cobaltstrike | 83f98c9b7429b9cb96110499ae4685051a5e2dd61da882b6bf47f555cc4cb4d2

Analysis

max time kernel
140s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

42976fedf39030e8ea9b51a1d58f181d
SHA1

3909150b46103bd3201a4e5f1f17dc8c1bea2e7b
SHA256

83f98c9b7429b9cb96110499ae4685051a5e2dd61da882b6bf47f555cc4cb4d2
SHA512

9c60ed65fafcbc939e4fea6ad9faf2214828b47d57bca1f73862162ad47abad53393eb6009c9c75b8a68d49a8ba734e987b479ed03db279e7aa114d7a4fe6c78
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6la:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\omjGKqV.exe	cobalt_reflective_dll
C:\Windows\System\NCLNNGD.exe	cobalt_reflective_dll
C:\Windows\System\WPOwWfd.exe	cobalt_reflective_dll
C:\Windows\System\CTeTDEc.exe	cobalt_reflective_dll
C:\Windows\System\efADvIG.exe	cobalt_reflective_dll
C:\Windows\System\ysjiyJY.exe	cobalt_reflective_dll
C:\Windows\System\ixLVryA.exe	cobalt_reflective_dll
C:\Windows\System\OmfawnG.exe	cobalt_reflective_dll
C:\Windows\System\qCxmFDC.exe	cobalt_reflective_dll
C:\Windows\System\QMCBwfD.exe	cobalt_reflective_dll
C:\Windows\System\yvBQgEZ.exe	cobalt_reflective_dll
C:\Windows\System\dxLPguf.exe	cobalt_reflective_dll
C:\Windows\System\gwvfDhm.exe	cobalt_reflective_dll
C:\Windows\System\cUfmJpR.exe	cobalt_reflective_dll
C:\Windows\System\sUhljEi.exe	cobalt_reflective_dll
C:\Windows\System\XdRIspF.exe	cobalt_reflective_dll
C:\Windows\System\jEwrRge.exe	cobalt_reflective_dll
C:\Windows\System\qnhuCYz.exe	cobalt_reflective_dll
C:\Windows\System\LGCPslL.exe	cobalt_reflective_dll
C:\Windows\System\ieqhRFj.exe	cobalt_reflective_dll
C:\Windows\System\ZQcQawu.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\omjGKqV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NCLNNGD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WPOwWfd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CTeTDEc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\efADvIG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ysjiyJY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ixLVryA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OmfawnG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qCxmFDC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QMCBwfD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yvBQgEZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dxLPguf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gwvfDhm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cUfmJpR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sUhljEi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XdRIspF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jEwrRge.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qnhuCYz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LGCPslL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ieqhRFj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZQcQawu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4084-0-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	UPX
C:\Windows\System\omjGKqV.exe	UPX
C:\Windows\System\NCLNNGD.exe	UPX
behavioral2/memory/724-7-0x00007FF763910000-0x00007FF763C61000-memory.dmp	UPX
C:\Windows\System\WPOwWfd.exe	UPX
behavioral2/memory/3004-12-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	UPX
C:\Windows\System\CTeTDEc.exe	UPX
C:\Windows\System\efADvIG.exe	UPX
behavioral2/memory/5112-33-0x00007FF797820000-0x00007FF797B71000-memory.dmp	UPX
C:\Windows\System\ysjiyJY.exe	UPX
behavioral2/memory/3920-56-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	UPX
C:\Windows\System\ixLVryA.exe	UPX
C:\Windows\System\OmfawnG.exe	UPX
C:\Windows\System\qCxmFDC.exe	UPX
