cobaltstrike | 1eea0162e4eaaeca9de33097851d95244286f45887b3860c0a2b2b2b2c009b75

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

24fa24f74fc275ae0bb7e8a872368d39
SHA1

7bcc09fdc3b6cb3cbe4cccd99c07c4e5a235d830
SHA256

1eea0162e4eaaeca9de33097851d95244286f45887b3860c0a2b2b2b2c009b75
SHA512

97232fff82416a36be61eda147e7d7b303c3af1bb334f9e7fd8464b2a095a0d7d3bf71e80ac1f4f3d17d7e2db3b7e47a5f8dae71a7411d1f5036b02e37746375
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lo:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GRYMbEs.exe	cobalt_reflective_dll
C:\Windows\System\WlpIkom.exe	cobalt_reflective_dll
C:\Windows\System\jZWjKwq.exe	cobalt_reflective_dll
C:\Windows\System\ocdwbPP.exe	cobalt_reflective_dll
C:\Windows\System\BgDEKKI.exe	cobalt_reflective_dll
C:\Windows\System\xTNrzqD.exe	cobalt_reflective_dll
C:\Windows\System\vhEiEMW.exe	cobalt_reflective_dll
C:\Windows\System\BEdNvnD.exe	cobalt_reflective_dll
C:\Windows\System\YsThmDK.exe	cobalt_reflective_dll
C:\Windows\System\ppyaGne.exe	cobalt_reflective_dll
C:\Windows\System\gXHDZoC.exe	cobalt_reflective_dll
C:\Windows\System\EXqtDQv.exe	cobalt_reflective_dll
C:\Windows\System\CstmKZi.exe	cobalt_reflective_dll
C:\Windows\System\eykldWR.exe	cobalt_reflective_dll
C:\Windows\System\yETVIiE.exe	cobalt_reflective_dll
C:\Windows\System\EpebqnE.exe	cobalt_reflective_dll
C:\Windows\System\vhdyQko.exe	cobalt_reflective_dll
C:\Windows\System\WOBontB.exe	cobalt_reflective_dll
C:\Windows\System\gFCVpwv.exe	cobalt_reflective_dll
C:\Windows\System\YMuTEaR.exe	cobalt_reflective_dll
C:\Windows\System\SpqvPZV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\GRYMbEs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WlpIkom.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jZWjKwq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ocdwbPP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BgDEKKI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xTNrzqD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vhEiEMW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BEdNvnD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YsThmDK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ppyaGne.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gXHDZoC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EXqtDQv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CstmKZi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eykldWR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yETVIiE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EpebqnE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vhdyQko.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WOBontB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gFCVpwv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YMuTEaR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SpqvPZV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4224-0-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	UPX
C:\Windows\System\GRYMbEs.exe	UPX
behavioral2/memory/5108-8-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	UPX
C:\Windows\System\WlpIkom.exe	UPX
behavioral2/memory/3288-12-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	UPX
C:\Windows\System\jZWjKwq.exe	UPX
behavioral2/memory/3456-18-0x00007FF764000000-0x00007FF764351000-memory.dmp	UPX
C:\Windows\System\ocdwbPP.exe	UPX
behavioral2/memory/3560-26-0x00007FF739410000-0x00007FF739761000-memory.dmp	UPX
C:\Windows\System\BgDEKKI.exe	UPX
C:\Windows\System\xTNrzqD.exe	UPX
C:\Windows\System\vhEiEMW.exe	UPX
behavioral2/memory/1512-39-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	UPX
C:\Windows\System\BEdNvnD.exe	UPX
C:\Windows\System\YsThmDK.exe	UPX
behavioral2/memory/2732-48-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	UPX
behavioral2/memory/5012-53-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	UPX
C:\Windows\System\ppyaGne.exe	UPX
behavioral2/memory/1756-56-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	UPX
C:\Windows\System\gXHDZoC.exe	UPX
C:\Windows\System\EXqtDQv.exe	UPX
C:\Windows\System\CstmKZi.exe	UPX
C:\Windows\System\eykldWR.exe	UPX
behavioral2/memory/3232-94-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp	UPX
C:\Windows\System\yETVIiE.exe	UPX
C:\Windows\System\EpebqnE.exe	UPX
behavioral2/memory/4224-107-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	UPX
behavioral2/memory/5108-114-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	UPX
C:\Windows\System\vhdyQko.exe	UPX
behavioral2/memory/3728-124-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp	UPX
behavioral2/memory/1108-130-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp	UPX
behavioral2/memory/3288-129-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	UPX
behavioral2/memory/2496-128-0x00007FF611410000-0x00007FF611761000-memory.dmp	UPX
C:\Windows\System\WOBontB.exe	UPX
behavioral2/memory/3416-125-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp	UPX
C:\Windows\System\gFCVpwv.exe	UPX
behavioral2/memory/852-120-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp	UPX
behavioral2/memory/4812-116-0x00007FF767940000-0x00007FF767C91000-memory.dmp	UPX
behavioral2/memory/2672-110-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	UPX
C:\Windows\System\YMuTEaR.exe	UPX
behavioral2/memory/4848-104-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp	UPX
behavioral2/memory/660-98-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp	UPX
behavioral2/memory/2028-91-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp	UPX
behavioral2/memory/2884-87-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp	UPX
C:\Windows\System\SpqvPZV.exe	UPX
behavioral2/memory/844-33-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	UPX
