cobaltstrike | 627441b8fb74b80ea9dc0e3317b2fd868aad37082d095abfdac4677d406196cf

Analysis

max time kernel
136s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

4d2eb23d2f086e43dc4660cf5672a7f4
SHA1

3083efdb4b3bb401a3ec08f04edff76aeb59fb85
SHA256

627441b8fb74b80ea9dc0e3317b2fd868aad37082d095abfdac4677d406196cf
SHA512

d1e41512bb857f318bebd00acf41294886bd86d66a4cff3b0f2699927ce28ffe79446130976706df0e6767b68af44f0e83d213a750abcb0bfd462023a944f034
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:Q+856utgpPF8u/7M

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\HCQzyvS.exe	cobalt_reflective_dll
C:\Windows\system\YDwNhfP.exe	cobalt_reflective_dll
\Windows\system\AQfjBfv.exe	cobalt_reflective_dll
\Windows\system\bMHnmmc.exe	cobalt_reflective_dll
\Windows\system\OMJuTlP.exe	cobalt_reflective_dll
C:\Windows\system\lHuGhCb.exe	cobalt_reflective_dll
C:\Windows\system\xriNSIM.exe	cobalt_reflective_dll
C:\Windows\system\lUxArjW.exe	cobalt_reflective_dll
C:\Windows\system\DZmmyUW.exe	cobalt_reflective_dll
C:\Windows\system\zAOqOUt.exe	cobalt_reflective_dll
C:\Windows\system\PkWvyEM.exe	cobalt_reflective_dll
C:\Windows\system\ObuQarm.exe	cobalt_reflective_dll
C:\Windows\system\TdrHVhf.exe	cobalt_reflective_dll
C:\Windows\system\elUhchW.exe	cobalt_reflective_dll
C:\Windows\system\DBGasRf.exe	cobalt_reflective_dll
C:\Windows\system\bCvVObV.exe	cobalt_reflective_dll
C:\Windows\system\PFIEcLD.exe	cobalt_reflective_dll
C:\Windows\system\wDItKqg.exe	cobalt_reflective_dll
C:\Windows\system\wZCXwXh.exe	cobalt_reflective_dll
C:\Windows\system\FiMlJvs.exe	cobalt_reflective_dll
C:\Windows\system\SdZRQwu.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\HCQzyvS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YDwNhfP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\AQfjBfv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bMHnmmc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OMJuTlP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lHuGhCb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xriNSIM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\lUxArjW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DZmmyUW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zAOqOUt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PkWvyEM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ObuQarm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TdrHVhf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\elUhchW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\DBGasRf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bCvVObV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\PFIEcLD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wDItKqg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wZCXwXh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FiMlJvs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\SdZRQwu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 53 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-1-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
\Windows\system\HCQzyvS.exe	UPX
C:\Windows\system\YDwNhfP.exe	UPX
behavioral1/memory/2956-12-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2492-16-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
\Windows\system\AQfjBfv.exe	UPX
\Windows\system\bMHnmmc.exe	UPX
behavioral1/memory/2004-29-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
\Windows\system\OMJuTlP.exe	UPX
behavioral1/memory/2624-22-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
C:\Windows\system\lHuGhCb.exe	UPX
C:\Windows\system\xriNSIM.exe	UPX
C:\Windows\system\lUxArjW.exe	UPX
C:\Windows\system\DZmmyUW.exe	UPX
C:\Windows\system\zAOqOUt.exe	UPX
C:\Windows\system\PkWvyEM.exe	UPX
C:\Windows\system\ObuQarm.exe	UPX
C:\Windows\system\TdrHVhf.exe	UPX
C:\Windows\system\elUhchW.exe	UPX
C:\Windows\system\DBGasRf.exe	UPX
C:\Windows\system\bCvVObV.exe	UPX
C:\Windows\system\PFIEcLD.exe	UPX
C:\Windows\system\wDItKqg.exe	UPX
C:\Windows\system\wZCXwXh.exe	UPX
C:\Windows\system\FiMlJvs.exe	UPX
C:\Windows\system\SdZRQwu.exe	UPX
behavioral1/memory/2656-116-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2412-120-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2428-123-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2360-122-0x000000013FFD0000-0x0000000140324000-memory.dmp	UPX
behavioral1/memory/2856-118-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2876-125-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2064-126-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2580-130-0x000000013F120000-0x000000013F474000-memory.dmp	UPX
behavioral1/memory/2432-129-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/384-128-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/memory/2240-132-0x000000013F2F0000-0x000000013F644000-memory.dmp	UPX
behavioral1/memory/2624-135-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2004-136-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/memory/2956-137-0x000000013FD60000-0x00000001400B4000-memory.dmp	UPX
behavioral1/memory/2492-138-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	UPX
behavioral1/memory/2624-139-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2004-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/memory/2656-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2856-143-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2412-142-0x000000013F270000-0x000000013F5C4000-memory.dmp	UPX
behavioral1/memory/2360-144-0x000000013FFD0000-0x0000000140324000-memory.dmp	UPX
behavioral1/memory/2428-145-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2876-146-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2064-147-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/384-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	UPX
behavioral1/memory/2432-149-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2580-150-0x000000013F120000-0x000000013F474000-memory.dmp	UPX

