cobaltstrike | 0e775569043bf16b256b65e9c8e5c205f6ffd4e3a5fecfb8359c6eccb6d031ed

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d3f9a34739d22843f97613159071acaa
SHA1

f1499c62d20dc46261703071367b716dba9e56d8
SHA256

0e775569043bf16b256b65e9c8e5c205f6ffd4e3a5fecfb8359c6eccb6d031ed
SHA512

865dd98a604ceb5e69172bd60f954c03d98358cb7be87135c67b055e42db18d3a2a85f09938ea559fdf9b06df7480426250875c2e8b4db9f8d05e0304854bcaa
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lG:RWWBibf56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\GTJAwbl.exe	cobalt_reflective_dll
C:\Windows\system\qYXgFfl.exe	cobalt_reflective_dll
C:\Windows\system\MMowffS.exe	cobalt_reflective_dll
C:\Windows\system\GHnumdu.exe	cobalt_reflective_dll
\Windows\system\nWBxuOs.exe	cobalt_reflective_dll
C:\Windows\system\iHYvsyS.exe	cobalt_reflective_dll
C:\Windows\system\CZIBjPP.exe	cobalt_reflective_dll
C:\Windows\system\UnAbUNs.exe	cobalt_reflective_dll
C:\Windows\system\ZoKUuad.exe	cobalt_reflective_dll
C:\Windows\system\ShgZinz.exe	cobalt_reflective_dll
C:\Windows\system\JSkMRkk.exe	cobalt_reflective_dll
C:\Windows\system\UNKUROm.exe	cobalt_reflective_dll
C:\Windows\system\ZjepaBB.exe	cobalt_reflective_dll
C:\Windows\system\TJBObKa.exe	cobalt_reflective_dll
C:\Windows\system\gYSELfm.exe	cobalt_reflective_dll
C:\Windows\system\XcshEBm.exe	cobalt_reflective_dll
C:\Windows\system\NqeYIBU.exe	cobalt_reflective_dll
C:\Windows\system\BMUypHP.exe	cobalt_reflective_dll
C:\Windows\system\NXtbKaG.exe	cobalt_reflective_dll
C:\Windows\system\tOdpVQl.exe	cobalt_reflective_dll
C:\Windows\system\leAccAn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\GTJAwbl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\qYXgFfl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MMowffS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\GHnumdu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\nWBxuOs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iHYvsyS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CZIBjPP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UnAbUNs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZoKUuad.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ShgZinz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JSkMRkk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UNKUROm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZjepaBB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TJBObKa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\gYSELfm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\XcshEBm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NqeYIBU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BMUypHP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NXtbKaG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tOdpVQl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\leAccAn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/788-0-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
\Windows\system\GTJAwbl.exe	UPX
C:\Windows\system\qYXgFfl.exe	UPX
behavioral1/memory/852-16-0x000000013F840000-0x000000013FB91000-memory.dmp	UPX
C:\Windows\system\MMowffS.exe	UPX
behavioral1/memory/2820-22-0x000000013FF30000-0x0000000140281000-memory.dmp	UPX
C:\Windows\system\GHnumdu.exe	UPX
\Windows\system\nWBxuOs.exe	UPX
behavioral1/memory/2624-40-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2776-46-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
C:\Windows\system\iHYvsyS.exe	UPX
behavioral1/memory/2656-58-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
behavioral1/memory/788-69-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
C:\Windows\system\CZIBjPP.exe	UPX
C:\Windows\system\UnAbUNs.exe	UPX
C:\Windows\system\ZoKUuad.exe	UPX
C:\Windows\system\ShgZinz.exe	UPX
C:\Windows\system\JSkMRkk.exe	UPX
C:\Windows\system\UNKUROm.exe	UPX
behavioral1/memory/1656-91-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
C:\Windows\system\ZjepaBB.exe	UPX
C:\Windows\system\TJBObKa.exe	UPX
behavioral1/memory/2748-89-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
behavioral1/memory/2012-87-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2132-78-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
C:\Windows\system\gYSELfm.exe	UPX
C:\Windows\system\XcshEBm.exe	UPX
behavioral1/memory/2568-72-0x000000013F660000-0x000000013F9B1000-memory.dmp	UPX
behavioral1/memory/2488-64-0x000000013F870000-0x000000013FBC1000-memory.dmp	UPX
behavioral1/memory/852-70-0x000000013F840000-0x000000013FB91000-memory.dmp	UPX
C:\Windows\system\NqeYIBU.exe	UPX
C:\Windows\system\BMUypHP.exe	UPX
C:\Windows\system\NXtbKaG.exe	UPX
behavioral1/memory/2664-52-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2656-137-0x000000013FA10000-0x000000013FD61000-memory.dmp	UPX
C:\Windows\system\tOdpVQl.exe	UPX
