cobaltstrike | 15f24b5aa5013c6881d9c0802a27af972e42de5047472d32d827acbf8f5308e3

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
11-06-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

5b2c5dabf9197182f332b41ce31aef09
SHA1

ee9aec982d9d9695c1ea5376275b8cb34154eab5
SHA256

15f24b5aa5013c6881d9c0802a27af972e42de5047472d32d827acbf8f5308e3
SHA512

e067d0d70bcabbac3ac759fbfc5ab44bf240dca4663d79325d67bd8545f448b777e77cc8e95fd498f035b6133045cfc752b3d69c1eef7b22f99ccfab1e6ef666
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUa:Q+856utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\ynqQhtp.exe	cobalt_reflective_dll
\Windows\system\uaxEckK.exe	cobalt_reflective_dll
C:\Windows\system\kzadwvi.exe	cobalt_reflective_dll
\Windows\system\aJKdwxj.exe	cobalt_reflective_dll
\Windows\system\aqGiCoS.exe	cobalt_reflective_dll
C:\Windows\system\yrcCBwE.exe	cobalt_reflective_dll
C:\Windows\system\RisSEHb.exe	cobalt_reflective_dll
C:\Windows\system\AOQNAzX.exe	cobalt_reflective_dll
\Windows\system\kkeNjfz.exe	cobalt_reflective_dll
\Windows\system\eitQrJI.exe	cobalt_reflective_dll
\Windows\system\HIRKxBT.exe	cobalt_reflective_dll
C:\Windows\system\vuwTlUl.exe	cobalt_reflective_dll
C:\Windows\system\zHFdpgr.exe	cobalt_reflective_dll
C:\Windows\system\ZytHwtD.exe	cobalt_reflective_dll
\Windows\system\liimblG.exe	cobalt_reflective_dll
C:\Windows\system\cwzgjyg.exe	cobalt_reflective_dll
\Windows\system\MjchaFr.exe	cobalt_reflective_dll
\Windows\system\OHsInon.exe	cobalt_reflective_dll
C:\Windows\system\kYJhcWk.exe	cobalt_reflective_dll
C:\Windows\system\NMrMNei.exe	cobalt_reflective_dll
C:\Windows\system\loEeGQc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\system\ynqQhtp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uaxEckK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kzadwvi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\aJKdwxj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\aqGiCoS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\yrcCBwE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\RisSEHb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\AOQNAzX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kkeNjfz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\eitQrJI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\HIRKxBT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\vuwTlUl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zHFdpgr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\ZytHwtD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\liimblG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cwzgjyg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\MjchaFr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\OHsInon.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\kYJhcWk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NMrMNei.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\loEeGQc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 48 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1368-0-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
C:\Windows\system\ynqQhtp.exe	UPX
\Windows\system\uaxEckK.exe	UPX
C:\Windows\system\kzadwvi.exe	UPX
behavioral1/memory/2688-13-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
\Windows\system\aJKdwxj.exe	UPX
\Windows\system\aqGiCoS.exe	UPX
C:\Windows\system\yrcCBwE.exe	UPX
C:\Windows\system\RisSEHb.exe	UPX
C:\Windows\system\AOQNAzX.exe	UPX
behavioral1/memory/2716-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2628-45-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
\Windows\system\kkeNjfz.exe	UPX
\Windows\system\eitQrJI.exe	UPX
\Windows\system\HIRKxBT.exe	UPX
C:\Windows\system\vuwTlUl.exe	UPX
C:\Windows\system\zHFdpgr.exe	UPX
C:\Windows\system\ZytHwtD.exe	UPX
\Windows\system\liimblG.exe	UPX
C:\Windows\system\cwzgjyg.exe	UPX
\Windows\system\MjchaFr.exe	UPX
\Windows\system\OHsInon.exe	UPX
behavioral1/memory/2984-113-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2420-111-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/3000-110-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/2708-109-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2632-106-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2512-104-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