XMRig Miner payload 53 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2240-1-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
\Windows\system\HCQzyvS.exe	xmrig
C:\Windows\system\YDwNhfP.exe	xmrig
behavioral1/memory/2956-12-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2492-16-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
\Windows\system\AQfjBfv.exe	xmrig
\Windows\system\bMHnmmc.exe	xmrig
behavioral1/memory/2004-29-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
\Windows\system\OMJuTlP.exe	xmrig
behavioral1/memory/2624-22-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
C:\Windows\system\lHuGhCb.exe	xmrig
C:\Windows\system\xriNSIM.exe	xmrig
C:\Windows\system\lUxArjW.exe	xmrig
C:\Windows\system\DZmmyUW.exe	xmrig
C:\Windows\system\zAOqOUt.exe	xmrig
C:\Windows\system\PkWvyEM.exe	xmrig
C:\Windows\system\ObuQarm.exe	xmrig
C:\Windows\system\TdrHVhf.exe	xmrig
C:\Windows\system\elUhchW.exe	xmrig
C:\Windows\system\DBGasRf.exe	xmrig
C:\Windows\system\bCvVObV.exe	xmrig
C:\Windows\system\PFIEcLD.exe	xmrig
C:\Windows\system\wDItKqg.exe	xmrig
C:\Windows\system\wZCXwXh.exe	xmrig
C:\Windows\system\FiMlJvs.exe	xmrig
C:\Windows\system\SdZRQwu.exe	xmrig
behavioral1/memory/2656-116-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2412-120-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2428-123-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2360-122-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/memory/2856-118-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2876-125-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2064-126-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2580-130-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/memory/2432-129-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/384-128-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2240-132-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2624-135-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2004-136-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2956-137-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2492-138-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2624-139-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2004-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2656-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2856-143-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2412-142-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2360-144-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/memory/2428-145-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2876-146-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2064-147-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/384-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2432-149-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2580-150-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YDwNhfP.exeHCQzyvS.exeAQfjBfv.exebMHnmmc.exeOMJuTlP.exeSdZRQwu.exelHuGhCb.exeFiMlJvs.exexriNSIM.exewZCXwXh.exewDItKqg.exePFIEcLD.exebCvVObV.exelUxArjW.exeDBGasRf.exeDZmmyUW.exeelUhchW.exezAOqOUt.exeTdrHVhf.exeObuQarm.exePkWvyEM.exe

pid	process
2956	YDwNhfP.exe
2492	HCQzyvS.exe
2624	AQfjBfv.exe
2004	bMHnmmc.exe
2656	OMJuTlP.exe
2856	SdZRQwu.exe
2412	lHuGhCb.exe
2360	FiMlJvs.exe
2428	xriNSIM.exe
2876	wZCXwXh.exe
2064	wDItKqg.exe
384	PFIEcLD.exe
2432	bCvVObV.exe
2580	lUxArjW.exe
2720	DBGasRf.exe
1600	DZmmyUW.exe
2244	elUhchW.exe
1620	zAOqOUt.exe
2252	TdrHVhf.exe
240	ObuQarm.exe
1796	PkWvyEM.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