behavioral1/memory/2648-37-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/2748-28-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
C:\Windows\system\leAccAn.exe	UPX
behavioral1/memory/2304-20-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/2624-144-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2748-142-0x000000013F240000-0x000000013F591000-memory.dmp	UPX
behavioral1/memory/788-138-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/2488-153-0x000000013F870000-0x000000013FBC1000-memory.dmp	UPX
behavioral1/memory/1656-152-0x000000013F580000-0x000000013F8D1000-memory.dmp	UPX
behavioral1/memory/2012-151-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX
behavioral1/memory/2132-150-0x000000013F170000-0x000000013F4C1000-memory.dmp	UPX
behavioral1/memory/2568-149-0x000000013F660000-0x000000013F9B1000-memory.dmp	UPX
behavioral1/memory/2664-146-0x000000013F740000-0x000000013FA91000-memory.dmp	UPX
behavioral1/memory/2776-145-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2404-159-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/2780-160-0x000000013FA20000-0x000000013FD71000-memory.dmp	UPX
behavioral1/memory/2208-157-0x000000013F020000-0x000000013F371000-memory.dmp	UPX
behavioral1/memory/1984-156-0x000000013F3C0000-0x000000013F711000-memory.dmp	UPX
behavioral1/memory/1576-155-0x000000013F600000-0x000000013F951000-memory.dmp	UPX
behavioral1/memory/2704-154-0x000000013F1B0000-0x000000013F501000-memory.dmp	UPX
behavioral1/memory/1928-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	UPX
behavioral1/memory/788-164-0x000000013FE00000-0x0000000140151000-memory.dmp	UPX
behavioral1/memory/852-210-0x000000013F840000-0x000000013FB91000-memory.dmp	UPX
behavioral1/memory/2304-212-0x000000013F440000-0x000000013F791000-memory.dmp	UPX
behavioral1/memory/2820-214-0x000000013FF30000-0x0000000140281000-memory.dmp	UPX
behavioral1/memory/2648-216-0x000000013FF00000-0x0000000140251000-memory.dmp	UPX
behavioral1/memory/2776-236-0x000000013FD30000-0x0000000140081000-memory.dmp	UPX
behavioral1/memory/2012-242-0x000000013FB80000-0x000000013FED1000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/852-16-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2820-22-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/788-21-0x0000000002160000-0x00000000024B1000-memory.dmp	xmrig
behavioral1/memory/788-69-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/788-71-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/852-70-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2656-137-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2648-37-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2304-20-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2624-144-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2748-142-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/788-138-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2488-153-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/1656-152-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2012-151-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2132-150-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2568-149-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2664-146-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2776-145-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2404-159-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2780-160-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2208-157-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/1984-156-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/1576-155-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2704-154-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1928-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/788-164-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/852-210-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2304-212-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2820-214-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2648-216-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2776-236-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2012-242-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2568-241-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2656-238-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2624-250-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/1656-257-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2664-254-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2488-253-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2748-249-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2132-261-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GTJAwbl.exeqYXgFfl.exeMMowffS.exeleAccAn.exeGHnumdu.exenWBxuOs.exetOdpVQl.exeiHYvsyS.exeNXtbKaG.exeBMUypHP.exeNqeYIBU.exegYSELfm.exeXcshEBm.exeTJBObKa.exeZjepaBB.exeCZIBjPP.exeUNKUROm.exeJSkMRkk.exeShgZinz.exeUnAbUNs.exeZoKUuad.exe

