cobaltstrike | b280ce8371fe4f3667da2c3fb29b7e71ff944330ce4e3547bd3b0eb3bc010f35

Analysis

max time kernel
140s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

493e5f16ae4963318897783ba98e535c
SHA1

0ca00c7ccfdc4c8454cb931689b68001a1776aad
SHA256

b280ce8371fe4f3667da2c3fb29b7e71ff944330ce4e3547bd3b0eb3bc010f35
SHA512

70c79c9b2b3b6aedba10bb3afce5260bc74b0a2286ffb8fff08de466d6058965d71eef431b32a9fec4e3a6bba770a0ef61ab9e3ac2433bee6ad148d33cf9a238
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibf56utgpPFotBER/mQ32lUJ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\EAwYVeY.exe	cobalt_reflective_dll
C:\Windows\System\mFCfncu.exe	cobalt_reflective_dll
C:\Windows\System\iYOPWsL.exe	cobalt_reflective_dll
C:\Windows\System\UWovdTm.exe	cobalt_reflective_dll
C:\Windows\System\MwxcfMI.exe	cobalt_reflective_dll
C:\Windows\System\eqHpvRU.exe	cobalt_reflective_dll
C:\Windows\System\GSlPCub.exe	cobalt_reflective_dll
C:\Windows\System\QUOnUHE.exe	cobalt_reflective_dll
C:\Windows\System\WVkOuRu.exe	cobalt_reflective_dll
C:\Windows\System\UjMPaWu.exe	cobalt_reflective_dll
C:\Windows\System\jaTwyWt.exe	cobalt_reflective_dll
C:\Windows\System\RMLceiw.exe	cobalt_reflective_dll
C:\Windows\System\zskgVjf.exe	cobalt_reflective_dll
C:\Windows\System\urEWMjf.exe	cobalt_reflective_dll
C:\Windows\System\ynHXoxZ.exe	cobalt_reflective_dll
C:\Windows\System\CxhUmoo.exe	cobalt_reflective_dll
C:\Windows\System\jIweXlN.exe	cobalt_reflective_dll
C:\Windows\System\IPXNnXK.exe	cobalt_reflective_dll
C:\Windows\System\zXpctuU.exe	cobalt_reflective_dll
C:\Windows\System\IHyigxd.exe	cobalt_reflective_dll
C:\Windows\System\uSDwuyl.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\EAwYVeY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mFCfncu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iYOPWsL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UWovdTm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MwxcfMI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eqHpvRU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GSlPCub.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QUOnUHE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WVkOuRu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UjMPaWu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jaTwyWt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RMLceiw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zskgVjf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\urEWMjf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ynHXoxZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CxhUmoo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jIweXlN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IPXNnXK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zXpctuU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IHyigxd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uSDwuyl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4740-0-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	UPX
C:\Windows\System\EAwYVeY.exe	UPX
C:\Windows\System\mFCfncu.exe	UPX
C:\Windows\System\iYOPWsL.exe	UPX
C:\Windows\System\UWovdTm.exe	UPX
C:\Windows\System\MwxcfMI.exe	UPX
C:\Windows\System\eqHpvRU.exe	UPX
C:\Windows\System\GSlPCub.exe	UPX
C:\Windows\System\QUOnUHE.exe	UPX
C:\Windows\System\WVkOuRu.exe	UPX
C:\Windows\System\UjMPaWu.exe	UPX
C:\Windows\System\jaTwyWt.exe	UPX
behavioral2/memory/2440-114-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp	UPX
behavioral2/memory/4540-117-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp	UPX
behavioral2/memory/3448-120-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	UPX
behavioral2/memory/3404-122-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	UPX
behavioral2/memory/4424-125-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp	UPX
behavioral2/memory/4276-126-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp	UPX
behavioral2/memory/5116-124-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	UPX
behavioral2/memory/4448-123-0x00007FF685850000-0x00007FF685BA1000-memory.dmp	UPX
behavioral2/memory/3748-121-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	UPX
behavioral2/memory/1260-119-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	UPX
behavioral2/memory/404-118-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	UPX
C:\Windows\System\RMLceiw.exe	UPX
behavioral2/memory/1808-113-0x00007FF7190B0000-0x00007FF719401000-memory.dmp	UPX
behavioral2/memory/4168-112-0x00007FF652FB0000-0x00007FF653301000-memory.dmp	UPX
C:\Windows\System\zskgVjf.exe	UPX
behavioral2/memory/1892-107-0x00007FF735CB0000-0x00007FF736001000-memory.dmp	UPX
C:\Windows\System\urEWMjf.exe	UPX
C:\Windows\System\ynHXoxZ.exe	UPX
C:\Windows\System\CxhUmoo.exe	UPX
behavioral2/memory/4788-88-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	UPX
C:\Windows\System\jIweXlN.exe	UPX
C:\Windows\System\IPXNnXK.exe	UPX
behavioral2/memory/3892-69-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	UPX
C:\Windows\System\zXpctuU.exe	UPX
C:\Windows\System\IHyigxd.exe	UPX
behavioral2/memory/3692-49-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	UPX
behavioral2/memory/500-61-0x00007FF759710000-0x00007FF759A61000-memory.dmp	UPX
behavioral2/memory/3780-35-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	UPX
C:\Windows\System\uSDwuyl.exe	UPX
behavioral2/memory/5108-19-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	UPX
behavioral2/memory/4120-10-0x00007FF659630000-0x00007FF659981000-memory.dmp	UPX
behavioral2/memory/4740-128-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	UPX
behavioral2/memory/4120-129-0x00007FF659630000-0x00007FF659981000-memory.dmp	UPX
behavioral2/memory/5108-131-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	UPX