C:\Windows\system\kYJhcWk.exe	UPX
C:\Windows\system\NMrMNei.exe	UPX
C:\Windows\system\loEeGQc.exe	UPX
behavioral1/memory/2868-63-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/3044-40-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/memory/2884-57-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/1368-131-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2868-132-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2688-133-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/memory/2628-135-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/3044-134-0x000000013FE90000-0x00000001401E4000-memory.dmp	UPX
behavioral1/memory/2716-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2884-137-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2868-138-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2420-142-0x000000013FF70000-0x00000001402C4000-memory.dmp	UPX
behavioral1/memory/2512-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2632-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2984-140-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/3000-143-0x000000013F4D0000-0x000000013F824000-memory.dmp	UPX
behavioral1/memory/2708-144-0x000000013F510000-0x000000013F864000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1368-0-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
C:\Windows\system\ynqQhtp.exe	xmrig
\Windows\system\uaxEckK.exe	xmrig
C:\Windows\system\kzadwvi.exe	xmrig
behavioral1/memory/2688-13-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
\Windows\system\aJKdwxj.exe	xmrig
\Windows\system\aqGiCoS.exe	xmrig
C:\Windows\system\yrcCBwE.exe	xmrig
C:\Windows\system\RisSEHb.exe	xmrig
C:\Windows\system\AOQNAzX.exe	xmrig
behavioral1/memory/2716-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/1368-46-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2628-45-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
\Windows\system\kkeNjfz.exe	xmrig
\Windows\system\eitQrJI.exe	xmrig
\Windows\system\HIRKxBT.exe	xmrig
C:\Windows\system\vuwTlUl.exe	xmrig
C:\Windows\system\zHFdpgr.exe	xmrig
C:\Windows\system\ZytHwtD.exe	xmrig
\Windows\system\liimblG.exe	xmrig
C:\Windows\system\cwzgjyg.exe	xmrig
\Windows\system\MjchaFr.exe	xmrig
\Windows\system\OHsInon.exe	xmrig
behavioral1/memory/2984-113-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2420-111-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/3000-110-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2708-109-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/2632-106-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/1368-105-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2512-104-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
C:\Windows\system\kYJhcWk.exe	xmrig
C:\Windows\system\NMrMNei.exe	xmrig
C:\Windows\system\loEeGQc.exe	xmrig
behavioral1/memory/2868-63-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/3044-40-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2884-57-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/1368-131-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2868-132-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2688-133-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/memory/2628-135-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/3044-134-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2716-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2884-137-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2868-138-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2420-142-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2512-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2632-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2984-140-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/3000-143-0x000000013F4D0000-0x000000013F824000-memory.dmp	xmrig
behavioral1/memory/2708-144-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ynqQhtp.exeuaxEckK.exeaJKdwxj.exekzadwvi.exeRisSEHb.exeyrcCBwE.exeaqGiCoS.exeAOQNAzX.execwzgjyg.exeZytHwtD.exezHFdpgr.exevuwTlUl.exeloEeGQc.exeNMrMNei.exekYJhcWk.exeOHsInon.exeMjchaFr.exekkeNjfz.exeliimblG.exeHIRKxBT.exeeitQrJI.exe

