cobaltstrike | fbd54c2f3784ddd36045fae5db3907fc111ea3f66b7ab122aa3a4dff87bef653

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

02ae74c082adccc8f0d80c8930067d5b
SHA1

82ca12b9d33db9942bb40467b15d53c535bd8bc0
SHA256

fbd54c2f3784ddd36045fae5db3907fc111ea3f66b7ab122aa3a4dff87bef653
SHA512

be0fd7a6beec89b520a61e18dec1e24a1c19af1925300d9e967cebfcdf80630cba41a06a60a8bf2e5400cf7a9802a96f547c3224a5e2c523983e4d1964328584
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\QuBIvJe.exe	cobalt_reflective_dll
C:\Windows\System\AMLQrZF.exe	cobalt_reflective_dll
C:\Windows\System\whIvTpr.exe	cobalt_reflective_dll
C:\Windows\System\PiJLrmf.exe	cobalt_reflective_dll
C:\Windows\System\zEOkDSa.exe	cobalt_reflective_dll
C:\Windows\System\YTtfsJe.exe	cobalt_reflective_dll
C:\Windows\System\hQtJhGl.exe	cobalt_reflective_dll
C:\Windows\System\SjxmJwU.exe	cobalt_reflective_dll
C:\Windows\System\zrhvgeH.exe	cobalt_reflective_dll
C:\Windows\System\FWbdBKX.exe	cobalt_reflective_dll
C:\Windows\System\gYgkiaU.exe	cobalt_reflective_dll
C:\Windows\System\TQHNxcz.exe	cobalt_reflective_dll
C:\Windows\System\MTCjVEA.exe	cobalt_reflective_dll
C:\Windows\System\gmiRpJE.exe	cobalt_reflective_dll
C:\Windows\System\oiPrrOB.exe	cobalt_reflective_dll
C:\Windows\System\mlWXZuR.exe	cobalt_reflective_dll
C:\Windows\System\IgrMrcl.exe	cobalt_reflective_dll
C:\Windows\System\trYAVax.exe	cobalt_reflective_dll
C:\Windows\System\mPvUtbi.exe	cobalt_reflective_dll
C:\Windows\System\EymuGNQ.exe	cobalt_reflective_dll
C:\Windows\System\eabUMaw.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\QuBIvJe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AMLQrZF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\whIvTpr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PiJLrmf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zEOkDSa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YTtfsJe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hQtJhGl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SjxmJwU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zrhvgeH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FWbdBKX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gYgkiaU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TQHNxcz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MTCjVEA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gmiRpJE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oiPrrOB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mlWXZuR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IgrMrcl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\trYAVax.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mPvUtbi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EymuGNQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eabUMaw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1288-0-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	UPX
C:\Windows\System\QuBIvJe.exe	UPX
behavioral2/memory/3620-7-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	UPX
C:\Windows\System\AMLQrZF.exe	UPX
C:\Windows\System\whIvTpr.exe	UPX
C:\Windows\System\PiJLrmf.exe	UPX
behavioral2/memory/2428-20-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	UPX
behavioral2/memory/1916-24-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	UPX
C:\Windows\System\zEOkDSa.exe	UPX
C:\Windows\System\YTtfsJe.exe	UPX
behavioral2/memory/2356-37-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	UPX
C:\Windows\System\hQtJhGl.exe	UPX
C:\Windows\System\SjxmJwU.exe	UPX
behavioral2/memory/4088-44-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	UPX
behavioral2/memory/2244-38-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	UPX
behavioral2/memory/4080-12-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	UPX
C:\Windows\System\zrhvgeH.exe	UPX
C:\Windows\System\FWbdBKX.exe	UPX
C:\Windows\System\gYgkiaU.exe	UPX
C:\Windows\System\TQHNxcz.exe	UPX
C:\Windows\System\MTCjVEA.exe	UPX
C:\Windows\System\gmiRpJE.exe	UPX
C:\Windows\System\oiPrrOB.exe	UPX
C:\Windows\System\mlWXZuR.exe	UPX
C:\Windows\System\IgrMrcl.exe	UPX
C:\Windows\System\trYAVax.exe	UPX
C:\Windows\System\mPvUtbi.exe	UPX
C:\Windows\System\EymuGNQ.exe	UPX
C:\Windows\System\eabUMaw.exe	UPX
behavioral2/memory/3620-115-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	UPX
behavioral2/memory/1288-114-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	UPX
behavioral2/memory/4080-116-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	UPX
behavioral2/memory/2428-117-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	UPX
behavioral2/memory/1916-118-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	UPX
behavioral2/memory/4088-121-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	UPX
behavioral2/memory/3308-122-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	UPX
behavioral2/memory/2608-123-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	UPX
behavioral2/memory/4556-124-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	UPX
behavioral2/memory/4256-125-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	UPX
behavioral2/memory/4964-126-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	UPX
behavioral2/memory/4232-127-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	UPX
behavioral2/memory/4720-128-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp	UPX
behavioral2/memory/3160-129-0x00007FF625320000-0x00007FF625671000-memory.dmp	UPX
behavioral2/memory/3752-130-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp	UPX
behavioral2/memory/3320-131-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp	UPX
behavioral2/memory/792-132-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp	UPX
