cobaltstrike | ce17babb4a3b210807c39de42c0e23cb3fca611439f47d9d27012bc6350c1e16

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

32575eaae95a51e89bdc0875ed2b0f37
SHA1

7770cb64cf9db4138a97c654b49fbaebf8574994
SHA256

ce17babb4a3b210807c39de42c0e23cb3fca611439f47d9d27012bc6350c1e16
SHA512

5581742f53ac64d6a059f3021cb8a3f2b53d5d0607818a004b01bf598952ce0feb55d7450e2b4b5504eace59dcafeb0aa163896937beb4a834e32821aa477ec8
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vtsKMHk.exe	cobalt_reflective_dll
C:\Windows\System\AuUJMmp.exe	cobalt_reflective_dll
C:\Windows\System\MYXWMRe.exe	cobalt_reflective_dll
C:\Windows\System\MZOcNki.exe	cobalt_reflective_dll
C:\Windows\System\AdHClHZ.exe	cobalt_reflective_dll
C:\Windows\System\niExOAI.exe	cobalt_reflective_dll
C:\Windows\System\qYkFgQc.exe	cobalt_reflective_dll
C:\Windows\System\juNrKrU.exe	cobalt_reflective_dll
C:\Windows\System\uLoNBit.exe	cobalt_reflective_dll
C:\Windows\System\gNMzoFI.exe	cobalt_reflective_dll
C:\Windows\System\IdHUoNp.exe	cobalt_reflective_dll
C:\Windows\System\rVDwUHh.exe	cobalt_reflective_dll
C:\Windows\System\gADrjYy.exe	cobalt_reflective_dll
C:\Windows\System\FVbWaXA.exe	cobalt_reflective_dll
C:\Windows\System\DQTNEXu.exe	cobalt_reflective_dll
C:\Windows\System\FqHUPjN.exe	cobalt_reflective_dll
C:\Windows\System\jmAuPtu.exe	cobalt_reflective_dll
C:\Windows\System\gtCOeeo.exe	cobalt_reflective_dll
C:\Windows\System\ADbxvuW.exe	cobalt_reflective_dll
C:\Windows\System\DgvyNVM.exe	cobalt_reflective_dll
C:\Windows\System\KIGaGxg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\vtsKMHk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AuUJMmp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MYXWMRe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MZOcNki.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AdHClHZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\niExOAI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qYkFgQc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\juNrKrU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uLoNBit.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gNMzoFI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IdHUoNp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rVDwUHh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gADrjYy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FVbWaXA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DQTNEXu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FqHUPjN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jmAuPtu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gtCOeeo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ADbxvuW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DgvyNVM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KIGaGxg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3680-0-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	UPX
C:\Windows\System\vtsKMHk.exe	UPX
C:\Windows\System\AuUJMmp.exe	UPX
C:\Windows\System\MYXWMRe.exe	UPX
C:\Windows\System\MZOcNki.exe	UPX
behavioral2/memory/3636-32-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	UPX
C:\Windows\System\AdHClHZ.exe	UPX
behavioral2/memory/1792-21-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	UPX
C:\Windows\System\niExOAI.exe	UPX
C:\Windows\System\qYkFgQc.exe	UPX
C:\Windows\System\juNrKrU.exe	UPX
behavioral2/memory/3640-13-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	UPX
C:\Windows\System\uLoNBit.exe	UPX
C:\Windows\System\gNMzoFI.exe	UPX
C:\Windows\System\IdHUoNp.exe	UPX
C:\Windows\System\rVDwUHh.exe	UPX
C:\Windows\System\gADrjYy.exe	UPX
behavioral2/memory/1264-118-0x00007FF792D40000-0x00007FF793091000-memory.dmp	UPX
behavioral2/memory/3624-121-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	UPX
behavioral2/memory/116-125-0x00007FF668C10000-0x00007FF668F61000-memory.dmp	UPX
behavioral2/memory/2600-126-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp	UPX
behavioral2/memory/64-124-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	UPX
behavioral2/memory/4860-123-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp	UPX
behavioral2/memory/4468-122-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp	UPX
behavioral2/memory/4628-120-0x00007FF765030000-0x00007FF765381000-memory.dmp	UPX
behavioral2/memory/1272-119-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp	UPX
behavioral2/memory/3896-117-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp	UPX
behavioral2/memory/660-116-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp	UPX
behavioral2/memory/2316-114-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp	UPX
C:\Windows\System\FVbWaXA.exe	UPX
behavioral2/memory/8-109-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	UPX
C:\Windows\System\DQTNEXu.exe	UPX
behavioral2/memory/3860-102-0x00007FF610390000-0x00007FF6106E1000-memory.dmp	UPX
C:\Windows\System\FqHUPjN.exe	UPX
C:\Windows\System\jmAuPtu.exe	UPX
behavioral2/memory/3488-95-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	UPX
C:\Windows\System\gtCOeeo.exe	UPX
C:\Windows\System\ADbxvuW.exe	UPX
C:\Windows\System\DgvyNVM.exe	UPX
behavioral2/memory/880-76-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	UPX
C:\Windows\System\KIGaGxg.exe	UPX
behavioral2/memory/4048-58-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	UPX
behavioral2/memory/1008-48-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	UPX
behavioral2/memory/3680-128-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	UPX
behavioral2/memory/3640-129-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	UPX
behavioral2/memory/1792-131-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	UPX
behavioral2/memory/3636-133-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	UPX
