cobaltstrike | 53aa2abccd9967aa645323fdef3cf9e516f513a6b3669b8cb2606338ec6e6f8a

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

27536a56667a94b53b1765999d630c0d
SHA1

2c0d946167b0034847a4a369af451dfddf872bc3
SHA256

53aa2abccd9967aa645323fdef3cf9e516f513a6b3669b8cb2606338ec6e6f8a
SHA512

f46e06ef4e2dfff091c72933aa775257feaf701108b618102f2b3b7466ed16a92fc1d5e21afa5dab36258a2ec9dd65eaf10b02d0c604029fe61c62f3796c8581
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUj:Q+u56utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\bKJkLXS.exe	cobalt_reflective_dll
C:\Windows\system\bHGxBIK.exe	cobalt_reflective_dll
C:\Windows\system\wUQqNYs.exe	cobalt_reflective_dll
C:\Windows\system\CXMDJxq.exe	cobalt_reflective_dll
C:\Windows\system\LSZiOUb.exe	cobalt_reflective_dll
C:\Windows\system\kUfpmWZ.exe	cobalt_reflective_dll
C:\Windows\system\ZyTkJLm.exe	cobalt_reflective_dll
C:\Windows\system\QCtVfbI.exe	cobalt_reflective_dll
C:\Windows\system\wXOfGLF.exe	cobalt_reflective_dll
C:\Windows\system\AbJxchb.exe	cobalt_reflective_dll
C:\Windows\system\tYiCauZ.exe	cobalt_reflective_dll
C:\Windows\system\kzjmvPX.exe	cobalt_reflective_dll
C:\Windows\system\EsZMufv.exe	cobalt_reflective_dll
\Windows\system\IVtRFIA.exe	cobalt_reflective_dll
\Windows\system\aFfYSdi.exe	cobalt_reflective_dll
C:\Windows\system\KQXWtoD.exe	cobalt_reflective_dll
C:\Windows\system\IyeUQfD.exe	cobalt_reflective_dll
C:\Windows\system\DPanNgd.exe	cobalt_reflective_dll
C:\Windows\system\EOtkRJu.exe	cobalt_reflective_dll
C:\Windows\system\fWFZPBC.exe	cobalt_reflective_dll
\Windows\system\LCBntov.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\bKJkLXS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bHGxBIK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wUQqNYs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CXMDJxq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\LSZiOUb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kUfpmWZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZyTkJLm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\QCtVfbI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wXOfGLF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AbJxchb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\tYiCauZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kzjmvPX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EsZMufv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IVtRFIA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\aFfYSdi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KQXWtoD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IyeUQfD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DPanNgd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EOtkRJu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fWFZPBC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LCBntov.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
\Windows\system\bKJkLXS.exe	UPX
C:\Windows\system\bHGxBIK.exe	UPX
behavioral1/memory/2588-14-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/2276-9-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
C:\Windows\system\wUQqNYs.exe	UPX
C:\Windows\system\CXMDJxq.exe	UPX
C:\Windows\system\LSZiOUb.exe	UPX
C:\Windows\system\kUfpmWZ.exe	UPX
C:\Windows\system\ZyTkJLm.exe	UPX
C:\Windows\system\QCtVfbI.exe	UPX
C:\Windows\system\wXOfGLF.exe	UPX
C:\Windows\system\AbJxchb.exe	UPX
C:\Windows\system\tYiCauZ.exe	UPX
C:\Windows\system\kzjmvPX.exe	UPX
behavioral1/memory/2504-97-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2540-101-0x000000013FC00000-0x000000013FF54000-memory.dmp	UPX
behavioral1/memory/2592-99-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
C:\Windows\system\EsZMufv.exe	UPX
behavioral1/memory/1664-122-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/784-119-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/2056-117-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2116-115-0x000000013FEF0000-0x0000000140244000-memory.dmp	UPX
behavioral1/memory/2408-113-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2440-111-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2548-109-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2624-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2620-91-0x000000013FAB0000-0x000000013FE04000-memory.dmp	UPX
behavioral1/memory/2568-89-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
\Windows\system\IVtRFIA.exe	UPX
\Windows\system\aFfYSdi.exe	UPX
C:\Windows\system\KQXWtoD.exe	UPX
C:\Windows\system\IyeUQfD.exe	UPX
C:\Windows\system\DPanNgd.exe	UPX
C:\Windows\system\EOtkRJu.exe	UPX
C:\Windows\system\fWFZPBC.exe	UPX
\Windows\system\LCBntov.exe	UPX
behavioral1/memory/2276-136-0x000000013F160000-0x000000013F4B4000-memory.dmp	UPX
behavioral1/memory/2588-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/2588-140-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/1664-141-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2568-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2620-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp	UPX
behavioral1/memory/2504-144-0x000000013F150000-0x000000013F4A4000-memory.dmp	UPX
behavioral1/memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp	UPX
behavioral1/memory/2540-146-0x000000013FC00000-0x000000013FF54000-memory.dmp	UPX
behavioral1/memory/2624-147-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2548-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2440-149-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2408-150-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2116-151-0x000000013FEF0000-0x0000000140244000-memory.dmp	UPX
behavioral1/memory/2056-152-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/784-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
\Windows\system\bKJkLXS.exe	xmrig
C:\Windows\system\bHGxBIK.exe	xmrig
behavioral1/memory/2588-14-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2276-9-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
C:\Windows\system\wUQqNYs.exe	xmrig
C:\Windows\system\CXMDJxq.exe	xmrig
C:\Windows\system\LSZiOUb.exe	xmrig
C:\Windows\system\kUfpmWZ.exe	xmrig
C:\Windows\system\ZyTkJLm.exe	xmrig
C:\Windows\system\QCtVfbI.exe	xmrig
C:\Windows\system\wXOfGLF.exe	xmrig
C:\Windows\system\AbJxchb.exe	xmrig
C:\Windows\system\tYiCauZ.exe	xmrig
C:\Windows\system\kzjmvPX.exe	xmrig
behavioral1/memory/2504-97-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2540-101-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2276-103-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2592-99-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2276-98-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
C:\Windows\system\EsZMufv.exe	xmrig
behavioral1/memory/1664-122-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2276-120-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/784-119-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/2056-117-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2276-116-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2116-115-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/memory/2408-113-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2276-112-0x0000000002280000-0x00000000025D4000-memory.dmp	xmrig
behavioral1/memory/2440-111-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2548-109-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2624-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2620-91-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2276-90-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2568-89-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
\Windows\system\IVtRFIA.exe	xmrig
\Windows\system\aFfYSdi.exe	xmrig
C:\Windows\system\KQXWtoD.exe	xmrig
C:\Windows\system\IyeUQfD.exe	xmrig
C:\Windows\system\DPanNgd.exe	xmrig
C:\Windows\system\EOtkRJu.exe	xmrig
C:\Windows\system\fWFZPBC.exe	xmrig
\Windows\system\LCBntov.exe	xmrig
behavioral1/memory/2276-136-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2588-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2588-140-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/1664-141-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2568-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2620-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2504-144-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2540-146-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2624-147-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2548-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2440-149-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2408-150-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2116-151-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/memory/2056-152-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/784-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bKJkLXS.exebHGxBIK.exewUQqNYs.exeCXMDJxq.exeLSZiOUb.exekUfpmWZ.exeZyTkJLm.exefWFZPBC.exeQCtVfbI.exewXOfGLF.exeEOtkRJu.exeDPanNgd.exeIyeUQfD.exeAbJxchb.exekzjmvPX.exetYiCauZ.exeKQXWtoD.exeIVtRFIA.exeEsZMufv.exeaFfYSdi.exeLCBntov.exe