behavioral2/memory/3748-133-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	UPX
behavioral2/memory/2316-134-0x00007FF758020000-0x00007FF758371000-memory.dmp	UPX
behavioral2/memory/1384-135-0x00007FF733C30000-0x00007FF733F81000-memory.dmp	UPX
behavioral2/memory/1288-136-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	UPX
behavioral2/memory/1288-158-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	UPX
behavioral2/memory/3620-183-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	UPX
behavioral2/memory/4080-186-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	UPX
behavioral2/memory/2428-187-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	UPX
behavioral2/memory/2244-192-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	UPX
behavioral2/memory/1916-191-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	UPX
behavioral2/memory/4088-195-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	UPX
behavioral2/memory/2356-194-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	UPX
behavioral2/memory/3308-197-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	UPX
behavioral2/memory/2608-205-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	UPX
behavioral2/memory/4556-207-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	UPX
behavioral2/memory/4256-209-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	UPX
behavioral2/memory/4964-212-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	UPX
behavioral2/memory/4232-214-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2428-20-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	xmrig
behavioral2/memory/2356-37-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	xmrig
behavioral2/memory/4088-44-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	xmrig
behavioral2/memory/2244-38-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	xmrig
behavioral2/memory/3620-115-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	xmrig
behavioral2/memory/1288-114-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	xmrig
behavioral2/memory/4080-116-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	xmrig
behavioral2/memory/2428-117-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	xmrig
behavioral2/memory/1916-118-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	xmrig
behavioral2/memory/4088-121-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	xmrig
behavioral2/memory/3308-122-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	xmrig
behavioral2/memory/2608-123-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	xmrig
behavioral2/memory/4556-124-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	xmrig
behavioral2/memory/4256-125-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	xmrig
behavioral2/memory/4964-126-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	xmrig
behavioral2/memory/4232-127-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	xmrig
behavioral2/memory/4720-128-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp	xmrig
behavioral2/memory/3160-129-0x00007FF625320000-0x00007FF625671000-memory.dmp	xmrig
behavioral2/memory/3752-130-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp	xmrig
behavioral2/memory/3320-131-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp	xmrig
behavioral2/memory/792-132-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp	xmrig
behavioral2/memory/3748-133-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	xmrig
behavioral2/memory/2316-134-0x00007FF758020000-0x00007FF758371000-memory.dmp	xmrig
behavioral2/memory/1384-135-0x00007FF733C30000-0x00007FF733F81000-memory.dmp	xmrig
behavioral2/memory/1288-136-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	xmrig
behavioral2/memory/1288-158-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	xmrig
behavioral2/memory/3620-183-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	xmrig
behavioral2/memory/4080-186-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	xmrig
behavioral2/memory/2428-187-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	xmrig
behavioral2/memory/2244-192-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	xmrig
behavioral2/memory/1916-191-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	xmrig
behavioral2/memory/4088-195-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	xmrig
behavioral2/memory/2356-194-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	xmrig
behavioral2/memory/3308-197-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	xmrig
behavioral2/memory/2608-205-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	xmrig
behavioral2/memory/4556-207-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	xmrig
behavioral2/memory/4256-209-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	xmrig
behavioral2/memory/4964-212-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	xmrig
behavioral2/memory/4232-214-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	xmrig
behavioral2/memory/4720-216-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp	xmrig
behavioral2/memory/3160-217-0x00007FF625320000-0x00007FF625671000-memory.dmp	xmrig
behavioral2/memory/3320-221-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp	xmrig
behavioral2/memory/792-223-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp	xmrig
behavioral2/memory/3752-222-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp	xmrig
behavioral2/memory/1384-227-0x00007FF733C30000-0x00007FF733F81000-memory.dmp	xmrig
behavioral2/memory/3748-229-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	xmrig
behavioral2/memory/2316-228-0x00007FF758020000-0x00007FF758371000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