behavioral2/memory/4048-135-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	UPX
behavioral2/memory/1008-134-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	UPX
behavioral2/memory/880-139-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	UPX
behavioral2/memory/3488-140-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	UPX
behavioral2/memory/8-144-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	UPX
behavioral2/memory/1264-147-0x00007FF792D40000-0x00007FF793091000-memory.dmp	UPX
behavioral2/memory/3680-150-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	UPX
behavioral2/memory/3680-190-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	UPX
behavioral2/memory/3640-211-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	UPX
behavioral2/memory/4628-213-0x00007FF765030000-0x00007FF765381000-memory.dmp	UPX
behavioral2/memory/1792-216-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	UPX
behavioral2/memory/3624-217-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	UPX
behavioral2/memory/3636-219-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	UPX
behavioral2/memory/4048-221-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	UPX
behavioral2/memory/1008-224-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	UPX
behavioral2/memory/64-227-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	UPX
behavioral2/memory/880-231-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3640-13-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	xmrig
behavioral2/memory/3624-121-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	xmrig
behavioral2/memory/116-125-0x00007FF668C10000-0x00007FF668F61000-memory.dmp	xmrig
behavioral2/memory/2600-126-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp	xmrig
behavioral2/memory/64-124-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	xmrig
behavioral2/memory/4860-123-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp	xmrig
behavioral2/memory/4468-122-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp	xmrig
behavioral2/memory/4628-120-0x00007FF765030000-0x00007FF765381000-memory.dmp	xmrig
behavioral2/memory/1272-119-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp	xmrig
behavioral2/memory/3896-117-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp	xmrig
behavioral2/memory/660-116-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp	xmrig
behavioral2/memory/2316-114-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp	xmrig
behavioral2/memory/8-109-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	xmrig
behavioral2/memory/3860-102-0x00007FF610390000-0x00007FF6106E1000-memory.dmp	xmrig
behavioral2/memory/3680-128-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	xmrig
behavioral2/memory/3640-129-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	xmrig
behavioral2/memory/1792-131-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	xmrig
behavioral2/memory/3636-133-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	xmrig
behavioral2/memory/4048-135-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	xmrig
behavioral2/memory/1008-134-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	xmrig
behavioral2/memory/880-139-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	xmrig
behavioral2/memory/3488-140-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	xmrig
behavioral2/memory/8-144-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	xmrig
behavioral2/memory/1264-147-0x00007FF792D40000-0x00007FF793091000-memory.dmp	xmrig
behavioral2/memory/3680-150-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	xmrig
behavioral2/memory/3680-190-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	xmrig
behavioral2/memory/3640-211-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	xmrig
behavioral2/memory/4628-213-0x00007FF765030000-0x00007FF765381000-memory.dmp	xmrig
behavioral2/memory/1792-216-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	xmrig
behavioral2/memory/3624-217-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	xmrig
behavioral2/memory/3636-219-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	xmrig
behavioral2/memory/4048-221-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	xmrig
behavioral2/memory/1008-224-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	xmrig
behavioral2/memory/64-227-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	xmrig
behavioral2/memory/880-231-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	xmrig
behavioral2/memory/660-234-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp	xmrig
behavioral2/memory/3860-230-0x00007FF610390000-0x00007FF6106E1000-memory.dmp	xmrig
behavioral2/memory/4468-226-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp	xmrig
behavioral2/memory/4860-236-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp	xmrig
behavioral2/memory/116-243-0x00007FF668C10000-0x00007FF668F61000-memory.dmp	xmrig
behavioral2/memory/2600-248-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp	xmrig
behavioral2/memory/3896-249-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp	xmrig
behavioral2/memory/1272-247-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp	xmrig
behavioral2/memory/8-242-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	xmrig
behavioral2/memory/2316-241-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp	xmrig
behavioral2/memory/3488-237-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	xmrig
behavioral2/memory/1264-253-0x00007FF792D40000-0x00007FF793091000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vtsKMHk.exejuNrKrU.exeAuUJMmp.exeMYXWMRe.exeqYkFgQc.exeniExOAI.exeAdHClHZ.exegNMzoFI.exeMZOcNki.exeKIGaGxg.exeuLoNBit.exeDgvyNVM.exeADbxvuW.exejmAuPtu.exeDQTNEXu.exeFqHUPjN.exegtCOeeo.exeFVbWaXA.exeIdHUoNp.exegADrjYy.exerVDwUHh.exe