behavioral2/memory/1508-99-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	UPX
C:\Windows\System\QMCBwfD.exe	UPX
C:\Windows\System\yvBQgEZ.exe	UPX
C:\Windows\System\dxLPguf.exe	UPX
behavioral2/memory/752-124-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	UPX
behavioral2/memory/3468-126-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	UPX
C:\Windows\System\gwvfDhm.exe	UPX
behavioral2/memory/2340-121-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	UPX
behavioral2/memory/4464-118-0x00007FF7742F0000-0x00007FF774641000-memory.dmp	UPX
behavioral2/memory/3720-115-0x00007FF72F420000-0x00007FF72F771000-memory.dmp	UPX
C:\Windows\System\cUfmJpR.exe	UPX
C:\Windows\System\sUhljEi.exe	UPX
behavioral2/memory/3652-105-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	UPX
behavioral2/memory/1236-96-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	UPX
C:\Windows\System\XdRIspF.exe	UPX
behavioral2/memory/4832-85-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	UPX
C:\Windows\System\jEwrRge.exe	UPX
behavioral2/memory/4392-76-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	UPX
behavioral2/memory/4568-73-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	UPX
C:\Windows\System\qnhuCYz.exe	UPX
behavioral2/memory/3108-64-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	UPX
C:\Windows\System\LGCPslL.exe	UPX
behavioral2/memory/64-53-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	UPX
C:\Windows\System\ieqhRFj.exe	UPX
behavioral2/memory/3804-49-0x00007FF761400000-0x00007FF761751000-memory.dmp	UPX
behavioral2/memory/1204-36-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	UPX
C:\Windows\System\ZQcQawu.exe	UPX
behavioral2/memory/4456-27-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	UPX
behavioral2/memory/1404-21-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	UPX
behavioral2/memory/4084-128-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	UPX
behavioral2/memory/4084-129-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	UPX
behavioral2/memory/724-130-0x00007FF763910000-0x00007FF763C61000-memory.dmp	UPX
behavioral2/memory/3004-131-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	UPX
behavioral2/memory/1404-132-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	UPX
behavioral2/memory/5112-133-0x00007FF797820000-0x00007FF797B71000-memory.dmp	UPX
behavioral2/memory/4456-134-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	UPX
behavioral2/memory/1204-135-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	UPX
behavioral2/memory/3804-136-0x00007FF761400000-0x00007FF761751000-memory.dmp	UPX
behavioral2/memory/64-137-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	UPX
behavioral2/memory/3920-138-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	UPX
behavioral2/memory/3108-139-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	UPX
behavioral2/memory/4832-140-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	UPX
behavioral2/memory/4568-141-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	UPX
behavioral2/memory/4392-143-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	UPX
behavioral2/memory/1236-142-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	UPX
behavioral2/memory/1508-145-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	UPX
behavioral2/memory/3652-147-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	UPX
behavioral2/memory/2340-148-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	UPX
behavioral2/memory/3468-149-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	UPX
behavioral2/memory/752-150-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	UPX