pid	process
2688	ynqQhtp.exe
3044	uaxEckK.exe
2628	aJKdwxj.exe
2716	kzadwvi.exe
2884	RisSEHb.exe
2868	yrcCBwE.exe
2984	aqGiCoS.exe
2512	AOQNAzX.exe
2632	cwzgjyg.exe
2708	ZytHwtD.exe
3000	zHFdpgr.exe
2420	vuwTlUl.exe
1504	loEeGQc.exe
1760	NMrMNei.exe
376	kYJhcWk.exe
2556	OHsInon.exe
2620	MjchaFr.exe
1932	kkeNjfz.exe
1664	liimblG.exe
1416	HIRKxBT.exe
2400	eitQrJI.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

pid	process
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1368-0-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
C:\Windows\system\ynqQhtp.exe	upx
\Windows\system\uaxEckK.exe	upx
C:\Windows\system\kzadwvi.exe	upx
behavioral1/memory/2688-13-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
\Windows\system\aJKdwxj.exe	upx
\Windows\system\aqGiCoS.exe	upx
C:\Windows\system\yrcCBwE.exe	upx
C:\Windows\system\RisSEHb.exe	upx
C:\Windows\system\AOQNAzX.exe	upx
behavioral1/memory/2716-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2628-45-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
\Windows\system\kkeNjfz.exe	upx
\Windows\system\eitQrJI.exe	upx
\Windows\system\HIRKxBT.exe	upx
C:\Windows\system\vuwTlUl.exe	upx
C:\Windows\system\zHFdpgr.exe	upx
C:\Windows\system\ZytHwtD.exe	upx
\Windows\system\liimblG.exe	upx
C:\Windows\system\cwzgjyg.exe	upx
\Windows\system\MjchaFr.exe	upx
\Windows\system\OHsInon.exe	upx
behavioral1/memory/2984-113-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2420-111-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/3000-110-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2708-109-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2632-106-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2512-104-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
C:\Windows\system\kYJhcWk.exe	upx
C:\Windows\system\NMrMNei.exe	upx
C:\Windows\system\loEeGQc.exe	upx
behavioral1/memory/2868-63-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/3044-40-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2884-57-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/1368-131-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2868-132-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2688-133-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/memory/2628-135-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/3044-134-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2716-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2884-137-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2868-138-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2420-142-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/2512-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2632-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2984-140-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/3000-143-0x000000013F4D0000-0x000000013F824000-memory.dmp	upx
behavioral1/memory/2708-144-0x000000013F510000-0x000000013F864000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\yrcCBwE.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kkeNjfz.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kzadwvi.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\loEeGQc.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HIRKxBT.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kYJhcWk.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MjchaFr.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ynqQhtp.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uaxEckK.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aJKdwxj.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RisSEHb.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cwzgjyg.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aqGiCoS.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHsInon.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vuwTlUl.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NMrMNei.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eitQrJI.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZytHwtD.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AOQNAzX.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zHFdpgr.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\liimblG.exe	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1368 wrote to memory of 2688	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ynqQhtp.exe
PID 1368 wrote to memory of 2688	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ynqQhtp.exe
PID 1368 wrote to memory of 2688	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ynqQhtp.exe
PID 1368 wrote to memory of 3044	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	uaxEckK.exe
PID 1368 wrote to memory of 3044	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	uaxEckK.exe
PID 1368 wrote to memory of 3044	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	uaxEckK.exe
PID 1368 wrote to memory of 2628	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aJKdwxj.exe
PID 1368 wrote to memory of 2628	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aJKdwxj.exe
PID 1368 wrote to memory of 2628	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aJKdwxj.exe
PID 1368 wrote to memory of 2716	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kzadwvi.exe
PID 1368 wrote to memory of 2716	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kzadwvi.exe
PID 1368 wrote to memory of 2716	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kzadwvi.exe
PID 1368 wrote to memory of 2884	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	RisSEHb.exe
PID 1368 wrote to memory of 2884	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	RisSEHb.exe
PID 1368 wrote to memory of 2884	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	RisSEHb.exe
