.exe	upx
C:\Windows\system\ytAKbnY.exe	upx
\Windows\system\QVZETky.exe	upx
behavioral1/memory/2612-27-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\OswcgFk.exe	upx
C:\Windows\system\sLEKpwX.exe	upx
behavioral1/memory/3012-48-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\oxHoalt.exe	upx
behavioral1/memory/2516-62-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2100-65-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\dlhwdHh.exe	upx
\Windows\system\QaidTeV.exe	upx
behavioral1/memory/2392-79-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\HMEaygO.exe	upx
C:\Windows\system\vJyPhlL.exe	upx
C:\Windows\system\lXHmJGV.exe	upx
C:\Windows\system\rjyzDHi.exe	upx
\Windows\system\gJMlvsq.exe	upx
C:\Windows\system\gaqGvCx.exe	upx
C:\Windows\system\MoKSPBB.exe	upx
C:\Windows\system\KSJEkxd.exe	upx
behavioral1/memory/2516-130-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2784-99-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2732-98-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\XbYuMgf.exe	upx
C:\Windows\system\sZTeFMp.exe	upx
behavioral1/memory/2584-131-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3016-55-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2584-64-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\iurXShX.exe	upx
\Windows\system\eeDGtZx.exe	upx
behavioral1/memory/2732-53-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2108-49-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2624-46-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3056-133-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2392-135-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2888-137-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2828-138-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/1748-139-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3016-140-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2612-141-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2100-142-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2624-143-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3012-144-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2732-145-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2584-147-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2516-146-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2784-148-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2392-149-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/3056-150-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2888-151-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2828-152-0x0000000140000000-0x0000000140352000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\oxHoalt.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XbYuMgf.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MoKSPBB.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gJMlvsq.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bmkUKQm.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QVZETky.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eeDGtZx.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iurXShX.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vJyPhlL.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rjyzDHi.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ecRGPzA.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sLEKpwX.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QaidTeV.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ytAKbnY.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sZTeFMp.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KSJEkxd.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lXHmJGV.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gaqGvCx.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OswcgFk.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dlhwdHh.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HMEaygO.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2108 wrote to memory of 1748	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	bmkUKQm.exe
PID 2108 wrote to memory of 1748	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	bmkUKQm.exe
PID 2108 wrote to memory of 1748	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	bmkUKQm.exe
PID 2108 wrote to memory of 3016	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ecRGPzA.exe
PID 2108 wrote to memory of 3016	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ecRGPzA.exe
PID 2108 wrote to memory of 3016	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ecRGPzA.exe
PID 2108 wrote to memory of 2100	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ytAKbnY.exe
PID 2108 wrote to memory of 2100	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ytAKbnY.exe
PID 2108 wrote to memory of 2100	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	ytAKbnY.exe
PID 2108 wrote to memory of 2612	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QVZETky.exe
PID 2108 wrote to memory of 2612	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QVZETky.exe
PID 2108 wrote to memory of 2612	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QVZETky.exe
PID 2108 wrote to memory of 2732	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	eeDGtZx.exe
PID 2108 wrote to memory of 2732	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	eeDGtZx.exe
PID 2108 wrote to memory of 2732	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	eeDGtZx.exe
PID 2108 wrote to memory of 2624	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OswcgFk.exe
PID 2108 wrote to memory of 2624	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OswcgFk.exe
PID 2108 wrote to memory of 2624	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OswcgFk.exe
PID 2108 wrote to memory of 2784	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	oxHoalt.exe
PID 2108 wrote to memory of 2784	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	oxHoalt.exe
PID 2108 wrote to memory of 2784	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	oxHoalt.exe
PID 2108 wrote to memory of 3012	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sLEKpwX.exe
PID 2108 wrote to memory of 3012	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sLEKpwX.exe
PID 2108 wrote to memory of 3012	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sLEKpwX.exe
PID 2108 wrote to memory of 2516	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QaidTeV.exe
PID 2108 wrote to memory of 2516	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QaidTeV.exe
PID 2108 wrote to memory of 2516	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QaidTeV.exe
PID 2108 wrote to memory of 2584	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	iurXShX.exe
PID 2108 wrote to memory of 2584	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	iurXShX.exe
PID 2108 wrote to memory of 2584	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	iurXShX.exe
PID 2108 wrote to memory of 3056	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sZTeFMp.exe
PID 2108 wrote to memory of 3056	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sZTeFMp.exe
PID 2108 wrote to memory of 3056	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sZTeFMp.exe
PID 2108 wrote to memory of 2392	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dlhwdHh.exe
PID 2108 wrote to memory of 2392	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dlhwdHh.exe
PID 2108 wrote to memory of 2392	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dlhwdHh.exe
PID 2108 wrote to memory of 2888	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	HMEaygO.exe
PID 2108 wrote to memory of 2888	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	HMEaygO.exe
PID 2108 wrote to memory of 2888	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	HMEaygO.exe
PID 2108 wrote to memory of 2828	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	XbYuMgf.exe
PID 2108 wrote to memory of 2828	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	XbYuMgf.exe
PID 2108 wrote to memory of 2828	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	XbYuMgf.exe
PID 2108 wrote to memory of 2916	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	vJyPhlL.exe
PID 2108 wrote to memory of 2916	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	vJyPhlL.exe
PID 2108 wrote to memory of 2916	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	vJyPhlL.exe
PID 2108 wrote to memory of 3020	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	KSJEkxd.exe
PID 2108 wrote to memory of 3020	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	KSJEkxd.exe
PID 2108 wrote to memory of 3020	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	KSJEkxd.exe
PID 2108 wrote to memory of 2244	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	MoKSPBB.exe
PID 2108 wrote to memory of 2244	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	MoKSPBB.exe
PID 2108 wrote to memory of 2244	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	MoKSPBB.exe
PID 2108 wrote to memory of 1192	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	lXHmJGV.exe
PID 2108 wrote to memory of 1192	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	lXHmJGV.exe
PID 2108 wrote to memory of 1192	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	lXHmJGV.exe
PID 2108 wrote to memory of 1996	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gaqGvCx.exe
PID 2108 wrote to memory of 1996	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gaqGvCx.exe
PID 2108 wrote to memory of 1996	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gaqGvCx.exe
PID 2108 wrote to memory of 1920	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	rjyzDHi.exe
PID 2108 wrote to memory of 1920	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	rjyzDHi.exe
PID 2108 wrote to memory of 1920	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	rjyzDHi.exe
PID 2108 wrote to memory of 2824	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gJMlvsq.exe
PID 2108 wrote to memory of 2824	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gJMlvsq.exe
PID 2108 wrote to memory of 2824	2108	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	gJMlvsq.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108

