cobaltstrike | 6f363651bc0816e6207946884514f4777457a05222915859aa0da6ed4e939d99

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

288f7dc4adce13ca2b84d1d3c62f2390
SHA1

4fc8b672f3e37361d2b4312076e1101f52924516
SHA256

6f363651bc0816e6207946884514f4777457a05222915859aa0da6ed4e939d99
SHA512

8974ddbe0a579e3e2754f19d3f55c08f02ae9a1afbb1d56cdea2f032d1dab0294b7420e1d61d84e3f232d5c231cb40f7b4fa554e4d55efa2f2b81547a60596d6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUK:Q+856utgpPF8u/7K

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\NoAXlQA.exe	cobalt_reflective_dll
C:\Windows\system\oLkCJep.exe	cobalt_reflective_dll
\Windows\system\hgBAowV.exe	cobalt_reflective_dll
C:\Windows\system\xXzKgap.exe	cobalt_reflective_dll
C:\Windows\system\HCCGZda.exe	cobalt_reflective_dll
\Windows\system\YdUKNlB.exe	cobalt_reflective_dll
C:\Windows\system\plgELNO.exe	cobalt_reflective_dll
C:\Windows\system\UGLTmwW.exe	cobalt_reflective_dll
C:\Windows\system\IiPpfPr.exe	cobalt_reflective_dll
\Windows\system\BtYKlAF.exe	cobalt_reflective_dll
C:\Windows\system\bTSkbeW.exe	cobalt_reflective_dll
\Windows\system\gRnWxPW.exe	cobalt_reflective_dll
\Windows\system\LMVgkiO.exe	cobalt_reflective_dll
C:\Windows\system\rkGFcaU.exe	cobalt_reflective_dll
C:\Windows\system\VSMhQdV.exe	cobalt_reflective_dll
C:\Windows\system\FXlXucX.exe	cobalt_reflective_dll
C:\Windows\system\wShGKHA.exe	cobalt_reflective_dll
C:\Windows\system\BMISCkt.exe	cobalt_reflective_dll
C:\Windows\system\MsFHdNY.exe	cobalt_reflective_dll
C:\Windows\system\KGUTYPX.exe	cobalt_reflective_dll
C:\Windows\system\TcMCIKc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\NoAXlQA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oLkCJep.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\hgBAowV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\xXzKgap.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HCCGZda.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\YdUKNlB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\plgELNO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\UGLTmwW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\IiPpfPr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\BtYKlAF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bTSkbeW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\gRnWxPW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\LMVgkiO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\rkGFcaU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VSMhQdV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\FXlXucX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wShGKHA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\BMISCkt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\MsFHdNY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\KGUTYPX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\TcMCIKc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 51 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
\Windows\system\NoAXlQA.exe	UPX
behavioral1/memory/2284-7-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
C:\Windows\system\oLkCJep.exe	UPX
behavioral1/memory/2616-15-0x000000013F1D0000-0x000000013F524000-memory.dmp	UPX
\Windows\system\hgBAowV.exe	UPX
C:\Windows\system\xXzKgap.exe	UPX
behavioral1/memory/2732-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/1700-19-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
C:\Windows\system\HCCGZda.exe	UPX
\Windows\system\YdUKNlB.exe	UPX
C:\Windows\system\plgELNO.exe	UPX
behavioral1/memory/2716-110-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
C:\Windows\system\UGLTmwW.exe	UPX
C:\Windows\system\IiPpfPr.exe	UPX
\Windows\system\BtYKlAF.exe	UPX
C:\Windows\system\bTSkbeW.exe	UPX
\Windows\system\gRnWxPW.exe	UPX
\Windows\system\LMVgkiO.exe	UPX
behavioral1/memory/2576-114-0x000000013F620000-0x000000013F974000-memory.dmp	UPX
behavioral1/memory/2544-112-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2744-109-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
C:\Windows\system\rkGFcaU.exe	UPX
C:\Windows\system\VSMhQdV.exe	UPX
C:\Windows\system\FXlXucX.exe	UPX
behavioral1/memory/2284-133-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
C:\Windows\system\wShGKHA.exe	UPX
C:\Windows\system\BMISCkt.exe	UPX
behavioral1/memory/1700-63-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
C:\Windows\system\MsFHdNY.exe	UPX
behavioral1/memory/2768-57-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
C:\Windows\system\KGUTYPX.exe	UPX
behavioral1/memory/2472-51-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2776-38-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2616-135-0x000000013F1D0000-0x000000013F524000-memory.dmp	UPX
C:\Windows\system\TcMCIKc.exe	UPX
behavioral1/memory/2668-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2732-139-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/2472-141-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2768-142-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2284-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/memory/2616-146-0x000000013F1D0000-0x000000013F524000-memory.dmp	UPX
behavioral1/memory/2668-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp	UPX
behavioral1/memory/2732-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/2776-149-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2472-150-0x000000013FD00000-0x0000000140054000-memory.dmp	UPX
behavioral1/memory/2768-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	UPX
behavioral1/memory/2716-152-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2544-153-0x000000013F240000-0x000000013F594000-memory.dmp	UPX
behavioral1/memory/2744-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2576-155-0x000000013F620000-0x000000013F974000-memory.dmp	UPX