pid	process
852	GTJAwbl.exe
2820	qYXgFfl.exe
2304	MMowffS.exe
2748	leAccAn.exe
2648	GHnumdu.exe
2624	nWBxuOs.exe
2776	tOdpVQl.exe
2664	iHYvsyS.exe
2656	NXtbKaG.exe
2488	BMUypHP.exe
2568	NqeYIBU.exe
2132	gYSELfm.exe
2012	XcshEBm.exe
1656	TJBObKa.exe
2704	ZjepaBB.exe
1576	CZIBjPP.exe
1984	UNKUROm.exe
2208	JSkMRkk.exe
1928	ShgZinz.exe
2404	UnAbUNs.exe
2780	ZoKUuad.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

pid	process
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/788-0-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
\Windows\system\GTJAwbl.exe	upx
C:\Windows\system\qYXgFfl.exe	upx
behavioral1/memory/852-16-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
C:\Windows\system\MMowffS.exe	upx
behavioral1/memory/2820-22-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
C:\Windows\system\GHnumdu.exe	upx
\Windows\system\nWBxuOs.exe	upx
behavioral1/memory/2624-40-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2776-46-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
C:\Windows\system\iHYvsyS.exe	upx
behavioral1/memory/2656-58-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/788-69-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
C:\Windows\system\CZIBjPP.exe	upx
C:\Windows\system\UnAbUNs.exe	upx
C:\Windows\system\ZoKUuad.exe	upx
C:\Windows\system\ShgZinz.exe	upx
C:\Windows\system\JSkMRkk.exe	upx
C:\Windows\system\UNKUROm.exe	upx
behavioral1/memory/1656-91-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
C:\Windows\system\ZjepaBB.exe	upx
C:\Windows\system\TJBObKa.exe	upx
behavioral1/memory/2748-89-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2012-87-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2132-78-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
C:\Windows\system\gYSELfm.exe	upx
C:\Windows\system\XcshEBm.exe	upx
behavioral1/memory/2568-72-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2488-64-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/852-70-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
C:\Windows\system\NqeYIBU.exe	upx
C:\Windows\system\BMUypHP.exe	upx
C:\Windows\system\NXtbKaG.exe	upx
behavioral1/memory/2664-52-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2656-137-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
C:\Windows\system\tOdpVQl.exe	upx
behavioral1/memory/2648-37-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2748-28-0x000000013F240000-0x000000013F591000-memory.dmp	upx
C:\Windows\system\leAccAn.exe	upx
behavioral1/memory/2304-20-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2624-144-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2748-142-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/788-138-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2488-153-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/1656-152-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2012-151-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2132-150-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2568-149-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2664-146-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2776-145-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2404-159-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2780-160-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2208-157-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/1984-156-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/1576-155-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2704-154-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1928-158-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/788-164-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/852-210-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/2304-212-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2820-214-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/2648-216-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2776-236-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2012-242-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\iHYvsyS.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gYSELfm.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZjepaBB.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CZIBjPP.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ShgZinz.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\leAccAn.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BMUypHP.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqeYIBU.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XcshEBm.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UNKUROm.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MMowffS.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nWBxuOs.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NXtbKaG.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZoKUuad.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GTJAwbl.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GHnumdu.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tOdpVQl.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TJBObKa.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JSkMRkk.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UnAbUNs.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qYXgFfl.exe	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 788 wrote to memory of 852	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GTJAwbl.exe
PID 788 wrote to memory of 852	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GTJAwbl.exe
PID 788 wrote to memory of 852	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GTJAwbl.exe
PID 788 wrote to memory of 2820	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	qYXgFfl.exe
PID 788 wrote to memory of 2820	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	qYXgFfl.exe
PID 788 wrote to memory of 2820	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	qYXgFfl.exe
PID 788 wrote to memory of 2304	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	MMowffS.exe
PID 788 wrote to memory of 2304	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	MMowffS.exe
PID 788 wrote to memory of 2304	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	MMowffS.exe
PID 788 wrote to memory of 2748	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	leAccAn.exe
PID 788 wrote to memory of 2748	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	leAccAn.exe
PID 788 wrote to memory of 2748	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	leAccAn.exe
PID 788 wrote to memory of 2648	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GHnumdu.exe
PID 788 wrote to memory of 2648	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GHnumdu.exe
PID 788 wrote to memory of 2648	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	GHnumdu.exe