behavioral2/memory/3780-132-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	UPX
behavioral2/memory/3692-135-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	UPX
behavioral2/memory/500-136-0x00007FF759710000-0x00007FF759A61000-memory.dmp	UPX
behavioral2/memory/4788-138-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	UPX
behavioral2/memory/404-148-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	UPX
behavioral2/memory/4740-150-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	UPX
behavioral2/memory/4740-172-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	UPX
behavioral2/memory/4120-201-0x00007FF659630000-0x00007FF659981000-memory.dmp	UPX
behavioral2/memory/3448-218-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	UPX
behavioral2/memory/3780-219-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	UPX
behavioral2/memory/1260-221-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	UPX
behavioral2/memory/5108-226-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	UPX
behavioral2/memory/3748-230-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	UPX
behavioral2/memory/3892-229-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	UPX
behavioral2/memory/5116-235-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	UPX
behavioral2/memory/500-238-0x00007FF759710000-0x00007FF759A61000-memory.dmp	UPX
behavioral2/memory/3692-237-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	UPX
behavioral2/memory/3404-241-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2440-114-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp	xmrig
behavioral2/memory/4540-117-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp	xmrig
behavioral2/memory/3448-120-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	xmrig
behavioral2/memory/3404-122-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	xmrig
behavioral2/memory/4424-125-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp	xmrig
behavioral2/memory/4276-126-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp	xmrig
behavioral2/memory/5116-124-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	xmrig
behavioral2/memory/4448-123-0x00007FF685850000-0x00007FF685BA1000-memory.dmp	xmrig
behavioral2/memory/3748-121-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	xmrig
behavioral2/memory/1260-119-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	xmrig
behavioral2/memory/1808-113-0x00007FF7190B0000-0x00007FF719401000-memory.dmp	xmrig
behavioral2/memory/4168-112-0x00007FF652FB0000-0x00007FF653301000-memory.dmp	xmrig
behavioral2/memory/1892-107-0x00007FF735CB0000-0x00007FF736001000-memory.dmp	xmrig
behavioral2/memory/4788-88-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	xmrig
behavioral2/memory/3892-69-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	xmrig
behavioral2/memory/3780-35-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	xmrig
behavioral2/memory/4120-10-0x00007FF659630000-0x00007FF659981000-memory.dmp	xmrig
behavioral2/memory/4740-128-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	xmrig
behavioral2/memory/4120-129-0x00007FF659630000-0x00007FF659981000-memory.dmp	xmrig
behavioral2/memory/5108-131-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	xmrig
behavioral2/memory/3780-132-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	xmrig
behavioral2/memory/3692-135-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	xmrig
behavioral2/memory/500-136-0x00007FF759710000-0x00007FF759A61000-memory.dmp	xmrig
behavioral2/memory/4788-138-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	xmrig
behavioral2/memory/404-148-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	xmrig
behavioral2/memory/4740-150-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	xmrig
behavioral2/memory/4740-172-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	xmrig
behavioral2/memory/4120-201-0x00007FF659630000-0x00007FF659981000-memory.dmp	xmrig
behavioral2/memory/3448-218-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	xmrig
behavioral2/memory/3780-219-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	xmrig
behavioral2/memory/1260-221-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	xmrig
behavioral2/memory/5108-226-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	xmrig
behavioral2/memory/3748-230-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	xmrig
behavioral2/memory/3892-229-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	xmrig
behavioral2/memory/5116-235-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	xmrig
behavioral2/memory/500-238-0x00007FF759710000-0x00007FF759A61000-memory.dmp	xmrig
behavioral2/memory/3692-237-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	xmrig
behavioral2/memory/3404-241-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	xmrig
behavioral2/memory/4448-246-0x00007FF685850000-0x00007FF685BA1000-memory.dmp	xmrig
behavioral2/memory/1892-245-0x00007FF735CB0000-0x00007FF736001000-memory.dmp	xmrig
behavioral2/memory/4540-253-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp	xmrig
behavioral2/memory/2440-252-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp	xmrig
behavioral2/memory/4276-255-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp	xmrig
behavioral2/memory/4424-249-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp	xmrig
behavioral2/memory/1808-244-0x00007FF7190B0000-0x00007FF719401000-memory.dmp	xmrig
behavioral2/memory/4788-236-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	xmrig
behavioral2/memory/404-257-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	xmrig
behavioral2/memory/4168-260-0x00007FF652FB0000-0x00007FF653301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

