cobaltstrike | 5e278a66866d6f8400feed8ce39ddd054ca66f44eb4863e8413be3747c75fc47

Analysis

max time kernel
134s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

bdcf7011b39693b29005641888b51532
SHA1

022c614ccd250c2a3d98e9d18dd506420a40263f
SHA256

5e278a66866d6f8400feed8ce39ddd054ca66f44eb4863e8413be3747c75fc47
SHA512

b0a3a883bb84fc2ffc0f51f51ca5b63280a0e29c4406e4ec3889c44e875bd1ace5ec3285100186be8f58ed519c7760fc20dfe900f3363567b4a21d02a0a34c33
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUz:v+D56utgpPF8u/7z

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\qyuYkJz.exe	cobalt_reflective_dll
\Windows\system\ensKbla.exe	cobalt_reflective_dll
C:\Windows\system\qtewrDV.exe	cobalt_reflective_dll
\Windows\system\LDznGHQ.exe	cobalt_reflective_dll
C:\Windows\system\MRiImes.exe	cobalt_reflective_dll
C:\Windows\system\XlzmtYd.exe	cobalt_reflective_dll
C:\Windows\system\gJxqCtX.exe	cobalt_reflective_dll
C:\Windows\system\hPJyYbY.exe	cobalt_reflective_dll
C:\Windows\system\rJBIZBG.exe	cobalt_reflective_dll
C:\Windows\system\ITMttCt.exe	cobalt_reflective_dll
C:\Windows\system\SrZynRX.exe	cobalt_reflective_dll
C:\Windows\system\NNjqCiB.exe	cobalt_reflective_dll
\Windows\system\mtTqoNY.exe	cobalt_reflective_dll
C:\Windows\system\SclEoyF.exe	cobalt_reflective_dll
C:\Windows\system\ZisYrhc.exe	cobalt_reflective_dll
C:\Windows\system\PydGwnm.exe	cobalt_reflective_dll
C:\Windows\system\hPlkFgw.exe	cobalt_reflective_dll
C:\Windows\system\GEmWtKn.exe	cobalt_reflective_dll
C:\Windows\system\HgyZCko.exe	cobalt_reflective_dll
C:\Windows\system\ioajoFv.exe	cobalt_reflective_dll
C:\Windows\system\CYVVdzx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\qyuYkJz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ensKbla.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qtewrDV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LDznGHQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MRiImes.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XlzmtYd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gJxqCtX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hPJyYbY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rJBIZBG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ITMttCt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SrZynRX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NNjqCiB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\mtTqoNY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SclEoyF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZisYrhc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PydGwnm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\hPlkFgw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GEmWtKn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HgyZCko.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ioajoFv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CYVVdzx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\qyuYkJz.exe	UPX
behavioral1/memory/2952-9-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
\Windows\system\ensKbla.exe	UPX
C:\Windows\system\qtewrDV.exe	UPX
\Windows\system\LDznGHQ.exe	UPX
C:\Windows\system\MRiImes.exe	UPX
C:\Windows\system\XlzmtYd.exe	UPX
C:\Windows\system\gJxqCtX.exe	UPX
C:\Windows\system\hPJyYbY.exe	UPX
C:\Windows\system\rJBIZBG.exe	UPX
C:\Windows\system\ITMttCt.exe	UPX
C:\Windows\system\SrZynRX.exe	UPX
C:\Windows\system\NNjqCiB.exe	UPX
\Windows\system\mtTqoNY.exe	UPX
C:\Windows\system\SclEoyF.exe	UPX
C:\Windows\system\ZisYrhc.exe	UPX
C:\Windows\system\PydGwnm.exe	UPX
C:\Windows\system\hPlkFgw.exe	UPX
behavioral1/memory/2136-110-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2576-112-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2668-114-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2596-116-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2480-118-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2468-119-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2704-120-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2500-121-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2496-122-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/868-124-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2740-125-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2376-123-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2848-117-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
C:\Windows\system\GEmWtKn.exe	UPX
C:\Windows\system\HgyZCko.exe	UPX
C:\Windows\system\ioajoFv.exe	UPX
C:\Windows\system\CYVVdzx.exe	UPX
behavioral1/memory/2112-126-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2952-127-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2740-128-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2576-129-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2136-130-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2668-131-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2596-132-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2848-133-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2480-134-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2468-135-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2704-136-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2500-137-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2496-138-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/2376-139-0x0000000140000000-0x0000000140352000-memory.dmp	UPX
behavioral1/memory/868-140-0x0000000140000000-0x0000000140352000-memory.dmp	UPX