behavioral2/memory/4224-131-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	UPX
behavioral2/memory/3456-134-0x00007FF764000000-0x00007FF764351000-memory.dmp	UPX
behavioral2/memory/3560-135-0x00007FF739410000-0x00007FF739761000-memory.dmp	UPX
behavioral2/memory/844-136-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	UPX
behavioral2/memory/1512-137-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	UPX
behavioral2/memory/2732-138-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	UPX
behavioral2/memory/1756-140-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	UPX
behavioral2/memory/4224-153-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	UPX
behavioral2/memory/5108-198-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	UPX
behavioral2/memory/3288-202-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	UPX
behavioral2/memory/3456-207-0x00007FF764000000-0x00007FF764351000-memory.dmp	UPX
behavioral2/memory/3560-209-0x00007FF739410000-0x00007FF739761000-memory.dmp	UPX
behavioral2/memory/844-212-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	UPX
behavioral2/memory/1512-214-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	UPX
behavioral2/memory/5012-217-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	UPX
behavioral2/memory/2732-219-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	UPX
behavioral2/memory/1756-220-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	UPX
behavioral2/memory/2672-223-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3560-26-0x00007FF739410000-0x00007FF739761000-memory.dmp	xmrig
behavioral2/memory/5012-53-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	xmrig
behavioral2/memory/3232-94-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp	xmrig
behavioral2/memory/4224-107-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	xmrig
behavioral2/memory/5108-114-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	xmrig
behavioral2/memory/3728-124-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp	xmrig
behavioral2/memory/1108-130-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp	xmrig
behavioral2/memory/3288-129-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	xmrig
behavioral2/memory/2496-128-0x00007FF611410000-0x00007FF611761000-memory.dmp	xmrig
behavioral2/memory/3416-125-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp	xmrig
behavioral2/memory/852-120-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp	xmrig
behavioral2/memory/4812-116-0x00007FF767940000-0x00007FF767C91000-memory.dmp	xmrig
behavioral2/memory/2672-110-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	xmrig
behavioral2/memory/4848-104-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp	xmrig
behavioral2/memory/660-98-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp	xmrig
behavioral2/memory/2028-91-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp	xmrig
behavioral2/memory/2884-87-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp	xmrig
behavioral2/memory/4224-131-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	xmrig
behavioral2/memory/3456-134-0x00007FF764000000-0x00007FF764351000-memory.dmp	xmrig
behavioral2/memory/3560-135-0x00007FF739410000-0x00007FF739761000-memory.dmp	xmrig
behavioral2/memory/844-136-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	xmrig
behavioral2/memory/1512-137-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	xmrig
behavioral2/memory/2732-138-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	xmrig
behavioral2/memory/1756-140-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	xmrig
behavioral2/memory/4224-153-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	xmrig
behavioral2/memory/5108-198-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	xmrig
behavioral2/memory/3288-202-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	xmrig
behavioral2/memory/3456-207-0x00007FF764000000-0x00007FF764351000-memory.dmp	xmrig
behavioral2/memory/3560-209-0x00007FF739410000-0x00007FF739761000-memory.dmp	xmrig
behavioral2/memory/844-212-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	xmrig
behavioral2/memory/1512-214-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	xmrig
behavioral2/memory/5012-217-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	xmrig
behavioral2/memory/2732-219-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	xmrig
behavioral2/memory/1756-220-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	xmrig
behavioral2/memory/2672-223-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	xmrig
behavioral2/memory/2884-225-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp	xmrig
behavioral2/memory/2028-227-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp	xmrig
behavioral2/memory/660-230-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp	xmrig
behavioral2/memory/3232-229-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp	xmrig
behavioral2/memory/4848-232-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp	xmrig
behavioral2/memory/852-236-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp	xmrig
behavioral2/memory/3728-237-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp	xmrig
behavioral2/memory/4812-238-0x00007FF767940000-0x00007FF767C91000-memory.dmp	xmrig
behavioral2/memory/2496-241-0x00007FF611410000-0x00007FF611761000-memory.dmp	xmrig
behavioral2/memory/1108-242-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp	xmrig
behavioral2/memory/3416-244-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GRYMbEs.exejZWjKwq.exeWlpIkom.exeocdwbPP.exeBgDEKKI.exexTNrzqD.exevhEiEMW.exeBEdNvnD.exeYsThmDK.exeppyaGne.exegXHDZoC.exeEXqtDQv.exeSpqvPZV.exeCstmKZi.exeeykldWR.exeyETVIiE.exeEpebqnE.exeYMuTEaR.exevhdyQko.exegFCVpwv.exeWOBontB.exe