PID 1368 wrote to memory of 2632	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	cwzgjyg.exe
PID 1368 wrote to memory of 2632	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	cwzgjyg.exe
PID 1368 wrote to memory of 2632	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	cwzgjyg.exe
PID 1368 wrote to memory of 2868	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	yrcCBwE.exe
PID 1368 wrote to memory of 2868	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	yrcCBwE.exe
PID 1368 wrote to memory of 2868	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	yrcCBwE.exe
PID 1368 wrote to memory of 2708	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ZytHwtD.exe
PID 1368 wrote to memory of 2708	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ZytHwtD.exe
PID 1368 wrote to memory of 2708	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	ZytHwtD.exe
PID 1368 wrote to memory of 2984	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aqGiCoS.exe
PID 1368 wrote to memory of 2984	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aqGiCoS.exe
PID 1368 wrote to memory of 2984	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	aqGiCoS.exe
PID 1368 wrote to memory of 2556	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	OHsInon.exe
PID 1368 wrote to memory of 2556	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	OHsInon.exe
PID 1368 wrote to memory of 2556	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	OHsInon.exe
PID 1368 wrote to memory of 2512	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	AOQNAzX.exe
PID 1368 wrote to memory of 2512	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	AOQNAzX.exe
PID 1368 wrote to memory of 2512	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	AOQNAzX.exe
PID 1368 wrote to memory of 2620	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	MjchaFr.exe
PID 1368 wrote to memory of 2620	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	MjchaFr.exe
PID 1368 wrote to memory of 2620	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	MjchaFr.exe
PID 1368 wrote to memory of 3000	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	zHFdpgr.exe
PID 1368 wrote to memory of 3000	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	zHFdpgr.exe
PID 1368 wrote to memory of 3000	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	zHFdpgr.exe
PID 1368 wrote to memory of 1932	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kkeNjfz.exe
PID 1368 wrote to memory of 1932	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kkeNjfz.exe
PID 1368 wrote to memory of 1932	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kkeNjfz.exe
PID 1368 wrote to memory of 2420	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	vuwTlUl.exe
PID 1368 wrote to memory of 2420	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	vuwTlUl.exe
PID 1368 wrote to memory of 2420	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	vuwTlUl.exe
PID 1368 wrote to memory of 1664	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	liimblG.exe
PID 1368 wrote to memory of 1664	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	liimblG.exe
PID 1368 wrote to memory of 1664	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	liimblG.exe
PID 1368 wrote to memory of 1504	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	loEeGQc.exe
PID 1368 wrote to memory of 1504	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	loEeGQc.exe
PID 1368 wrote to memory of 1504	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	loEeGQc.exe
PID 1368 wrote to memory of 1416	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	HIRKxBT.exe
PID 1368 wrote to memory of 1416	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	HIRKxBT.exe
PID 1368 wrote to memory of 1416	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	HIRKxBT.exe
PID 1368 wrote to memory of 1760	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NMrMNei.exe
PID 1368 wrote to memory of 1760	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NMrMNei.exe
PID 1368 wrote to memory of 1760	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	NMrMNei.exe
PID 1368 wrote to memory of 2400	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	eitQrJI.exe
PID 1368 wrote to memory of 2400	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	eitQrJI.exe
PID 1368 wrote to memory of 2400	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	eitQrJI.exe
PID 1368 wrote to memory of 376	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kYJhcWk.exe
PID 1368 wrote to memory of 376	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kYJhcWk.exe
PID 1368 wrote to memory of 376	1368	2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe	kYJhcWk.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_5b2c5dabf9197182f332b41ce31aef09_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\System\ynqQhtp.exe
C:\Windows\System\ynqQhtp.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\uaxEckK.exe
C:\Windows\System\uaxEckK.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\aJKdwxj.exe
C:\Windows\System\aJKdwxj.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\kzadwvi.exe
C:\Windows\System\kzadwvi.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\RisSEHb.exe
C:\Windows\System\RisSEHb.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\cwzgjyg.exe
C:\Windows\System\cwzgjyg.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\yrcCBwE.exe
C:\Windows\System\yrcCBwE.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\ZytHwtD.exe
C:\Windows\System\ZytHwtD.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\aqGiCoS.exe
C:\Windows\System\aqGiCoS.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\OHsInon.exe
C:\Windows\System\OHsInon.exe
2⤵
- Executes dropped EXE
PID:2556