pid	process
2588	bKJkLXS.exe
1664	bHGxBIK.exe
2568	wUQqNYs.exe
2620	CXMDJxq.exe
2504	LSZiOUb.exe
2592	kUfpmWZ.exe
2540	ZyTkJLm.exe
2624	fWFZPBC.exe
2548	QCtVfbI.exe
2440	wXOfGLF.exe
2408	EOtkRJu.exe
2116	DPanNgd.exe
2056	IyeUQfD.exe
784	AbJxchb.exe
2692	kzjmvPX.exe
2724	tYiCauZ.exe
1616	KQXWtoD.exe
1932	IVtRFIA.exe
1568	EsZMufv.exe
1432	aFfYSdi.exe
2996	LCBntov.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

pid	process
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
\Windows\system\bKJkLXS.exe	upx
C:\Windows\system\bHGxBIK.exe	upx
behavioral1/memory/2588-14-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2276-9-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
C:\Windows\system\wUQqNYs.exe	upx
C:\Windows\system\CXMDJxq.exe	upx
C:\Windows\system\LSZiOUb.exe	upx
C:\Windows\system\kUfpmWZ.exe	upx
C:\Windows\system\ZyTkJLm.exe	upx
C:\Windows\system\QCtVfbI.exe	upx
C:\Windows\system\wXOfGLF.exe	upx
C:\Windows\system\AbJxchb.exe	upx
C:\Windows\system\tYiCauZ.exe	upx
C:\Windows\system\kzjmvPX.exe	upx
behavioral1/memory/2504-97-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2540-101-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2592-99-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
C:\Windows\system\EsZMufv.exe	upx
behavioral1/memory/1664-122-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/784-119-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/2056-117-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2116-115-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/memory/2408-113-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2440-111-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2548-109-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2624-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2620-91-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2568-89-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
\Windows\system\IVtRFIA.exe	upx
\Windows\system\aFfYSdi.exe	upx
C:\Windows\system\KQXWtoD.exe	upx
C:\Windows\system\IyeUQfD.exe	upx
C:\Windows\system\DPanNgd.exe	upx
C:\Windows\system\EOtkRJu.exe	upx
C:\Windows\system\fWFZPBC.exe	upx
\Windows\system\LCBntov.exe	upx
behavioral1/memory/2276-136-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/memory/2588-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2588-140-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/1664-141-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2568-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2620-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2504-144-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/2540-146-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2624-147-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2548-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2440-149-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2408-150-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2116-151-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/memory/2056-152-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/784-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\LCBntov.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AbJxchb.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KQXWtoD.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wXOfGLF.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IyeUQfD.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aFfYSdi.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wUQqNYs.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CXMDJxq.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZyTkJLm.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QCtVfbI.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tYiCauZ.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IVtRFIA.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EsZMufv.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bKJkLXS.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bHGxBIK.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fWFZPBC.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EOtkRJu.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DPanNgd.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kzjmvPX.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LSZiOUb.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kUfpmWZ.exe	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2276 wrote to memory of 2588	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bKJkLXS.exe
PID 2276 wrote to memory of 2588	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bKJkLXS.exe
PID 2276 wrote to memory of 2588	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bKJkLXS.exe
PID 2276 wrote to memory of 1664	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bHGxBIK.exe
PID 2276 wrote to memory of 1664	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bHGxBIK.exe
PID 2276 wrote to memory of 1664	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	bHGxBIK.exe
PID 2276 wrote to memory of 2568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wUQqNYs.exe
PID 2276 wrote to memory of 2568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wUQqNYs.exe
PID 2276 wrote to memory of 2568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wUQqNYs.exe
PID 2276 wrote to memory of 2620	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	CXMDJxq.exe