XMRig Miner payload 54 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
\Windows\system\NoAXlQA.exe	xmrig
behavioral1/memory/2284-7-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
C:\Windows\system\oLkCJep.exe	xmrig
behavioral1/memory/2616-15-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
\Windows\system\hgBAowV.exe	xmrig
C:\Windows\system\xXzKgap.exe	xmrig
behavioral1/memory/2732-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/1700-19-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
C:\Windows\system\HCCGZda.exe	xmrig
\Windows\system\YdUKNlB.exe	xmrig
C:\Windows\system\plgELNO.exe	xmrig
behavioral1/memory/2716-110-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
C:\Windows\system\UGLTmwW.exe	xmrig
C:\Windows\system\IiPpfPr.exe	xmrig
\Windows\system\BtYKlAF.exe	xmrig
C:\Windows\system\bTSkbeW.exe	xmrig
\Windows\system\gRnWxPW.exe	xmrig
\Windows\system\LMVgkiO.exe	xmrig
behavioral1/memory/2576-114-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2544-112-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2744-109-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
C:\Windows\system\rkGFcaU.exe	xmrig
C:\Windows\system\VSMhQdV.exe	xmrig
C:\Windows\system\FXlXucX.exe	xmrig
behavioral1/memory/2284-133-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
C:\Windows\system\wShGKHA.exe	xmrig
behavioral1/memory/1700-89-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
C:\Windows\system\BMISCkt.exe	xmrig
behavioral1/memory/1700-63-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
C:\Windows\system\MsFHdNY.exe	xmrig
behavioral1/memory/2768-57-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
C:\Windows\system\KGUTYPX.exe	xmrig
behavioral1/memory/2472-51-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/1700-46-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2776-38-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/1700-36-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2616-135-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
C:\Windows\system\TcMCIKc.exe	xmrig
behavioral1/memory/2668-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2732-139-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2472-141-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2768-142-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2284-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2616-146-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/memory/2668-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp	xmrig
behavioral1/memory/2732-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2776-149-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2472-150-0x000000013FD00000-0x0000000140054000-memory.dmp	xmrig
behavioral1/memory/2768-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2716-152-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2544-153-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2744-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2576-155-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

NoAXlQA.exeoLkCJep.exehgBAowV.exexXzKgap.exeTcMCIKc.exeHCCGZda.exeKGUTYPX.exeMsFHdNY.exeplgELNO.exeBMISCkt.exeYdUKNlB.exewShGKHA.exeFXlXucX.exeVSMhQdV.exerkGFcaU.exeUGLTmwW.exeLMVgkiO.exegRnWxPW.exeIiPpfPr.exebTSkbeW.exeBtYKlAF.exe

pid	process
2284	NoAXlQA.exe
2616	oLkCJep.exe
2668	hgBAowV.exe
2732	xXzKgap.exe
2776	TcMCIKc.exe
2472	HCCGZda.exe
2768	KGUTYPX.exe
2716	MsFHdNY.exe
2544	plgELNO.exe
2744	BMISCkt.exe
2576	YdUKNlB.exe
3016	wShGKHA.exe
2512	FXlXucX.exe
2824	VSMhQdV.exe
2892	rkGFcaU.exe
1800	UGLTmwW.exe
2812	LMVgkiO.exe
2788	gRnWxPW.exe
272	IiPpfPr.exe
1712	bTSkbeW.exe
1216	BtYKlAF.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