EAwYVeY.exeiYOPWsL.exemFCfncu.exeUWovdTm.exeuSDwuyl.exeMwxcfMI.exeIHyigxd.exeIPXNnXK.exezXpctuU.exeeqHpvRU.exejIweXlN.exeQUOnUHE.exeWVkOuRu.exeynHXoxZ.exeGSlPCub.exeCxhUmoo.exeUjMPaWu.exejaTwyWt.exeurEWMjf.exezskgVjf.exeRMLceiw.exe

pid	process
4120	EAwYVeY.exe
1260	iYOPWsL.exe
5108	mFCfncu.exe
3780	UWovdTm.exe
3448	uSDwuyl.exe
3748	MwxcfMI.exe
3692	IHyigxd.exe
500	IPXNnXK.exe
3892	zXpctuU.exe
4788	eqHpvRU.exe
3404	jIweXlN.exe
1892	QUOnUHE.exe
4448	WVkOuRu.exe
4168	ynHXoxZ.exe
5116	GSlPCub.exe
1808	CxhUmoo.exe
4424	UjMPaWu.exe
2440	jaTwyWt.exe
4540	urEWMjf.exe
404	zskgVjf.exe
4276	RMLceiw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4740-0-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	upx
C:\Windows\System\EAwYVeY.exe	upx
C:\Windows\System\mFCfncu.exe	upx
C:\Windows\System\iYOPWsL.exe	upx
C:\Windows\System\UWovdTm.exe	upx
C:\Windows\System\MwxcfMI.exe	upx
C:\Windows\System\eqHpvRU.exe	upx
C:\Windows\System\GSlPCub.exe	upx
C:\Windows\System\QUOnUHE.exe	upx
C:\Windows\System\WVkOuRu.exe	upx
C:\Windows\System\UjMPaWu.exe	upx
C:\Windows\System\jaTwyWt.exe	upx
behavioral2/memory/2440-114-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp	upx
behavioral2/memory/4540-117-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp	upx
behavioral2/memory/3448-120-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	upx
behavioral2/memory/3404-122-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	upx
behavioral2/memory/4424-125-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp	upx
behavioral2/memory/4276-126-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp	upx
behavioral2/memory/5116-124-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	upx
behavioral2/memory/4448-123-0x00007FF685850000-0x00007FF685BA1000-memory.dmp	upx
behavioral2/memory/3748-121-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	upx
behavioral2/memory/1260-119-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	upx
behavioral2/memory/404-118-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	upx
C:\Windows\System\RMLceiw.exe	upx
behavioral2/memory/1808-113-0x00007FF7190B0000-0x00007FF719401000-memory.dmp	upx
behavioral2/memory/4168-112-0x00007FF652FB0000-0x00007FF653301000-memory.dmp	upx
C:\Windows\System\zskgVjf.exe	upx
behavioral2/memory/1892-107-0x00007FF735CB0000-0x00007FF736001000-memory.dmp	upx
C:\Windows\System\urEWMjf.exe	upx
C:\Windows\System\ynHXoxZ.exe	upx
C:\Windows\System\CxhUmoo.exe	upx
behavioral2/memory/4788-88-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	upx
C:\Windows\System\jIweXlN.exe	upx
C:\Windows\System\IPXNnXK.exe	upx
behavioral2/memory/3892-69-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	upx
C:\Windows\System\zXpctuU.exe	upx
C:\Windows\System\IHyigxd.exe	upx
behavioral2/memory/3692-49-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	upx
behavioral2/memory/500-61-0x00007FF759710000-0x00007FF759A61000-memory.dmp	upx
behavioral2/memory/3780-35-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	upx
C:\Windows\System\uSDwuyl.exe	upx
behavioral2/memory/5108-19-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	upx
behavioral2/memory/4120-10-0x00007FF659630000-0x00007FF659981000-memory.dmp	upx
behavioral2/memory/4740-128-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	upx
behavioral2/memory/4120-129-0x00007FF659630000-0x00007FF659981000-memory.dmp	upx
behavioral2/memory/5108-131-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	upx
behavioral2/memory/3780-132-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	upx
behavioral2/memory/3692-135-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	upx
behavioral2/memory/500-136-0x00007FF759710000-0x00007FF759A61000-memory.dmp	upx
behavioral2/memory/4788-138-0x00007FF671FF0000-0x00007FF672341000-memory.dmp	upx
behavioral2/memory/404-148-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp	upx
behavioral2/memory/4740-150-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	upx
behavioral2/memory/4740-172-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp	upx
behavioral2/memory/4120-201-0x00007FF659630000-0x00007FF659981000-memory.dmp	upx
behavioral2/memory/3448-218-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp	upx
behavioral2/memory/3780-219-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp	upx
behavioral2/memory/1260-221-0x00007FF706850000-0x00007FF706BA1000-memory.dmp	upx
behavioral2/memory/5108-226-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp	upx
behavioral2/memory/3748-230-0x00007FF77A020000-0x00007FF77A371000-memory.dmp	upx
behavioral2/memory/3892-229-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp	upx
behavioral2/memory/5116-235-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp	upx
behavioral2/memory/500-238-0x00007FF759710000-0x00007FF759A61000-memory.dmp	upx
behavioral2/memory/3692-237-0x00007FF697260000-0x00007FF6975B1000-memory.dmp	upx
behavioral2/memory/3404-241-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\iYOPWsL.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mFCfncu.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UWovdTm.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uSDwuyl.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GSlPCub.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jIweXlN.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CxhUmoo.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UjMPaWu.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zskgVjf.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EAwYVeY.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MwxcfMI.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IHyigxd.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zXpctuU.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eqHpvRU.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QUOnUHE.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WVkOuRu.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jaTwyWt.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IPXNnXK.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ynHXoxZ.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\urEWMjf.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RMLceiw.exe	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4740 wrote to memory of 4120	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	EAwYVeY.exe