XMRig Miner payload 50 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3468-126-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	xmrig
behavioral2/memory/2340-121-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	xmrig
behavioral2/memory/4464-118-0x00007FF7742F0000-0x00007FF774641000-memory.dmp	xmrig
behavioral2/memory/3720-115-0x00007FF72F420000-0x00007FF72F771000-memory.dmp	xmrig
behavioral2/memory/1236-96-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	xmrig
behavioral2/memory/4832-85-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	xmrig
behavioral2/memory/3804-49-0x00007FF761400000-0x00007FF761751000-memory.dmp	xmrig
behavioral2/memory/4084-128-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	xmrig
behavioral2/memory/4084-129-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	xmrig
behavioral2/memory/724-130-0x00007FF763910000-0x00007FF763C61000-memory.dmp	xmrig
behavioral2/memory/3004-131-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	xmrig
behavioral2/memory/1404-132-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	xmrig
behavioral2/memory/5112-133-0x00007FF797820000-0x00007FF797B71000-memory.dmp	xmrig
behavioral2/memory/4456-134-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	xmrig
behavioral2/memory/1204-135-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	xmrig
behavioral2/memory/3804-136-0x00007FF761400000-0x00007FF761751000-memory.dmp	xmrig
behavioral2/memory/64-137-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	xmrig
behavioral2/memory/3920-138-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	xmrig
behavioral2/memory/3108-139-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	xmrig
behavioral2/memory/4832-140-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	xmrig
behavioral2/memory/4568-141-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	xmrig
behavioral2/memory/4392-143-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	xmrig
behavioral2/memory/1236-142-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	xmrig
behavioral2/memory/1508-145-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	xmrig
behavioral2/memory/3652-147-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	xmrig
behavioral2/memory/2340-148-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	xmrig
behavioral2/memory/3468-149-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	xmrig
behavioral2/memory/752-150-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	xmrig
behavioral2/memory/4084-151-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	xmrig
behavioral2/memory/724-196-0x00007FF763910000-0x00007FF763C61000-memory.dmp	xmrig
behavioral2/memory/3004-198-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	xmrig
behavioral2/memory/1404-200-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	xmrig
behavioral2/memory/5112-205-0x00007FF797820000-0x00007FF797B71000-memory.dmp	xmrig
behavioral2/memory/4456-204-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	xmrig
behavioral2/memory/3804-211-0x00007FF761400000-0x00007FF761751000-memory.dmp	xmrig
behavioral2/memory/1204-215-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	xmrig
behavioral2/memory/64-221-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	xmrig
behavioral2/memory/3108-227-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	xmrig
behavioral2/memory/3920-226-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	xmrig
behavioral2/memory/4392-232-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	xmrig
behavioral2/memory/4568-235-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	xmrig
behavioral2/memory/3720-243-0x00007FF72F420000-0x00007FF72F771000-memory.dmp	xmrig
behavioral2/memory/2340-249-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	xmrig
behavioral2/memory/3468-252-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	xmrig
behavioral2/memory/4464-244-0x00007FF7742F0000-0x00007FF774641000-memory.dmp	xmrig
behavioral2/memory/752-254-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	xmrig
behavioral2/memory/3652-242-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	xmrig
behavioral2/memory/1508-241-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	xmrig
behavioral2/memory/4832-234-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	xmrig
behavioral2/memory/1236-233-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