pid	process
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2240-1-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
\Windows\system\HCQzyvS.exe	upx
C:\Windows\system\YDwNhfP.exe	upx
behavioral1/memory/2956-12-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2492-16-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
\Windows\system\AQfjBfv.exe	upx
\Windows\system\bMHnmmc.exe	upx
behavioral1/memory/2004-29-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
\Windows\system\OMJuTlP.exe	upx
behavioral1/memory/2624-22-0x000000013F030000-0x000000013F384000-memory.dmp	upx
C:\Windows\system\lHuGhCb.exe	upx
C:\Windows\system\xriNSIM.exe	upx
C:\Windows\system\lUxArjW.exe	upx
C:\Windows\system\DZmmyUW.exe	upx
C:\Windows\system\zAOqOUt.exe	upx
C:\Windows\system\PkWvyEM.exe	upx
C:\Windows\system\ObuQarm.exe	upx
C:\Windows\system\TdrHVhf.exe	upx
C:\Windows\system\elUhchW.exe	upx
C:\Windows\system\DBGasRf.exe	upx
C:\Windows\system\bCvVObV.exe	upx
C:\Windows\system\PFIEcLD.exe	upx
C:\Windows\system\wDItKqg.exe	upx
C:\Windows\system\wZCXwXh.exe	upx
C:\Windows\system\FiMlJvs.exe	upx
C:\Windows\system\SdZRQwu.exe	upx
behavioral1/memory/2656-116-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2412-120-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2428-123-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2360-122-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/memory/2856-118-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2876-125-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2064-126-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2580-130-0x000000013F120000-0x000000013F474000-memory.dmp	upx
behavioral1/memory/2432-129-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/384-128-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2240-132-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2624-135-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2004-136-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2956-137-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2492-138-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2624-139-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2004-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2656-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2856-143-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2412-142-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2360-144-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/memory/2428-145-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2876-146-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2064-147-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/384-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2432-149-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2580-150-0x000000013F120000-0x000000013F474000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\HCQzyvS.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bMHnmmc.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lHuGhCb.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wDItKqg.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PFIEcLD.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DZmmyUW.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YDwNhfP.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OMJuTlP.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FiMlJvs.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xriNSIM.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bCvVObV.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DBGasRf.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PkWvyEM.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lUxArjW.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\elUhchW.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TdrHVhf.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ObuQarm.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AQfjBfv.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SdZRQwu.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wZCXwXh.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zAOqOUt.exe	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2240 wrote to memory of 2956	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	YDwNhfP.exe
PID 2240 wrote to memory of 2956	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	YDwNhfP.exe
PID 2240 wrote to memory of 2956	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	YDwNhfP.exe
PID 2240 wrote to memory of 2492	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	HCQzyvS.exe
PID 2240 wrote to memory of 2492	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	HCQzyvS.exe
PID 2240 wrote to memory of 2492	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	HCQzyvS.exe
PID 2240 wrote to memory of 2624	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	AQfjBfv.exe
PID 2240 wrote to memory of 2624	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	AQfjBfv.exe
PID 2240 wrote to memory of 2624	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	AQfjBfv.exe
PID 2240 wrote to memory of 2004	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bMHnmmc.exe
PID 2240 wrote to memory of 2004	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bMHnmmc.exe
PID 2240 wrote to memory of 2004	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bMHnmmc.exe
PID 2240 wrote to memory of 2656	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	OMJuTlP.exe
PID 2240 wrote to memory of 2656	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	OMJuTlP.exe
PID 2240 wrote to memory of 2656	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	OMJuTlP.exe
PID 2240 wrote to memory of 2856	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	SdZRQwu.exe
PID 2240 wrote to memory of 2856	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	SdZRQwu.exe
PID 2240 wrote to memory of 2856	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	SdZRQwu.exe
PID 2240 wrote to memory of 2412	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lHuGhCb.exe
PID 2240 wrote to memory of 2412	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lHuGhCb.exe
PID 2240 wrote to memory of 2412	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lHuGhCb.exe
PID 2240 wrote to memory of 2360	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	FiMlJvs.exe
PID 2240 wrote to memory of 2360	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	FiMlJvs.exe
PID 2240 wrote to memory of 2360	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	FiMlJvs.exe
PID 2240 wrote to memory of 2428	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	xriNSIM.exe
PID 2240 wrote to memory of 2428	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	xriNSIM.exe
PID 2240 wrote to memory of 2428	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	xriNSIM.exe
PID 2240 wrote to memory of 2876	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wZCXwXh.exe
PID 2240 wrote to memory of 2876	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wZCXwXh.exe
PID 2240 wrote to memory of 2876	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wZCXwXh.exe
PID 2240 wrote to memory of 2064	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wDItKqg.exe
PID 2240 wrote to memory of 2064	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wDItKqg.exe
PID 2240 wrote to memory of 2064	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	wDItKqg.exe
PID 2240 wrote to memory of 384	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PFIEcLD.exe
PID 2240 wrote to memory of 384	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PFIEcLD.exe
PID 2240 wrote to memory of 384	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PFIEcLD.exe
PID 2240 wrote to memory of 2432	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bCvVObV.exe
PID 2240 wrote to memory of 2432	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bCvVObV.exe
PID 2240 wrote to memory of 2432	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	bCvVObV.exe
PID 2240 wrote to memory of 2580	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lUxArjW.exe
PID 2240 wrote to memory of 2580	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lUxArjW.exe
PID 2240 wrote to memory of 2580	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	lUxArjW.exe
PID 2240 wrote to memory of 2720	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DBGasRf.exe
PID 2240 wrote to memory of 2720	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DBGasRf.exe
PID 2240 wrote to memory of 2720	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DBGasRf.exe
PID 2240 wrote to memory of 1600	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DZmmyUW.exe
PID 2240 wrote to memory of 1600	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DZmmyUW.exe
PID 2240 wrote to memory of 1600	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	DZmmyUW.exe
PID 2240 wrote to memory of 2244	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	elUhchW.exe
PID 2240 wrote to memory of 2244	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	elUhchW.exe
PID 2240 wrote to memory of 2244	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	elUhchW.exe
PID 2240 wrote to memory of 1620	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	zAOqOUt.exe
PID 2240 wrote to memory of 1620	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	zAOqOUt.exe
PID 2240 wrote to memory of 1620	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	zAOqOUt.exe
PID 2240 wrote to memory of 2252	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	TdrHVhf.exe
PID 2240 wrote to memory of 2252	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	TdrHVhf.exe
PID 2240 wrote to memory of 2252	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	TdrHVhf.exe
PID 2240 wrote to memory of 240	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	ObuQarm.exe
PID 2240 wrote to memory of 240	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	ObuQarm.exe
PID 2240 wrote to memory of 240	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	ObuQarm.exe
PID 2240 wrote to memory of 1796	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PkWvyEM.exe
PID 2240 wrote to memory of 1796	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PkWvyEM.exe
PID 2240 wrote to memory of 1796	2240	2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe	PkWvyEM.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_4d2eb23d2f086e43dc4660cf5672a7f4_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System\YDwNhfP.exe
C:\Windows\System\YDwNhfP.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\HCQzyvS.exe
C:\Windows\System\HCQzyvS.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\AQfjBfv.exe
C:\Windows\System\AQfjBfv.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\bMHnmmc.exe
C:\Windows\System\bMHnmmc.exe
2⤵
- Executes dropped EXE
PID:2004