pid	process
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
\Windows\system\NoAXlQA.exe	upx
behavioral1/memory/2284-7-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
C:\Windows\system\oLkCJep.exe	upx
behavioral1/memory/2616-15-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
\Windows\system\hgBAowV.exe	upx
C:\Windows\system\xXzKgap.exe	upx
behavioral1/memory/2732-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/1700-19-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
C:\Windows\system\HCCGZda.exe	upx
\Windows\system\YdUKNlB.exe	upx
C:\Windows\system\plgELNO.exe	upx
behavioral1/memory/2716-110-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
C:\Windows\system\UGLTmwW.exe	upx
C:\Windows\system\IiPpfPr.exe	upx
\Windows\system\BtYKlAF.exe	upx
C:\Windows\system\bTSkbeW.exe	upx
\Windows\system\gRnWxPW.exe	upx
\Windows\system\LMVgkiO.exe	upx
behavioral1/memory/2576-114-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2544-112-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2744-109-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
C:\Windows\system\rkGFcaU.exe	upx
C:\Windows\system\VSMhQdV.exe	upx
C:\Windows\system\FXlXucX.exe	upx
behavioral1/memory/2284-133-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
C:\Windows\system\wShGKHA.exe	upx
C:\Windows\system\BMISCkt.exe	upx
behavioral1/memory/1700-63-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
C:\Windows\system\MsFHdNY.exe	upx
behavioral1/memory/2768-57-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
C:\Windows\system\KGUTYPX.exe	upx
behavioral1/memory/2472-51-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2776-38-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2616-135-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
C:\Windows\system\TcMCIKc.exe	upx
behavioral1/memory/2668-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2732-139-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2472-141-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2768-142-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2284-145-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2616-146-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/memory/2668-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp	upx
behavioral1/memory/2732-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2776-149-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2472-150-0x000000013FD00000-0x0000000140054000-memory.dmp	upx
behavioral1/memory/2768-151-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2716-152-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2544-153-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2744-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2576-155-0x000000013F620000-0x000000013F974000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\gRnWxPW.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bTSkbeW.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\plgELNO.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wShGKHA.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TcMCIKc.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MsFHdNY.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KGUTYPX.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YdUKNlB.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FXlXucX.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rkGFcaU.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NoAXlQA.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xXzKgap.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IiPpfPr.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UGLTmwW.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VSMhQdV.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BtYKlAF.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oLkCJep.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hgBAowV.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LMVgkiO.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HCCGZda.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BMISCkt.exe	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1700 wrote to memory of 2284	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	NoAXlQA.exe
PID 1700 wrote to memory of 2284	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	NoAXlQA.exe
PID 1700 wrote to memory of 2284	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	NoAXlQA.exe
PID 1700 wrote to memory of 2616	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	oLkCJep.exe
PID 1700 wrote to memory of 2616	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	oLkCJep.exe
PID 1700 wrote to memory of 2616	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	oLkCJep.exe
PID 1700 wrote to memory of 2668	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	hgBAowV.exe
PID 1700 wrote to memory of 2668	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	hgBAowV.exe
PID 1700 wrote to memory of 2668	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	hgBAowV.exe
PID 1700 wrote to memory of 2732	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	xXzKgap.exe
PID 1700 wrote to memory of 2732	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	xXzKgap.exe
PID 1700 wrote to memory of 2732	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	xXzKgap.exe
PID 1700 wrote to memory of 2776	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	TcMCIKc.exe
PID 1700 wrote to memory of 2776	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	TcMCIKc.exe
PID 1700 wrote to memory of 2776	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	TcMCIKc.exe
PID 1700 wrote to memory of 2472	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	HCCGZda.exe
PID 1700 wrote to memory of 2472	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	HCCGZda.exe
PID 1700 wrote to memory of 2472	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	HCCGZda.exe
PID 1700 wrote to memory of 2716	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	MsFHdNY.exe
PID 1700 wrote to memory of 2716	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	MsFHdNY.exe
PID 1700 wrote to memory of 2716	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	MsFHdNY.exe
PID 1700 wrote to memory of 2768	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	KGUTYPX.exe
PID 1700 wrote to memory of 2768	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	KGUTYPX.exe
PID 1700 wrote to memory of 2768	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	KGUTYPX.exe
PID 1700 wrote to memory of 2744	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BMISCkt.exe
PID 1700 wrote to memory of 2744	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BMISCkt.exe
PID 1700 wrote to memory of 2744	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BMISCkt.exe
PID 1700 wrote to memory of 2544	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	plgELNO.exe
PID 1700 wrote to memory of 2544	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	plgELNO.exe
PID 1700 wrote to memory of 2544	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	plgELNO.exe
PID 1700 wrote to memory of 2576	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	YdUKNlB.exe
PID 1700 wrote to memory of 2576	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	YdUKNlB.exe
PID 1700 wrote to memory of 2576	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	YdUKNlB.exe
PID 1700 wrote to memory of 3016	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	wShGKHA.exe
PID 1700 wrote to memory of 3016	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	wShGKHA.exe
PID 1700 wrote to memory of 3016	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	wShGKHA.exe
PID 1700 wrote to memory of 1800	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	UGLTmwW.exe
PID 1700 wrote to memory of 1800	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	UGLTmwW.exe
PID 1700 wrote to memory of 1800	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	UGLTmwW.exe
PID 1700 wrote to memory of 2512	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	FXlXucX.exe
PID 1700 wrote to memory of 2512	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	FXlXucX.exe
PID 1700 wrote to memory of 2512	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	FXlXucX.exe
PID 1700 wrote to memory of 2812	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	LMVgkiO.exe
PID 1700 wrote to memory of 2812	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	LMVgkiO.exe
PID 1700 wrote to memory of 2812	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	LMVgkiO.exe
PID 1700 wrote to memory of 2824	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	VSMhQdV.exe
PID 1700 wrote to memory of 2824	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	VSMhQdV.exe
PID 1700 wrote to memory of 2824	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	VSMhQdV.exe
PID 1700 wrote to memory of 2788	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	gRnWxPW.exe
PID 1700 wrote to memory of 2788	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	gRnWxPW.exe
PID 1700 wrote to memory of 2788	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	gRnWxPW.exe
PID 1700 wrote to memory of 2892	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	rkGFcaU.exe
PID 1700 wrote to memory of 2892	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	rkGFcaU.exe
PID 1700 wrote to memory of 2892	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	rkGFcaU.exe
PID 1700 wrote to memory of 272	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	IiPpfPr.exe
PID 1700 wrote to memory of 272	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	IiPpfPr.exe
PID 1700 wrote to memory of 272	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	IiPpfPr.exe
PID 1700 wrote to memory of 1712	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	bTSkbeW.exe
PID 1700 wrote to memory of 1712	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	bTSkbeW.exe
PID 1700 wrote to memory of 1712	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	bTSkbeW.exe
PID 1700 wrote to memory of 1216	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BtYKlAF.exe
PID 1700 wrote to memory of 1216	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BtYKlAF.exe
PID 1700 wrote to memory of 1216	1700	2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe	BtYKlAF.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_288f7dc4adce13ca2b84d1d3c62f2390_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System\NoAXlQA.exe
C:\Windows\System\NoAXlQA.exe
2⤵
- Executes dropped EXE
PID:2284