PID 4740 wrote to memory of 4120	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	EAwYVeY.exe
PID 4740 wrote to memory of 1260	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	iYOPWsL.exe
PID 4740 wrote to memory of 1260	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	iYOPWsL.exe
PID 4740 wrote to memory of 5108	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	mFCfncu.exe
PID 4740 wrote to memory of 5108	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	mFCfncu.exe
PID 4740 wrote to memory of 3780	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UWovdTm.exe
PID 4740 wrote to memory of 3780	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UWovdTm.exe
PID 4740 wrote to memory of 3448	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	uSDwuyl.exe
PID 4740 wrote to memory of 3448	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	uSDwuyl.exe
PID 4740 wrote to memory of 3748	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	MwxcfMI.exe
PID 4740 wrote to memory of 3748	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	MwxcfMI.exe
PID 4740 wrote to memory of 3692	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IHyigxd.exe
PID 4740 wrote to memory of 3692	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IHyigxd.exe
PID 4740 wrote to memory of 500	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IPXNnXK.exe
PID 4740 wrote to memory of 500	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	IPXNnXK.exe
PID 4740 wrote to memory of 3892	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	zXpctuU.exe
PID 4740 wrote to memory of 3892	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	zXpctuU.exe
PID 4740 wrote to memory of 4788	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	eqHpvRU.exe
PID 4740 wrote to memory of 4788	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	eqHpvRU.exe
PID 4740 wrote to memory of 1892	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QUOnUHE.exe
PID 4740 wrote to memory of 1892	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	QUOnUHE.exe
PID 4740 wrote to memory of 3404	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	jIweXlN.exe
PID 4740 wrote to memory of 3404	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	jIweXlN.exe
PID 4740 wrote to memory of 4448	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	WVkOuRu.exe
PID 4740 wrote to memory of 4448	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	WVkOuRu.exe
PID 4740 wrote to memory of 4168	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	ynHXoxZ.exe
PID 4740 wrote to memory of 4168	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	ynHXoxZ.exe
PID 4740 wrote to memory of 5116	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	GSlPCub.exe
PID 4740 wrote to memory of 5116	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	GSlPCub.exe
PID 4740 wrote to memory of 1808	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	CxhUmoo.exe
PID 4740 wrote to memory of 1808	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	CxhUmoo.exe
PID 4740 wrote to memory of 4424	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UjMPaWu.exe
PID 4740 wrote to memory of 4424	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	UjMPaWu.exe
PID 4740 wrote to memory of 2440	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	jaTwyWt.exe
PID 4740 wrote to memory of 2440	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	jaTwyWt.exe
PID 4740 wrote to memory of 4540	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	urEWMjf.exe
PID 4740 wrote to memory of 4540	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	urEWMjf.exe
PID 4740 wrote to memory of 404	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	zskgVjf.exe
PID 4740 wrote to memory of 404	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	zskgVjf.exe
PID 4740 wrote to memory of 4276	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	RMLceiw.exe
PID 4740 wrote to memory of 4276	4740	2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe	RMLceiw.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_493e5f16ae4963318897783ba98e535c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System\EAwYVeY.exe
  C:\Windows\System\EAwYVeY.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\iYOPWsL.exe
  C:\Windows\System\iYOPWsL.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\mFCfncu.exe
  C:\Windows\System\mFCfncu.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\UWovdTm.exe
  C:\Windows\System\UWovdTm.exe
  2⤵
  - Executes dropped EXE
  PID:3780
- C:\Windows\System\uSDwuyl.exe
  C:\Windows\System\uSDwuyl.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\MwxcfMI.exe
  C:\Windows\System\MwxcfMI.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\IHyigxd.exe
  C:\Windows\System\IHyigxd.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\IPXNnXK.exe
  C:\Windows\System\IPXNnXK.exe
  2⤵
  - Executes dropped EXE
  PID:500
- C:\Windows\System\zXpctuU.exe
  C:\Windows\System\zXpctuU.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\eqHpvRU.exe
  C:\Windows\System\eqHpvRU.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\QUOnUHE.exe
  C:\Windows\System\QUOnUHE.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\jIweXlN.exe
  C:\Windows\System\jIweXlN.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\WVkOuRu.exe
  C:\Windows\System\WVkOuRu.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\ynHXoxZ.exe
  C:\Windows\System\ynHXoxZ.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\GSlPCub.exe
  C:\Windows\System\GSlPCub.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\CxhUmoo.exe
  C:\Windows\System\CxhUmoo.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\UjMPaWu.exe
  C:\Windows\System\UjMPaWu.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\jaTwyWt.exe
  C:\Windows\System\jaTwyWt.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\urEWMjf.exe
  C:\Windows\System\urEWMjf.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\zskgVjf.exe
  C:\Windows\System\zskgVjf.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\RMLceiw.exe
  C:\Windows\System\RMLceiw.exe
  2⤵
  - Executes dropped EXE
  PID:4276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CxhUmoo.exe