C:\Windows\System\OMJuTlP.exe
C:\Windows\System\OMJuTlP.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\SdZRQwu.exe
C:\Windows\System\SdZRQwu.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\lHuGhCb.exe
C:\Windows\System\lHuGhCb.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\FiMlJvs.exe
C:\Windows\System\FiMlJvs.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System\xriNSIM.exe
C:\Windows\System\xriNSIM.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\wZCXwXh.exe
C:\Windows\System\wZCXwXh.exe
2⤵
- Executes dropped EXE
PID:2876

C:\Windows\System\wDItKqg.exe
C:\Windows\System\wDItKqg.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System\PFIEcLD.exe
C:\Windows\System\PFIEcLD.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System\bCvVObV.exe
C:\Windows\System\bCvVObV.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\lUxArjW.exe
C:\Windows\System\lUxArjW.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\DBGasRf.exe
C:\Windows\System\DBGasRf.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\DZmmyUW.exe
C:\Windows\System\DZmmyUW.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\elUhchW.exe
C:\Windows\System\elUhchW.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\System\zAOqOUt.exe
C:\Windows\System\zAOqOUt.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\TdrHVhf.exe
C:\Windows\System\TdrHVhf.exe
2⤵
- Executes dropped EXE
PID:2252

C:\Windows\System\ObuQarm.exe
C:\Windows\System\ObuQarm.exe
2⤵
- Executes dropped EXE
PID:240