XMRig Miner payload 51 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\qyuYkJz.exe	xmrig
behavioral1/memory/2952-9-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
\Windows\system\ensKbla.exe	xmrig
C:\Windows\system\qtewrDV.exe	xmrig
\Windows\system\LDznGHQ.exe	xmrig
C:\Windows\system\MRiImes.exe	xmrig
C:\Windows\system\XlzmtYd.exe	xmrig
C:\Windows\system\gJxqCtX.exe	xmrig
C:\Windows\system\hPJyYbY.exe	xmrig
C:\Windows\system\rJBIZBG.exe	xmrig
C:\Windows\system\ITMttCt.exe	xmrig
C:\Windows\system\SrZynRX.exe	xmrig
C:\Windows\system\NNjqCiB.exe	xmrig
\Windows\system\mtTqoNY.exe	xmrig
C:\Windows\system\SclEoyF.exe	xmrig
C:\Windows\system\ZisYrhc.exe	xmrig
C:\Windows\system\PydGwnm.exe	xmrig
C:\Windows\system\hPlkFgw.exe	xmrig
behavioral1/memory/2136-110-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2576-112-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2668-114-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2596-116-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2480-118-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2468-119-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2704-120-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2500-121-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2496-122-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/868-124-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2740-125-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2376-123-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2848-117-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
C:\Windows\system\GEmWtKn.exe	xmrig
C:\Windows\system\HgyZCko.exe	xmrig
C:\Windows\system\ioajoFv.exe	xmrig
C:\Windows\system\CYVVdzx.exe	xmrig
behavioral1/memory/2112-126-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2952-127-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2740-128-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2576-129-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2136-130-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2668-131-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2596-132-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2848-133-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2480-134-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2468-135-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2704-136-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2500-137-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2496-138-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/2376-139-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig
behavioral1/memory/868-140-0x0000000140000000-0x0000000140352000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

qyuYkJz.exeensKbla.exeqtewrDV.exeLDznGHQ.exeMRiImes.exeXlzmtYd.exeCYVVdzx.exegJxqCtX.exehPJyYbY.exerJBIZBG.exeITMttCt.exeSrZynRX.exeioajoFv.exeHgyZCko.exeGEmWtKn.exehPlkFgw.exePydGwnm.exeZisYrhc.exeSclEoyF.exeNNjqCiB.exemtTqoNY.exe

pid	process
2952	qyuYkJz.exe
2740	ensKbla.exe
2136	qtewrDV.exe
2576	LDznGHQ.exe
2668	MRiImes.exe
2596	XlzmtYd.exe
2848	CYVVdzx.exe
2480	gJxqCtX.exe
2468	hPJyYbY.exe
2704	rJBIZBG.exe
2500	ITMttCt.exe
2496	SrZynRX.exe
2376	ioajoFv.exe
868	HgyZCko.exe
1932	GEmWtKn.exe
2688	hPlkFgw.exe
2792	PydGwnm.exe
2752	ZisYrhc.exe
2812	SclEoyF.exe
2824	NNjqCiB.exe
1324	mtTqoNY.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