C:\Windows\System\bmkUKQm.exe
C:\Windows\System\bmkUKQm.exe
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\System\ecRGPzA.exe
C:\Windows\System\ecRGPzA.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\ytAKbnY.exe
C:\Windows\System\ytAKbnY.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\QVZETky.exe
C:\Windows\System\QVZETky.exe
2⤵
- Executes dropped EXE
PID:2612

C:\Windows\System\eeDGtZx.exe
C:\Windows\System\eeDGtZx.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\OswcgFk.exe
C:\Windows\System\OswcgFk.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\oxHoalt.exe
C:\Windows\System\oxHoalt.exe
2⤵
- Executes dropped EXE
PID:2784

C:\Windows\System\sLEKpwX.exe
C:\Windows\System\sLEKpwX.exe
2⤵
- Executes dropped EXE
PID:3012

C:\Windows\System\QaidTeV.exe
C:\Windows\System\QaidTeV.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\iurXShX.exe
C:\Windows\System\iurXShX.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\sZTeFMp.exe
C:\Windows\System\sZTeFMp.exe
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\System\dlhwdHh.exe
C:\Windows\System\dlhwdHh.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\HMEaygO.exe
C:\Windows\System\HMEaygO.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\XbYuMgf.exe
C:\Windows\System\XbYuMgf.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\vJyPhlL.exe
C:\Windows\System\vJyPhlL.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\KSJEkxd.exe
C:\Windows\System\KSJEkxd.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\System\MoKSPBB.exe
C:\Windows\System\MoKSPBB.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\System\lXHmJGV.exe
C:\Windows\System\lXHmJGV.exe
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\System\gaqGvCx.exe
C:\Windows\System\gaqGvCx.exe
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\System\rjyzDHi.exe
C:\Windows\System\rjyzDHi.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\System\gJMlvsq.exe
C:\Windows\System\gJMlvsq.exe
2⤵
- Executes dropped EXE
PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KSJEkxd.exe
Filesize
8.3MB