C:\Windows\System\oLkCJep.exe
C:\Windows\System\oLkCJep.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\hgBAowV.exe
C:\Windows\System\hgBAowV.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\xXzKgap.exe
C:\Windows\System\xXzKgap.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\TcMCIKc.exe
C:\Windows\System\TcMCIKc.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\HCCGZda.exe
C:\Windows\System\HCCGZda.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System\MsFHdNY.exe
C:\Windows\System\MsFHdNY.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\KGUTYPX.exe
C:\Windows\System\KGUTYPX.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\BMISCkt.exe
C:\Windows\System\BMISCkt.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\plgELNO.exe
C:\Windows\System\plgELNO.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\YdUKNlB.exe
C:\Windows\System\YdUKNlB.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\wShGKHA.exe
C:\Windows\System\wShGKHA.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\UGLTmwW.exe
C:\Windows\System\UGLTmwW.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\System\FXlXucX.exe
C:\Windows\System\FXlXucX.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\LMVgkiO.exe
C:\Windows\System\LMVgkiO.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\VSMhQdV.exe
C:\Windows\System\VSMhQdV.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\gRnWxPW.exe
C:\Windows\System\gRnWxPW.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\rkGFcaU.exe
C:\Windows\System\rkGFcaU.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\IiPpfPr.exe
C:\Windows\System\IiPpfPr.exe
2⤵
- Executes dropped EXE
PID:272