PID 788 wrote to memory of 2624	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	nWBxuOs.exe
PID 788 wrote to memory of 2624	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	nWBxuOs.exe
PID 788 wrote to memory of 2624	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	nWBxuOs.exe
PID 788 wrote to memory of 2776	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	tOdpVQl.exe
PID 788 wrote to memory of 2776	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	tOdpVQl.exe
PID 788 wrote to memory of 2776	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	tOdpVQl.exe
PID 788 wrote to memory of 2664	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	iHYvsyS.exe
PID 788 wrote to memory of 2664	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	iHYvsyS.exe
PID 788 wrote to memory of 2664	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	iHYvsyS.exe
PID 788 wrote to memory of 2656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NXtbKaG.exe
PID 788 wrote to memory of 2656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NXtbKaG.exe
PID 788 wrote to memory of 2656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NXtbKaG.exe
PID 788 wrote to memory of 2488	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	BMUypHP.exe
PID 788 wrote to memory of 2488	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	BMUypHP.exe
PID 788 wrote to memory of 2488	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	BMUypHP.exe
PID 788 wrote to memory of 2568	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NqeYIBU.exe
PID 788 wrote to memory of 2568	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NqeYIBU.exe
PID 788 wrote to memory of 2568	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	NqeYIBU.exe
PID 788 wrote to memory of 2132	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	gYSELfm.exe
PID 788 wrote to memory of 2132	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	gYSELfm.exe
PID 788 wrote to memory of 2132	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	gYSELfm.exe
PID 788 wrote to memory of 2012	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	XcshEBm.exe
PID 788 wrote to memory of 2012	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	XcshEBm.exe
PID 788 wrote to memory of 2012	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	XcshEBm.exe
PID 788 wrote to memory of 1656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	TJBObKa.exe
PID 788 wrote to memory of 1656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	TJBObKa.exe
PID 788 wrote to memory of 1656	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	TJBObKa.exe
PID 788 wrote to memory of 2704	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZjepaBB.exe
PID 788 wrote to memory of 2704	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZjepaBB.exe
PID 788 wrote to memory of 2704	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZjepaBB.exe
PID 788 wrote to memory of 1576	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	CZIBjPP.exe
PID 788 wrote to memory of 1576	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	CZIBjPP.exe
PID 788 wrote to memory of 1576	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	CZIBjPP.exe
PID 788 wrote to memory of 1984	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UNKUROm.exe
PID 788 wrote to memory of 1984	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UNKUROm.exe
PID 788 wrote to memory of 1984	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UNKUROm.exe
PID 788 wrote to memory of 2208	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	JSkMRkk.exe
PID 788 wrote to memory of 2208	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	JSkMRkk.exe
PID 788 wrote to memory of 2208	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	JSkMRkk.exe
PID 788 wrote to memory of 1928	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ShgZinz.exe
PID 788 wrote to memory of 1928	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ShgZinz.exe
PID 788 wrote to memory of 1928	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ShgZinz.exe
PID 788 wrote to memory of 2404	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UnAbUNs.exe
PID 788 wrote to memory of 2404	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UnAbUNs.exe
PID 788 wrote to memory of 2404	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	UnAbUNs.exe
PID 788 wrote to memory of 2780	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZoKUuad.exe
PID 788 wrote to memory of 2780	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZoKUuad.exe
PID 788 wrote to memory of 2780	788	2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe	ZoKUuad.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_d3f9a34739d22843f97613159071acaa_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\System\GTJAwbl.exe
C:\Windows\System\GTJAwbl.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\qYXgFfl.exe
C:\Windows\System\qYXgFfl.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\MMowffS.exe
C:\Windows\System\MMowffS.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\leAccAn.exe
C:\Windows\System\leAccAn.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\GHnumdu.exe
C:\Windows\System\GHnumdu.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\nWBxuOs.exe
C:\Windows\System\nWBxuOs.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\tOdpVQl.exe
C:\Windows\System\tOdpVQl.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\iHYvsyS.exe
C:\Windows\System\iHYvsyS.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\NXtbKaG.exe
C:\Windows\System\NXtbKaG.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\BMUypHP.exe
C:\Windows\System\BMUypHP.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\NqeYIBU.exe
C:\Windows\System\NqeYIBU.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\gYSELfm.exe
C:\Windows\System\gYSELfm.exe
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\System\XcshEBm.exe
C:\Windows\System\XcshEBm.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\TJBObKa.exe
C:\Windows\System\TJBObKa.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\System\ZjepaBB.exe
C:\Windows\System\ZjepaBB.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\CZIBjPP.exe
C:\Windows\System\CZIBjPP.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Windows\System\UNKUROm.exe
C:\Windows\System\UNKUROm.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\JSkMRkk.exe
C:\Windows\System\JSkMRkk.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System\ShgZinz.exe
C:\Windows\System\ShgZinz.exe
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\System\UnAbUNs.exe
C:\Windows\System\UnAbUNs.exe
2⤵
- Executes dropped EXE
PID:2404