QuBIvJe.exeAMLQrZF.exewhIvTpr.exePiJLrmf.exezEOkDSa.exeYTtfsJe.exehQtJhGl.exeSjxmJwU.exezrhvgeH.exeFWbdBKX.exegYgkiaU.exeeabUMaw.exeTQHNxcz.exeMTCjVEA.exegmiRpJE.exeoiPrrOB.exemlWXZuR.exeIgrMrcl.exeEymuGNQ.exetrYAVax.exemPvUtbi.exe

pid	process
3620	QuBIvJe.exe
4080	AMLQrZF.exe
2428	whIvTpr.exe
1916	PiJLrmf.exe
2356	zEOkDSa.exe
2244	YTtfsJe.exe
4088	hQtJhGl.exe
3308	SjxmJwU.exe
2608	zrhvgeH.exe
4556	FWbdBKX.exe
4256	gYgkiaU.exe
4964	eabUMaw.exe
4232	TQHNxcz.exe
4720	MTCjVEA.exe
3160	gmiRpJE.exe
3752	oiPrrOB.exe
3320	mlWXZuR.exe
792	IgrMrcl.exe
3748	EymuGNQ.exe
2316	trYAVax.exe
1384	mPvUtbi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1288-0-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	upx
C:\Windows\System\QuBIvJe.exe	upx
behavioral2/memory/3620-7-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	upx
C:\Windows\System\AMLQrZF.exe	upx
C:\Windows\System\whIvTpr.exe	upx
C:\Windows\System\PiJLrmf.exe	upx
behavioral2/memory/2428-20-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	upx
behavioral2/memory/1916-24-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	upx
C:\Windows\System\zEOkDSa.exe	upx
C:\Windows\System\YTtfsJe.exe	upx
behavioral2/memory/2356-37-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	upx
C:\Windows\System\hQtJhGl.exe	upx
C:\Windows\System\SjxmJwU.exe	upx
behavioral2/memory/4088-44-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	upx
behavioral2/memory/2244-38-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	upx
behavioral2/memory/4080-12-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	upx
C:\Windows\System\zrhvgeH.exe	upx
C:\Windows\System\FWbdBKX.exe	upx
C:\Windows\System\gYgkiaU.exe	upx
C:\Windows\System\TQHNxcz.exe	upx
C:\Windows\System\MTCjVEA.exe	upx
C:\Windows\System\gmiRpJE.exe	upx
C:\Windows\System\oiPrrOB.exe	upx
C:\Windows\System\mlWXZuR.exe	upx
C:\Windows\System\IgrMrcl.exe	upx
C:\Windows\System\trYAVax.exe	upx
C:\Windows\System\mPvUtbi.exe	upx
C:\Windows\System\EymuGNQ.exe	upx
C:\Windows\System\eabUMaw.exe	upx
behavioral2/memory/3620-115-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	upx
behavioral2/memory/1288-114-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	upx
behavioral2/memory/4080-116-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	upx
behavioral2/memory/2428-117-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	upx
behavioral2/memory/1916-118-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	upx
behavioral2/memory/4088-121-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	upx
behavioral2/memory/3308-122-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	upx
behavioral2/memory/2608-123-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	upx
behavioral2/memory/4556-124-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	upx
behavioral2/memory/4256-125-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	upx
behavioral2/memory/4964-126-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	upx
behavioral2/memory/4232-127-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	upx
behavioral2/memory/4720-128-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp	upx
behavioral2/memory/3160-129-0x00007FF625320000-0x00007FF625671000-memory.dmp	upx
behavioral2/memory/3752-130-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp	upx
behavioral2/memory/3320-131-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp	upx
behavioral2/memory/792-132-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp	upx
behavioral2/memory/3748-133-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp	upx
behavioral2/memory/2316-134-0x00007FF758020000-0x00007FF758371000-memory.dmp	upx
behavioral2/memory/1384-135-0x00007FF733C30000-0x00007FF733F81000-memory.dmp	upx
behavioral2/memory/1288-136-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	upx
behavioral2/memory/1288-158-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp	upx
behavioral2/memory/3620-183-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp	upx
behavioral2/memory/4080-186-0x00007FF6413C0000-0x00007FF641711000-memory.dmp	upx
behavioral2/memory/2428-187-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp	upx
behavioral2/memory/2244-192-0x00007FF748950000-0x00007FF748CA1000-memory.dmp	upx
behavioral2/memory/1916-191-0x00007FF760050000-0x00007FF7603A1000-memory.dmp	upx
behavioral2/memory/4088-195-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp	upx
behavioral2/memory/2356-194-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp	upx
behavioral2/memory/3308-197-0x00007FF7214F0000-0x00007FF721841000-memory.dmp	upx
behavioral2/memory/2608-205-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp	upx
behavioral2/memory/4556-207-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp	upx
behavioral2/memory/4256-209-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp	upx
behavioral2/memory/4964-212-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp	upx