pid	process
3640	vtsKMHk.exe
4628	juNrKrU.exe
1792	AuUJMmp.exe
3624	MYXWMRe.exe
3636	qYkFgQc.exe
1008	niExOAI.exe
4048	AdHClHZ.exe
4468	gNMzoFI.exe
4860	MZOcNki.exe
880	KIGaGxg.exe
3488	uLoNBit.exe
64	DgvyNVM.exe
3860	ADbxvuW.exe
116	jmAuPtu.exe
8	DQTNEXu.exe
2316	FqHUPjN.exe
660	gtCOeeo.exe
3896	FVbWaXA.exe
1264	IdHUoNp.exe
2600	gADrjYy.exe
1272	rVDwUHh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3680-0-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	upx
C:\Windows\System\vtsKMHk.exe	upx
C:\Windows\System\AuUJMmp.exe	upx
C:\Windows\System\MYXWMRe.exe	upx
C:\Windows\System\MZOcNki.exe	upx
behavioral2/memory/3636-32-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	upx
C:\Windows\System\AdHClHZ.exe	upx
behavioral2/memory/1792-21-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	upx
C:\Windows\System\niExOAI.exe	upx
C:\Windows\System\qYkFgQc.exe	upx
C:\Windows\System\juNrKrU.exe	upx
behavioral2/memory/3640-13-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	upx
C:\Windows\System\uLoNBit.exe	upx
C:\Windows\System\gNMzoFI.exe	upx
C:\Windows\System\IdHUoNp.exe	upx
C:\Windows\System\rVDwUHh.exe	upx
C:\Windows\System\gADrjYy.exe	upx
behavioral2/memory/1264-118-0x00007FF792D40000-0x00007FF793091000-memory.dmp	upx
behavioral2/memory/3624-121-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	upx
behavioral2/memory/116-125-0x00007FF668C10000-0x00007FF668F61000-memory.dmp	upx
behavioral2/memory/2600-126-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp	upx
behavioral2/memory/64-124-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	upx
behavioral2/memory/4860-123-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp	upx
behavioral2/memory/4468-122-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp	upx
behavioral2/memory/4628-120-0x00007FF765030000-0x00007FF765381000-memory.dmp	upx
behavioral2/memory/1272-119-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp	upx
behavioral2/memory/3896-117-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp	upx
behavioral2/memory/660-116-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp	upx
behavioral2/memory/2316-114-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp	upx
C:\Windows\System\FVbWaXA.exe	upx
behavioral2/memory/8-109-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	upx
C:\Windows\System\DQTNEXu.exe	upx
behavioral2/memory/3860-102-0x00007FF610390000-0x00007FF6106E1000-memory.dmp	upx
C:\Windows\System\FqHUPjN.exe	upx
C:\Windows\System\jmAuPtu.exe	upx
behavioral2/memory/3488-95-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	upx
C:\Windows\System\gtCOeeo.exe	upx
C:\Windows\System\ADbxvuW.exe	upx
C:\Windows\System\DgvyNVM.exe	upx
behavioral2/memory/880-76-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	upx
C:\Windows\System\KIGaGxg.exe	upx
behavioral2/memory/4048-58-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	upx
behavioral2/memory/1008-48-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	upx
behavioral2/memory/3680-128-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	upx
behavioral2/memory/3640-129-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	upx
behavioral2/memory/1792-131-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	upx
behavioral2/memory/3636-133-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	upx
behavioral2/memory/4048-135-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	upx
behavioral2/memory/1008-134-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	upx
behavioral2/memory/880-139-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	upx
behavioral2/memory/3488-140-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp	upx
behavioral2/memory/8-144-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp	upx
behavioral2/memory/1264-147-0x00007FF792D40000-0x00007FF793091000-memory.dmp	upx
behavioral2/memory/3680-150-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	upx
behavioral2/memory/3680-190-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp	upx
behavioral2/memory/3640-211-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp	upx
behavioral2/memory/4628-213-0x00007FF765030000-0x00007FF765381000-memory.dmp	upx
behavioral2/memory/1792-216-0x00007FF622480000-0x00007FF6227D1000-memory.dmp	upx
behavioral2/memory/3624-217-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp	upx
behavioral2/memory/3636-219-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp	upx
behavioral2/memory/4048-221-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp	upx
behavioral2/memory/1008-224-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp	upx
behavioral2/memory/64-227-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp	upx