C:\Windows\System\ZoKUuad.exe
C:\Windows\System\ZoKUuad.exe
2⤵
- Executes dropped EXE
PID:2780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BMUypHP.exe
Filesize
5.2MB

MD5
0d48d5b8bbd5ce6713956db706dbbcc0

SHA1
0ce88194cb847d7548e19814f2d852d6cc58f3df

SHA256
efdfc1e016f8135e7eaed67c82bb09ce586cba3f4e88bf910010f8f036e86024

SHA512
c8d99a335da133a32b647b275ac76d0dc3fd3163949465b0d47b1f09bfbb462dd886f194ba1f9eda1aba4557b88b169093ca46d92c01ed40d12b33f627336dfb

Download Submit
C:\Windows\system\CZIBjPP.exe
Filesize
5.2MB

MD5
40f8a42d205da79801ebdc1a8f04c934

SHA1
406126e18c27b4070f76ce52cbfee9b759714b93

SHA256
cc8a6506015d7f9ad74a4d8760a2455adf1b8d6537f05e76d5638357bc354530

SHA512
8bf74585b0e0fd106bf35b88f5329e9104e5ead1bf1a978c71638f537ea2281f1898f4c1c727fa55ac87daa0f968d53609fd3cd904f055b414c0880f51fcd7a4

Download Submit
C:\Windows\system\GHnumdu.exe
Filesize
5.2MB

MD5
6b6a5a8da79b24344d5d1101cdff0ac0

SHA1
5f13cfa0675b7803f15d81b79203b530aee49f1c

SHA256
28cfc4bda7b4e0b641a3621fd67cd6e19c786b5ec1e44ef67c6cd9941dfaebfa

SHA512
631ba9ea400d0dd4a10bf3d33d56ca888c5063d667df4979ba98497ff176301c1de959e2c75b347d071e2f7e4bb4debdbef0ebb535742e79e106a3622a414dcb