pid	process
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2112-0-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\qyuYkJz.exe	upx
behavioral1/memory/2112-8-0x0000000002670000-0x00000000029C2000-memory.dmp	upx
behavioral1/memory/2952-9-0x0000000140000000-0x0000000140352000-memory.dmp	upx
\Windows\system\ensKbla.exe	upx
C:\Windows\system\qtewrDV.exe	upx
\Windows\system\LDznGHQ.exe	upx
C:\Windows\system\MRiImes.exe	upx
C:\Windows\system\XlzmtYd.exe	upx
C:\Windows\system\gJxqCtX.exe	upx
C:\Windows\system\hPJyYbY.exe	upx
C:\Windows\system\rJBIZBG.exe	upx
C:\Windows\system\ITMttCt.exe	upx
C:\Windows\system\SrZynRX.exe	upx
C:\Windows\system\NNjqCiB.exe	upx
\Windows\system\mtTqoNY.exe	upx
C:\Windows\system\SclEoyF.exe	upx
C:\Windows\system\ZisYrhc.exe	upx
C:\Windows\system\PydGwnm.exe	upx
C:\Windows\system\hPlkFgw.exe	upx
behavioral1/memory/2136-110-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2576-112-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2668-114-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2596-116-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2480-118-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2468-119-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2704-120-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2500-121-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2496-122-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/868-124-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2740-125-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2376-123-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2848-117-0x0000000140000000-0x0000000140352000-memory.dmp	upx
C:\Windows\system\GEmWtKn.exe	upx
C:\Windows\system\HgyZCko.exe	upx
C:\Windows\system\ioajoFv.exe	upx
C:\Windows\system\CYVVdzx.exe	upx
behavioral1/memory/2112-126-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2952-127-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2740-128-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2576-129-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2136-130-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2668-131-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2596-132-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2848-133-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2480-134-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2468-135-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2704-136-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2500-137-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2496-138-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/2376-139-0x0000000140000000-0x0000000140352000-memory.dmp	upx
behavioral1/memory/868-140-0x0000000140000000-0x0000000140352000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\MRiImes.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XlzmtYd.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPlkFgw.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GEmWtKn.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PydGwnm.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SclEoyF.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LDznGHQ.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gJxqCtX.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPJyYbY.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rJBIZBG.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ioajoFv.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SrZynRX.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HgyZCko.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NNjqCiB.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qyuYkJz.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ensKbla.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qtewrDV.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CYVVdzx.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ITMttCt.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZisYrhc.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mtTqoNY.exe	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2112 wrote to memory of 2952	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qyuYkJz.exe
PID 2112 wrote to memory of 2952	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qyuYkJz.exe
PID 2112 wrote to memory of 2952	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qyuYkJz.exe
PID 2112 wrote to memory of 2740	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ensKbla.exe
PID 2112 wrote to memory of 2740	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ensKbla.exe
PID 2112 wrote to memory of 2740	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ensKbla.exe
PID 2112 wrote to memory of 2136	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qtewrDV.exe
PID 2112 wrote to memory of 2136	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qtewrDV.exe
PID 2112 wrote to memory of 2136	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	qtewrDV.exe
PID 2112 wrote to memory of 2576	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	LDznGHQ.exe
PID 2112 wrote to memory of 2576	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	LDznGHQ.exe
PID 2112 wrote to memory of 2576	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	LDznGHQ.exe
PID 2112 wrote to memory of 2668	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	MRiImes.exe
PID 2112 wrote to memory of 2668	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	MRiImes.exe
PID 2112 wrote to memory of 2668	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	MRiImes.exe
PID 2112 wrote to memory of 2596	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	XlzmtYd.exe
PID 2112 wrote to memory of 2596	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	XlzmtYd.exe
PID 2112 wrote to memory of 2596	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	XlzmtYd.exe
PID 2112 wrote to memory of 2848	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	CYVVdzx.exe
PID 2112 wrote to memory of 2848	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	CYVVdzx.exe
PID 2112 wrote to memory of 2848	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	CYVVdzx.exe
PID 2112 wrote to memory of 2480	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	gJxqCtX.exe
PID 2112 wrote to memory of 2480	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	gJxqCtX.exe
PID 2112 wrote to memory of 2480	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	gJxqCtX.exe
PID 2112 wrote to memory of 2468	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPJyYbY.exe
PID 2112 wrote to memory of 2468	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPJyYbY.exe
PID 2112 wrote to memory of 2468	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPJyYbY.exe
PID 2112 wrote to memory of 2704	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	rJBIZBG.exe
PID 2112 wrote to memory of 2704	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	rJBIZBG.exe
PID 2112 wrote to memory of 2704	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	rJBIZBG.exe
PID 2112 wrote to memory of 2500	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ITMttCt.exe
PID 2112 wrote to memory of 2500	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ITMttCt.exe
PID 2112 wrote to memory of 2500	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ITMttCt.exe
PID 2112 wrote to memory of 2496	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SrZynRX.exe
PID 2112 wrote to memory of 2496	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SrZynRX.exe
PID 2112 wrote to memory of 2496	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SrZynRX.exe
PID 2112 wrote to memory of 2376	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ioajoFv.exe
PID 2112 wrote to memory of 2376	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ioajoFv.exe
PID 2112 wrote to memory of 2376	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ioajoFv.exe
PID 2112 wrote to memory of 868	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	HgyZCko.exe
PID 2112 wrote to memory of 868	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	HgyZCko.exe
PID 2112 wrote to memory of 868	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	HgyZCko.exe
PID 2112 wrote to memory of 1932	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	GEmWtKn.exe
PID 2112 wrote to memory of 1932	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	GEmWtKn.exe
PID 2112 wrote to memory of 1932	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	GEmWtKn.exe
PID 2112 wrote to memory of 2688	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPlkFgw.exe
PID 2112 wrote to memory of 2688	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPlkFgw.exe
PID 2112 wrote to memory of 2688	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	hPlkFgw.exe
PID 2112 wrote to memory of 2792	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	PydGwnm.exe
PID 2112 wrote to memory of 2792	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	PydGwnm.exe
PID 2112 wrote to memory of 2792	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	PydGwnm.exe
PID 2112 wrote to memory of 2752	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ZisYrhc.exe
PID 2112 wrote to memory of 2752	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ZisYrhc.exe
PID 2112 wrote to memory of 2752	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	ZisYrhc.exe
PID 2112 wrote to memory of 2812	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SclEoyF.exe
PID 2112 wrote to memory of 2812	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SclEoyF.exe
PID 2112 wrote to memory of 2812	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	SclEoyF.exe
PID 2112 wrote to memory of 2824	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	NNjqCiB.exe
PID 2112 wrote to memory of 2824	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	NNjqCiB.exe
PID 2112 wrote to memory of 2824	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	NNjqCiB.exe
PID 2112 wrote to memory of 1324	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	mtTqoNY.exe
PID 2112 wrote to memory of 1324	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	mtTqoNY.exe
PID 2112 wrote to memory of 1324	2112	2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe	mtTqoNY.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_bdcf7011b39693b29005641888b51532_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\System\qyuYkJz.exe
C:\Windows\System\qyuYkJz.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\ensKbla.exe
C:\Windows\System\ensKbla.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\qtewrDV.exe
C:\Windows\System\qtewrDV.exe
2⤵
- Executes dropped EXE
PID:2136