MD5
8e6ed0d68e6edb072b39aaa4d725a207

SHA1
4f59b7cc23f6ea3445ceb53bf9f8678bb67e6fcd

SHA256
065030434273e70c5ae2f3fb71c947ba45d8c70dbe6ba98180407a867b5b347b

SHA512
320f213637ab0a0c970a32f620a01c9aaf3f6806c742bc199b8b270a624bee3bd410b491e52c1cb163252274e205f8f9193a2dfda1fdba03cd2fb9b5b54f8384

Download Submit
C:\Windows\system\MoKSPBB.exe
Filesize
8.3MB

MD5
bd837bba7b9b96309240084eabffcfdc

SHA1
0680d632bc1014f2989805c6a7afac9dbbf91f02

SHA256
febb01aea2a641fd33cdffe19698d89cba3d6d868f44f4760fc12cbe4f5d3cb5

SHA512
d62236655d9eb6238b5b43740d9c61ba9dd71fdaafbb0c01ad8e2e4634dc11a6f5c14d8d8578b751b99e31aeb91cbf0a7c5053cc1ae12b8d2da8bd70608e1d75

Download Submit
C:\Windows\system\OswcgFk.exe
Filesize
8.3MB

MD5
536ec6e791c022668a997fa59ba11dcf

SHA1
da90625aed550ac5cbb078d25f3b3d6161fb582a

SHA256
e96402b418625e55df6c7df18dee4ce8c47a974026f16728a71ba975441128b4

SHA512
e667c3c67d5b88e201c289a25204d217ac6c8945d5c3e01162a3aa0c8c484aa43799ebc6226d2d17927c88d634d7ce41ac762a19407c92f0b075c643975e7751

Download Submit
C:\Windows\system\XbYuMgf.exe
Filesize
8.3MB

MD5
8fbbc4e12ff24de8229f701529679709

SHA1
a5098f6e98a2a1c9880288a720b9cb61717437b6

SHA256
369b794e7cbdd5e8c29db3f4e047be6b25c303f0a9cc2d214bab5dfd137d200b

SHA512
d0979d1efd7bbbbd65eb1ee2518a9bbcb67fbf0e4e3ff72b3f269f48cd597f61a22ffac14eb628f8e668300b0783be1675a8361bd16135a6ae76d401089ee73e

Download Submit
C:\Windows\system\dlhwdHh.exe
Filesize
8.3MB

MD5
100305138440719f7721c44eb4d8fb7f

SHA1
417690daaecb38aa0c010afb44242d5ac934a532

SHA256
a141c220baed24cc7aaa34f4d5023ac65e6739247c5fb81665dfe27250067fee

SHA512
0140030b7e007e5117d2fc36d72100431f15bdbb35cdd91e7bc7912cac5e3af6a8538c61366781b57bfda115ded6d1e99968ac8f341b14591bcaff42f5fcb7c4

Download Submit
C:\Windows\system\ecRGPzA.exe
Filesize
8.3MB

MD5
46c9fd827917d554c6d72a8c030fed88

SHA1
6ff59fc0c66390c7c8428b7e443c6e94056dcac0

SHA256
270bed44fa395c498d402af8be5f5250f1b733d932a3c369f72f7cae5b3fce37

SHA512
5f3a5fc57f57792f93c1c65ba5a219e0278f8fb145fc1965433c523cb5d7fb1e6dd1891f16efea44af9634bdf0a6438369f35abf6668ffe0ce8c991fa8239302

Download Submit
C:\Windows\system\gaqGvCx.exe
Filesize
8.3MB

MD5
d7ee4fddc2f3adaae29661dc50226b05

SHA1
6c52ddd3963980dbec6baf2b8e343b8e72f27704

SHA256
126da0306c95d541faef0809fd8a0d6ac975b898999be59cc4b2257ac06fb45b

SHA512
04641829145be00a8adc57be9fdfde649ac2661d3a31325b0cb8efb758c27501c34254f42fe4312e183e99d47ac2225fb76ea6ac0f0a8805a4f6b61d09a806b6

Download Submit
C:\Windows\system\iurXShX.exe
Filesize
8.3MB

MD5
9e4ca354bd5342e306459508d3e2072c

SHA1
24e296fc2c71f7ae861a7229238f8fa5d54eb62e

SHA256
9f84bec65fb9136f325226bc356a6869d3e24ec85fe343d8e1a9dd1b30c416e5

SHA512
935bb93704e573b77f463f4629a661d2470ceb2cead3e1ede6caffcbfe3e1bb7e96b0d83840e0b06c2d75b0da8825900b9608b28216404d3042ee08c297c286a