C:\Windows\System\bTSkbeW.exe
C:\Windows\System\bTSkbeW.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\BtYKlAF.exe
C:\Windows\System\BtYKlAF.exe
2⤵
- Executes dropped EXE
PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BMISCkt.exe
Filesize
5.9MB

MD5
043769397add040efc93d91ebe4c5e68

SHA1
aab58f2e4908b633dfbf4baf0b540f1d94b723e9

SHA256
1c0f413c98cc1a1004745ebed8bd23d39b05d8944a6c771babd44e61b453d41d

SHA512
b1bfa09b2dc4c525082e5a42e8cdddfc64d31b7bda027b98a8952f77ad1d4832b8bdce111742c2c604c8a2c5836da8e345d6d8d3feb3255c36e9f95aff9f47bd

Download Submit
C:\Windows\system\FXlXucX.exe
Filesize
5.9MB

MD5
93fa994ac424a9fc48b10787c57baec5

SHA1
429e4ebbeceb3a31d4bbb658043dc9b1115f205b

SHA256
c83f7889cea4624fc391476bf9c22ea4efa562b42b5e0b4e1d1195ea0f3847ce

SHA512
348e7590033fa34dabc30a601b715885e2f3676f14b0f84109904029e700a5cef85442495d6b82909cd5b19bfc599da3b3296b6e633ee97a6b0814289c8255e6

Download Submit
C:\Windows\system\HCCGZda.exe
Filesize
5.9MB

MD5
4a3484ed38fd2c447a2784152d7777ae

SHA1
5534053d22737056c0f05fe323b505690b7bcb1e

SHA256
a72596e9ed0731a81f2ed61443de1422e7d71d113cc4ded63849c7fcb4650829

SHA512
b1c7da43704932d75d4a3a82c7ee60c27a758fbc6cb51b22023e0bf077e824f9bd122703f868dd2ae042627c0a83fa40ea84d577264f6861d1f211aec9b22ec7

Download Submit
C:\Windows\system\IiPpfPr.exe
Filesize
5.9MB

MD5
a6f5456b0f8c1317f69aee0e2b26c1ba

SHA1
fef10ed230b6c9cb3f77c3feae0f13a47183b0a8

SHA256
d9eba2b4a590d2a77588bfae7171d47062c2e178db39871978814ea08efc0165

SHA512
b121de9810ee96513b8215a11dbc4ca0dc4ee45b86aa4488a013ad2c6c83c1e23dbbdce68f683b8daff7925ac2213d3fb7cb6f8b386ed967474454e05586ac36

Download Submit
C:\Windows\system\KGUTYPX.exe
Filesize
5.9MB

MD5
8b67ea49e4d48225e558cd632c1a6f78

SHA1
f3446795da8b34c655c6871b4c8b791d5ed99499

SHA256
6687b8b068147182bcfcbcdf41dce2cc7d473e2e930cccc2cc48d55c399423ac

SHA512
805f19838268d68001b5c51264970b6089b60a6cfc5423c9fe10cffae1d84ff7f9fd9da526df0f6e097b0123fc15ab2f3a68206c3359044cf8e1d1529936ec1d

Download Submit
C:\Windows\system\MsFHdNY.exe
Filesize
5.9MB

MD5
c804925dc0bc959a7fde989960a38289

SHA1
4df88397aada73ea3ace10397decc3f51b69728b

SHA256
6915aa0681476865ac288af3b5a04525da1ba1144b0e5783d0e594b6fccc89b3

SHA512
113be8b2c022e7c9a85f9dcd2cd15d694fc0bd2beeb9bc4bb524740c061346b3ee1a4067b0be8cdcd96dc1534ce4bf281fb745bb2789e6fe09cee12ab7f35823

Download Submit
C:\Windows\system\TcMCIKc.exe
Filesize
5.9MB

MD5
0c2c23b6508576ecdeed8edcd4548977

SHA1
a3d548c9ac1d98e19bac9decbf2562be0702b46b

SHA256
cf503f9da23456e06b6690db2066fd0290be56189591f7f9258ae4b30caca764

SHA512
5faab8600456c4310886aadfb01ecbbb0330ee9573f7c9d79f35b386525c1f8c1770c7c21cc2285ec615a16799f5dabec2b10e8669680084cc0bd21a5678086d