behavioral2/memory/880-231-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\FqHUPjN.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gADrjYy.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DgvyNVM.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AuUJMmp.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MYXWMRe.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gNMzoFI.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gtCOeeo.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DQTNEXu.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FVbWaXA.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IdHUoNp.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\juNrKrU.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rVDwUHh.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AdHClHZ.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KIGaGxg.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ADbxvuW.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vtsKMHk.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\niExOAI.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MZOcNki.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uLoNBit.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jmAuPtu.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qYkFgQc.exe	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3680 wrote to memory of 3640	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	vtsKMHk.exe
PID 3680 wrote to memory of 3640	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	vtsKMHk.exe
PID 3680 wrote to memory of 4628	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	juNrKrU.exe
PID 3680 wrote to memory of 4628	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	juNrKrU.exe
PID 3680 wrote to memory of 1792	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	AuUJMmp.exe
PID 3680 wrote to memory of 1792	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	AuUJMmp.exe
PID 3680 wrote to memory of 3624	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MYXWMRe.exe
PID 3680 wrote to memory of 3624	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MYXWMRe.exe
PID 3680 wrote to memory of 3636	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	qYkFgQc.exe
PID 3680 wrote to memory of 3636	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	qYkFgQc.exe
PID 3680 wrote to memory of 1008	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	niExOAI.exe
PID 3680 wrote to memory of 1008	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	niExOAI.exe
PID 3680 wrote to memory of 4048	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	AdHClHZ.exe
PID 3680 wrote to memory of 4048	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	AdHClHZ.exe
PID 3680 wrote to memory of 4468	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gNMzoFI.exe
PID 3680 wrote to memory of 4468	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gNMzoFI.exe
PID 3680 wrote to memory of 64	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DgvyNVM.exe
PID 3680 wrote to memory of 64	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DgvyNVM.exe
PID 3680 wrote to memory of 4860	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MZOcNki.exe
PID 3680 wrote to memory of 4860	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	MZOcNki.exe
PID 3680 wrote to memory of 880	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	KIGaGxg.exe
PID 3680 wrote to memory of 880	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	KIGaGxg.exe
PID 3680 wrote to memory of 3488	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	uLoNBit.exe
PID 3680 wrote to memory of 3488	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	uLoNBit.exe
PID 3680 wrote to memory of 3860	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	ADbxvuW.exe
PID 3680 wrote to memory of 3860	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	ADbxvuW.exe
PID 3680 wrote to memory of 660	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gtCOeeo.exe
PID 3680 wrote to memory of 660	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gtCOeeo.exe
PID 3680 wrote to memory of 116	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	jmAuPtu.exe
PID 3680 wrote to memory of 116	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	jmAuPtu.exe
PID 3680 wrote to memory of 8	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DQTNEXu.exe
PID 3680 wrote to memory of 8	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	DQTNEXu.exe
PID 3680 wrote to memory of 2316	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FqHUPjN.exe
PID 3680 wrote to memory of 2316	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FqHUPjN.exe
PID 3680 wrote to memory of 3896	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FVbWaXA.exe
PID 3680 wrote to memory of 3896	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	FVbWaXA.exe
PID 3680 wrote to memory of 1264	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	IdHUoNp.exe
PID 3680 wrote to memory of 1264	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	IdHUoNp.exe
PID 3680 wrote to memory of 2600	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gADrjYy.exe
PID 3680 wrote to memory of 2600	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	gADrjYy.exe
PID 3680 wrote to memory of 1272	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	rVDwUHh.exe
PID 3680 wrote to memory of 1272	3680	2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe	rVDwUHh.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_32575eaae95a51e89bdc0875ed2b0f37_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\System\vtsKMHk.exe
C:\Windows\System\vtsKMHk.exe
2⤵
- Executes dropped EXE
PID:3640