Download Submit
C:\Windows\system\JSkMRkk.exe
Filesize
5.2MB

MD5
a1669373784dfeaf9cad2c20609c5429

SHA1
a84202b1c6b2c892af7100a2b692fd8218df0b63

SHA256
1b910b739288aa911301c06e54c6b1be640f76f9f0eb2b741affe6fb191531fe

SHA512
81699607a5a07c55cef6b95d1f04d2978fe8f6d5c19755ab55aaaeca4d8e3bc4f091cc344297adad80352630f37cc998efaff30cf57a08189551a85c78c10c2d

Download Submit
C:\Windows\system\MMowffS.exe
Filesize
5.2MB

MD5
6274d2d2b298b1b7868fdce717b12f3b

SHA1
d8a500af98535243dbd8bcaaf9b404e19b404650

SHA256
e95ed9ebc5c66763559f7c285b911b9fa27530ee053892ac7b9500d73b1e78d3

SHA512
1e74480f891479662f37f50872373c18af6692a4b3c3347820d6bda32c277621973e36f5de0b1cd785d660153aac1e5a377a05fa61d062089f97f1b959cb36ce

Download Submit
C:\Windows\system\NXtbKaG.exe
Filesize
5.2MB

MD5
c42727f25b74e83404a806a8eb37ca53

SHA1
12492ca62069a996d95f37d9017cacba4d0d5827

SHA256
6e98e07439d15305fffff50fdaa1e31122bd89d96675e62d5e3d1db54b454419

SHA512
cfca1ebc3516ca585b4bc0bb465c6b4d7a8a5e7f2b2932229b7f31a2256c87619824f44a7b112c8ffd927f988584e289c281e436e7712644fd7add6ac75c9458

Download Submit
C:\Windows\system\NqeYIBU.exe
Filesize
5.2MB

MD5
13503a4bdca56ac5ea4c7cdb6516336e

SHA1
1c99cd4322fdb3cdfa126df17384481337e5a5be

SHA256
609412ef433bd3f470981090bfa28bf012976db5095334d2c2b1574d015f0b4d

SHA512
0e6810d0c7542857fc41922f42ace351a370a252c78cf29d7f1e13d9e18a880acfb5947c3b538b8cff1adfa5ae0f78a388b686cf9abf21e88fefc925796a0347

Download Submit
C:\Windows\system\ShgZinz.exe
Filesize
5.2MB

MD5
d86b65befd09236d067f7da55085d2d4

SHA1
0c5f091ffced08d6cd9f323c8b612eb7b017b7f4

SHA256
c805fd860c82d33e719ce677642ed27a18d6d59743675247f738df70edaf3197

SHA512
d941120382f315194632cb1162a0b516fcb08a78cdfa40c0f796844ef4ea1e5710e8e0ef4c64ac15f2f161c3c9c6d9c3f3c018e1688bb18208a4ef9411b70034

Download Submit
C:\Windows\system\TJBObKa.exe
Filesize
5.2MB

MD5
bd30d2f2758ad2f3185d09884632eb0f

SHA1
0c0e9ca530b25c4632a57605add5277f96cdad95

SHA256
4116eb344adca46ac444e84cb749dfc2c3026fecd4e6b356b7ba290c35c0c02b

SHA512
b61d0bb45e8ce030069b35b04b83d164bb626ee0e5711a69db42ca29e0356260a719f5675a5a0bdd1ace225cc18c9b9eb5d971d4bef334788e5d409e2e2a4330