omjGKqV.exeWPOwWfd.exeNCLNNGD.exeZQcQawu.exeCTeTDEc.exeefADvIG.exeysjiyJY.exeieqhRFj.exeLGCPslL.exeqnhuCYz.exeixLVryA.exejEwrRge.exeOmfawnG.exeqCxmFDC.exeXdRIspF.exeQMCBwfD.exesUhljEi.execUfmJpR.exedxLPguf.exegwvfDhm.exeyvBQgEZ.exe

pid	process
724	omjGKqV.exe
3004	WPOwWfd.exe
1404	NCLNNGD.exe
5112	ZQcQawu.exe
4456	CTeTDEc.exe
1204	efADvIG.exe
3804	ysjiyJY.exe
64	ieqhRFj.exe
3920	LGCPslL.exe
3108	qnhuCYz.exe
4832	ixLVryA.exe
4568	jEwrRge.exe
1236	OmfawnG.exe
4392	qCxmFDC.exe
3720	XdRIspF.exe
1508	QMCBwfD.exe
4464	sUhljEi.exe
3652	cUfmJpR.exe
2340	dxLPguf.exe
3468	gwvfDhm.exe
752	yvBQgEZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4084-0-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	upx
C:\Windows\System\omjGKqV.exe	upx
C:\Windows\System\NCLNNGD.exe	upx
behavioral2/memory/724-7-0x00007FF763910000-0x00007FF763C61000-memory.dmp	upx
C:\Windows\System\WPOwWfd.exe	upx
behavioral2/memory/3004-12-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	upx
C:\Windows\System\CTeTDEc.exe	upx
C:\Windows\System\efADvIG.exe	upx
behavioral2/memory/5112-33-0x00007FF797820000-0x00007FF797B71000-memory.dmp	upx
C:\Windows\System\ysjiyJY.exe	upx
behavioral2/memory/3920-56-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	upx
C:\Windows\System\ixLVryA.exe	upx
C:\Windows\System\OmfawnG.exe	upx
C:\Windows\System\qCxmFDC.exe	upx
behavioral2/memory/1508-99-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	upx
C:\Windows\System\QMCBwfD.exe	upx
C:\Windows\System\yvBQgEZ.exe	upx
C:\Windows\System\dxLPguf.exe	upx
behavioral2/memory/752-124-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	upx
behavioral2/memory/3468-126-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	upx
C:\Windows\System\gwvfDhm.exe	upx
behavioral2/memory/2340-121-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	upx
behavioral2/memory/4464-118-0x00007FF7742F0000-0x00007FF774641000-memory.dmp	upx
behavioral2/memory/3720-115-0x00007FF72F420000-0x00007FF72F771000-memory.dmp	upx
C:\Windows\System\cUfmJpR.exe	upx
C:\Windows\System\sUhljEi.exe	upx
behavioral2/memory/3652-105-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	upx
behavioral2/memory/1236-96-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	upx
C:\Windows\System\XdRIspF.exe	upx
behavioral2/memory/4832-85-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	upx
C:\Windows\System\jEwrRge.exe	upx
behavioral2/memory/4392-76-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	upx
behavioral2/memory/4568-73-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	upx
C:\Windows\System\qnhuCYz.exe	upx
behavioral2/memory/3108-64-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	upx
C:\Windows\System\LGCPslL.exe	upx
behavioral2/memory/64-53-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	upx
C:\Windows\System\ieqhRFj.exe	upx
behavioral2/memory/3804-49-0x00007FF761400000-0x00007FF761751000-memory.dmp	upx
behavioral2/memory/1204-36-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	upx
C:\Windows\System\ZQcQawu.exe	upx
behavioral2/memory/4456-27-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	upx
behavioral2/memory/1404-21-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	upx
behavioral2/memory/4084-128-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	upx
behavioral2/memory/4084-129-0x00007FF791770000-0x00007FF791AC1000-memory.dmp	upx
behavioral2/memory/724-130-0x00007FF763910000-0x00007FF763C61000-memory.dmp	upx
behavioral2/memory/3004-131-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp	upx
behavioral2/memory/1404-132-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp	upx
behavioral2/memory/5112-133-0x00007FF797820000-0x00007FF797B71000-memory.dmp	upx
behavioral2/memory/4456-134-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp	upx
behavioral2/memory/1204-135-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp	upx
behavioral2/memory/3804-136-0x00007FF761400000-0x00007FF761751000-memory.dmp	upx
behavioral2/memory/64-137-0x00007FF7591B0000-0x00007FF759501000-memory.dmp	upx
behavioral2/memory/3920-138-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp	upx
behavioral2/memory/3108-139-0x00007FF777CB0000-0x00007FF778001000-memory.dmp	upx
behavioral2/memory/4832-140-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp	upx
behavioral2/memory/4568-141-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp	upx
behavioral2/memory/4392-143-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp	upx
behavioral2/memory/1236-142-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp	upx
behavioral2/memory/1508-145-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp	upx
behavioral2/memory/3652-147-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp	upx
behavioral2/memory/2340-148-0x00007FF671CF0000-0x00007FF672041000-memory.dmp	upx
behavioral2/memory/3468-149-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp	upx