C:\Windows\System\AOQNAzX.exe
C:\Windows\System\AOQNAzX.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\MjchaFr.exe
C:\Windows\System\MjchaFr.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\zHFdpgr.exe
C:\Windows\System\zHFdpgr.exe
2⤵
- Executes dropped EXE
PID:3000

C:\Windows\System\kkeNjfz.exe
C:\Windows\System\kkeNjfz.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\vuwTlUl.exe
C:\Windows\System\vuwTlUl.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\liimblG.exe
C:\Windows\System\liimblG.exe
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\System\loEeGQc.exe
C:\Windows\System\loEeGQc.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\System\HIRKxBT.exe
C:\Windows\System\HIRKxBT.exe
2⤵
- Executes dropped EXE
PID:1416

C:\Windows\System\NMrMNei.exe
C:\Windows\System\NMrMNei.exe
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\System\eitQrJI.exe
C:\Windows\System\eitQrJI.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\kYJhcWk.exe
C:\Windows\System\kYJhcWk.exe
2⤵
- Executes dropped EXE
PID:376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AOQNAzX.exe
Filesize
5.9MB

MD5
c545177fead0c467771959cf4ab34f3b

SHA1
e3ae35aaaa42ea12c5f0b0552d66bbff9513c557

SHA256
4d689beba75bbfdb5f94295edafadc89344febc7295f48f519c761b7f1694c19

SHA512
569697b08a97f50cc7ea8d3236f96db8a90aecf831526dae5450adf850acff7c5091bfa0a5ebead709f5404a03594c3cbfb2592b4958ef1888b85235e44360c6

Download Submit
C:\Windows\system\NMrMNei.exe
Filesize
5.9MB

MD5
ded0e90332d07db04b5c706e8b6fbca8

SHA1
0df7065ee1896701414191a1d238b0142fa2245a

SHA256
559712ab8f5f1390ba0735f6208eea0aabb3a52d867b61944c892fbb139c663a

SHA512
9a7eac0955d0accd9eb5d79a1a390b77124f206572288b80c48e0ac396938905b4426cc9b151b458f8f6e3ca20356ef214d1dc1e292118258fe21f271251a2bd

Download Submit
C:\Windows\system\RisSEHb.exe
Filesize
5.9MB

MD5
c0f9261ee22d20ce262ea0b7418d4df7

SHA1
70ab3d21eecac0693f054c5ef6d4909346ec4749

SHA256
949e924f61dbc74334902cd0eece6c28b4516aa6031e4da12d39035bd0195632

SHA512
0671ce802f1a8b4418d8497ef267012edef40087e0f57953c40102bc75c6f43450034bcd698b35930b939096eb15b4dd426bd36c72074f17009cc7e3624d1980

Download Submit
C:\Windows\system\ZytHwtD.exe
Filesize
5.9MB

MD5
be9e59253a05810ee64b1c47c04b6a0e

SHA1
76df9733b57a59a142b13db01857c5b65fefd3f0

SHA256
9a8896ba69d422ede3da69def9c0628c83e996ed99ca61a3530ef7abc9e9ee3c

SHA512
6aa43e39844d09b9c50fadfcd963a9682f348f7c8abe339ddfb2c4d0d6127b2428177d2db36fccc321fce38e96d6fc0b36a97d5ffdbcab44d576e0230526f7cb

Download Submit
C:\Windows\system\cwzgjyg.exe
Filesize
5.9MB

MD5
1e05d19411d42a4854318f142998bcd4

SHA1
4c10042510a07417ad3a1c1604a7fc09732fec71

SHA256
8302b4e140055e2bf9827af230b707ddda5c2f3533abd0b4c2bfc914dc93a440

SHA512
1e934adff38cf89417841fae97491009b5e452f039e27517c97d3fab0a0eb811c168bb7529dea9310a4c19e2831f8bd5e098ef99e9daf34b1eda62033590f666

Download Submit
C:\Windows\system\kYJhcWk.exe
Filesize
5.9MB

MD5
a941d4f48b00452fb81404be927289dd

SHA1
f183f1d62ee866863da8fff3661dbb216cd09228

SHA256
590a2afa816cfe2f4bebae95956fd4ed638370eae25325c3436ac3f420197ddf

SHA512
acda9cf9577c25dfbedbde15210fa54af34522c61564497beeab816d6c6196367a879f24c4ade49bfe290b6eed35f091ab7094c6921443108716fdc94dbfdea8

Download Submit
C:\Windows\system\kzadwvi.exe
Filesize
5.9MB

MD5
43d531bc1eb134c5a563995aa393dad2

SHA1
f22fe25eb23c96b55ad334cf39bd7b90632448cc

SHA256
84b1e715d67a93c3d3da824df4edf2aabe7a94b9849bd05e0f1ffe75a882ddc2

SHA512
8c8b0809485e0526a9c4b974846cf5ca18a524aa66843eaa1a3be90b4bf71bb9d170d2aabdcebfd34b432fa206591e32d9a40e98045c07ac748326c35a0537ec

Download Submit
C:\Windows\system\loEeGQc.exe
Filesize
5.9MB

MD5
550fa75b0d2893aed796d5dc30afdae0

SHA1
6e503ee017bf6824fc45307bb5900492027b3693

SHA256
491252df6c126a008cdc46315f2f5bba474e9f82cf420c2287551714bb9c651b

SHA512
fd11881f540f608540a572418ec637ee480e7421af2bd4c8889953e7aa36e4c522f956c661b3df5dcf61ec043c06acd609ed7077f234599057abf21d78a3f55b