PID 2276 wrote to memory of 2620	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	CXMDJxq.exe
PID 2276 wrote to memory of 2620	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	CXMDJxq.exe
PID 2276 wrote to memory of 2504	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LSZiOUb.exe
PID 2276 wrote to memory of 2504	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LSZiOUb.exe
PID 2276 wrote to memory of 2504	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LSZiOUb.exe
PID 2276 wrote to memory of 2592	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kUfpmWZ.exe
PID 2276 wrote to memory of 2592	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kUfpmWZ.exe
PID 2276 wrote to memory of 2592	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kUfpmWZ.exe
PID 2276 wrote to memory of 2540	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ZyTkJLm.exe
PID 2276 wrote to memory of 2540	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ZyTkJLm.exe
PID 2276 wrote to memory of 2540	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	ZyTkJLm.exe
PID 2276 wrote to memory of 2624	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	fWFZPBC.exe
PID 2276 wrote to memory of 2624	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	fWFZPBC.exe
PID 2276 wrote to memory of 2624	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	fWFZPBC.exe
PID 2276 wrote to memory of 2548	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QCtVfbI.exe
PID 2276 wrote to memory of 2548	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QCtVfbI.exe
PID 2276 wrote to memory of 2548	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	QCtVfbI.exe
PID 2276 wrote to memory of 2440	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wXOfGLF.exe
PID 2276 wrote to memory of 2440	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wXOfGLF.exe
PID 2276 wrote to memory of 2440	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	wXOfGLF.exe
PID 2276 wrote to memory of 2408	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EOtkRJu.exe
PID 2276 wrote to memory of 2408	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EOtkRJu.exe
PID 2276 wrote to memory of 2408	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EOtkRJu.exe
PID 2276 wrote to memory of 2116	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	DPanNgd.exe
PID 2276 wrote to memory of 2116	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	DPanNgd.exe
PID 2276 wrote to memory of 2116	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	DPanNgd.exe
PID 2276 wrote to memory of 2056	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IyeUQfD.exe
PID 2276 wrote to memory of 2056	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IyeUQfD.exe
PID 2276 wrote to memory of 2056	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IyeUQfD.exe
PID 2276 wrote to memory of 784	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	AbJxchb.exe
PID 2276 wrote to memory of 784	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	AbJxchb.exe
PID 2276 wrote to memory of 784	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	AbJxchb.exe
PID 2276 wrote to memory of 2692	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kzjmvPX.exe
PID 2276 wrote to memory of 2692	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kzjmvPX.exe
PID 2276 wrote to memory of 2692	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	kzjmvPX.exe
PID 2276 wrote to memory of 2724	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	tYiCauZ.exe
PID 2276 wrote to memory of 2724	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	tYiCauZ.exe
PID 2276 wrote to memory of 2724	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	tYiCauZ.exe
PID 2276 wrote to memory of 1932	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IVtRFIA.exe
PID 2276 wrote to memory of 1932	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IVtRFIA.exe
PID 2276 wrote to memory of 1932	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	IVtRFIA.exe
PID 2276 wrote to memory of 1616	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	KQXWtoD.exe
PID 2276 wrote to memory of 1616	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	KQXWtoD.exe
PID 2276 wrote to memory of 1616	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	KQXWtoD.exe
PID 2276 wrote to memory of 1568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EsZMufv.exe
PID 2276 wrote to memory of 1568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EsZMufv.exe
PID 2276 wrote to memory of 1568	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	EsZMufv.exe
PID 2276 wrote to memory of 1432	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	aFfYSdi.exe
PID 2276 wrote to memory of 1432	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	aFfYSdi.exe
PID 2276 wrote to memory of 1432	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	aFfYSdi.exe
PID 2276 wrote to memory of 2996	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LCBntov.exe
PID 2276 wrote to memory of 2996	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LCBntov.exe
PID 2276 wrote to memory of 2996	2276	2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe	LCBntov.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_27536a56667a94b53b1765999d630c0d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\System\bKJkLXS.exe
C:\Windows\System\bKJkLXS.exe
2⤵
- Executes dropped EXE
PID:2588