C:\Windows\System\PkWvyEM.exe
C:\Windows\System\PkWvyEM.exe
2⤵
- Executes dropped EXE
PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DBGasRf.exe
Filesize
5.9MB

MD5
4efad9af39a03a284106769e05a701b0

SHA1
2e026b004707b679f4121a3884bf92de8175f60b

SHA256
6ecfc158167a9c0edc698e9e0a3da7b89cc535f48dbb0a59d08fda6d691e853d

SHA512
1394f235f3f75d57f3d13178dd70f0ce609a83af9f7a1e6031a358447da0bdc3515cad9548a090ed7a4c286ef86d12b588646ba892738a2e9bcf48f7dfac7957

Download Submit
C:\Windows\system\DZmmyUW.exe
Filesize
5.9MB

MD5
e9e07d9101810713fdf542361c977628

SHA1
8d31b48be0c5334d5fd56e5da88bf3c6a0297c97

SHA256
a72b1771260ba12f21fc57f4820869a59dd8d61adc453d30dd8a497e3db2feab

SHA512
3cfb2d8fca56263b3622a388e6618db387ef6eb3e512973dad9ced7b6c3bc689166806b28da1ff778a10333f980fcca92f114288fcb5b3d60e39247b1a8af2dd

Download Submit
C:\Windows\system\FiMlJvs.exe
Filesize
5.9MB

MD5
172f7443a31cc792996661ab59c78058

SHA1
f355fd359dc0c4a0e54eb560de74e423443534c8

SHA256
d6d87aa55af3b914cfee5ea9459d2f779cee8716dbefe29587add208f22e0855

SHA512
d58674754bb926819c0c99bdb4b10eedbde9867ee6dd6ca80b66daf4b5665c71262d10d7d0e118bd919e67c34d9cd934814c0bcce3e705298d23472fb96bd580

Download Submit
C:\Windows\system\ObuQarm.exe
Filesize
5.9MB

MD5
12bae223439beb189e74c9012681c0f2

SHA1
f6a869afc9b267d0a4d6d53beafc8dc507988350

SHA256
6f1161d1022d3a0d3b144fe9a010dc11c3931fbab6070eb6b460368fc25f9bc1

SHA512
b138bca32a58a8eb08a9c4fad1742c59170e657960fc46bdb2f66fbf5809f286a42db67eb1315d5a492514a89bdb840805a3250bd4a1e45204ca2861c738bfa0

Download Submit
C:\Windows\system\PFIEcLD.exe
Filesize
5.9MB

MD5
922cda9de7a3c24a7fdadb5812a75f52

SHA1
06f14f915ef3aa6ec017beedcde08e9afb02cd0b

SHA256
d4f6ccdaa9850a2977840ebc8c5ba00129cff9e57c936b96b1c97df1afd66ce7

SHA512
1ea03278c9f851cf9c7d4a5e08acd1c41f6f74b4f82ed5970959d136bb5e81c3c38fe434f3017daa98e1411b57244f153696de17cb15845e80c1bbea74a87069

Download Submit
C:\Windows\system\PkWvyEM.exe
Filesize
5.9MB

MD5
cd1dae44f8ab4c1971cca8e9a76a168c

SHA1
ea9215de7d00550bce24e393d5329bc040ac3e53

SHA256
3b653476247cfda63e4fd95adbd1d3af154c35f7ca233c7800f0e3144eeb4c54

SHA512
223a2da3bbae7404f2e12e8368b5a1438cccc51293c78f76d6a635ef9bc69def7c52cd202a7d3e740e7e161f8a62d3c91f64e28ae9b0dbf7d5a96ea78237d0bd

Download Submit
C:\Windows\system\SdZRQwu.exe
Filesize
5.9MB

MD5
75be8efaa0f6bd43d70adbdba012b125

SHA1
fed4505e1668bafccdebb455ec9d409d741e9110

SHA256
c4b1dd1937588befd2902ceba424ac0e2ccd833616cfd6f43080319d9034fefc

SHA512
da6e8a7ea61684e3f674b1287b03f2f931f44eb2cd39127bd7655cde4678cd2f0d0db777a1123723f862d2ff10fa3e6739a6be952e48313bf6161cd63dcdecfb