behavioral2/memory/4232-214-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\EymuGNQ.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FWbdBKX.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gYgkiaU.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gmiRpJE.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oiPrrOB.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IgrMrcl.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjxmJwU.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zrhvgeH.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\trYAVax.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eabUMaw.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TQHNxcz.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MTCjVEA.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuBIvJe.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AMLQrZF.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PiJLrmf.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zEOkDSa.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hQtJhGl.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mlWXZuR.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\whIvTpr.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YTtfsJe.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mPvUtbi.exe	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1288 wrote to memory of 3620	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	QuBIvJe.exe
PID 1288 wrote to memory of 3620	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	QuBIvJe.exe
PID 1288 wrote to memory of 4080	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	AMLQrZF.exe
PID 1288 wrote to memory of 4080	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	AMLQrZF.exe
PID 1288 wrote to memory of 2428	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	whIvTpr.exe
PID 1288 wrote to memory of 2428	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	whIvTpr.exe
PID 1288 wrote to memory of 1916	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	PiJLrmf.exe
PID 1288 wrote to memory of 1916	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	PiJLrmf.exe
PID 1288 wrote to memory of 2356	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	zEOkDSa.exe
PID 1288 wrote to memory of 2356	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	zEOkDSa.exe
PID 1288 wrote to memory of 2244	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	YTtfsJe.exe
PID 1288 wrote to memory of 2244	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	YTtfsJe.exe
PID 1288 wrote to memory of 4088	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	hQtJhGl.exe
PID 1288 wrote to memory of 4088	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	hQtJhGl.exe
PID 1288 wrote to memory of 3308	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	SjxmJwU.exe
PID 1288 wrote to memory of 3308	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	SjxmJwU.exe
PID 1288 wrote to memory of 2608	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	zrhvgeH.exe
PID 1288 wrote to memory of 2608	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	zrhvgeH.exe
PID 1288 wrote to memory of 4556	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	FWbdBKX.exe
PID 1288 wrote to memory of 4556	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	FWbdBKX.exe
PID 1288 wrote to memory of 4256	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gYgkiaU.exe
PID 1288 wrote to memory of 4256	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gYgkiaU.exe
PID 1288 wrote to memory of 4964	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	eabUMaw.exe
PID 1288 wrote to memory of 4964	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	eabUMaw.exe
PID 1288 wrote to memory of 4232	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	TQHNxcz.exe
PID 1288 wrote to memory of 4232	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	TQHNxcz.exe
PID 1288 wrote to memory of 4720	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	MTCjVEA.exe
PID 1288 wrote to memory of 4720	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	MTCjVEA.exe
PID 1288 wrote to memory of 3160	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gmiRpJE.exe
PID 1288 wrote to memory of 3160	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	gmiRpJE.exe
PID 1288 wrote to memory of 3752	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	oiPrrOB.exe
PID 1288 wrote to memory of 3752	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	oiPrrOB.exe
PID 1288 wrote to memory of 3320	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mlWXZuR.exe
PID 1288 wrote to memory of 3320	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mlWXZuR.exe
PID 1288 wrote to memory of 792	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	IgrMrcl.exe
PID 1288 wrote to memory of 792	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	IgrMrcl.exe
PID 1288 wrote to memory of 3748	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	EymuGNQ.exe
PID 1288 wrote to memory of 3748	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	EymuGNQ.exe
PID 1288 wrote to memory of 2316	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	trYAVax.exe
PID 1288 wrote to memory of 2316	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	trYAVax.exe
PID 1288 wrote to memory of 1384	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mPvUtbi.exe
PID 1288 wrote to memory of 1384	1288	2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe	mPvUtbi.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_02ae74c082adccc8f0d80c8930067d5b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\System\QuBIvJe.exe
C:\Windows\System\QuBIvJe.exe
2⤵
- Executes dropped EXE
PID:3620