Download Submit
C:\Windows\system\UNKUROm.exe
Filesize
5.2MB

MD5
ac93cff2aaf61434a96bf675e22603c0

SHA1
c7f461135eb665cc6fe21b31dba6c2d59e79d5b2

SHA256
7a376c383e1c06eec00d4c3c7917161a8f64343ff2af010aac48e8aa9583b84d

SHA512
64bb7a28ef81bfb30e35966d72ff0bdfbff0e99f11d88a5b92e93378a38ff275e1b11ca330ebdd4197258f2d8a98b8c365d7c32c040862a9fc62a21d59c37c8b

Download Submit
C:\Windows\system\UnAbUNs.exe
Filesize
5.2MB

MD5
948c27da639cbc35afc0d7a73d9e5a93

SHA1
72fdb2e86f44a8411a4f9e5ea97c8aa421446a4a

SHA256
3d25bc2a3249eb7bf794a3093556eaa7845fdcfba2e16a8d529431e68714ea53

SHA512
bd97a2a59dd2b263dc2d4e54212c6c281c85f68a739256db8bae8faa75b3d1551862f029592c4001fc609b13e241fd6ae85d24cd3d5e49880c6e7f46adb78ada

Download Submit
C:\Windows\system\XcshEBm.exe
Filesize
5.2MB

MD5
53d879964b37f1cf7ab6cc5f56fd9f4f

SHA1
da4821f0098587d91f283572d031f214c49dbe24

SHA256
d5c2966fd13fd87012d5956c90a42df33f864b0400042ebc95872afd76c2c9fb

SHA512
bb2f53ac7b1036bf8af65e701f4db6cb5da36e3de8f047871d7521ac525af585e916c1171cda58d3805f34cdd607236600178a534616ebd2ccf3412a59db808c

Download Submit
C:\Windows\system\ZjepaBB.exe
Filesize
5.2MB

MD5
33a140d66d7a1998b36b4267c1fef54f

SHA1
74e65cad5a105bc435955d5d06b8067edf67c310

SHA256
6e7105640d8e5b71510529c1b8fbf5fc8260defc1be2f4065e67d7783b9d3d77

SHA512
b8e5f82933ff59974349807c1a68f10dca19e68c051f9148566f6f8861aca6fed1655bab2750667abe9ba59492c8b3309eb8ce74ecacec2efbec110a2062bd3e

Download Submit
C:\Windows\system\ZoKUuad.exe
Filesize
5.2MB

MD5
398a79a00525b895c7f0f1450e73490a

SHA1
8bddb6d3f95aafc3bc2c2462d4b8beca9308aa2a

SHA256
b776b5e6ae2e992938b9f900254ec8f668c57ee615b7f8c852f0116372fb2279

SHA512
b479005559e4a6358efdc9dd9b7111df7bc372cb7c015b1a00d50930997a5f975ca81a3da46354fe27de2824e34dd5a30ddcfb68aa96e2766d88da513a4f0d82

Download Submit
C:\Windows\system\gYSELfm.exe
Filesize
5.2MB

MD5
88db0ecae319a62d7a20bcda6d1a6d67

SHA1
68bcd89a9374e2ad77d5bfb2c547075b16fa4f12

SHA256
38cba8bd159b9e35b6ff04df1c2afb7d4de1cadd32413c20d051abbfca4ed178

SHA512
4a3bccd1685ecd5326e79ea45db6112e74257fce0a0eb4b3f33aa75b6ed9b39a629d78d6574c4b33f40c5528d6812a4d5b2ce5ef5ed7eb914addf028d9fb1837

Download Submit
C:\Windows\system\iHYvsyS.exe
Filesize
5.2MB

MD5
cb8db0c1b232ff55c61e155883487e3c

SHA1
a05aa936f36a7013352c0bbc866bb0ab9fd32dd7

SHA256
6236727a4d8b231940359543f60e02fb7e271c0581681203d829d732b6b71687

SHA512
7dd67e576f3f6e527ef1580267f372e9f20bb9e28bec2698be2c0605109fee1d86dd941b5891ae31e96d3512d9d65f58696f45c6ebfcd16defcca8d4cb8a75cb