pid	process
5108	GRYMbEs.exe
3288	jZWjKwq.exe
3456	WlpIkom.exe
3560	ocdwbPP.exe
844	BgDEKKI.exe
1512	xTNrzqD.exe
2732	vhEiEMW.exe
5012	BEdNvnD.exe
1756	YsThmDK.exe
2672	ppyaGne.exe
2884	gXHDZoC.exe
2028	EXqtDQv.exe
3232	SpqvPZV.exe
660	CstmKZi.exe
4848	eykldWR.exe
4812	yETVIiE.exe
852	EpebqnE.exe
3728	YMuTEaR.exe
3416	vhdyQko.exe
2496	gFCVpwv.exe
1108	WOBontB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4224-0-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	upx
C:\Windows\System\GRYMbEs.exe	upx
behavioral2/memory/5108-8-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	upx
C:\Windows\System\WlpIkom.exe	upx
behavioral2/memory/3288-12-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	upx
C:\Windows\System\jZWjKwq.exe	upx
behavioral2/memory/3456-18-0x00007FF764000000-0x00007FF764351000-memory.dmp	upx
C:\Windows\System\ocdwbPP.exe	upx
behavioral2/memory/3560-26-0x00007FF739410000-0x00007FF739761000-memory.dmp	upx
C:\Windows\System\BgDEKKI.exe	upx
C:\Windows\System\xTNrzqD.exe	upx
C:\Windows\System\vhEiEMW.exe	upx
behavioral2/memory/1512-39-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	upx
C:\Windows\System\BEdNvnD.exe	upx
C:\Windows\System\YsThmDK.exe	upx
behavioral2/memory/2732-48-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	upx
behavioral2/memory/5012-53-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	upx
C:\Windows\System\ppyaGne.exe	upx
behavioral2/memory/1756-56-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	upx
C:\Windows\System\gXHDZoC.exe	upx
C:\Windows\System\EXqtDQv.exe	upx
C:\Windows\System\CstmKZi.exe	upx
C:\Windows\System\eykldWR.exe	upx
behavioral2/memory/3232-94-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp	upx
C:\Windows\System\yETVIiE.exe	upx
C:\Windows\System\EpebqnE.exe	upx
behavioral2/memory/4224-107-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	upx
behavioral2/memory/5108-114-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	upx
C:\Windows\System\vhdyQko.exe	upx
behavioral2/memory/3728-124-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp	upx
behavioral2/memory/1108-130-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp	upx
behavioral2/memory/3288-129-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	upx
behavioral2/memory/2496-128-0x00007FF611410000-0x00007FF611761000-memory.dmp	upx
C:\Windows\System\WOBontB.exe	upx
behavioral2/memory/3416-125-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp	upx
C:\Windows\System\gFCVpwv.exe	upx
behavioral2/memory/852-120-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp	upx
behavioral2/memory/4812-116-0x00007FF767940000-0x00007FF767C91000-memory.dmp	upx
behavioral2/memory/2672-110-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	upx
C:\Windows\System\YMuTEaR.exe	upx
behavioral2/memory/4848-104-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp	upx
behavioral2/memory/660-98-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp	upx
behavioral2/memory/2028-91-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp	upx
behavioral2/memory/2884-87-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp	upx
C:\Windows\System\SpqvPZV.exe	upx
behavioral2/memory/844-33-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	upx
behavioral2/memory/4224-131-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	upx
behavioral2/memory/3456-134-0x00007FF764000000-0x00007FF764351000-memory.dmp	upx
behavioral2/memory/3560-135-0x00007FF739410000-0x00007FF739761000-memory.dmp	upx
behavioral2/memory/844-136-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	upx
behavioral2/memory/1512-137-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	upx
behavioral2/memory/2732-138-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	upx
behavioral2/memory/1756-140-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	upx
behavioral2/memory/4224-153-0x00007FF6462B0000-0x00007FF646601000-memory.dmp	upx
behavioral2/memory/5108-198-0x00007FF770C00000-0x00007FF770F51000-memory.dmp	upx
behavioral2/memory/3288-202-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp	upx
behavioral2/memory/3456-207-0x00007FF764000000-0x00007FF764351000-memory.dmp	upx
behavioral2/memory/3560-209-0x00007FF739410000-0x00007FF739761000-memory.dmp	upx
behavioral2/memory/844-212-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp	upx
behavioral2/memory/1512-214-0x00007FF695CF0000-0x00007FF696041000-memory.dmp	upx
behavioral2/memory/5012-217-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp	upx
behavioral2/memory/2732-219-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp	upx
behavioral2/memory/1756-220-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp	upx