behavioral2/memory/752-150-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\qCxmFDC.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sUhljEi.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yvBQgEZ.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\omjGKqV.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CTeTDEc.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ieqhRFj.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qnhuCYz.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ixLVryA.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OmfawnG.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XdRIspF.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QMCBwfD.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cUfmJpR.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gwvfDhm.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WPOwWfd.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NCLNNGD.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\efADvIG.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LGCPslL.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZQcQawu.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ysjiyJY.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jEwrRge.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dxLPguf.exe	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4084 wrote to memory of 724	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	omjGKqV.exe
PID 4084 wrote to memory of 724	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	omjGKqV.exe
PID 4084 wrote to memory of 3004	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	WPOwWfd.exe
PID 4084 wrote to memory of 3004	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	WPOwWfd.exe
PID 4084 wrote to memory of 1404	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	NCLNNGD.exe
PID 4084 wrote to memory of 1404	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	NCLNNGD.exe
PID 4084 wrote to memory of 5112	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ZQcQawu.exe
PID 4084 wrote to memory of 5112	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ZQcQawu.exe
PID 4084 wrote to memory of 4456	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	CTeTDEc.exe
PID 4084 wrote to memory of 4456	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	CTeTDEc.exe
PID 4084 wrote to memory of 1204	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	efADvIG.exe
PID 4084 wrote to memory of 1204	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	efADvIG.exe
PID 4084 wrote to memory of 3804	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ysjiyJY.exe
PID 4084 wrote to memory of 3804	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ysjiyJY.exe
PID 4084 wrote to memory of 64	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ieqhRFj.exe
PID 4084 wrote to memory of 64	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ieqhRFj.exe
PID 4084 wrote to memory of 3920	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	LGCPslL.exe
PID 4084 wrote to memory of 3920	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	LGCPslL.exe
PID 4084 wrote to memory of 3108	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	qnhuCYz.exe
PID 4084 wrote to memory of 3108	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	qnhuCYz.exe
PID 4084 wrote to memory of 4832	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ixLVryA.exe
PID 4084 wrote to memory of 4832	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	ixLVryA.exe
PID 4084 wrote to memory of 4568	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	jEwrRge.exe
PID 4084 wrote to memory of 4568	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	jEwrRge.exe
PID 4084 wrote to memory of 1236	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	OmfawnG.exe
PID 4084 wrote to memory of 1236	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	OmfawnG.exe
PID 4084 wrote to memory of 4392	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	qCxmFDC.exe
PID 4084 wrote to memory of 4392	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	qCxmFDC.exe
PID 4084 wrote to memory of 3720	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	XdRIspF.exe
PID 4084 wrote to memory of 3720	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	XdRIspF.exe
PID 4084 wrote to memory of 1508	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	QMCBwfD.exe
PID 4084 wrote to memory of 1508	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	QMCBwfD.exe
PID 4084 wrote to memory of 4464	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	sUhljEi.exe
PID 4084 wrote to memory of 4464	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	sUhljEi.exe
PID 4084 wrote to memory of 3652	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	cUfmJpR.exe
PID 4084 wrote to memory of 3652	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	cUfmJpR.exe
PID 4084 wrote to memory of 2340	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	dxLPguf.exe
PID 4084 wrote to memory of 2340	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	dxLPguf.exe
PID 4084 wrote to memory of 3468	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	gwvfDhm.exe
PID 4084 wrote to memory of 3468	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	gwvfDhm.exe
PID 4084 wrote to memory of 752	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	yvBQgEZ.exe
PID 4084 wrote to memory of 752	4084	2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe	yvBQgEZ.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_42976fedf39030e8ea9b51a1d58f181d_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\System\omjGKqV.exe
C:\Windows\System\omjGKqV.exe
2⤵
- Executes dropped EXE
PID:724