C:\Windows\System\LDznGHQ.exe
C:\Windows\System\LDznGHQ.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\MRiImes.exe
C:\Windows\System\MRiImes.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\XlzmtYd.exe
C:\Windows\System\XlzmtYd.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\CYVVdzx.exe
C:\Windows\System\CYVVdzx.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\gJxqCtX.exe
C:\Windows\System\gJxqCtX.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\hPJyYbY.exe
C:\Windows\System\hPJyYbY.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\rJBIZBG.exe
C:\Windows\System\rJBIZBG.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\ITMttCt.exe
C:\Windows\System\ITMttCt.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\SrZynRX.exe
C:\Windows\System\SrZynRX.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\ioajoFv.exe
C:\Windows\System\ioajoFv.exe
2⤵
- Executes dropped EXE
PID:2376

C:\Windows\System\HgyZCko.exe
C:\Windows\System\HgyZCko.exe
2⤵
- Executes dropped EXE
PID:868

C:\Windows\System\GEmWtKn.exe
C:\Windows\System\GEmWtKn.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\hPlkFgw.exe
C:\Windows\System\hPlkFgw.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\PydGwnm.exe
C:\Windows\System\PydGwnm.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\ZisYrhc.exe
C:\Windows\System\ZisYrhc.exe
2⤵
- Executes dropped EXE
PID:2752

C:\Windows\System\SclEoyF.exe
C:\Windows\System\SclEoyF.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\NNjqCiB.exe
C:\Windows\System\NNjqCiB.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\mtTqoNY.exe
C:\Windows\System\mtTqoNY.exe
2⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CYVVdzx.exe
Filesize
8.3MB

MD5
2c32ae535daaa855a24b2d20372a8535

SHA1
7825a07a225db4627e7deec5a0852b8d3d32c0c5

SHA256
f3d18b72d4f71aa498f7340b90a9a55ee27281510586a4e8071eabb2832ee8ed

SHA512
b8c715e266a36cc3703c6f3a24caf52f7a41e3a2df0636afc78cc7c60c8a3eafee664724f2dd23f72fab8ce5e56253eb86c72937cde55b1a3c644aefe3d388ea