Download Submit
C:\Windows\system\vuwTlUl.exe
Filesize
5.9MB

MD5
020bd63b5509b9c6a0a94771c5ca50d9

SHA1
0d7478b4c998400596fe031c4cf257a85ecceb57

SHA256
d5137a8648302139f8f604d1f09d31c9c5540a1faf67b4a840cd0193dcff7618

SHA512
893c1ed5f1b72b14619cdfbcbee6d27b303612b89003e40e823ba2349d83e2b04f0cce548483f514d3d18fb7b986da0ac8f3460bcbd4ca50561696f7d4506049

Download Submit
C:\Windows\system\ynqQhtp.exe
Filesize
5.9MB

MD5
068f92b91abbebb716975ea038f7130f

SHA1
c82498ee64216d32b51a3f9c569062f472498924

SHA256
58b94b4a847d643ad2c4cb45c42a1bf69036c77cf5a4110d69d07c42685a5f70

SHA512
2c83c04598aeb4bf3c1c7d6a5b86470bd47bc5763ed5a628e1d7187381ad1747fba14c231e7a4b47a3a069d3dd16bc9bca185589852c672ec6a895349be573ea

Download Submit
C:\Windows\system\yrcCBwE.exe
Filesize
5.9MB

MD5
657c53e0916bb1e6f7586d874a39095a

SHA1
f8b9ddff3f4cfe6a8042fda8ba8c3b3b86fcc87b

SHA256
4db93dec14148d6bd90d035e0bf252b1a1755bb00b5a015beec23143f82bb56c

SHA512
cb84f996db1bec3e850a43551685272c6c07412d2c50c682607450a06957a73bc5b86644b40c5506d8ddd6d7087facc06b777e8c50e4f760dcd1df0875176298

Download Submit
C:\Windows\system\zHFdpgr.exe
Filesize
5.9MB

MD5
5b26442481fb657f0a92cb731d487b85

SHA1
5c8020f02a266fc0cbba5325b48135a4c327b215

SHA256
ddb30cb9601a95526813159654df6bf6ae2135836e7cfc64468898e1b547b038

SHA512
8e0830936dd354d99b0c260e9523ed18f65b99910a062daef1dee161c92321c1921da841f557dd007fff828912b5312c51f743b7572dc5e3cedea63c03adcbfc

Download Submit
\Windows\system\HIRKxBT.exe
Filesize
5.9MB

MD5
f31feb19b0212b9240b497b351f566bc

SHA1
526541a25a39a1da863334fb7bc1fb125fea4606

SHA256
580af207a8c6528f31b0d660f65692d8d17a543c3c848cbaca4bd4abd74e9ced

SHA512
65deb9fd4f04a6b2bb8cf2557c93ab4d002122e8077361b629612d287034079f2279f9531dfc0061750b341bff9cd7e767be55861375a9b6f3a6b07c816a7801

Download Submit
\Windows\system\MjchaFr.exe
Filesize
5.9MB

MD5
df507bce532580e78b0c5f1eb08456aa

SHA1
dcebc7e99f8ed00aea3f3b4558e86d5baf3b5cc7

SHA256
6eea5584614ab3042190f61bbf4bc1fcd8dda58f39a59f3b0194c5b4886bd3a6

SHA512
108965cc2b7bcef115b2c1e658d5a7ceb9d53cfb1ee2857b468d5bb4602c3502f4759100d587a45214b8d33aa82ba73093b5398bda1627683298fdd14b5493e5

Download Submit
\Windows\system\OHsInon.exe
Filesize
5.9MB

MD5
ccd73f8685aa4a93afd031db5b4b41e0

SHA1
d87492c70bcc393f67f4a723e9065b55310a2e26

SHA256
8efa808cee3b993afcfb0f89f5bfc9325814339344681bef0d20cdc24e9b8d63

SHA512
7ae016565beaf512b2abe09dc6231ce7e552d066c2e7e27971e3fd86a87535576e596a686fe7105b1e4c86688d7e980ce724876bf3332f6fba6a1560b288b9ea