behavioral2/memory/2672-223-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\ppyaGne.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXHDZoC.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eykldWR.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yETVIiE.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WlpIkom.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ocdwbPP.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xTNrzqD.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YsThmDK.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EXqtDQv.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YMuTEaR.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gFCVpwv.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WOBontB.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GRYMbEs.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BgDEKKI.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vhEiEMW.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EpebqnE.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jZWjKwq.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BEdNvnD.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SpqvPZV.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CstmKZi.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vhdyQko.exe	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4224 wrote to memory of 5108	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	GRYMbEs.exe
PID 4224 wrote to memory of 5108	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	GRYMbEs.exe
PID 4224 wrote to memory of 3288	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	jZWjKwq.exe
PID 4224 wrote to memory of 3288	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	jZWjKwq.exe
PID 4224 wrote to memory of 3456	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	WlpIkom.exe
PID 4224 wrote to memory of 3456	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	WlpIkom.exe
PID 4224 wrote to memory of 3560	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ocdwbPP.exe
PID 4224 wrote to memory of 3560	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ocdwbPP.exe
PID 4224 wrote to memory of 844	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	BgDEKKI.exe
PID 4224 wrote to memory of 844	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	BgDEKKI.exe
PID 4224 wrote to memory of 1512	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	xTNrzqD.exe
PID 4224 wrote to memory of 1512	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	xTNrzqD.exe
PID 4224 wrote to memory of 2732	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	vhEiEMW.exe
PID 4224 wrote to memory of 2732	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	vhEiEMW.exe
PID 4224 wrote to memory of 5012	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	BEdNvnD.exe
PID 4224 wrote to memory of 5012	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	BEdNvnD.exe
PID 4224 wrote to memory of 1756	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	YsThmDK.exe
PID 4224 wrote to memory of 1756	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	YsThmDK.exe
PID 4224 wrote to memory of 2672	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ppyaGne.exe
PID 4224 wrote to memory of 2672	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	ppyaGne.exe
PID 4224 wrote to memory of 2884	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	gXHDZoC.exe
PID 4224 wrote to memory of 2884	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	gXHDZoC.exe
PID 4224 wrote to memory of 2028	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EXqtDQv.exe
PID 4224 wrote to memory of 2028	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EXqtDQv.exe
PID 4224 wrote to memory of 3232	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	SpqvPZV.exe
PID 4224 wrote to memory of 3232	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	SpqvPZV.exe
PID 4224 wrote to memory of 660	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	CstmKZi.exe
PID 4224 wrote to memory of 660	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	CstmKZi.exe
PID 4224 wrote to memory of 4848	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	eykldWR.exe
PID 4224 wrote to memory of 4848	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	eykldWR.exe
PID 4224 wrote to memory of 4812	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	yETVIiE.exe
PID 4224 wrote to memory of 4812	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	yETVIiE.exe
PID 4224 wrote to memory of 852	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EpebqnE.exe
PID 4224 wrote to memory of 852	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	EpebqnE.exe
PID 4224 wrote to memory of 3728	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	YMuTEaR.exe
PID 4224 wrote to memory of 3728	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	YMuTEaR.exe
PID 4224 wrote to memory of 3416	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	vhdyQko.exe
PID 4224 wrote to memory of 3416	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	vhdyQko.exe
PID 4224 wrote to memory of 2496	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	gFCVpwv.exe
PID 4224 wrote to memory of 2496	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	gFCVpwv.exe
PID 4224 wrote to memory of 1108	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	WOBontB.exe
PID 4224 wrote to memory of 1108	4224	2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe	WOBontB.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_24fa24f74fc275ae0bb7e8a872368d39_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\System\GRYMbEs.exe
C:\Windows\System\GRYMbEs.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Windows\System\jZWjKwq.exe
C:\Windows\System\jZWjKwq.exe
2⤵
- Executes dropped EXE
PID:3288