C:\Windows\System\bHGxBIK.exe
C:\Windows\System\bHGxBIK.exe
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\System\wUQqNYs.exe
C:\Windows\System\wUQqNYs.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\CXMDJxq.exe
C:\Windows\System\CXMDJxq.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\LSZiOUb.exe
C:\Windows\System\LSZiOUb.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\kUfpmWZ.exe
C:\Windows\System\kUfpmWZ.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\ZyTkJLm.exe
C:\Windows\System\ZyTkJLm.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\fWFZPBC.exe
C:\Windows\System\fWFZPBC.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\QCtVfbI.exe
C:\Windows\System\QCtVfbI.exe
2⤵
- Executes dropped EXE
PID:2548

C:\Windows\System\wXOfGLF.exe
C:\Windows\System\wXOfGLF.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\EOtkRJu.exe
C:\Windows\System\EOtkRJu.exe
2⤵
- Executes dropped EXE
PID:2408

C:\Windows\System\DPanNgd.exe
C:\Windows\System\DPanNgd.exe
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\System\IyeUQfD.exe
C:\Windows\System\IyeUQfD.exe
2⤵
- Executes dropped EXE
PID:2056

C:\Windows\System\AbJxchb.exe
C:\Windows\System\AbJxchb.exe
2⤵
- Executes dropped EXE
PID:784

C:\Windows\System\kzjmvPX.exe
C:\Windows\System\kzjmvPX.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\tYiCauZ.exe
C:\Windows\System\tYiCauZ.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\IVtRFIA.exe
C:\Windows\System\IVtRFIA.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\KQXWtoD.exe
C:\Windows\System\KQXWtoD.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\EsZMufv.exe
C:\Windows\System\EsZMufv.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\aFfYSdi.exe
C:\Windows\System\aFfYSdi.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\LCBntov.exe
C:\Windows\System\LCBntov.exe
2⤵
- Executes dropped EXE
PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AbJxchb.exe
Filesize
5.9MB