Filesize
5.2MB

MD5
bab88970155744e39008fb5c901eeb42

SHA1
8c4a0e36a35f9c54cb50e4b171781af909e00cc8

SHA256
5dba7c3b2ebfc215aab383faba78b35148ccb83ff2057962a1b6eb7ca2e4e1aa

SHA512
22310f9e058d58c795e876845e421692d7f551338319e6cf4e593536cbf918de6846ed5220dd86710b6543153b6e18c566584d9341d33e8b118e5c02a2bc6b25

Download Submit
C:\Windows\System\EAwYVeY.exe

Filesize
5.2MB

MD5
3ea0b5ee5807a47425ceb8a16ecf8b8e

SHA1
fecd01815740e5edf4b35d75dd62c19273254ae1

SHA256
40b117c1f21450617462f6398dbc94d3848d221666270d6e8a2f1cbbce158ddc

SHA512
bdacd12c9d40e14830974f1698544b0b2835224a78518d29d7c7fadbc491ea21a4a7765b32e90f509629952cf92127eaf1a299174c85d32c262a6eb65c7b5c48

Download Submit
C:\Windows\System\GSlPCub.exe

Filesize
5.2MB

MD5
1754f737a8f073f043214471003daa3e

SHA1
328bca958a80b711d5acce5755d8a38de17b7939

SHA256
0474875b6f0619024169b43c08307a62ebda16d4f55aec96681dd926df3957fc

SHA512
5d912a006e026868564db253adbd3244faa96b8dc456927ba8ef04fde80e6879fb80afe8dd95778ee6ac8c38955b80dd9e792004d512f9ab0d10d3e78a5d3a96

Download Submit
C:\Windows\System\IHyigxd.exe

Filesize
5.2MB

MD5
a1b847c0a09863fc678ff39195dda9a1

SHA1
fa38d35b20a1abc81533448a09d630cc32859344

SHA256
a75181f8b6df0f42507cb9f8f935e9fe4e01b2fa8d9bead07574f330d854a632

SHA512
9082459b9438cac78092baec98d7d3cb20081f8a91bb5b36d06dcf8f5463ef6d95543cf7f96d4999b864f1ae4a62c0c6aaa66fed246395b3c06edcf3430ba7eb

Download Submit
C:\Windows\System\IPXNnXK.exe

Filesize
5.2MB

MD5
c443bf348f8a281feadcf3dcbc2ffcea

SHA1
806a134fb310a57d8375e8f8d9a978da9156840e

SHA256
a41ea3f522bdfb2a7c0b5bb6c86c27b72ded79883f108efe899631c08f827685

SHA512
2dc736095526392b62e842155da058419e1f8ab06ed763feffc330fbf2ea66ba41a1c505b76b96e39d5bde191dbd6f0e86bc05b8ca4714ec1580ba2570797167

Download Submit
C:\Windows\System\MwxcfMI.exe

Filesize
5.2MB

MD5
556aaf30a549fae40db4b5e4f925294c

SHA1
d53dacdbe5b7609f58186aae7df82532d4aa3e6c

SHA256
2abc916c7f54d533e6b9b127e5407f65d54a912b91f39247582efaade371c5ad

SHA512
fa3532f1680be05c73df449e9b958d6edfd2c210aa08285b63559762f3bb3a58a229ba7d75ffdc8822545998d717d40178b42b7784c1830de691628fb3f3f4de