Download Submit
C:\Windows\system\GEmWtKn.exe
Filesize
8.3MB

MD5
4e5a0578643a1647824c2c5a6adddd51

SHA1
a7a1053eb23ca550e4955f85625117418c12e818

SHA256
2bb8cfc8e1b0ea3d2ee04264d3c12eddf5931ecfbe2e21009d3b7354f2202976

SHA512
7f580e29bdbed85f7b9c6ca7613f496e21bdb3c3f5119de05178bed18dd8eca3611dfe8ac2c4a821e4c99ff8afacdb5076a8a5548771e69e68321ef6ca5095a5

Download Submit
C:\Windows\system\HgyZCko.exe
Filesize
8.3MB

MD5
3be6b0c90658341ab587cf20ea485142

SHA1
b4fa0a08d352b98ee962c0e753b554015c85f2e0

SHA256
51c7fc201fe7d5e99b52b45220364b120f68072ab5d5a0778bd4164419a5e6da

SHA512
1117779df795e79040515929d1050a270e345a96fabfea798061ad6e14fe65da227244acc568491b32fbca550ee097e3a6bd72a4829731f9c2952f24724642ec

Download Submit
C:\Windows\system\ITMttCt.exe
Filesize
8.3MB

MD5
0e1fbaf8f38ab90f8d2ecadacb7f7173

SHA1
9f86eb410583b3d7fa56d6f5a05bdade34d745a7

SHA256
438895dcad0fcac3e48c9bb0104379b362d824df08046f07786d91ec04cc32e0

SHA512
5244067148415e0335b22b15009e39fdc368504146bc8f2c700737cdb32fdbc2126e4e6aaea5f9b60b70775aa903929eb26d80a3803dce89edb275079bfb9f12

Download Submit
C:\Windows\system\MRiImes.exe
Filesize
8.3MB

MD5
296ad67bcfff02d9fcb4c5f2bf6d0d08

SHA1
67f5737e9573e4c51ecd0bd5759780965701b1dd

SHA256
9530ea0c2a8d2e621d57421419c1f271acb60781824b562ab685c115fe1b107e

SHA512
2492326dd435419708684000af59005c7c6449ec1021869f797b520ebd2444cf9c72f9474c52ade9a733c6eacb3f0decc66d181304d7c3f73f3cf4c7c1dcbf3b

Download Submit
C:\Windows\system\NNjqCiB.exe
Filesize
8.3MB

MD5
f36a1605d7fabfc34d88e3bcdf9e343d

SHA1
75e6f87660b4fd48e1fff4450cc0f2ce3a84551a

SHA256
bb65a9d731f8ea9a42f49b8dca35dbd243dcfec07af0112711b5cfe3f212703d

SHA512
d90b36c3d0b20cb3aac33546a345d0027072ecb837b6b5318fbf8de8c3ba707f1182e4779ccef61f6d3ddd15660d1b886927d50193826373f9138bfc206e0ad0

Download Submit
C:\Windows\system\PydGwnm.exe
Filesize
8.3MB

MD5
3263f17e650cadf8a68964f9710cfd42

SHA1
8218f8a4d95896909df2f1bb27f59546d1012bbb

SHA256
79701484ee61109e846c511b2d65cd8ac125f3543dac8cbfae801353d307d432

SHA512
9f33f693c33204b45d93e53bb5dcfe0955e4954f059d4518aefb81e74a6e67083ff6486d205bf48b8bcb6b1fa01fedd901e5063efb36e190dca3d316b7044358

Download Submit
C:\Windows\system\SclEoyF.exe
Filesize
8.3MB

MD5
d46b1e811727268b5b62596aeea27c7e

SHA1
04af03a49db722dc0c1009ccac00b9abe575fc07

SHA256
e0652f1737dbffec9c439d852a85245d06390e92280ac212431d044500898452

SHA512
ff880b8dbaf6a3ce18ec138d7c01a082fab28273de60cb03f23ab6fee40f9dffa2170a5d8ad25406c0092fe24d0a2bb1e946efc2ccf187587aa0a430e61d0cf0