Download Submit
C:\Windows\system\UGLTmwW.exe
Filesize
5.9MB

MD5
71ae28a010f30c9c6544cc51fde9fc6b

SHA1
9b521ed5defb6a9af6b65ca9c46b9fa3887d0214

SHA256
25fd7f0244cd4eb772be3418f8764c4e8d9fd8a8e61a11fa09fd00470f60ad78

SHA512
528c247882595c9b303618f04cd6af6d4e54bba081318fdc7f3617b5bfce414243e181638215477e7eb1abae27f84dcf1c9c28b4d1e419f476510831b8f0566d

Download Submit
C:\Windows\system\VSMhQdV.exe
Filesize
5.9MB

MD5
fb6968ab069cdb7b3f9b79bef1af5f1d

SHA1
e9362362c1a33c8049e953f2f25e80be22c914bf

SHA256
4111d6ad6a0bc17b52f12bff743fabfb78f5d84a0218fc40a489742b34d48f7d

SHA512
9b84e851d31ae8695d4caf4463d8eb2914bfeaa64405c1cf780ac5a2e7badbdfefedd47ee7a7f6bd39d6afee42ea813a59bb455f02a6d2a213c945df86e4edc1

Download Submit
C:\Windows\system\bTSkbeW.exe
Filesize
5.9MB

MD5
40a77d2fd59f5f2d827ff9e4e806528b

SHA1
ab7209d84209b9bbcb13c475ceca4e98fe9bc262

SHA256
5eb9b5d981a413a9e911a036b6929be340b8b0f039a6111ccbef4192364017c2

SHA512
7cc76005749ed82f0d7f4299a645e82b19033d98d510d64ae11be12aa72bdf1eedfc60fc28989c1348cc798159482b3b414d8c2f9c50c6fa99d6ad73648c39b6

Download Submit
C:\Windows\system\oLkCJep.exe
Filesize
5.9MB

MD5
0c3d478dfc69a19e90ce3ec133455bdd

SHA1
35a06f09036c2f60af1483b58fcc9b52e1b8db55

SHA256
6b4d8a74388fc64ae48673c2c2b3438adfc4ce1bf57166a2e845e02284e72763

SHA512
059b41f3009368e10cab3229a5297eb9362d3f23a947af7229a774cab78eb78d4c48fb2fc423299cf232bc5a0a9060ff86264360d7f531ce30bc6dad78faab6a

Download Submit
C:\Windows\system\plgELNO.exe
Filesize
5.9MB

MD5
d4ed70814c1631499bf59a2ab6c1f2be

SHA1
8049402316e5fbd462b6ea9d467a5bc142f03a0e

SHA256
e700c014d3d09fe099cba8d9083fc2800432fbc6bc098f628a15a643e7f46571

SHA512
ff7c1cdd36b83c094f9567dd4a6bac32ee80495387e086c6162e2ccdeb8678a8d8731c2499099a999094d747787f5ff36e063c585e682258c01c028b6c878de4

Download Submit
C:\Windows\system\rkGFcaU.exe
Filesize
5.9MB

MD5
c23aa4e5d1a8404e439b0576e2f413d5

SHA1
5b50be106fda5cc1e533826b48d67b5c64362534

SHA256
83f0e236add33b0c1da4ba4c15d01e9c9aa225c7dabc44a932510184d853bf8a

SHA512
92972eadd73c027f1d20669f5204d343e2ac098ab4075320577df4f728c4a0d2b2efba4f783135b33f681dbed821a09610cf660d346955fe50aa27edca8e3173

Download Submit
C:\Windows\system\wShGKHA.exe
Filesize
5.9MB

MD5
0cc7c9a386237f1515618de02c8c8f64

SHA1
63bd76d0ab7848006c2e08a9e4a5e6fdd81f78a8

SHA256
667633788434ec0843441ed042ac96a38a5d177bde01001c8cc62750a2cebd06

SHA512
1df5915c7452133f57fcc263856039b066e4b3f811baab6a26889b85cca4b6f5e7ea92a79d894a116eb560642ba44fea514d19b2f70ac77c65f53b24ec26fb0e

Download Submit
C:\Windows\system\xXzKgap.exe
Filesize
5.9MB

MD5
afefd679d9a95db689bf745e1e9c3192

SHA1
94ae5af3bb8cd546c3c3a7fb201a29930082e39a

SHA256
d9fe01ca5e3dcf89e072f36221f03a7ccded08a33a80110892c2785158360855

SHA512
127659ffbe56677b99d3e6376f06b02377dfd5622e2f47116f63975d881d66ec84f5a01aa2757e5f8204c2acd4c0789fe29c35a695bc45e5c469b8c6a1f2fbdd