C:\Windows\System\WlpIkom.exe
C:\Windows\System\WlpIkom.exe
2⤵
- Executes dropped EXE
PID:3456

C:\Windows\System\ocdwbPP.exe
C:\Windows\System\ocdwbPP.exe
2⤵
- Executes dropped EXE
PID:3560

C:\Windows\System\BgDEKKI.exe
C:\Windows\System\BgDEKKI.exe
2⤵
- Executes dropped EXE
PID:844

C:\Windows\System\xTNrzqD.exe
C:\Windows\System\xTNrzqD.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\System\vhEiEMW.exe
C:\Windows\System\vhEiEMW.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\BEdNvnD.exe
C:\Windows\System\BEdNvnD.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\YsThmDK.exe
C:\Windows\System\YsThmDK.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\ppyaGne.exe
C:\Windows\System\ppyaGne.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\gXHDZoC.exe
C:\Windows\System\gXHDZoC.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\EXqtDQv.exe
C:\Windows\System\EXqtDQv.exe
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\System\SpqvPZV.exe
C:\Windows\System\SpqvPZV.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\System\CstmKZi.exe
C:\Windows\System\CstmKZi.exe
2⤵
- Executes dropped EXE
PID:660

C:\Windows\System\eykldWR.exe
C:\Windows\System\eykldWR.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\yETVIiE.exe
C:\Windows\System\yETVIiE.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\System\EpebqnE.exe
C:\Windows\System\EpebqnE.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\YMuTEaR.exe
C:\Windows\System\YMuTEaR.exe
2⤵
- Executes dropped EXE
PID:3728

C:\Windows\System\vhdyQko.exe
C:\Windows\System\vhdyQko.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System\gFCVpwv.exe
C:\Windows\System\gFCVpwv.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\WOBontB.exe
C:\Windows\System\WOBontB.exe
2⤵
- Executes dropped EXE
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BEdNvnD.exe
Filesize
5.2MB

MD5
8ae8ee45b9b27be18d85267bc10dccdc

SHA1
304a5424056b16e726dac301058fd8db91b2e969

SHA256
219351813a051264177f63785944575126375ea1bf6b2e5ffeb856726a26945b

SHA512
cb559a58f1bd0420c3f30a4f8b3503c8e66b168ce6e77ee5b015ad324a866c375338b1eaf56494b3969de5c35e5ed95704766aa540a9326aeefb99e3435c0779

Download Submit
C:\Windows\System\BgDEKKI.exe
Filesize
5.2MB

MD5
3461bf51a560d78157b73e387ce5953b

SHA1
af078287b2fbea93a0c39f208c25dbb74b346216

SHA256
45957183f03ea9b779bbb441ac3fd0cf74ee5b53b759520ae71f2f3848926cf3

SHA512
515a1736c287cbbb7dc0e487ddc9ef04e4909cc9cbd9371541a54d3c3365402499aa95ff6d491d4dc40e10ff25d3111aed8f2de5a96b3da148b02396ff5a087e

Download Submit
C:\Windows\System\CstmKZi.exe
Filesize
5.2MB

MD5
faed66f6ef3049d0476455526f27b868

SHA1
be9626d27d3a5457f50e4b3cc525054766e03957

SHA256
56dc68c74543f7da3318883fbde6e9b9c6efe2692fc5d7de6b72c26b741805ff

SHA512
7356330aab82ea51d4935cb9e9e299eb8e52cbcbf7d19c3c382af6048a8294df8c3c054a59ac0fedaa26612f866c41a7987b37284aea2fadb771ce703c1ca285

Download Submit
C:\Windows\System\EXqtDQv.exe
Filesize
5.2MB

MD5
09c9298daebf0d72e5c963fb6933398d

SHA1
fc0fcb3ee8386ab45d0f5666dc557b25f9009278

SHA256
d9f740d678de18431de6bb3e75a914827d2a2ce7f3e7855ad9db834d790a78f5

SHA512
779e2468fd5bd5f2fbb492a8a5ba4c8e5a4629c8439c3d5043d86f5eba33b7a8b1372acdc3a2453d7b46e18a84c6d8bfe9b6fa3db8f571c70dcc78bf552a13a8

Download Submit
C:\Windows\System\EpebqnE.exe
Filesize
5.2MB

MD5
404306a5588681c85c89d9167ce7a6ae

SHA1
3b27e27b1d319250ae47e2567d12a156cfcd55fa

SHA256
cecbdfebfd367bbf3b08183c7d790adc83e45f466816b66e188f1d7327b2365f

SHA512
124f86022e48c26cda6806921a15b1c01cb641dcfec2dbde39ffecdbc82148bc58b05092c91d7a275bfbda064cf19e28eb71962f4cbfbddcf6cde5da7036d415