Download Submit
C:\Windows\System\QUOnUHE.exe

Filesize
5.2MB

MD5
de66e93747aaed637c1edb088d9a8f8d

SHA1
0880e3a004a242d532e300655ed2abfd0e555aa6

SHA256
e5afad3fe45ae1ef90c6ee05e632aa0c4bd92378a41fb9979bd5a390bcd3f44b

SHA512
13e49305cc4a953a425df71cddf5128e70efd8484da47d20f0efcbfdeda5047f31741f98aa9674359ca53d458c60d5d91c2b6f44f07b1573450abd7748d1c53b

Download Submit
C:\Windows\System\RMLceiw.exe

Filesize
5.2MB

MD5
57b3beb7b78630b238a533b92e9489cc

SHA1
24bffbfe31794ee767bf352f78a053fbf6c1563f

SHA256
300bc1e49275626e7c526ccd1a1faecabf1eb9a730c400a1b1bddd8938cd99f4

SHA512
56e20b3fa75f7ca85184d1f5195fb54e5b629db8e3c18b6f3189452e6c677849bd4f01c46269558d117de0b9d54822198e97f0a1077fa2d554f9e6e4fedacd2a

Download Submit
C:\Windows\System\UWovdTm.exe

Filesize
5.2MB

MD5
cdddf0e73b3adba7ba1950ecd2c92e03

SHA1
ae026d41ea76b7d86ce98aef05d286298ee7b9ba

SHA256
b5cf7d6dc4c59cb5599dcde41146aaef9cfc7903225add8d5a372cbd0651922e

SHA512
05b6c817a414292c3ab0b4095ba824b89480b9656d25724546a6ad7a099e54600aff16a3e66a14ca4645e4c88e99294470a1b79dd4300e63c85bed6fe94b52a5

Download Submit
C:\Windows\System\UjMPaWu.exe

Filesize
5.2MB

MD5
f73d0635d92c60320a5c06c122327e59

SHA1
1f13ce00074ebfaa89694cbf96c4d5997872b52c

SHA256
3a706c30eb4fcb180f285c1242a75a64c702c8011bf9fd69ab322c79e0560192

SHA512
45cffa5c81842c004d2c4e3082266088338eebbcb836c2a164390ccc32011664fdf752fb3bcbe8cb0a3bf0becb09d028de529f3eea6f30428a8dd47b6989074f

Download Submit
C:\Windows\System\WVkOuRu.exe

Filesize
5.2MB

MD5
2837ea7c2f91326a37c24e3d40f23621

SHA1
2762c9ca57fbe6a0f9c976c086c0c19050948ad5

SHA256
306db23729b4e36d0e717ecc0be6d3246194c45a21e4ad66836d5053d683bbea

SHA512
df5a40e0d61b71c465b839e6093e9f7ceccf4b9f5b0e6bf458a60a8d6548b5ac379a73f6100f7de46740681705dac98d053819fd227214ad54c507a5341a8d9e

Download Submit
C:\Windows\System\eqHpvRU.exe

Filesize
5.2MB

MD5
4443f7b38f5b55d3f10b0e98658d6cab

SHA1
eee0a2a672f5dad54f1afc6ed1ee67752d99efed

SHA256
be3fa2aabcea2c3d8790434d6d23889bccf3ca35a6701f8c346802dc486423c9

SHA512
dc36814c090026782c149dff8ac84c4bb5970af9da974dc8801019ee655ea8766161088c511f2c1e3d6564d45290f1604255ff81ef3fa991ee7efa14b9242ed5

Download Submit
C:\Windows\System\iYOPWsL.exe

Filesize
5.2MB

MD5
99686075d8fe5fbca6b301cc94778761

SHA1
0505bf93e505b1b4e40b4c80200b43834ac85d82

SHA256
f6182f000b165f7ae68644f21a2024c25865e636cf0153cd6664de33e59ed4e8

SHA512
53d096ae36604481276722fec266bf46f38c2a52fe4d0f26de4d0d50661a3654368d5c5410ce90af2d0d63111e10da7ecc4afdb20487e0c0ceccb5757c0ab52e

Download Submit
C:\Windows\System\jIweXlN.exe

Filesize
5.2MB

MD5
9de2b2840efbaaa307f6d7dafd0000ab

SHA1
146c0b7c9ef7e516931a71d6815b965d5666d3c0

SHA256
579c3367c898db9f57bf3eb26340c7a07b5cb6f84760f3ab140967f9813b7245

SHA512
cc851a586d7d56de4b95b327f2194e7d981bc945c2e210350e5970de6c8bb6f9f98c7fe472d6c4f7930654e54008bfa6cc27553d56c6934498ba814b15dd2739