Download Submit
\Windows\system\BtYKlAF.exe
Filesize
5.9MB

MD5
502288e5ec657baa76d0dae30edb0d54

SHA1
38cb478428ebbcd029f48cd8447c6d57620ddfb7

SHA256
ee601c8a8c4a1f8704fed91725437dea0c054d002d42a7e9fbdc3b7e8bb0ae63

SHA512
c0840c8cd3e6e0226b0da546522badaaa22de9e9bbbedb9eae6d35fddcdf7bfbbda7921288454ec692083ee4635aa8e038cc23b6901e04ef7ccf5c6d46dbdeb8

Download Submit
\Windows\system\LMVgkiO.exe
Filesize
5.9MB

MD5
782d4f66a6945335683658667cd14b2b

SHA1
ee0ddabb293b0dbb59a2d77f3dc61033714ec0e0

SHA256
2a1d6a5933f57e0047e8e647bb5c137c09c870aa84e1c8f9bb5db8b507193040

SHA512
fed22ba9259ff101093c3ddc11d1f2cb3805c6fcef61cf6f0a73011c7c1de49a8dd47abf15cf2a894682c172af0423da44896d77be919547c666393558ad7ccb

Download Submit
\Windows\system\NoAXlQA.exe
Filesize
5.9MB

MD5
f2b7cd01f92f3fb09c1bc540a0997149

SHA1
2a621f15643d38ddf6d1fc31993fd4f7ca675bd9

SHA256
ae3e85744f1fcaaf032ffe00dee3069e3c30da0d73f631ace5f0126be95d6655

SHA512
a31d7b05ccaeb720bb657fb073cc1ab576683e6e1514495f09198bf1599475d469279c6c844f3811b2d4b7e6854a514646dd5bc49801cc001b5038cdaee616cf

Download Submit
\Windows\system\YdUKNlB.exe
Filesize
5.9MB

MD5
523603c851b06e6cbafb9a93d56c4ef2

SHA1
d0f175f8d837b68a9b645c73086d0bbb3a7a2b7d

SHA256
0a3232563bf7264c554a77d13ef21177cf196a98285e42d6152bb18d24ab62df

SHA512
3a2ed0117e41a6bd9120d22083bf70f09f7a61ba5d5667ff371ec785e0e65c70d08c9d4d60b443544aa6ee1603926c07efadba87f792f313a81df9df32a13457

Download Submit
\Windows\system\gRnWxPW.exe
Filesize
5.9MB

MD5
9665d7afefb8e26089bef39f5ad0226f

SHA1
f67c3bd76a6d1a8fb0aaac2232348a817d16abf1

SHA256
00829da1893a220ac41ce7e917e370bf6176294e88f048b973f5be1461fef465

SHA512
a752bd0b6865c119c6f8965f339dff26055719db1b303d13557e941e2da363c3ef9b02d4d6282ee1bd1c572502472654c8f666a5be8c4bbc616473a1b4803401

Download Submit
\Windows\system\hgBAowV.exe
Filesize
5.9MB

MD5
88a9b623ea198052c5cbd710f473a3f7

SHA1
20463b313994be7fb679544ecc1f8ba744c3f67b

SHA256
7cf56fb0c05b41401a27302810af1a950608dba64b232ffff2e3e58c6b306b66

SHA512
4f3328d0ffcacaa8b5c94bd674c29979b1ee314484bf895515ec02c7dcd31be93e4ce1f3c581ee2724f84c1ac53bc3da1eee08e021105d5decd392f219947717

Download Submit
memory/1700-103-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1700-46-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/1700-0-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/1700-98-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1700-144-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1700-143-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-111-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-140-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1700-108-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1700-107-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/1700-101-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-100-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1700-93-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/1700-19-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1700-138-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/1700-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1700-24-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/1700-91-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-89-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-134-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/1700-63-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/1700-13-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/1700-36-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1700-54-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-7-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-133-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2284-145-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-150-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2472-51-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2472-141-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/2544-112-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2544-153-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2576-114-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2576-155-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2616-146-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2616-15-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2616-135-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/2668-137-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2668-147-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-152-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-110-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2732-139-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2732-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2744-109-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-154-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-151-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-142-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-57-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-38-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2776-149-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download