MD5
520bcc7a099f5cb55ba6f6465aa7e451

SHA1
60279408daf4ab2ced22c1fc96d2f6a1e8d5ac25

SHA256
c00faf2ae55a323fbff92b362b9ea8680848b9961d31da9f7eef4cd17e6c0930

SHA512
d41e4b5442a61eda82480416f83a53a7dc6f6ab50e6a25b567198b796f74754f324bd452e321d5135ba949db59cae3f33e06eb8ac11a96a0271fd26774a657fc

Download Submit
C:\Windows\system\CXMDJxq.exe
Filesize
5.9MB

MD5
475db29d706f9a938014b46c844f6d5e

SHA1
2cc1090dd106aab0ca21ffe6addc11aba02cfa64

SHA256
151fe7dfe900b45c214b10230866b36793995f0074999215869b534f6bdfffb7

SHA512
1c6f9fb12dc9d89214ab5f08e8fe15311d4021fd97ca5785d1ff61f65471aa8966f0a09c4fb956f86118c3dd987632e723c0678264cc15b0b54f501d4a0b6745

Download Submit
C:\Windows\system\DPanNgd.exe
Filesize
5.9MB

MD5
c7224d636430fc4755514f51a0258466

SHA1
b529fcbf0627595d85695f3946cc97a2076f5c84

SHA256
3c1bd8a20aa36ae806fa899a92f54dda0b5632b21e8250dc9cd86b9e4e196495

SHA512
44cc4d03f2c048c1c1bc4a1b7a9eda469249524aea57460315d9ccdd9053da34537512ebb54475cee72ffc5986a5265af9e69da5c0e44a7f4ee48339dea3a32f

Download Submit
C:\Windows\system\EOtkRJu.exe
Filesize
5.9MB

MD5
e273b87e7fcc67ebbab9aec60fb33b51

SHA1
651ad68d389cafb47c32b3a3da55aea70ddc4da3

SHA256
68416524a768bc562e0547d713fbd035a07ac63ccddc8c7d9f62c682f69acbb5

SHA512
7207c17589a1147923be2ed94f5befe7741b44dd958b5efd5713c8b25187e2eae8e7a78a92104dc883e5bcb256b2c74fc83fefbb924ec302e1e40bbfe6d8d32c

Download Submit
C:\Windows\system\EsZMufv.exe
Filesize
5.9MB

MD5
e040a03258934497b52867a6918a11d7

SHA1
2a88e150ba4570793fae2ce7430e375115cafa82

SHA256
22c243d9c752b3550abafaa0ef08bf14211d31ee33e3ce767b3a4e94843144ac

SHA512
f4a1c581eb4f421514fab92c6512b38fbfddd8ab76aa7fd0a18e848c166348030bfad1d496d1427a247a5f0003df74ac0dca54b1a3f82a4f580a03a07d09fc5f

Download Submit
C:\Windows\system\IyeUQfD.exe
Filesize
5.9MB

MD5
c17817de18dacb9678df7f7291518451

SHA1
9a7a83bca807607a550f08181b2553a6ad07a172

SHA256
7e8f70b2cfac9359259df766b89942ef0eb1ccc713801a3935c81dbafe041984

SHA512
515b1420c19995e1785160c41d6d5e33a09b0f1bc80ce08aacd7135bb43acbb7fd721986c0ab8eb22e6b1fd5800d0a2fb1911fb6ca39c4e285801593c61d3737

Download Submit
C:\Windows\system\KQXWtoD.exe
Filesize
5.9MB

MD5
28078b9f29d07151fbfd92c2c22b6889

SHA1
1901e7518ca550f298a1c684c4bb6d83586d29c6

SHA256
bd30ddf9300123ebe69fff07a14760b9323a173999e830c7721889e72844c155

SHA512
e59b52b73577223fcd1b4ec25ba6b331935a23271655e3bdfb0b80cc034cd13b29a903e85cc9b995c5de6592a7f5d2128083a4979445d0ab091dc9ee7f1084f3