Download Submit
C:\Windows\system\lXHmJGV.exe
Filesize
8.3MB

MD5
fa2cd06262afcbdcdc79b6b5925db243

SHA1
4d09211110914bbba18ec5e6594f32fb67b72476

SHA256
c18ae558edacf2c39e6b32c535599f4ac6291356c417cd3c5272e6e7f2eec691

SHA512
409706e76843121899f5b16d2fc1fd680bf75769c30be1944574e72c43d94f822de63bff0bd36ea11d816e539176d6660ae7fe89e0c2894345d2fb895ed58790

Download Submit
C:\Windows\system\oxHoalt.exe
Filesize
8.3MB

MD5
5072e8b65eeddb981c7a0c571f3480eb

SHA1
0ca9b8981e3e4ed1f723e2fcbf76545f1dc428a5

SHA256
23bfd87e87368d7833f1aa55665beac652572215ade3081304582a73c2ed406f

SHA512
5b60d85870808891f3d0b8480fd7f140cd0222d487f7ca0fbea96e4495ec5630aa0fbab532dc5069623b622ccb57622c821ecff1ab6badac869d02e3e11d1175

Download Submit
C:\Windows\system\rjyzDHi.exe
Filesize
8.3MB

MD5
8bf040cbc61b5b2151b30d8b72023870

SHA1
57c754df144daa96a50baebd82725662951b12d6

SHA256
65aa4692f6c615bcde5f0fe23c079d254e950b8edb182588785c874426a60f6a

SHA512
0777016450de7ed210039a3db0dde492eb898c59be60e313edd2cb982f8829a7ad031982339f115bf4f79c7282aacc9119dadaaed6440e36dda2b3a6634e6ccc

Download Submit
C:\Windows\system\sLEKpwX.exe
Filesize
8.3MB

MD5
7619ae1358929ca074f82d3573efed2b

SHA1
a71d1cc110aa9afbf9d0e4c5a64df9a4581d9518

SHA256
2d65b93282c9d3bef44bd181cbcb3ddba59822fdde586aa41087748a4d62820d

SHA512
0febcceb978e90a3ff679c48b3c174bef52e5598ad80dbe9e1a23dfaf9d062276e0efc50a3f4b9bf4b1355a36098297cda71e72e7ef28a7e5ae673c2c8310666

Download Submit
C:\Windows\system\sZTeFMp.exe
Filesize
8.3MB

MD5
885e9e77d0eb658ef7ebedc7a2160fc8

SHA1
13b85fa0c50cfb8559a2cf89d89a155d173ca1b1

SHA256
f56f502ce3aebbc1815ffdee1327f9f055ea0e028626ce90e93d774f44d732b4

SHA512
46bd857da4adce63429ca46cce91153805db02a661505dbb567405816a5ae5f9610a29e1fd510caf9235435c4fdaf2cd4f0d6ac15fccc69d3e298f6b66ce1a90

Download Submit
C:\Windows\system\vJyPhlL.exe
Filesize
8.3MB

MD5
f791d2ab05c17dbd578574b99ee4632d

SHA1
8dec0ebece2c4539297cd69397dfa5f1bbaaa649

SHA256
f0b8757f7cae414f8ac88a2081a72b90b0f3740b34452eb31e8d6fe6c6f572ef

SHA512
8eeb0995c90d3c6240102253b40807185b2cc0160d46ab8ae56181f53ec9f74f19e6334efe4038395feb5435908d6e6b941cf2aca2947fbcb336ba0bd86c6a28

Download Submit
C:\Windows\system\ytAKbnY.exe
Filesize
8.3MB

MD5
41afe342d70b162480b059382188d15f

SHA1
4aa20447964d60071f6e8b1c815de47f1d034817

SHA256
a9a615abce0e2085aa46b417f7a699617bd882fac4fa23c0a79d023c0f998a78

SHA512
e24401411cd86b10a28b53a98567fab62521d0aa0d754b5e310eb79fd38f969bb6d2a9e2fe52c8f564b2e9d698ad0a1d8f0d54a0a6f24acc404173a32496b5a8