C:\Windows\System\juNrKrU.exe
C:\Windows\System\juNrKrU.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Windows\System\AuUJMmp.exe
C:\Windows\System\AuUJMmp.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\MYXWMRe.exe
C:\Windows\System\MYXWMRe.exe
2⤵
- Executes dropped EXE
PID:3624

C:\Windows\System\qYkFgQc.exe
C:\Windows\System\qYkFgQc.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\niExOAI.exe
C:\Windows\System\niExOAI.exe
2⤵
- Executes dropped EXE
PID:1008

C:\Windows\System\AdHClHZ.exe
C:\Windows\System\AdHClHZ.exe
2⤵
- Executes dropped EXE
PID:4048

C:\Windows\System\gNMzoFI.exe
C:\Windows\System\gNMzoFI.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System\DgvyNVM.exe
C:\Windows\System\DgvyNVM.exe
2⤵
- Executes dropped EXE
PID:64

C:\Windows\System\MZOcNki.exe
C:\Windows\System\MZOcNki.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\System\KIGaGxg.exe
C:\Windows\System\KIGaGxg.exe
2⤵
- Executes dropped EXE
PID:880

C:\Windows\System\uLoNBit.exe
C:\Windows\System\uLoNBit.exe
2⤵
- Executes dropped EXE
PID:3488

C:\Windows\System\ADbxvuW.exe
C:\Windows\System\ADbxvuW.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\System\gtCOeeo.exe
C:\Windows\System\gtCOeeo.exe
2⤵
- Executes dropped EXE
PID:660

C:\Windows\System\jmAuPtu.exe
C:\Windows\System\jmAuPtu.exe
2⤵
- Executes dropped EXE
PID:116

C:\Windows\System\DQTNEXu.exe
C:\Windows\System\DQTNEXu.exe
2⤵
- Executes dropped EXE
PID:8

C:\Windows\System\FqHUPjN.exe
C:\Windows\System\FqHUPjN.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\FVbWaXA.exe
C:\Windows\System\FVbWaXA.exe
2⤵
- Executes dropped EXE
PID:3896

C:\Windows\System\IdHUoNp.exe
C:\Windows\System\IdHUoNp.exe
2⤵
- Executes dropped EXE
PID:1264

C:\Windows\System\gADrjYy.exe
C:\Windows\System\gADrjYy.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\rVDwUHh.exe
C:\Windows\System\rVDwUHh.exe
2⤵
- Executes dropped EXE
PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADbxvuW.exe
Filesize
5.2MB

MD5
1f579b78e403567fcefd0a9274d47244

SHA1
a2114cc1d432e40b0b6ec761c088cf1e06dceaac

SHA256
ab06cf9fafdb50894a390db8d05b5249ab3bdc15ab4c91ba7aa4802304382801

SHA512
d11990ec9d5666dcc8ed35b52e2c1544204a77012a6266ca697e15efd5bd0dee8dcca3af34acf7eb356a191002c5c8610b5d3547d787907cd6a1009cd9a6ef39

Download Submit
C:\Windows\System\AdHClHZ.exe
Filesize
5.2MB

MD5
f24f51ff7b8a87b9d788d9ac99d5ea49

SHA1
96459c023d4dc7def60d9a56806b8026ba98a82a

SHA256
435ca35913270053adf46fccd5693938a26bcfa88ee1fa1c52c7faaba8d31ce1

SHA512
3318ef0a5dd900eb255d79bb5abe2ec9e8b12a61840384a81f16d4ce1e3c35b78a251796354d9aacb9cb4b5a522cc6397a5cdda6d2946611b6049d5f8b726be2

Download Submit
C:\Windows\System\AuUJMmp.exe
Filesize
5.2MB

MD5
0d8de844073d0f09f48712812347d8fd

SHA1
db02073578b93a4eacbecd17b265713c4f642213

SHA256
aa625d33410933472deeb1ee7be47cf8435fa56d9d1690a57539210baa372b12

SHA512
651c61a5669208b35d4e061aa83789bc92b80393dc9030f421f1751b98530e1012ed443c8d6724d9a0004a9f70bc856eef7d510b384b81a61ec1fac13a991c2d

Download Submit
C:\Windows\System\DQTNEXu.exe
Filesize
5.2MB

MD5
b1f3031e84cda5fcec8073973465d44d

SHA1
6c04021b08950900fcb321b375ca063c85f634b6

SHA256
c536669664eaafae46b2e9cf9b089cb5163235b6c658d41ee2884b1d3bf44542

SHA512
ef29d5db3b379733148c325ad29b44538fa724309af0598b3c34865381b2055c753a8b811f9956051ff10ae9fd05c7f845ef20baebfb06d9f500dd0177ffb224

Download Submit
C:\Windows\System\DgvyNVM.exe
Filesize
5.2MB

MD5
18c21940f6254ca7b5f7b8a872f0661b

SHA1
2df4db118e1c559e038454aff40a395159d7a66e

SHA256
73f3161133766b51638f01e796b9cbab6403938372f7ef524ad679a398536aec

SHA512
42ad4049e04b664f2743cd230003d7c55d7161bc42452a7548e21de9a354f6514e825d90bbc2545507db42460300be18905ba8bc66d7b11d02a5e20aba5cd2f1