C:\Windows\System\AMLQrZF.exe
C:\Windows\System\AMLQrZF.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System\whIvTpr.exe
C:\Windows\System\whIvTpr.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\PiJLrmf.exe
C:\Windows\System\PiJLrmf.exe
2⤵
- Executes dropped EXE
PID:1916

C:\Windows\System\zEOkDSa.exe
C:\Windows\System\zEOkDSa.exe
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\System\YTtfsJe.exe
C:\Windows\System\YTtfsJe.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Windows\System\hQtJhGl.exe
C:\Windows\System\hQtJhGl.exe
2⤵
- Executes dropped EXE
PID:4088

C:\Windows\System\SjxmJwU.exe
C:\Windows\System\SjxmJwU.exe
2⤵
- Executes dropped EXE
PID:3308

C:\Windows\System\zrhvgeH.exe
C:\Windows\System\zrhvgeH.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\FWbdBKX.exe
C:\Windows\System\FWbdBKX.exe
2⤵
- Executes dropped EXE
PID:4556

C:\Windows\System\gYgkiaU.exe
C:\Windows\System\gYgkiaU.exe
2⤵
- Executes dropped EXE
PID:4256

C:\Windows\System\eabUMaw.exe
C:\Windows\System\eabUMaw.exe
2⤵
- Executes dropped EXE
PID:4964

C:\Windows\System\TQHNxcz.exe
C:\Windows\System\TQHNxcz.exe
2⤵
- Executes dropped EXE
PID:4232

C:\Windows\System\MTCjVEA.exe
C:\Windows\System\MTCjVEA.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System\gmiRpJE.exe
C:\Windows\System\gmiRpJE.exe
2⤵
- Executes dropped EXE
PID:3160

C:\Windows\System\oiPrrOB.exe
C:\Windows\System\oiPrrOB.exe
2⤵
- Executes dropped EXE
PID:3752

C:\Windows\System\mlWXZuR.exe
C:\Windows\System\mlWXZuR.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Windows\System\IgrMrcl.exe
C:\Windows\System\IgrMrcl.exe
2⤵
- Executes dropped EXE
PID:792

C:\Windows\System\EymuGNQ.exe
C:\Windows\System\EymuGNQ.exe
2⤵
- Executes dropped EXE
PID:3748

C:\Windows\System\trYAVax.exe
C:\Windows\System\trYAVax.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\mPvUtbi.exe
C:\Windows\System\mPvUtbi.exe
2⤵
- Executes dropped EXE
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:2380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AMLQrZF.exe
Filesize
5.2MB

MD5
028fde67bb55467634945fbdadc45fe2

SHA1
842c8e9a14515c871e6525e143a78563a8b6581d

SHA256
acf90d7db6c887a32ec6fd8b70671f1134039d2c74e9f06043fa3178fb2bac33

SHA512
e2e80025f86e12f9515d84dcb72d50e53625de995e5665b5bf80f94efb0964685f662bc76a2c4710a16e19b413ad66dbc1058398d897d479f805836d56cf6afe

Download Submit
C:\Windows\System\EymuGNQ.exe
Filesize
5.2MB

MD5
867c81a2cb6d89db376dcea61d5fa1e3

SHA1
65aae30d9c35d68f183957e129de315b24e3a32b

SHA256
bb886e7ee6e0ad0732f1a2ff7164d4ff910a45377904380990fead28d5f48aa6

SHA512
fd132becd408fcb2bb4931441c9d72a88988c66b5f597728ed22be1f8b3165dc447a00919a17285e80fe8ebfd78e9ab7e87647d426099a9c3bc6806ec3eb5be3

Download Submit
C:\Windows\System\FWbdBKX.exe
Filesize
5.2MB

MD5
3889991e4627cd3b7ed52d7b67a7e24b

SHA1
75014b99334675dba8df4d255cb8b75199edad2e

SHA256
554354fd11e43b3f6f2441621421fac1fe2eca7f573573e8789d0f7de0fb5bf8

SHA512
9f645e74b47a640d58bf0a68d9791d59cd529f0087206284e1d5f2f31b1df258c1736bfe0d1b5053f64971cab2e8ca1ed9092861190d45aa779f45e3b7cee4a6

Download Submit
C:\Windows\System\IgrMrcl.exe
Filesize
5.2MB

MD5
1e74aa5dc54de68f0b6840b5e092ecd4

SHA1
204d83c3059c2c509939a733fdaf7422618b15fd

SHA256
61303a9ff4c142f9b0c19e9469dfd71b358157e624e914f04100835ec711477f

SHA512
1aa7d180f920f058f7e4b5e9b177feb555ba56bd647b36d093281eb4e2c6dd7e7037b15445a79d9496e3e2615c4b68e4db230749d1a36ee9f47203b6c8d3a82b

Download Submit
C:\Windows\System\MTCjVEA.exe
Filesize
5.2MB

MD5
097c33d1c41198e483da2989b0918d11

SHA1
b6430a0e0cf7cba6e242808d64042e678f920000

SHA256
dbdfe80df0aa1b63ecabccb5b8be4c8002875b3ddf496dee8e918876499da0ed

SHA512
c20ea6e087336f1f5a4bc16240dc4f6c5f661a25f78a9a3da3c62ac8c4e0a77a1acf04a103d2845dbea5f5775974c76e3bfa1b4d033c21120a6edece5219a0b3