Download Submit
C:\Windows\System\GRYMbEs.exe
Filesize
5.2MB

MD5
1457b99cc41df6ee0473c111d3ecea1a

SHA1
bbf4f44fc4c031f0d36a67fe5855a430d165a4dc

SHA256
5f8c139f88a19aca1d9c6562d3b33b22b1eddc437e589ace5b89597a40b00fbf

SHA512
94f9ec073592d477847ca7fe436463d538dbbaf98306502d114827889a28e849ef3e70a8ac7814de21838253b3f6d4b413c6770ce3f1696ef4238fb849e78e33

Download Submit
C:\Windows\System\SpqvPZV.exe
Filesize
5.2MB

MD5
b70c1f8645d5e7b9cd544edb1a3b4f18

SHA1
fda9241c6d91b0b31ea2998fd8b2c65990b3c738

SHA256
45d96684f4061bc676fc3328ed8b90a95219153846571786a502f68c09a5bafc

SHA512
5dbc95ee64d26c83b675c99b43e05f6bfbef3c4dd3d456f2e3a3f38d6aeccef7a50c275224c1358d51f8a929721bfe9fe40016d972089fedcf1164cdd8c920bb

Download Submit
C:\Windows\System\WOBontB.exe
Filesize
5.2MB

MD5
f834fd4ba45f94ea160255443e063da0

SHA1
381b40b6889be11d0657d60c33581a2829ab2546

SHA256
0b7f593de3935f0dec4b8df59eb0117a51f3492ba5341f06ab1a79f2f5f61f72

SHA512
05ffcaad483d894f691e0e3e2916408ac96927d1fd225dd39646207a9331e88b06bb050b9042359b9960ee3d21a9891d5f769dfabc50f5c94e1d0cd9b9d8d2da

Download Submit
C:\Windows\System\WlpIkom.exe
Filesize
5.2MB

MD5
781225c225bb5db62ce72ab2c864484a

SHA1
3b3def5777b58569c33b2c7559c5676747d06d53

SHA256
8cc85ff92d9dbe5a40b3bd5988dc6b345cbf87998d13b1f74b79e6e005ca1e83

SHA512
706a8d3095c27c038a1975d740cacc780113b49bca5a303d597f3da7167a1cc584eacace62fe4bdb1b8bf86ef0e8556d2336b71db6394aa188b2e4ab78ff6bbe

Download Submit
C:\Windows\System\YMuTEaR.exe
Filesize
5.2MB

MD5
9ac2d709c0cbca58118a79e4cfc93920

SHA1
43561a07092c9f128509dda17fbe1f98284d89d1

SHA256
27659aa08aee931935bea3dddbcb85292c71ab8ffa1147d52c7ec052e1d327ea

SHA512
561feb1365f7153036178be218d52df625d4eaa08c94752e1f0059a7c9195be459e5c1f662829ae5d09d68f5cd8f0c311c6c2e0744ffd02b06cfe7dd8e393228

Download Submit
C:\Windows\System\YsThmDK.exe
Filesize
5.2MB

MD5
c9a21ebf59d84e99c9f6e4a08be198fa

SHA1
86789d756ac1ce83d4153004e9e2ef2e61d75cf0

SHA256
42bae53b21694a39914986d4895d2620b396e21a41bbdc912dc4deabb7c67ea7

SHA512
bee71afb22f9a7fe31817f2ece632924854e92b0e6d834854601fe2ef3e3b477e72fa0d26407550e3e42c65589287f79fcdff03435559b0b28810261dc497544

Download Submit
C:\Windows\System\eykldWR.exe
Filesize
5.2MB

MD5
cb3caa31a80a2c88e4388f574edde821

SHA1
b22a9f6aebb25d5da68ad62e130603d3ef08e911

SHA256
5c946dafd61c0dccb76a80dc6f5c7994d97e2d8004cf228db15af2a6c6692f3c

SHA512
2d4f389f00d9d23768e41022ea2d5070929bfd155c674994d9909e33e2d35cfb419ef7f7e731076f3c9a6bf2614bb25554891171bb0a6ada61f44a8dbd74c448

Download Submit
C:\Windows\System\gFCVpwv.exe
Filesize
5.2MB

MD5
d4497aa3827224c713ec4ca0dc9f0df5

SHA1
8fd45ed3be2c3f2a91855fa0b6f9568024dae3f7

SHA256
18df80f0401352f83a52027e0154ea7fec4acf7f334ed828bacf35f4edcd4f78

SHA512
6fb186237f9fa8f853689213fadc338a9962b25bec6ce16c73209f5981c655f912f70fda2e920956cc9dc67e107525e51bf6ea5a6c1d767f8332231df37712ae

Download Submit
C:\Windows\System\gXHDZoC.exe
Filesize
5.2MB

MD5
8770ef67ec90986716f225356bc6e780

SHA1
5c93fcd2ff8cbdf2762a7188ca1881dd18c4d6e0

SHA256
dfcd1fc15a1ae519f8f117da01618d70ba8b37e543380de6a5d4322faff2beba

SHA512
58d6f4e8bdf62d8b670c2692675ff0a92f644b1863305fc74566ded24b26ad86e068a384921f0c779b37e2a7209ab16a7974fb3eb99a6702cb394029f6784a4b