C:\Windows\System\WPOwWfd.exe
C:\Windows\System\WPOwWfd.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\NCLNNGD.exe
C:\Windows\System\NCLNNGD.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\ZQcQawu.exe
C:\Windows\System\ZQcQawu.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\CTeTDEc.exe
C:\Windows\System\CTeTDEc.exe
2⤵
- Executes dropped EXE
PID:4456

C:\Windows\System\efADvIG.exe
C:\Windows\System\efADvIG.exe
2⤵
- Executes dropped EXE
PID:1204

C:\Windows\System\ysjiyJY.exe
C:\Windows\System\ysjiyJY.exe
2⤵
- Executes dropped EXE
PID:3804

C:\Windows\System\ieqhRFj.exe
C:\Windows\System\ieqhRFj.exe
2⤵
- Executes dropped EXE
PID:64

C:\Windows\System\LGCPslL.exe
C:\Windows\System\LGCPslL.exe
2⤵
- Executes dropped EXE
PID:3920

C:\Windows\System\qnhuCYz.exe
C:\Windows\System\qnhuCYz.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\System\ixLVryA.exe
C:\Windows\System\ixLVryA.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Windows\System\jEwrRge.exe
C:\Windows\System\jEwrRge.exe
2⤵
- Executes dropped EXE
PID:4568

C:\Windows\System\OmfawnG.exe
C:\Windows\System\OmfawnG.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Windows\System\qCxmFDC.exe
C:\Windows\System\qCxmFDC.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Windows\System\XdRIspF.exe
C:\Windows\System\XdRIspF.exe
2⤵
- Executes dropped EXE
PID:3720

C:\Windows\System\QMCBwfD.exe
C:\Windows\System\QMCBwfD.exe
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\System\sUhljEi.exe
C:\Windows\System\sUhljEi.exe
2⤵
- Executes dropped EXE
PID:4464

C:\Windows\System\cUfmJpR.exe
C:\Windows\System\cUfmJpR.exe
2⤵
- Executes dropped EXE
PID:3652

C:\Windows\System\dxLPguf.exe
C:\Windows\System\dxLPguf.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\gwvfDhm.exe
C:\Windows\System\gwvfDhm.exe
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\System\yvBQgEZ.exe
C:\Windows\System\yvBQgEZ.exe
2⤵
- Executes dropped EXE
PID:752

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CTeTDEc.exe
Filesize
5.2MB

MD5
914cbfb478150af068b9fe02e4de125e

SHA1
0d286a79cba2d665f1e6c4138c4df2eb50ce0b8b

SHA256
998c16aad727adbda6af5834f21d393662a095a463c44caad6c66875d9626a31

SHA512
fabf4c346b7273d07721143472e37d25df1c6bb8582901824ab52eefb85a853369cc100519abcb114ed7b9701ae161c9e5b165154e80a34d4cf28a326c6d8eec

Download Submit
C:\Windows\System\LGCPslL.exe
Filesize
5.2MB

MD5
822c4fd9f451cebc498a0658567e5bb8

SHA1
2e1baf0d217174af4f4d943c239c7b1be4f43454

SHA256
d67b5c3efcca9062dd3ee676d99e05ebc73a0521242a4b9028bcba71adea7031

SHA512
29b523385c4f042fbf781f25d8e41f96bb27106b7cb3b7ef9d059705ca4b8639b86e653b6049d6ee804980bf479e19a5df6bf88909db8bef2695fbabbcf0f7ef

Download Submit
C:\Windows\System\NCLNNGD.exe
Filesize
5.2MB

MD5
a29d9270e15ec03cd26efe23c2c9a980

SHA1
75f2e10f72f14cdfe244144d513397ea20a1e054

SHA256
a87654f7001895faafc37d95d217c325789ea4ace9e35dd484a84708a16ae7e5

SHA512
95199f5eb533367bfbc54cac328b78bb14bed90224434cb2b970408a9df05ff7cca331c4ad8e6d7b0e35c2c41cc7bc2211225858faed571ffb0751053328c572

Download Submit
C:\Windows\System\OmfawnG.exe
Filesize
5.2MB

MD5
64fd642cf559e502a876ae5deb7cf921

SHA1
1e38d3181f505cd96c88780338be75973a55eb4d

SHA256
90ba65a59aad20009d9937897be466c678054a8062c860241e545ab84e554a67

SHA512
d2fb8e649c832fe362445e15bad904a181d24e1dcba30e016edf72cd05eb1f5db5877cc51206b610ceec0cd652d74f672a90a16a84c9cc265a9d9df191bc4589

Download Submit
C:\Windows\System\QMCBwfD.exe
Filesize
5.2MB

MD5
bd1497d8c153a9505c91f4456101da6f

SHA1
aa24b7fc959509e8912fad1b680c421a96adcc4a

SHA256
ec13c2349a602f73082bda4ebb50b08297c721999a5fe1092c57d8c0ed18fb53

SHA512
07fda297d6b0db5eadc85c0d1a3c80c1033c963cf3be25d03292496a68d256cd9f5990a9115561d0d8eb8b262b71a58b2d20d666fc48b7f2455d244808e7d420