Download Submit
C:\Windows\system\SrZynRX.exe
Filesize
8.3MB

MD5
b911fe613196a78a417719194a3c8cfa

SHA1
73254f76a2ba8d45fa44f29d84ee075b05c92b1e

SHA256
43e24ef0bc60991fca216cabd0e89c99c2d6cf4fdec98cd96ad2058d5a1e1c68

SHA512
379ff4bbb9975fb0669af07f440a2f471227886ce5b571badbb8fe7a23b4e7a6c0d6469f5174ca5356f2c092208e7f2b59d6aa2895f5d1d1061bc7cbc26ced06

Download Submit
C:\Windows\system\XlzmtYd.exe
Filesize
8.3MB

MD5
baa28936a6f1af1e55ac01236ce08772

SHA1
5d1b5c5eb7f9578f99eac50fc9ae28294c2e277a

SHA256
d1d28f8afe403e5e3cea3e8f9c77f9f62864f13c51489c8cd39d806c389ae595

SHA512
7347efd2c51e4338d6457cf47de8fc870f385f4fc9d6ef3b777ada16826b9b6d0732130250fa499a77eb7d50dc3dd8aad3ffb962199e7c7f3e788fecf34afa9d

Download Submit
C:\Windows\system\ZisYrhc.exe
Filesize
8.3MB

MD5
e67541c0107a7a9bbd8e073b536c3fed

SHA1
b8da30e89cf7e2e8c1cecbb8776fe12428733b9b

SHA256
1854ad3f15cab1b673d77dcd7323180677398500b4a86992a49bcf5f3e9eb9f9

SHA512
ae60cc00ddc45b45cdedb669ea9db6818ef0ea18c464be010b831b4a7bcb079a700fd0a21f95e38fc01f50d54c8f9f90a769043fa0988418e14acd67c3d684bb

Download Submit
C:\Windows\system\gJxqCtX.exe
Filesize
8.3MB

MD5
d9068ffbaee8bef3a94cdeaafbdb9b1c

SHA1
fdc30931b0b9dc01bfa3a39f97c5db2b111f34e5

SHA256
e59b5017d57935a350d54b91bfe6aaa3862a6d7f78896401a66564cb9aa13348

SHA512
861585e487c24402b67f9562430bb3bd8f665adf2f0e538a6eea2aa290c12a5113d2ade7aff05d4505bb19d94898fadc33d0483f73ce9df8034ce1104ac9816d

Download Submit
C:\Windows\system\hPJyYbY.exe
Filesize
8.3MB

MD5
5a0b510ff45813c86645714bc7eb2e8e

SHA1
640f5bb6f2645cfe2f7ae37b217321542e2f5828

SHA256
9db034a927f5d312ee4e627bf052d13ada209fb94fe1f22acc49e8a692e05585

SHA512
857ead4e4e353f3ccbea6d4f7ffc006a2a4c5abef17b9a101c618b16c8d903e6bbba40258d4242d219a42ad3673afe0fc26a400454a13a5fc2de70de22b70ccf

Download Submit
C:\Windows\system\hPlkFgw.exe
Filesize
8.3MB

MD5
71473d1cff4af9b1ecd560034a027375

SHA1
491f9f6b8574a35827f1efaf4d1163f17a288d86

SHA256
05c5ede292c6954efbcfe0ea6782784b994b2b00ae5bbf766363f9f7f0c34572

SHA512
5fdd449f57d9377f6f99684ec649ed36e45836579fe3effe3c109a9a5e6251f5c0caa1ea277087105e3326d969e479e2e065447ac339fe52939bd94b40d63e43

Download Submit
C:\Windows\system\ioajoFv.exe
Filesize
8.3MB

MD5
03934bedc20171c5f1800d825a71c1fd

SHA1
512a1d7cccd715bd7257f9682042d0a67a8cfae6

SHA256
ca7fd9950e49db32110ffd9663cd70e4c95b5b1006325db520f38131ee316081

SHA512
7fa044acad9d867eca40557e504c575c90f4e750cdf0578d86210dc3e2f09ca9979d4459e4679456ab1a14d4916b4e52a76feef5001576d46929020ba4c53942

Download Submit
C:\Windows\system\qtewrDV.exe
Filesize
8.3MB

MD5
4c26da7007850bc3326c9f8fd829c201

SHA1
a8a0261c4222634465f1261cbf532fa8a84d0db0

SHA256
049a24392e2671a7e6e506ad776a7cb5665d5d11e5de2d6ef67879e7d5293fc3

SHA512
1f73a4a0bc19184264e48313c157bf67c1ca9eed843dd5ce881b437728514ab43c4da1c701ae0b98b4eaa97066cdf8c4edc847ec498a7ddfad3337527406c565