Download Submit
C:\Windows\System\jZWjKwq.exe
Filesize
5.2MB

MD5
44a3afa431e552b04e2eceab2827f9f8

SHA1
e51ff2624a585d2d68faf7f27482a38ebd223368

SHA256
a65014e47dd34abc01db3db0b00acf8c922e95cff22549555598842b19b0d34e

SHA512
e6ba5967978e462602709e7a191e505864a79a8674f31aff2eab38cf4ae3695cb99fb7e4c7eafaebe3558fa19561ddf57f6e7403dc2414cf14268c8e04d82760

Download Submit
C:\Windows\System\ocdwbPP.exe
Filesize
5.2MB

MD5
21fd20a568145bf2b2ba023e6c733b13

SHA1
6e2958b08d1307c22cc06354ef749dc21e7959db

SHA256
351f6d1c761920b16dd3c6b06c7bb913c71d630948b2a71f21cb84194caaa473

SHA512
5411f6b2b9f4aeea7c74e2993b6c7a1e5fdf0f7cc8628f7e170b5f4b99f5a4e691288231b4cf6cb096143a13405b3719475b6182aa0ad88bf2e002c074e93c04

Download Submit
C:\Windows\System\ppyaGne.exe
Filesize
5.2MB

MD5
0a69bdd66ebc09ac49c75ada5dcc134f

SHA1
418d4cbec7b401f3ea9f15db50bd912ae6cfdb23

SHA256
1d79c9f38006eab4b3333a3ae42bbe5aa5ace1a82284b886dcc93f586ea223a8

SHA512
f3651e9bc74240bc94f5f67ca43a52e2d1db26ddeae133d2bb5fa1de51f3aafc1284527f19e01326c02961eeb002723286c52353490bac3878e94ab82744de95

Download Submit
C:\Windows\System\vhEiEMW.exe
Filesize
5.2MB

MD5
352ca8e415bd8c46edec224105ac35ad

SHA1
69eec96368a61461ed8b73e79aff4aa5cf76eeb3

SHA256
6254f8c31eeb9594d3239821c0fe531551c1f0d376edee36667b6960c6546d48

SHA512
6655cc27ba24a12a88fcbf33e1797ecabfafa1db55aeb62e96dc1ec19529036c603fcfa84066f3680b277da487df92b1a589901d61a0eadfb67e36d6aaa3e2c3

Download Submit
C:\Windows\System\vhdyQko.exe
Filesize
5.2MB

MD5
f62bb879b895fbe2e626841b6dd4e115

SHA1
b5da9a8a5ffbfe4b864a3432e8c138eca014289f

SHA256
7bc3e7a476fe3f1bd90922dad7b3598f8e8471542398dc4ee76f9d2d952c6451

SHA512
73aa5ade54162a7b07484ca09ae635f10663acb4ab9d2abd2db6ffb80fbeb1bb1a273aa024dd1568ed8a97c61c9c7309ae9786c59e431d6c8648fd72edc9d3e0

Download Submit
C:\Windows\System\xTNrzqD.exe
Filesize
5.2MB

MD5
969ec5c1c894692271425f20c5275023

SHA1
75c338e81aef65e7973e5fba53cae4ad986c793a

SHA256
7be9eefd3033c89336ac3eadd1ae46b36be2dbfdac0c800a59b7ac8016c21bf3

SHA512
4b674dc2616cda2befff73bc5a8ff62a26268a0f6b00b88f641340a55acf463e7834bf7818480fe17743574f2305806601220dae7d648c28e34b3470cf1a3af7

Download Submit
C:\Windows\System\yETVIiE.exe
Filesize
5.2MB

MD5
54985aaf2b1c88cfcb808c17a584c505

SHA1
10330409038a647b4189bd31c02093c73b0f704b

SHA256
ddd7cfcedcb0751f659396aa446ceca9e3b3e3509df0d605815c8aeb06c40925

SHA512
97f83b51bacbdafed262f76ee5dbaad1066a4928f43fac7de5cab36b24416735ef36fa1939bd83cf5fb2e3c04039e2a19ce4987b971f9d3f0cc13dcfa5e98b43

Download Submit
memory/660-230-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp

Filesize
3.3MB

Download
memory/660-98-0x00007FF78B4D0000-0x00007FF78B821000-memory.dmp

Filesize
3.3MB

Download
memory/844-136-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp

Filesize
3.3MB

Download
memory/844-33-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp

Filesize
3.3MB

Download
memory/844-212-0x00007FF7D1D80000-0x00007FF7D20D1000-memory.dmp

Filesize
3.3MB

Download
memory/852-120-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp

Filesize
3.3MB

Download
memory/852-236-0x00007FF6A3670000-0x00007FF6A39C1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-242-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-130-0x00007FF71A390000-0x00007FF71A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1512-39-0x00007FF695CF0000-0x00007FF696041000-memory.dmp

Filesize
3.3MB

Download
memory/1512-137-0x00007FF695CF0000-0x00007FF696041000-memory.dmp

Filesize
3.3MB

Download
memory/1512-214-0x00007FF695CF0000-0x00007FF696041000-memory.dmp

Filesize
3.3MB

Download
memory/1756-220-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-140-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp

Filesize
3.3MB

Download
memory/1756-56-0x00007FF7D5D80000-0x00007FF7D60D1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-91-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-227-0x00007FF69D980000-0x00007FF69DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2496-128-0x00007FF611410000-0x00007FF611761000-memory.dmp

Filesize
3.3MB

Download
memory/2496-241-0x00007FF611410000-0x00007FF611761000-memory.dmp

Filesize
3.3MB

Download
memory/2672-110-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-223-0x00007FF676C70000-0x00007FF676FC1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-138-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp

Filesize
3.3MB

Download
memory/2732-219-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp

Filesize
3.3MB

Download
memory/2732-48-0x00007FF7FB9C0000-0x00007FF7FBD11000-memory.dmp

Filesize
3.3MB

Download
memory/2884-87-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-225-0x00007FF6AC170000-0x00007FF6AC4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3232-229-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3232-94-0x00007FF66E7E0000-0x00007FF66EB31000-memory.dmp

Filesize
3.3MB

Download
memory/3288-129-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp

Filesize
3.3MB

Download
memory/3288-202-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp

Filesize
3.3MB

Download
memory/3288-12-0x00007FF693AB0000-0x00007FF693E01000-memory.dmp

Filesize
3.3MB

Download
memory/3416-125-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp

Filesize
3.3MB

Download
memory/3416-244-0x00007FF716E80000-0x00007FF7171D1000-memory.dmp

Filesize
3.3MB

Download
memory/3456-207-0x00007FF764000000-0x00007FF764351000-memory.dmp

Filesize
3.3MB

Download
memory/3456-18-0x00007FF764000000-0x00007FF764351000-memory.dmp

Filesize
3.3MB

Download
memory/3456-134-0x00007FF764000000-0x00007FF764351000-memory.dmp

Filesize
3.3MB

Download
memory/3560-209-0x00007FF739410000-0x00007FF739761000-memory.dmp

Filesize
3.3MB

Download
memory/3560-135-0x00007FF739410000-0x00007FF739761000-memory.dmp

Filesize
3.3MB

Download
memory/3560-26-0x00007FF739410000-0x00007FF739761000-memory.dmp

Filesize
3.3MB

Download
memory/3728-237-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3728-124-0x00007FF6ABCA0000-0x00007FF6ABFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4224-153-0x00007FF6462B0000-0x00007FF646601000-memory.dmp

Filesize
3.3MB

Download
memory/4224-0-0x00007FF6462B0000-0x00007FF646601000-memory.dmp

Filesize
3.3MB

Download
memory/4224-107-0x00007FF6462B0000-0x00007FF646601000-memory.dmp

Filesize
3.3MB

Download
memory/4224-1-0x000001637A300000-0x000001637A310000-memory.dmp

Filesize
64KB

Download
memory/4224-131-0x00007FF6462B0000-0x00007FF646601000-memory.dmp

Filesize
3.3MB

Download
memory/4812-116-0x00007FF767940000-0x00007FF767C91000-memory.dmp

Filesize
3.3MB

Download
memory/4812-238-0x00007FF767940000-0x00007FF767C91000-memory.dmp

Filesize
3.3MB

Download
memory/4848-232-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp

Filesize
3.3MB

Download
memory/4848-104-0x00007FF61C580000-0x00007FF61C8D1000-memory.dmp

Filesize
3.3MB

Download
memory/5012-217-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp

Filesize
3.3MB

Download
memory/5012-53-0x00007FF7E2440000-0x00007FF7E2791000-memory.dmp

Filesize
3.3MB

Download
memory/5108-114-0x00007FF770C00000-0x00007FF770F51000-memory.dmp

Filesize
3.3MB

Download
memory/5108-198-0x00007FF770C00000-0x00007FF770F51000-memory.dmp

Filesize
3.3MB

Download
memory/5108-8-0x00007FF770C00000-0x00007FF770F51000-memory.dmp

Filesize
3.3MB

Download