Download Submit
C:\Windows\system\LSZiOUb.exe
Filesize
5.9MB

MD5
671ccb53becb8e06a9721e325c77486d

SHA1
8b014ec415b4723d2258004eb096a48454687a3d

SHA256
16bf638c2ef3105eb539ce92a74a0123ddc9986121b27db6a48349d5f7f2fef8

SHA512
d0c5b759c5cb0df0fa07f43912e72d90acf042b34bc48a2aa0204e0cd12bed74847fd7ad92aa2e5979c7557ae64b2d4b02db7134db0623b6e87660a9409f4c0c

Download Submit
C:\Windows\system\QCtVfbI.exe
Filesize
5.9MB

MD5
89f0dca0de6db005d16f248776383251

SHA1
237fd836e92ed9b1c96ca85b202836d7b66210bb

SHA256
aee989d0ff5fa0aa753c61ae1d67f5c036bcef5425c1a92d6a567f54cff8afe3

SHA512
fd3069104787ff17cb481a01bfd7f02805059fbe1c50ee5191840b887e8f8dca82fb6d64ba0a68f65cdf47a934ff9ff5123f59843a698410420f3bac3edd77ed

Download Submit
C:\Windows\system\ZyTkJLm.exe
Filesize
5.9MB

MD5
9fe84efd546ec998da7f5d901777894b

SHA1
78728d7fdab562af50dd47131aee3e04f1eaa830

SHA256
ace13c10e0360582d00fa7085512ef205e5d08003f6af7c9c982d32694205ae8

SHA512
712b9f53a272b39bb8a57f210c982455e70bf0914e67e1a03d00fe197fcb8ddea2015fc451c6820f95fa699cf9d8124abd5bb042b67693e14e27d70197be3337

Download Submit
C:\Windows\system\bHGxBIK.exe
Filesize
5.9MB

MD5
1c4ea5744fa82ba693d6034d82c5163e

SHA1
1b772d4ce4f40e4c5042d390f01ae506f642cb9b

SHA256
e9e3c5a625aa55fb8b4178f3da417e9fd7963e780e89d30d7859cebd99e16c86

SHA512
cbe5de9ecd54c4e5bb53e2a81df0967a5119b76034298978b1e174fb37fb6e5cb54273015261bda5af6c6e14924c9a189c9a6e0d6e1ba4bdf52de71653c81370

Download Submit
C:\Windows\system\fWFZPBC.exe
Filesize
5.9MB

MD5
d331755e315bb6f22c06aca8f7b7d339

SHA1
51d73e4046944bc86ccec2eb86a8675a53df565d

SHA256
b174b0164f5988c26283931f79a89736102c6924a7ca50b36e5b863fc30b1d73

SHA512
26211570c179a21bd2951c04571e2cc618318e94850205a63271ea1b0b2aa14c65160ffe90cee759d6bddb82cc91e58444e499262e5f1ade8ca4f53250b01586

Download Submit
C:\Windows\system\kUfpmWZ.exe
Filesize
5.9MB

MD5
f50549f33724b942a572722489350fd2

SHA1
ec94abc920c7e6718d4bc6b52103d54895e97b9e

SHA256
1f1bc9619b47d43fe2684cf1ba5543b5dd33c8842ccdf1439331e85dafee9073

SHA512
54d903c1619b95e98362b4facce132360309dc68ee40119ebebed275cefab05cf5f9c654462abbd251babb9394d46ce86ceb1a4652587400ebad45e6be5a231f

Download Submit
C:\Windows\system\kzjmvPX.exe
Filesize
5.9MB

MD5
0786195cadc0fa41eb78a95b6722ec2e

SHA1
38716692ad625830c235af61d3a037ea074a49f6

SHA256
eaf1a9010ab1108bde102e773253339e485e9768d90827dccd3a7c16551570b0

SHA512
2b0cdbf81dbd3878ed60670f860f79458aea56709db33ac950ba43bd8eb688a5c6b3247fdabd1e7bb5c8c3f5e149b71d03e17f1d7aa28973dea0eb113b26f9d1

Download Submit
C:\Windows\system\tYiCauZ.exe
Filesize
5.9MB

MD5
37821aff103e3de89b2f8e25066d71b3

SHA1
da4c3b2426cd147614f221c02a6d5b1e39b57ce9

SHA256
df2458f4506a1e5aabb438a9ceda686123d780b22c6e245bce2956ea9759754f

SHA512
8d879124629e8a1c0e9c401c8d5b3aff6ad0fafa1ad6af24ba1a32a6cb53265ebf3250804d1926e729484ad1aa954eccc759c446b4f130efadd112d2c76bcdfc