Download Submit
C:\Windows\system\TdrHVhf.exe
Filesize
5.9MB

MD5
8519fe64409b32e861c2c5c69a829215

SHA1
deb99d6e5424a322f910757ec9ecfbb5f180c0f8

SHA256
aa0e76b007f63ad2cd2fc60d37475be27b00c1b28485bf76fa4e4b4be9317019

SHA512
e532accd3e72fd0ec4f096d2d9ca96769a64d6a18735350725c2a5798b64186e7a5bdf58ce2f02e06f938f84e5f72fc7296ada3edc2d03ecd365518dadea6a6e

Download Submit
C:\Windows\system\YDwNhfP.exe
Filesize
5.9MB

MD5
72b5b6803380da15532b27cfcf161cbb

SHA1
bf69618aeca1547809f8fb5a4556503859b39126

SHA256
ce57424a73135dd06fc379173e64d81e6a2f5ab7278516a4b23f8c2522c4763f

SHA512
452199571fdb6a77ea538cbf89e7214fa5d7d3b13b669eef1d33cc9a27a773e64ae38c5c916d339d12a13fa83ddfd54eac4d4992acea6124b674929387a17dd6

Download Submit
C:\Windows\system\bCvVObV.exe
Filesize
5.9MB

MD5
8c331fed192d2cd78034b1d62cfe5bc9

SHA1
3c73562c357df3beaffca94d41e08832525077a0

SHA256
8a318303a9d09030df7d6b88806a71abdd276c5223820790e5e3cbcfd61a2f49

SHA512
06868eaedd21404996458b3df692733bb90f0f72116e4a8c914c70ceea78ec19e8a3c4d665b7bbd32e1df3f96c6eb22c655bd25e32fb73a798737b15971dadb9

Download Submit
C:\Windows\system\elUhchW.exe
Filesize
5.9MB

MD5
bbb79a48b5eec47b15bc7fd0cc78f9b8

SHA1
5e77e6b8b3fefe08a10ba0cf76ea0f979247c8fd

SHA256
0e6e698f723df4cbe8ce119609c7e70514b15f100926600b60d6998eb4664be1

SHA512
750f6b0c6326571dacc2694210cd36cdad7fa558ee78fb5d36226649180899c1a779d892a2afc8b04ec8b08efc4a7e1682ab2a417f80ee81a4ed3b8f4dcdd1f9

Download Submit
C:\Windows\system\lHuGhCb.exe
Filesize
5.9MB

MD5
feb4465a1be6ad485414e50e4747b764

SHA1
0ea84bd43c9510e07614ce68672dea341ff9f24d

SHA256
382e255a66d32016a9618853ae8a066ea0b57a15281a0e4515b03fdede7a7219

SHA512
f6480cb6147b2a8858a9987706a6140a51b53a22ed7e346fdcec1a3e7c991a1f33fb72733d6a0b8b2d5c84ca5dcb34c64d4df0b2432e144b790403cf0d8b2917

Download Submit
C:\Windows\system\lUxArjW.exe
Filesize
5.9MB

MD5
7f3962f17cb59366bc04de283ab4c854

SHA1
1acefb1dcb6428f89c2be8c6cc6f1ddbac40d424

SHA256
9158d6ad1f28b73e439c20d876b7569ecc6f036d06c4a58d12b261ea8b94b7cc

SHA512
4c95af578fd7592317efedaaf3248835567beee988d568a6098a029a4886e348be773c622bf4415e2c6cea3874944d9797eaf55544c5cc2c8c2e2e72c0e04cff

Download Submit
C:\Windows\system\wDItKqg.exe
Filesize
5.9MB

MD5
7aff54d07746c3e558ba58abb42e484f

SHA1
25a46129108a930d00a75f95fb32d4138b0ca84d

SHA256
fb81169783626ef0801c17218d8f4e742751f8721dfb022d5e7a500fbfdf4501

SHA512
7541f72cc5f5d25bc93d9d7b6fbbab79292ea15fd4b0cc7dc28a392bc72fda44596e4d6a66e51a901547a2f858ded367bebaba26b25109b6e79dfa73da1cbc85

Download Submit
C:\Windows\system\wZCXwXh.exe
Filesize
5.9MB

MD5
4a77e92954f2bfe36eb87389bdefce01

SHA1
89c1dc352dcacf39624a2bd754f01c0fa78ff04f

SHA256
be3d1c3b37332b4b27665095fc7371621c795de5eec13850f97d5c2be3593f80

SHA512
2825a51c638e137ef9e4bd0925679374e8ee2061aa932e4c275d91e0fd379510167f9cf4b8b5af60e5f497d75cbe2ebfa222036f1fe6c5dc415972c4120b5129