Download Submit
C:\Windows\System\PiJLrmf.exe
Filesize
5.2MB

MD5
25495dc3d292a244790d80754b78fe02

SHA1
62c1093c8fc47c7e89e8e8faafe84ea3f2a04f0f

SHA256
d2a831d9078e7c221d9696899eb8733c618f37ffb95c74d1acb53c1b99c166b4

SHA512
05dc05b9569ecfbb96fb06d0b1473ab8684c407165277c45df06555dfbbcfcf4d8791dc746714cb7cfa9c4c3874ae0a5d86d09643e40961e0a16488af8646e40

Download Submit
C:\Windows\System\QuBIvJe.exe
Filesize
5.2MB

MD5
885ea501b96402e4261ec8252c39747f

SHA1
27850b6a03037b1fea680cf3f25bd2429174041e

SHA256
160522852ae4ec842c49581b72236d8c81a612609a2c015a011691e91f83fd9b

SHA512
75d6ff79b7174eabbf010219bd3d58cde4f1e431fed465ebc657a779be40cddc4922ef4a668226472ceea29339723d0a2c58186ab3dd02bd05b957cfebb5d999

Download Submit
C:\Windows\System\SjxmJwU.exe
Filesize
5.2MB

MD5
4c144375ab44247d1a4281f49d049eab

SHA1
b223d6a11445cdb84e4d2231e7e7836e6e37705d

SHA256
83ea8bbe51811cd72a350049939f8e15a0371a5b60a6d73f9ebc167eddc63061

SHA512
d171e93948004447dc9d91513664ae3dce342e2a9b2ac2dc62527a5fb997010f7b67a7f4864cd21cea207da97cb88f457a48382227fbff4a5f8b3fdda9fa4b06

Download Submit
C:\Windows\System\TQHNxcz.exe
Filesize
5.2MB

MD5
0258236462ea02af0785ddfbdc146dff

SHA1
c7a4a02b3ccb7af77f8b0c16baf31b7fe8d067f6

SHA256
0e313ae70af8808f55d7ea1cc5d47b5f95e17c74a319082154fcbe0c79e14d0b

SHA512
c149608931273a095ad3c8c6a9a24f862397a18dca6973dfc8541e434616c89cad215fe41ed16eee16f26c1db61c094f530d04bdc9de164924c487eb0c492d4d

Download Submit
C:\Windows\System\YTtfsJe.exe
Filesize
5.2MB

MD5
8e469be52a7aa4124355d882d6503c34

SHA1
f793e367fc567701ece94f935a07b156f0f706e8

SHA256
36ceb9c6d13d75434eb486d8506b5ea37f5c8357e74f1e0085d29a991aac9de3

SHA512
384a177a2cb539ce9adcc73f50912407cdd3edd2b5ddcf6b8b83edad6ef8050b0f94f16c464f11fb8d5aba12a3c28583f4d96a09595e0df9b783615e6ee94581

Download Submit
C:\Windows\System\eabUMaw.exe
Filesize
5.2MB

MD5
ec268903283ed9b91d0e2e0c02e440db

SHA1
9123c743492b63ff5a2004845763fe824c8d1aff

SHA256
e04f687ad533c1793e208593999d5fd7ce45ee38f8dd29ea17b2cfd5b1c18d6f

SHA512
4fbe3b2a587422d7757b4a82cf46ebe732a148982ee710320c43e9f981a1c6b053aaca546ed51fa624200288597e0a8b51b6a254e1b3c3b8606d93685c7827db

Download Submit
C:\Windows\System\gYgkiaU.exe
Filesize
5.2MB

MD5
fb6513635ce103a2778955afa0a5f821

SHA1
198cd225c2898913b7d467ba21f5a4a0bb75d02a

SHA256
421709865ce82adc0c4621bc9be980d35fb1a4e6a1168a0567b231ed69a19b2c

SHA512
0067e1be73a0270afd52d3361fd3a0cf8cf912d8cf82b32450b4e719ff5ecbc2fc85648cc032730db631509ad02b67aa73f9f44d8e09a8f3e32fb2909dcf27d5

Download Submit
C:\Windows\System\gmiRpJE.exe
Filesize
5.2MB

MD5
a7546e4c4180c6b86addb71f35ce7fde

SHA1
bf140100bfd6594202957f148d158dc8eeb326f6

SHA256
936a19872f1b329dd69a2932c481667e5cd849fb29b96d51160a28dcb642cedb

SHA512
0a27bcf80dce8e87d15b465cbea580ccc08e9c7cd4d51ecdc77079a4e4e3c22a4b1385078ca3c17c60bc946e7533143318fd4208cc3aaf1c1d40c644e9f28bfe