Download Submit
\Windows\system\HMEaygO.exe
Filesize
8.3MB

MD5
237ddfd6496d6187004532f494f2976d

SHA1
1ed412d6a9c352491cd89ecfe5ce8540aaedb063

SHA256
d797b6e0f5f413d9d1de6c11dd220e1c5c9430d370017ecf2321c3d572f2cef4

SHA512
6cdfe59cb8c7ec4a0eaa0534e321282179f3f7c3937c6018d6a51085dbe61acb1b14ebf03b1df56c0d2f549fb0c2b6918d12643e53d9864b25ff8ea5dc261cb3

Download Submit
\Windows\system\QVZETky.exe
Filesize
8.3MB

MD5
514996bdef85ff1ebf00c60af069ce56

SHA1
b524f1e5ee53272d3e97b6ed1a0ae8ff520a400c

SHA256
9e750e5017d188e141b7787b1ece9c64f2d72f428aa1a6fe06ff9805c5262e61

SHA512
af01dc147461b7f19dc6eaf6d863f04d232e5ea3fde695c09fcfc1621fc359394f73256e678b0e3bf715fbaa8646d9fe836b8b5758cb542561b14bb21a0abb8e

Download Submit
\Windows\system\QaidTeV.exe
Filesize
8.3MB

MD5
50d95bc745e2e55d07a13f86e07c9630

SHA1
c97dffd9b60f7c7cc2b67e867eb5d1b785f12625

SHA256
f8cfb0c7b0a22b759b8174cd1e951b8099dbf92b99830e240a91db6e333172d8

SHA512
509ddcd9453e16f97d7758f249a1c79dc66290276e50010921f9c3b2be2d2eeae1fac9c4597d8d9dea6206b7676b73f09258e1722b0c16568cd189a439694dba

Download Submit
\Windows\system\bmkUKQm.exe
Filesize
8.3MB

MD5
0f7d6cd02698305cb57dbba35b69e7db

SHA1
9fd704af0d49b6bc0120fa1f189916f5b0f8fdf4

SHA256
4973e6dac4d5436033f800ce08417e7cc86e77e2edd0aa76b9fc1cc4f07904eb

SHA512
1f632c3c2e02c5191d0bcbc4d9027d5e23dbac360a5112d4d5b8dc56f579211966cfb36a061b0b3bc2efcc2ade999843e90e194cbfa52f48065dda5a5b659c40

Download Submit
\Windows\system\eeDGtZx.exe
Filesize
8.3MB

MD5
461909fe4ad64fcf15b7018e605ae2cc

SHA1
fd4d7c284e119bb3a68427404f55f50d13a6e5fe

SHA256
72aaba4cfc750ca67e7c2bd8e3bdb94c52a33acd3e9412b63b59623bac4740de

SHA512
bd767be2e0d3f3b792cd38a686a1ea39eecf25a5bd39d1daff329c48d58a80d7b85a0ae9586660e34986379fff035b51c46a0c118acef48983998f8df10d96fc

Download Submit
\Windows\system\gJMlvsq.exe
Filesize
8.3MB

MD5
e600acf9cb9919726199a8c445cd4e94

SHA1
59b5d668cb901455a2c65b8e7b391ca5a6a9090b

SHA256
5b5490ef8800a6f9dc6dce7f013682dcd71518dcd2c64e678a9be5124034d4e5

SHA512
f04bc63848e1ee1d85e735f7fee35729711af415952b69c7ec37f3308ff4b535311fc6447ec91a30ef1a0b6803472242a8be3ee3192106ddad9f345b17168604

Download Submit
memory/1748-139-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/1748-9-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2100-142-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2100-65-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2108-136-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-7-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-66-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-2-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2108-47-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-45-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-0-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2108-26-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-19-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-49-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2108-86-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-91-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-14-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-132-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-71-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2108-134-0x00000000025E0000-0x0000000002932000-memory.dmp

Filesize
3.3MB

Download
memory/2392-79-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2392-135-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2392-149-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2516-62-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2516-146-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2516-130-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-131-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-64-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2584-147-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2612-141-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2612-27-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2624-46-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2624-143-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2732-53-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2732-98-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2732-145-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2784-99-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2784-148-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2828-138-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2828-152-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2888-137-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2888-151-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3012-48-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3012-144-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3016-55-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3016-140-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3056-133-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/3056-150-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download