Download Submit
C:\Windows\System\jaTwyWt.exe

Filesize
5.2MB

MD5
e6b523bd7d2c15d817af52cd4d7e18db

SHA1
4622dd47e6c81e69e006f8bd87d7267466b5d4d7

SHA256
7605eafe0a2b47dd47df7565d0e1d85d7dc9289f9098884cb531f7a34494ea17

SHA512
058e7a1650132e2476c0c31009175573872b4c63504e230381857ee68a8fc68b26232d59ec910c40b96f017e7d0b3d3922d8ff02aa05d0387d385dcc406c62a2

Download Submit
C:\Windows\System\mFCfncu.exe

Filesize
5.2MB

MD5
57079cec063f75b970264ed9d26fc868

SHA1
90dc07a74ac158da6db86f7d88dd0ca766a63868

SHA256
a812e9cc4b260b4a5766822a5b03302a8cb0b3a5cc7034edc71927bd46784f76

SHA512
7f0a013049c44d42b428b024ab21a691019e43106381e01e512b6d38dbbecb922c0a7362186e59db465f13ec03caf49b8aca21700d4f85a997bafa5002c9b5c6

Download Submit
C:\Windows\System\uSDwuyl.exe

Filesize
5.2MB

MD5
33d8abcd289df119ddc18b96eae4bb68

SHA1
3efaa1ea0c09584840507aab0c4a5d714033c7b6

SHA256
77153aa969d34c7eb22bbda1b3b429efbc4c72c0d3a065a2af39be8425a32f1d

SHA512
bd073acde32ceedbcb0184f3233f0743f3e81ba7582795d8623311bf4948790e7a8c2ae8503060c587afb9ef514c9341592231972504ddd9b5e9ba4f07177689

Download Submit
C:\Windows\System\urEWMjf.exe

Filesize
5.2MB

MD5
834fd0eb67adfa0c238f29cdb95762cf

SHA1
0e661e9da95198f60307b81f7d855ff0b09474a9

SHA256
7818bb5259ce09317aeefc35f6861dbbc01467fbc334505743ddeee581ea3089

SHA512
a248b0fd4971e2bd65a706a236c61892e40ca415874b48421762c79f3564f9bce68a461e6040e912f5f3f8df4747a5736a96e6a223e709923d9ca3ba0d599fe0

Download Submit
C:\Windows\System\ynHXoxZ.exe

Filesize
5.2MB

MD5
7cb051cbbed105234ff5b62b82db037a

SHA1
0fe04e34b442a5efafa121386107e521be945833

SHA256
0cd8f9e79a110c2a5a5eeea516279ad402235c57c90a90e056cd972bfb98de32

SHA512
ebb1bc109ee24f68c8b36d992257a1e8592f5eb5f5a493494a53fa6d577b2f6dfad9f9d320f95afa1ad261afa49cfcf0779858dd5c079b23273f302116a4a03e

Download Submit
C:\Windows\System\zXpctuU.exe

Filesize
5.2MB

MD5
ea1b45542cea03412c06dca9ce4baae9

SHA1
761e13d213439b944f0304d174bf94eaf11be6cf

SHA256
be469d6c3f36e37bd66061825eaff7d06b5b68b00c6cf0cecabf223c5d5b2bef

SHA512
f9fc6172d984d3c84565fab93b6201fcc2a941e616a9c7650a990ecbc3568effb203790b34dd585ac948ea96754e1debeb6e31069bb9eda839c8cd3398b0b0ee

Download Submit
C:\Windows\System\zskgVjf.exe

Filesize
5.2MB

MD5
42f17357c25b2f534898afddb784ffbd

SHA1
adeb8d18b12eb79dc0fbfcf5e4b8e622131d4f60

SHA256
b345972f40e8a479783c9501664e9c40d31958149a5b6f739f04b789e0484b90

SHA512
77cbb54f02876f491a8fede242fbdc87d4b0ea49a64001d1ee80923df3516c8d1a05755286b6efeb1771da022cdeea22a587854fcac88b57ca4a4939a7fcb026

Download Submit
memory/404-148-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp

Filesize
3.3MB

Download
memory/404-257-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp

Filesize
3.3MB

Download
memory/404-118-0x00007FF7FD9C0000-0x00007FF7FDD11000-memory.dmp

Filesize
3.3MB

Download
memory/500-61-0x00007FF759710000-0x00007FF759A61000-memory.dmp

Filesize
3.3MB

Download
memory/500-136-0x00007FF759710000-0x00007FF759A61000-memory.dmp

Filesize
3.3MB

Download
memory/500-238-0x00007FF759710000-0x00007FF759A61000-memory.dmp

Filesize
3.3MB

Download
memory/1260-221-0x00007FF706850000-0x00007FF706BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1260-119-0x00007FF706850000-0x00007FF706BA1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-244-0x00007FF7190B0000-0x00007FF719401000-memory.dmp