Download Submit
C:\Windows\System\hQtJhGl.exe
Filesize
5.2MB

MD5
81ce93d49b97d46c3318c82aa9b164bd

SHA1
c64c2527c92b205da2b46e1c58fcf53055eac85f

SHA256
fe5a12c5affb1646f1b9524480e91904cde3c1ff72bdc1337d38ddac382f5933

SHA512
8d585ccc36b554e949b9ca627de8d88713fe0fcba8d3b9e5d3a2d80b97568690f2d5068818a3072a37be0037869ffae51529e3365bbf829eefb2ab663e78ac89

Download Submit
C:\Windows\System\mPvUtbi.exe
Filesize
5.2MB

MD5
e979619c1b4f4770178ffd3b5e417211

SHA1
71e626705f4166eb5d58dbb2c20335b9c599cec3

SHA256
27178adb824feb0b68ecf2c75f5c5cc8ac3efdcf8812abe0b3b966bb320a62ad

SHA512
b7669d8032c52b4ffefe6a6526ecea7126e8f06d0b2701fd539f8e24d9092a09b4d6dde000279dac11722894a17dfd082148102941636f8f0e6bcbdb55245701

Download Submit
C:\Windows\System\mlWXZuR.exe
Filesize
5.2MB

MD5
92bc105c35d617c1f41b98fb81224a95

SHA1
6a45c19743b34a0421925a2d6ac6d305d614d371

SHA256
fc90ce5fc19708744ffec22c87b55a9f7f9785dc025c731792387f75f87c0def

SHA512
c6ac4a115b482998652ec3e19bb40b2b0f3a396f54923944c7d9f5da8d14024ff96e23784ba52144b6c5c9461bd74a242ab090e983206754c76eb9ee766f066e

Download Submit
C:\Windows\System\oiPrrOB.exe
Filesize
5.2MB

MD5
edbf6b36992d3ca17c0e9cc3c425c15f

SHA1
a8f97dcbe7c3da999e35c31707140503a5ecbe0e

SHA256
4d09a98c14f55a852a6e47c85af315d0ce37fb82b3621ebf498fa16642932205

SHA512
2f04cb13408f396ccc54dc62747cecb2795969fd8d7e37bfffdae18383050aa3ce036fa81a8903fc463eabbb4b140dac013018c5dfa3cfdb86468081b18506ee

Download Submit
C:\Windows\System\trYAVax.exe
Filesize
5.2MB

MD5
cda35918725685b4a9467f64e38a58d9

SHA1
721ad5385c1c99b7af61d234aab4df1a52c61358

SHA256
bfcd85a9f7c4877baa03de46949e88c72f77d73cae61fb03f40ca01a257652fe

SHA512
0f911241e51f4a19be5d0fa90bb86de9eb26695a66427a016a135f987d2f06a8a52dd421aabf19f1bb38c16e1263b00ef4de4622e9c4f41d4f7ecf8776ab2ad7

Download Submit
C:\Windows\System\whIvTpr.exe
Filesize
5.2MB

MD5
9ddf6a17c0c29791687d7bac7d448ec3

SHA1
c9e008819e801088126e3aab5ee47d5333ff575e

SHA256
8ab8f71b13074da59faf89be127cb651fd99d37fe1ef011401c5070ad6d6b7e7

SHA512
e9bafb81bf38cf48971d673cef8c4039dba824f9beb9d474e853917c881845040b33cb2097d0861ba40febdace13344f277da2cdca14ec7ecc45153857efd2a6

Download Submit
C:\Windows\System\zEOkDSa.exe
Filesize
5.2MB

MD5
ca7db9be4b6d7122f87df0f820118e99

SHA1
e0941311e0fd5322e0ba07b80009f22887b0244f

SHA256
ed86d3c7740b9610b53067bf49a271444f794ada0d51c39c657c5ab555a9915a

SHA512
e7d9b6be618d8381efc73ec898922a47ce4d865149257d0bd65ff9e700f80fbfce9b123a78a04a9aa271b1d60c54b17020262237e868da4a90fbb00b834d85db

Download Submit
C:\Windows\System\zrhvgeH.exe
Filesize
5.2MB

MD5
4c49ab4402337a17111ced73f5986eb5

SHA1
d20090ba989b67843decbb352e602f1ee628e081

SHA256
3086e33c538cecb58878a8c1f9160937dce0097e00ff2bfc191c821c7f2b430a

SHA512
cabd56a1a19bc08af52efd7772d716c1fc350f92936337dd87f8dc4932dd2cabe55667dd61f802b142b3a66b5d20e419edad9e08003ca060becd5c47ed4ce5b7