Download Submit
C:\Windows\system\xriNSIM.exe
Filesize
5.9MB

MD5
21eb51ce8ddb80e7b1b03c74bca91d31

SHA1
ccfb39cecd9f7857e988aa5367d2a8b39c2bce17

SHA256
218758364cd4aac5646d1cd037e63d59b7654c4de09432c387f7d22c219379e9

SHA512
fc44b7ea350b9be504faca07381b3d7659492153d02d628fa15399c339fe19ec0e9aac2e6a9a96b83fb7aec2f5996a0bc65e664f91d1ae8ca1fc10921bc6ad65

Download Submit
C:\Windows\system\zAOqOUt.exe
Filesize
5.9MB

MD5
ae38663bbb7d819ac921dde648ad27f1

SHA1
e806b13cdb856f108a28d699287ee01ec03c3c9f

SHA256
fad388f4a38d8d9e783891be6778e4e1de15c348875e47c769ac9febb34b2bd2

SHA512
c82de09691c5a167ed2b023e5e4599dd71773ddf942fe87972875ebd3e72527975b30a1ce953cb02ce607524221a83511ebac5f624e35989f35d563bbe2e96fb

Download Submit
\Windows\system\AQfjBfv.exe
Filesize
5.9MB

MD5
f00c97667b98f922a7dbf1872ae0d9f4

SHA1
b669a8f59a791634a61a383f37ebb88674415b1e

SHA256
7d6d87f73deaae5d30b2c357fb8b26b03e4e91b187406a22f126778eb060bda4

SHA512
f3a3e61839010b4a21a509bf631056c52d22bee875c8d90d892b0a8a8344e34fcc2f33b12f8cbe4905629c240c860179a3e5151b362eddd1df32227c18a72fe8

Download Submit
\Windows\system\HCQzyvS.exe
Filesize
5.9MB

MD5
be983e16c270b2fd093cc8f85477ba5c

SHA1
f94f018ab238b47141c6aab20eb846a57def4765

SHA256
744ffc0b4c287b8bda1fa78df9b85dac01ce36b2583058b17b0415741b72bcdb

SHA512
f5860deecf114078c479b91b526a60a7f1b4e5e75852cba25d1351a7b5df51ccf4e5f5eddb851f48e20b22cfaaa06fd2d91a78479c10ecb1feba801fdedd91d1

Download Submit
\Windows\system\OMJuTlP.exe
Filesize
5.9MB

MD5
d071a3e4c6570b2a470e6c8181163086

SHA1
3e59cfd8660ea3bcef799bb1237ec26591249c99

SHA256
ce95d9fd735fe530efcaa6c43211f896b63e9db9154d4da8af48752543b4784d

SHA512
71ed904253e566054271954a6370321a992030a1d2ac5b43622ab2ad04457eff283d26658639e26d879e38d8c1a7afbebf33865dec1b91986e59a55acbd21f03

Download Submit
\Windows\system\bMHnmmc.exe
Filesize
5.9MB

MD5
360b491bf7ab83454b71857665607880

SHA1
ace1416a0d52659e70617fb31690e2ab34dce07a

SHA256
59ce1638c70fabae9e639faa203f2b06ec27d7f452d7706df1c350f555de6a74

SHA512
6a78c8011c7995b08f9575fbf8b437f49ba3e4dce367e4f692aed03e1d171a2ead158ec4a91cc0295ac1735413b475c2693ae2c66825ddca9dc96081959b3525

Download Submit
memory/384-128-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/384-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-140-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-136-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-29-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-126-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2064-147-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2240-117-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-11-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2240-26-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-1-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2240-20-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-121-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2240-134-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-124-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2240-133-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-132-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2240-119-0x0000000002290000-0x00000000025E4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-14-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-131-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2240-32-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2240-127-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2360-122-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2360-144-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/2412-142-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-120-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-123-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2428-145-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2432-129-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-149-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-16-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-138-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-150-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2580-130-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2624-135-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2624-139-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2624-22-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2656-141-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2656-116-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2856-143-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-118-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-125-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2876-146-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2956-12-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-137-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download