Download Submit
\Windows\system\aJKdwxj.exe
Filesize
5.9MB

MD5
99fd856bedb1e35abe017c3c2903b716

SHA1
8a631436d193d61cc6d286a7ecccb995eefdc221

SHA256
1a16152df60649727fa4891243d3c45c5120400863552787c52e8cf05baf1020

SHA512
2dbacd2f7f2ee39b5c6cccb1f03eecc0729ec7ed0f4c56afbcd17047e59f7a8d197c21a3e6663f06c48e69949e37333b087757a26cc67b795a904031aae23bf0

Download Submit
\Windows\system\aqGiCoS.exe
Filesize
5.9MB

MD5
7625529086167d075d048e95b4dfb84b

SHA1
7d510f156950a050efb06e591ee26244f2230348

SHA256
2683caed1bff6861d13f670fc79e9f21fb8db6ddc134883515dedf5c3dcc560d

SHA512
c9381099ccff988af65e75b74580f519220555d1f705e1c1500176f26145ca96f4be4a0f4d86063f410af2722ee54e0b53446369132474164c3c91759955e525

Download Submit
\Windows\system\eitQrJI.exe
Filesize
5.9MB

MD5
5435b539d64db51d176a744b2a6f8089

SHA1
ccde6a853c4ee536451bd319653c6f1c3a2ae47c

SHA256
cff0885a1f5c8fbda0671bee9693dea13157301f85a7be1eff1e67b9646dcd52

SHA512
82d31ae5a2368cf732d571b65fc6682299db5faf4de89ce77c41ea6d55dd60e736503da7af4ad28f1d031445de33d032178320961bbfc1899cf3eb48277d1045

Download Submit
\Windows\system\kkeNjfz.exe
Filesize
5.9MB

MD5
07ed965d6dfd42aeb3ba390540c37a28

SHA1
39524935b0d56d594c255a6c3245252ef511399c

SHA256
9a55bc354dd57ac7d6dc851112ada5a9041db848cdd4420945427697f9f3a814

SHA512
4f747b01fd526f097f9d69e2a809a1b52ff68da7dade5531ef8a81d345cc9270c3539a8a1c4469d9e0295be81f85c500a67e26b98dd030a3aae643d27d4e8a46

Download Submit
\Windows\system\liimblG.exe
Filesize
5.9MB

MD5
c481ee3f767ef885c181569bd442bf6c

SHA1
dfee8aabb9d343ad41a01335c3ad5e369b6ab28f

SHA256
ce41a1d498783ec10e90ab0e7ab1e70c7955652431543638a3ebdafa9bb1643d

SHA512
d2a692d039cdcc72e719dc30dee2acd990f0ae3d0cf2318dadc207c780dcc2088e775d5578474289acd5860a446577c764d1d5688c238121a0421a1ebb343ac9

Download Submit
\Windows\system\uaxEckK.exe
Filesize
5.9MB

MD5
9ddc8584ccf11c26b84ca82a06e5caa7

SHA1
3c177d8e07fa23a2d1f0b0e62b2354e60962e041

SHA256
f2119edc69c1cd4837d8c801802dc520c9bb07854b70aa223c216dddb1c76175

SHA512
51759b5bc1828576f1a57fa15e7648bc316af15497564a5e1ef137a9adfa4b730410dccb9ea697e0e76972052d12593daee5ad3d6c010650e6c9e54851300852

Download Submit
memory/1368-131-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-114-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/1368-105-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/1368-116-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/1368-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1368-0-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-46-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1368-117-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1368-115-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/1368-27-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1368-56-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-112-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1368-107-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/1368-108-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1368-8-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-142-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-111-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-141-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2512-104-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2628-45-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2628-135-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2632-139-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-106-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-13-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2688-133-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-109-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2708-144-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2716-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-136-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-138-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2868-63-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2868-132-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2884-57-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2884-137-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2984-113-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2984-140-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/3000-143-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/3000-110-0x000000013F4D0000-0x000000013F824000-memory.dmp

Filesize
3.3MB

Download
memory/3044-134-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-40-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download