Download Submit
C:\Windows\System\FVbWaXA.exe
Filesize
5.2MB

MD5
a7759b2ab13b17b0e698ab800ded6a64

SHA1
75e9cc56f12542e4f2ad90a1cb182f901034cfe0

SHA256
e274d68f9617b839e2ef10ed28122fd93c44994f40aefea7fd0bd2c4d9ec6411

SHA512
91d07ef5014f3af1b6a22f1a8509944ca008f1d9087be5c63cf523547e6c217d9590d0fc50b90043c40c838adbac4d849a83b64c6c3de25135a8cadc6c2c375c

Download Submit
C:\Windows\System\FqHUPjN.exe
Filesize
5.2MB

MD5
9851e7953c6b3c32906561181c00a20d

SHA1
e5ce7d477476526fdfb46ec8ebe95b694e96144e

SHA256
b51b615f02f92b7c78e201623d130761a128c3ee7234e661609ea66ff5475ce7

SHA512
07f33122a2e9fa72e5a1a25939be34149a524e7bbd82da652f6b0a3117ddba701b425de8b6f1b3e6b07725e84541e16a4c9b8e1a458fb33b9a41cb2f4ebbbebb

Download Submit
C:\Windows\System\IdHUoNp.exe
Filesize
5.2MB

MD5
9242e5b2421092dbcca9c9aa27dc14b1

SHA1
f47e7214904b9e4d86e26176ab3407d4bf8619b9

SHA256
3dfbac414554dba88a0464ba61471c9e56d14f4513364dc4557dbdbd6f1e2f76

SHA512
ce92dbef47bac75edee879e24ddc877e06eca736a245c76a22c3584177c02cf2f7037ed6cef77065fbb2ecd147a398b092f35aa7a657e82ed2f879c8fe905690

Download Submit
C:\Windows\System\KIGaGxg.exe
Filesize
5.2MB

MD5
adfad4c2632d10aadbd02d5b4638cdb8

SHA1
bbbccedf2726866531c0fd58e7864f8aba3d78bd

SHA256
5e7c653e6971e7789ad5a896fbdcb345e81807d4aad6d26391994fe65b7adba3

SHA512
0e4fcdfb8aeadbdfa8949ad10cf51680d3f4556de621a8532bea22986d6b61d970604249f9f3ded421ff19fa25f7b0cdf81b46a8cf90b3c6bcb45c4ce5731e27

Download Submit
C:\Windows\System\MYXWMRe.exe
Filesize
5.2MB

MD5
aeb3b6252fe7cf61b97abb2a8b66d3ce

SHA1
1e16de67467641e4e0e63d5e715b6c8eefcb8c02

SHA256
e18e0ea8d839e1136b795bfc1f2e60218fa41e37f2d0780c8c04027602147c49

SHA512
ba3d2ac0115b5ce2c4099752f0d73a37ea9594eea53dcbda768d033d6e8a64a6eec334c99cd9166a2436e67b007860c9931b3d848a480aa117407c371c13fbd7

Download Submit
C:\Windows\System\MZOcNki.exe
Filesize
5.2MB

MD5
d1ab3ec26c2672948637c70f1b848f32

SHA1
ba17653033207e57403d6980f1502d298a571352

SHA256
bad82ff90322990c73a436b94cec09ec44f8de84d12e18ccf5727e909b80d463

SHA512
1772b5518a5b6d9561cf010f0a973144708f1d3e3b630a5fd1772cf0a7d6191e0330c6fa029761f27342ea5143ccc8e28a827ccc1312cc92e6bea66b1ea42b07

Download Submit
C:\Windows\System\gADrjYy.exe
Filesize
5.2MB

MD5
e3b78af7919e7e787d8e552141b34d9c

SHA1
f5c07d25935655bcd4751d43987d2badca03db31

SHA256
021fa6431318485c5fb4d95924bdfde18b57d60fd889b0368d137a6567670a85

SHA512
cecc96b657b5c8ede4a337f12c65466d24dc9d7ef1ee7f1c714b1c6e93fa790a2c140e53d7233cb4086635db7deeceb4d5e79b3039160b5deaa57541507120c7

Download Submit
C:\Windows\System\gNMzoFI.exe
Filesize
5.2MB

MD5
2a202bfa5e005e38b099b99ba695d8bd

SHA1
91b692f007cfae5bca381ae82ed07b6bc053650f

SHA256
448d25270f9565103c61190a4c151a37dfb801acd50b9c111ea250e51c3c0b61

SHA512
ceb75df7ab7d8397de83c9b2c70104beb565154ee062d755558e7eddb6bd91b8ecb7712c2b1cc87f7d91e9b07d0b86f86b10e6b54bea21f38c8b5f2ba21a92b2