Download Submit
C:\Windows\system\wUQqNYs.exe
Filesize
5.9MB

MD5
d0bb47802c626cfdb0c3c513376f209d

SHA1
d41c4fab88ade28304b61bb8173af2bd0d8cb123

SHA256
ba32d6b7d10b986946cb4a4b131e36d5cb8a82ea9ed1c69983662dab7099fbe1

SHA512
8d1717f5eeceef471a736a24a5f6759298b52d423cf67f0362a010ebc6ec73d19f9d8b031690820347640c6f947677201399252ee30b1936ec270542a3324a97

Download Submit
C:\Windows\system\wXOfGLF.exe
Filesize
5.9MB

MD5
889d629aeaed660b39d0a42c414a7c6a

SHA1
924a32cf7d41ba873cb13c21f687e14be6aed0e8

SHA256
fd6aac5666ac33d9abeb97883a3379acb6a77e437d0ff925f973ec804cd5e0cc

SHA512
5c23fd51c6043a8c1bbb07051874343bf871b277cb01274290f68d2b2a2cc1bb7cc58104940597e46b78da10e0aed5af0f166052027faf387008fb2c30821ad1

Download Submit
\Windows\system\IVtRFIA.exe
Filesize
5.9MB

MD5
e2750a77b9ce489cb7dea0a7c90dd930

SHA1
98259b1a14ad9ab4493d8e52022ac36d8f769cbb

SHA256
6896ecc8e6ef9479277ac9a579d760309bab2bce49c634543a80ad5833ff477c

SHA512
e2f9120d556cfb3583477293e999f10d1be06e0222502e4e2575aba1ec4cb796042dcfbd1b125a81224dc6a4ba78aaff7ba6e424d0b6d122e364ba25efb05324

Download Submit
\Windows\system\LCBntov.exe
Filesize
5.9MB

MD5
b2b4a8fe470db6acaae70730ee64ba0d

SHA1
eb6d6e54a819282331ec543cd0805dcbb7e27677

SHA256
f6aa17cce221a8ecbee37879dd09c670d0ac92d94e1e42ef2a35a73ae01d9825

SHA512
ac2f4171edf6c2395ddbaa41bd73556bd03f2541e49c3a93bc978643638d88e3b7b5ca0532ce0678c77d53078a59128471d90497bcc134860bc850c981262970

Download Submit
\Windows\system\aFfYSdi.exe
Filesize
5.9MB

MD5
8c93929ee3b1798487bf92e72c9f6d02

SHA1
b6ab72988429b74c6e602febcecb70046ed389c0

SHA256
133705e6267af289c8ea8ead9e0712947f827e1a6fc08e035c7cddcb48e94bef

SHA512
042f5138a600f15507ec163255fc25229a18029916d948a7a62c096f64b7c6b0963be41e9fde7155e370da94c0717fd96382bf51395bf7e6e6b498e6e87ec55e

Download Submit
\Windows\system\bKJkLXS.exe
Filesize
5.9MB

MD5
d02cfe09e8dae742e0bb2310fdaddb1b

SHA1
431ae36e0fa608f65249eab002d82b3f81625cc6

SHA256
c31e22d022f92251d1e761f5c724724ec8caac3846b10ac2ead474bad6b28c4a

SHA512
bd7b1ea995375ea04bf486b5c696ded1201e9f91615b69df504cdf645797c5da4d8ea321fb234a38b5c3fe8f7e333aa3397568312f02c708b15ebd133622cfa6

Download Submit
memory/784-153-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/784-119-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/1664-122-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1664-141-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2056-117-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-152-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-151-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2116-115-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2276-110-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2276-108-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-118-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2276-114-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2276-0-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-112-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-139-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2276-96-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-138-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-116-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-136-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-98-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2276-90-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2276-100-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2276-88-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-103-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2276-120-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2276-121-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-9-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2276-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2408-113-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2408-150-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2440-149-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2440-111-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2504-144-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-97-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-146-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2540-101-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2548-109-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-142-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2568-89-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-140-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2588-14-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2588-137-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2592-145-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2592-99-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2620-91-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2620-143-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2624-147-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2624-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download