Download Submit
C:\Windows\system\leAccAn.exe
Filesize
5.2MB

MD5
f0ab45ffdb8ec84e6a330a6573e6e715

SHA1
f7d57a54f3752589a2e60efdee1f7aa81cbec084

SHA256
c59a7fa967ac7faead802aa812ba424d04c1aa48c941dd03bf0e57b0a5411476

SHA512
1bb78008ec009815f11956d91657e2f47d7c7c0c10c06f9b405dc10ac8c1748070b63583c8daba5b4eb86560282eeb0ad3d36972c6f2c29016a68783ff1b15de

Download Submit
C:\Windows\system\qYXgFfl.exe
Filesize
5.2MB

MD5
ab107b7dde19bb0e88224de46fbe2b44

SHA1
84063344a5ae3969e7bed71a6fb603d126012dd1

SHA256
473bd7eb81f66edf31bb583d5545b80cc4f5aafa20221e2ebd305dd88318ab80

SHA512
ca9514f7f1c1daf746a96a8180ee2655669f94642f261185d3e87fd38f47dc5f7ce7c10fe4c573126f6b708d006a436117b1a8c202636d5c7f252f28acdc34d4

Download Submit
C:\Windows\system\tOdpVQl.exe
Filesize
5.2MB

MD5
7656e14919dee4715258b00fd3a8ee12

SHA1
47f743ec48d2a434f4cde17ed8501db7775ed961

SHA256
b4c1ec4dbf2bb8ae07c5cc839cf874d34445f30ecfd474cd05368125e49a41da

SHA512
b2ad8ea43280d865cac6caa41cd3e830d4df49cd03d700a3a88b9e888af06044eb2830c82fa2e2c0901c50bfdfae7edb7b3751d38e9f3b02c81d043ff40a3c59

Download Submit
\Windows\system\GTJAwbl.exe
Filesize
5.2MB

MD5
643e92ab45e31e37a81bcf3e5d6e3bf4

SHA1
782e761bc654085f7bbf8d73196cf221d7bedb28

SHA256
ce21a3f3e863e8b1379e55b88535ac6e26808f338625cf8f74745dc8bdac81f9

SHA512
39f45a0128cb5dd7a300b0a6626224cbeaf79f4fca17621be852265f8b451d364bdd397866c49c18f5bed0e738d4c810327dee466e31b2b183c169edce5369c3

Download Submit
\Windows\system\nWBxuOs.exe
Filesize
5.2MB

MD5
13884227c4f664eb80e153f93c5082de

SHA1
724443b59a44f6ae8a5af41faf9c394e9367abda

SHA256
1357cba2b6eeff03516ea434f518fdac86766da358c7eacce926eadbd895cabd

SHA512
95ef4792544c4a54a29a72b7dc38d6000ca638a04593225efb9deae4671f6623eda90bd7a27dc13dc68807e49cad44dd417b97ab822f3dfa908204fcec7ede9d

Download Submit
memory/788-51-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/788-163-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-96-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/788-186-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/788-77-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/788-69-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/788-164-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/788-88-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/788-86-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-162-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/788-161-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-138-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/788-18-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/788-71-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/788-63-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/788-27-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/788-36-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-21-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/788-57-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/788-38-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/788-0-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/852-210-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/852-16-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/852-70-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/1576-155-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/1656-257-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1656-152-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1656-91-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-158-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/1984-156-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2012-242-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-87-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-151-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-150-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-261-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-78-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-157-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2304-20-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2304-212-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2404-159-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2488-253-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-64-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-153-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-241-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-72-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-149-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-144-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2624-40-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2624-250-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2648-216-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2648-37-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2656-58-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2656-137-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2656-238-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2664-146-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2664-254-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2664-52-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2704-154-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2748-142-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2748-28-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2748-249-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2748-89-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2776-236-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2776-145-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2776-46-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2780-160-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2820-214-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2820-22-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download