Download Submit
C:\Windows\system\rJBIZBG.exe
Filesize
8.3MB

MD5
d0e4ec855c1e70bb8295b59c342f765e

SHA1
e26117235b7f7b54abdb361dda8fbd375986c724

SHA256
5e32b1527e4c11c963099907842e6ad143e3b6258af01051f81985bb3921012d

SHA512
01ee3628e3dd87373c4023c724e79e543ec822013aaf2b415b02c4053996556549e120959fdae93713e466d7b290eded18838622cdea53c6b782505baffbcd49

Download Submit
\Windows\system\LDznGHQ.exe
Filesize
8.3MB

MD5
038d1b4495d47a40766d7f04f7fad9b2

SHA1
4b6e5776d0bc8b93054412f08514e222deff47a2

SHA256
b711fbbbd167ead68611631e27d773e5322acfcb9c8f52f1a1c97dfcaf88f65b

SHA512
034924144d12b1f0768f9f4a867a1442ab41db54c9965ae60df199b8ff5d90709289c0f1b25f13fcf2937b237b9376caf1c1322e1fd68c86710d5a44ea6d7a7e

Download Submit
\Windows\system\ensKbla.exe
Filesize
8.3MB

MD5
2b4511ad722fcf62827722da26457935

SHA1
0e86c1d694b70e19143a56922f143e4e15426cb8

SHA256
a411bc8d3c641339ae4d11826ba572772ee8f0237c69a0bd9ba5987c7b173a34

SHA512
707937dd14a7d17bd3b9c3dcbe39b79014e0a1daca6ef9717c811f93609cf705eec7eb6043a0526fa7136a05a4c03956e234d91694622bc55bf05b7ea0019220

Download Submit
\Windows\system\mtTqoNY.exe
Filesize
8.3MB

MD5
de0904b54fe3fbdaac2a663acf2b1194

SHA1
1c37489836a0f48c9ae72d1fd9b454fe728f0bfc

SHA256
50e5611e87ddbec443132ecf36d0ef4d60ac3cbe616bd1ef9592e11e383b53ea

SHA512
425a9806bd51c9640b3143952f594de62f92289cd26f6a3690aecbac14239e94a1ee47bb0e2c7c15808495e2cd82ba8ac5281147cc77d1253a10e00423cc01b3

Download Submit
\Windows\system\qyuYkJz.exe
Filesize
8.3MB

MD5
7672519e9a5b4efb4d00207105c8b638

SHA1
0010bf0e843085bed2b442acb4b29a63f7deaba8

SHA256
6fa26ec0dea8f78f2518db93b24230315bfd8f9b437c3076582542bb374ea68d

SHA512
e101bf7aa078c2012590c72e9c128c5d7cb96de56cd076ca63f26d8fff14561051bcd363926df27d1245c48d7f14f93609d7cc580c6bd7429e4d7aef6046fe1c

Download Submit
memory/868-124-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/868-140-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2112-126-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2112-113-0x0000000002670000-0x00000000029C2000-memory.dmp

Filesize
3.3MB

Download
memory/2112-115-0x0000000002670000-0x00000000029C2000-memory.dmp

Filesize
3.3MB

Download
memory/2112-0-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2112-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2112-8-0x0000000002670000-0x00000000029C2000-memory.dmp

Filesize
3.3MB

Download
memory/2112-109-0x0000000002670000-0x00000000029C2000-memory.dmp

Filesize
3.3MB

Download
memory/2112-111-0x0000000002670000-0x00000000029C2000-memory.dmp

Filesize
3.3MB

Download
memory/2136-130-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2136-110-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2376-139-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2376-123-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2468-135-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2468-119-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2480-134-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2480-118-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2496-138-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2496-122-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2500-137-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2500-121-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2576-112-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2576-129-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2596-132-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2596-116-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2668-131-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2668-114-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2704-136-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2704-120-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2740-128-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2740-125-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2848-133-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2848-117-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2952-127-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download
memory/2952-9-0x0000000140000000-0x0000000140352000-memory.dmp

Filesize
3.3MB

Download