Download Submit
memory/792-132-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp

Filesize
3.3MB

Download
memory/792-223-0x00007FF6D7730000-0x00007FF6D7A81000-memory.dmp

Filesize
3.3MB

Download
memory/1288-0-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-136-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-158-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1288-1-0x00000224CBA70000-0x00000224CBA80000-memory.dmp

Filesize
64KB

Download
memory/1288-114-0x00007FF61B8A0000-0x00007FF61BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/1384-227-0x00007FF733C30000-0x00007FF733F81000-memory.dmp

Filesize
3.3MB

Download
memory/1384-135-0x00007FF733C30000-0x00007FF733F81000-memory.dmp

Filesize
3.3MB

Download
memory/1916-24-0x00007FF760050000-0x00007FF7603A1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-191-0x00007FF760050000-0x00007FF7603A1000-memory.dmp

Filesize
3.3MB

Download
memory/1916-118-0x00007FF760050000-0x00007FF7603A1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-38-0x00007FF748950000-0x00007FF748CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-192-0x00007FF748950000-0x00007FF748CA1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-228-0x00007FF758020000-0x00007FF758371000-memory.dmp

Filesize
3.3MB

Download
memory/2316-134-0x00007FF758020000-0x00007FF758371000-memory.dmp

Filesize
3.3MB

Download
memory/2356-194-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp

Filesize
3.3MB

Download
memory/2356-37-0x00007FF79C740000-0x00007FF79CA91000-memory.dmp

Filesize
3.3MB

Download
memory/2428-187-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp

Filesize
3.3MB

Download
memory/2428-117-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp

Filesize
3.3MB

Download
memory/2428-20-0x00007FF6AE930000-0x00007FF6AEC81000-memory.dmp

Filesize
3.3MB

Download
memory/2608-123-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp

Filesize
3.3MB

Download
memory/2608-205-0x00007FF6CEF20000-0x00007FF6CF271000-memory.dmp

Filesize
3.3MB

Download
memory/3160-129-0x00007FF625320000-0x00007FF625671000-memory.dmp

Filesize
3.3MB

Download
memory/3160-217-0x00007FF625320000-0x00007FF625671000-memory.dmp

Filesize
3.3MB

Download
memory/3308-197-0x00007FF7214F0000-0x00007FF721841000-memory.dmp

Filesize
3.3MB

Download
memory/3308-122-0x00007FF7214F0000-0x00007FF721841000-memory.dmp

Filesize
3.3MB

Download
memory/3320-131-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp

Filesize
3.3MB

Download
memory/3320-221-0x00007FF6B5D60000-0x00007FF6B60B1000-memory.dmp

Filesize
3.3MB

Download
memory/3620-183-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp

Filesize
3.3MB

Download
memory/3620-7-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp

Filesize
3.3MB

Download
memory/3620-115-0x00007FF67D090000-0x00007FF67D3E1000-memory.dmp

Filesize
3.3MB

Download
memory/3748-229-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3748-133-0x00007FF7E0960000-0x00007FF7E0CB1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-130-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-222-0x00007FF614B90000-0x00007FF614EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-116-0x00007FF6413C0000-0x00007FF641711000-memory.dmp

Filesize
3.3MB

Download
memory/4080-12-0x00007FF6413C0000-0x00007FF641711000-memory.dmp

Filesize
3.3MB

Download
memory/4080-186-0x00007FF6413C0000-0x00007FF641711000-memory.dmp

Filesize
3.3MB

Download
memory/4088-195-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-44-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4088-121-0x00007FF66F150000-0x00007FF66F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/4232-214-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp

Filesize
3.3MB

Download
memory/4232-127-0x00007FF740AE0000-0x00007FF740E31000-memory.dmp

Filesize
3.3MB

Download
memory/4256-209-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp

Filesize
3.3MB

Download
memory/4256-125-0x00007FF76CCD0000-0x00007FF76D021000-memory.dmp

Filesize
3.3MB

Download
memory/4556-207-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp

Filesize
3.3MB

Download
memory/4556-124-0x00007FF7D4D40000-0x00007FF7D5091000-memory.dmp

Filesize
3.3MB

Download
memory/4720-216-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-128-0x00007FF72A070000-0x00007FF72A3C1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-126-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp

Filesize
3.3MB

Download
memory/4964-212-0x00007FF7E8030000-0x00007FF7E8381000-memory.dmp

Filesize
3.3MB

Download