Filesize
3.3MB

Download
memory/1808-113-0x00007FF7190B0000-0x00007FF719401000-memory.dmp

Filesize
3.3MB

Download
memory/1892-245-0x00007FF735CB0000-0x00007FF736001000-memory.dmp

Filesize
3.3MB

Download
memory/1892-107-0x00007FF735CB0000-0x00007FF736001000-memory.dmp

Filesize
3.3MB

Download
memory/2440-114-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp

Filesize
3.3MB

Download
memory/2440-252-0x00007FF65D1C0000-0x00007FF65D511000-memory.dmp

Filesize
3.3MB

Download
memory/3404-241-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp

Filesize
3.3MB

Download
memory/3404-122-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp

Filesize
3.3MB

Download
memory/3448-218-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp

Filesize
3.3MB

Download
memory/3448-120-0x00007FF6ED520000-0x00007FF6ED871000-memory.dmp

Filesize
3.3MB

Download
memory/3692-237-0x00007FF697260000-0x00007FF6975B1000-memory.dmp

Filesize
3.3MB

Download
memory/3692-135-0x00007FF697260000-0x00007FF6975B1000-memory.dmp

Filesize
3.3MB

Download
memory/3692-49-0x00007FF697260000-0x00007FF6975B1000-memory.dmp

Filesize
3.3MB

Download
memory/3748-121-0x00007FF77A020000-0x00007FF77A371000-memory.dmp

Filesize
3.3MB

Download
memory/3748-230-0x00007FF77A020000-0x00007FF77A371000-memory.dmp

Filesize
3.3MB

Download
memory/3780-35-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3780-219-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3780-132-0x00007FF70DA40000-0x00007FF70DD91000-memory.dmp

Filesize
3.3MB

Download
memory/3892-229-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp

Filesize
3.3MB

Download
memory/3892-69-0x00007FF6B2330000-0x00007FF6B2681000-memory.dmp

Filesize
3.3MB

Download
memory/4120-201-0x00007FF659630000-0x00007FF659981000-memory.dmp

Filesize
3.3MB

Download
memory/4120-10-0x00007FF659630000-0x00007FF659981000-memory.dmp

Filesize
3.3MB

Download
memory/4120-129-0x00007FF659630000-0x00007FF659981000-memory.dmp

Filesize
3.3MB

Download
memory/4168-260-0x00007FF652FB0000-0x00007FF653301000-memory.dmp

Filesize
3.3MB

Download
memory/4168-112-0x00007FF652FB0000-0x00007FF653301000-memory.dmp

Filesize
3.3MB

Download
memory/4276-255-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp

Filesize
3.3MB

Download
memory/4276-126-0x00007FF78D9F0000-0x00007FF78DD41000-memory.dmp

Filesize
3.3MB

Download
memory/4424-125-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp

Filesize
3.3MB

Download
memory/4424-249-0x00007FF7B7320000-0x00007FF7B7671000-memory.dmp

Filesize
3.3MB

Download
memory/4448-123-0x00007FF685850000-0x00007FF685BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4448-246-0x00007FF685850000-0x00007FF685BA1000-memory.dmp

Filesize
3.3MB

Download
memory/4540-117-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp

Filesize
3.3MB

Download
memory/4540-253-0x00007FF6CA2B0000-0x00007FF6CA601000-memory.dmp

Filesize
3.3MB

Download
memory/4740-150-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp

Filesize
3.3MB

Download
memory/4740-0-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp

Filesize
3.3MB

Download
memory/4740-172-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp

Filesize
3.3MB

Download
memory/4740-128-0x00007FF6F9720000-0x00007FF6F9A71000-memory.dmp

Filesize
3.3MB

Download
memory/4740-1-0x000001B7EF710000-0x000001B7EF720000-memory.dmp

Filesize
64KB

Download
memory/4788-88-0x00007FF671FF0000-0x00007FF672341000-memory.dmp

Filesize
3.3MB

Download
memory/4788-138-0x00007FF671FF0000-0x00007FF672341000-memory.dmp

Filesize
3.3MB

Download
memory/4788-236-0x00007FF671FF0000-0x00007FF672341000-memory.dmp

Filesize
3.3MB

Download
memory/5108-19-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp

Filesize
3.3MB

Download
memory/5108-226-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp

Filesize
3.3MB

Download
memory/5108-131-0x00007FF6D1D00000-0x00007FF6D2051000-memory.dmp

Filesize
3.3MB

Download
memory/5116-124-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp

Filesize
3.3MB

Download
memory/5116-235-0x00007FF629FC0000-0x00007FF62A311000-memory.dmp

Filesize
3.3MB

Download