Download Submit
C:\Windows\System\gtCOeeo.exe
Filesize
5.2MB

MD5
82ea24e1a22e529e6a824223fe62f48e

SHA1
39e8ab60c31020b5a9ab9c51abcb5e78481161eb

SHA256
d5f243c55e4a2dddadb526ccbd7cec9d585fb1971ec29a4e0bc269f99908be12

SHA512
3ea18e21f6fe224366fbba4ca7f31fbb769e850bdebef3fb386506723e302eb48faacc869c8d8160ff6a23c3074f31e0324bb83af0f9c9aeddb9dcf461444170

Download Submit
C:\Windows\System\jmAuPtu.exe
Filesize
5.2MB

MD5
1aa8d0b9dfcdca3de76e1e09d4e2b18a

SHA1
f7a4d16cc6206d88b9dfdbcdc1ee2abd093fc3e2

SHA256
2fddd3787cc2548b1e710e8e0d83fbcef93b9ca63ab9e26083b7118d7385535f

SHA512
89081d0c7c0bcbc0212a689b8d45ccfc29afa02d9ce1e1b72cac25f0c8f3dbc974c4feac3c2356dc466404de4babf23bd12f492f1e3efcdb1c30cf5834ca5b61

Download Submit
C:\Windows\System\juNrKrU.exe
Filesize
5.2MB

MD5
ca9b39a9f5adfa26751c165f2162c778

SHA1
9d8078b44ff537726b211b975f341b3331a16d80

SHA256
43aa6e1481750d662fa514c108ab163602984f31cae8892e7f2b81be762cdcfd

SHA512
78a9b76eef14483ba832e832dd6a0d161babced60b6ac15c5e81159c4fbfb994348bfeeb3c37f332a4d097a15090cf616d130d685b92b3db4b8b52be6b5d72ac

Download Submit
C:\Windows\System\niExOAI.exe
Filesize
5.2MB

MD5
7c076a9f40d04483a1634012466ba305

SHA1
0e50abeb288a91cb7d678d14be317ab4ffef6852

SHA256
1aa7eda6008c9e48d983137e366507f1852557c0b72a9394c1ea744e2838205f

SHA512
b5192541cab42e1bb1faf5120aef9b7f7cafbfa742d30732197c03596922cef82a1ae6d24d93937497f8a79a4098b6d9a503cd2cccd8c57b4ce124f232c928f4

Download Submit
C:\Windows\System\qYkFgQc.exe
Filesize
5.2MB

MD5
5c47fd6d744674a5e8dc1368d30acbba

SHA1
6b2701a26af8c46b4aaf31d15c050c151bf1e51d

SHA256
c080b9a8f86dcb0f6a278a558ec9fea474d36a68b6fc22f8f169a7be7360d9d8

SHA512
e18773ed768285e089d556e9d1364a721e532aba03134775c4924b2b6623915b00543c0bbd90ff3a8ca471d13d838c3c4f42e3704dabd2c2bb3cf64fb958c12b

Download Submit
C:\Windows\System\rVDwUHh.exe
Filesize
5.2MB

MD5
656353b67c54f65aad0d3362f23df1cb

SHA1
4f5c79ca79f239bbff56ec49d83d3fa000e8f11d

SHA256
5f9afc9c368f8442c60d8d915fe078a481a4dc835f0e3f9fd8b90b843fd8dacd

SHA512
e4dd1d1a234ee333a04dd5ae7b57c9f1aa8d95ebd522e09ecf61854ac89892a3995528de7eb877baf7064e163a704ad07ca37d818b9b8fdc3316806e23fb1630

Download Submit
C:\Windows\System\uLoNBit.exe
Filesize
5.2MB

MD5
8b49c437001a29536b3b0740ee2d33a4

SHA1
53ed3c03d26cf962ad6ed70cc5cd678653ea961b

SHA256
3aedf0db08296e6b9f4541c7855e6afa899e8320111ca2db6e7d1d93e31ff008

SHA512
9cdad223e8be5677de94de964a30073b8a465197b76e0086ae82d338ac2cab920dacd33a89ab7399b7fe7ea7c3c93cc23782030b083c8186c39e1add2266b2f9

Download Submit
C:\Windows\System\vtsKMHk.exe
Filesize
5.2MB

MD5
4be66518ecc5fc489ac03d090a3a3d53

SHA1
1e82c1adf3b5c8033a24408a59bc94e0292c7fc5

SHA256
c4f93f5bf86725e785da3ae6b338dc7ad149a026bed457c65056c299652446b4

SHA512
67f1b1e4c6ea7a99499b109e0b38ef1b65d48522f1c757e5d500909b94cfc13936e38528704054d3fcf2d947a2a2581e02bb428f41572c4b1369339028b6b5e0

Download Submit
memory/8-109-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp

Filesize
3.3MB

Download
memory/8-144-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp

Filesize
3.3MB

Download
memory/8-242-0x00007FF601A70000-0x00007FF601DC1000-memory.dmp

Filesize
3.3MB

Download
memory/64-227-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp

Filesize
3.3MB

Download
memory/64-124-0x00007FF6C6620000-0x00007FF6C6971000-memory.dmp

Filesize
3.3MB

Download
memory/116-125-0x00007FF668C10000-0x00007FF668F61000-memory.dmp

Filesize
3.3MB

Download
memory/116-243-0x00007FF668C10000-0x00007FF668F61000-memory.dmp

Filesize
3.3MB

Download
memory/660-116-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp

Filesize
3.3MB

Download
memory/660-234-0x00007FF775BD0000-0x00007FF775F21000-memory.dmp

Filesize
3.3MB

Download
memory/880-76-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp

Filesize
3.3MB

Download
memory/880-139-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp

Filesize
3.3MB

Download
memory/880-231-0x00007FF7C9AB0000-0x00007FF7C9E01000-memory.dmp

Filesize
3.3MB

Download
memory/1008-48-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp

Filesize
3.3MB

Download
memory/1008-134-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp

Filesize
3.3MB

Download
memory/1008-224-0x00007FF7B6710000-0x00007FF7B6A61000-memory.dmp

Filesize
3.3MB

Download
memory/1264-118-0x00007FF792D40000-0x00007FF793091000-memory.dmp

Filesize
3.3MB

Download
memory/1264-147-0x00007FF792D40000-0x00007FF793091000-memory.dmp

Filesize
3.3MB

Download
memory/1264-253-0x00007FF792D40000-0x00007FF793091000-memory.dmp

Filesize
3.3MB

Download
memory/1272-119-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-247-0x00007FF642E50000-0x00007FF6431A1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-21-0x00007FF622480000-0x00007FF6227D1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-216-0x00007FF622480000-0x00007FF6227D1000-memory.dmp

Filesize
3.3MB

Download
memory/1792-131-0x00007FF622480000-0x00007FF6227D1000-memory.dmp

Filesize
3.3MB

Download
memory/2316-241-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp

Filesize
3.3MB

Download
memory/2316-114-0x00007FF67BF00000-0x00007FF67C251000-memory.dmp

Filesize
3.3MB

Download
memory/2600-248-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp

Filesize
3.3MB

Download
memory/2600-126-0x00007FF6507F0000-0x00007FF650B41000-memory.dmp

Filesize
3.3MB

Download
memory/3488-140-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-237-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3488-95-0x00007FF642C60000-0x00007FF642FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-121-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp

Filesize
3.3MB

Download
memory/3624-217-0x00007FF7558B0000-0x00007FF755C01000-memory.dmp

Filesize
3.3MB

Download
memory/3636-32-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3636-133-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3636-219-0x00007FF7FBF70000-0x00007FF7FC2C1000-memory.dmp

Filesize
3.3MB

Download
memory/3640-129-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp

Filesize
3.3MB

Download
memory/3640-13-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp

Filesize
3.3MB

Download
memory/3640-211-0x00007FF6A96F0000-0x00007FF6A9A41000-memory.dmp

Filesize
3.3MB

Download
memory/3680-0-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp

Filesize
3.3MB

Download
memory/3680-150-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp

Filesize
3.3MB

Download
memory/3680-1-0x000002659CA70000-0x000002659CA80000-memory.dmp

Filesize
64KB

Download
memory/3680-190-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp

Filesize
3.3MB

Download
memory/3680-128-0x00007FF6D40F0000-0x00007FF6D4441000-memory.dmp

Filesize
3.3MB

Download
memory/3860-230-0x00007FF610390000-0x00007FF6106E1000-memory.dmp

Filesize
3.3MB

Download
memory/3860-102-0x00007FF610390000-0x00007FF6106E1000-memory.dmp

Filesize
3.3MB

Download
memory/3896-249-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp

Filesize
3.3MB

Download
memory/3896-117-0x00007FF6A0CF0000-0x00007FF6A1041000-memory.dmp

Filesize
3.3MB

Download
memory/4048-221-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp

Filesize
3.3MB

Download
memory/4048-135-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp

Filesize
3.3MB

Download
memory/4048-58-0x00007FF6DE3C0000-0x00007FF6DE711000-memory.dmp

Filesize
3.3MB

Download
memory/4468-226-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-122-0x00007FF76E370000-0x00007FF76E6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-213-0x00007FF765030000-0x00007FF765381000-memory.dmp

Filesize
3.3MB

Download
memory/4628-120-0x00007FF765030000-0x00007FF765381000-memory.dmp

Filesize
3.3MB

Download
memory/4860-236-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp

Filesize
3.3MB

Download
memory/4860-123-0x00007FF68F0C0000-0x00007FF68F411000-memory.dmp

Filesize
3.3MB

Download