Download Submit
C:\Windows\System\WPOwWfd.exe
Filesize
5.2MB

MD5
424f98ab7140fc89fd0496d446c95caf

SHA1
e6f4c89621ab9b6f08e32482dba5bc199a1f975b

SHA256
97ba93b8643c9998c7905dfc8551806a912556a51384eac070ce75f3a9209318

SHA512
15e88ba9104c32f3608b97cf694ad518ee0ffc9deba506c89a7ca0d00bd398cb7215d2283b4c9ade77c7dea45fb02cd30d528d5bedb941505320950ba1414519

Download Submit
C:\Windows\System\XdRIspF.exe
Filesize
5.2MB

MD5
d7c41ab23fed4302044fb4d4d3bf057f

SHA1
4b619ff5cf77eb3e60c5baf31736d6a18bc4a46a

SHA256
389d573462a2f210936b91e57c8033b1c9d368cca21c3ce8db318ad23aa83f7e

SHA512
249204c8a51a10f67c835e820c5892f625fa26e8fc8c1d2820b1f98fc89a37722b41ee6d244c280a2f71c6d6e44d6766a3b6feeec5d57e8228a6c4e2e7e197b5

Download Submit
C:\Windows\System\ZQcQawu.exe
Filesize
5.2MB

MD5
f74a3901c9c49cbda2944ed0167a1d07

SHA1
61f0d862edb2e3e010ea87d3d589369e17f6b4a4

SHA256
85262071adf54cf5e9c057a3571da3fd07a8530551410a75b4b9af8ce32cc99b

SHA512
4638341467d54cd00c626eae7d66a300c6c474241ea30c3d419c35a9663b27ed2f04bf187e372238486ff5a1e9870d944893e125d8f9439b14c8ed642705b66f

Download Submit
C:\Windows\System\cUfmJpR.exe
Filesize
5.2MB

MD5
157622d350d429c3d8c673c25ddd1825

SHA1
fedc4a8f591c2a26d80bf32655f785025c51c017

SHA256
1bb369fad1267a99d13b2c9ed82dcd53ddc4b481fd39488946080adaa0f7365f

SHA512
4687d2295faeb712ad67c868bb66a63aaf3e9b4a194b7ccc6e824f0d8140cd3e1c9a50629686ee7959a08ac7af98fc07f983ae21f2066bd8e251ad8ab8dbc26b

Download Submit
C:\Windows\System\dxLPguf.exe
Filesize
5.2MB

MD5
268a2af31749ecb023cb8ee28bdda3fe

SHA1
14cc20e15cea48d281403f5d9d8974fbcd416908

SHA256
8823e37e3f223b3b6fe675ee05be697b4fac81d58745d75a0cc145e41a6e19d2

SHA512
f54438e9392c07f09776da8419b02409081dcd67ac22ee2297fec9e1073c70acc624b73599c83dced456cda5bd298459ffdc04c9a413f90d3180c3e622422ddd

Download Submit
C:\Windows\System\efADvIG.exe
Filesize
5.2MB

MD5
bbf472faa8046c2b0fe1b1af52b161cf

SHA1
3489c289641a717be2c5a97bbbc23aa131eb3a76

SHA256
9520e79d6b009d606d4e3b5b5503db81dfbdad3d323f481595c983afeadc1b58

SHA512
fe2e9a27980d2ad1ba59a66148c66ef5015c1599175e00c87afb5f5844796a27711db7d31356ea3a0d7c78a7956e9b059057b48bc44d2d4aa347eabf25c29a14

Download Submit
C:\Windows\System\gwvfDhm.exe
Filesize
5.2MB

MD5
36fa7fa13c07e53aac2ed1f7843c1f53

SHA1
50d285af6dee2f8a2d5d4551935ee1064be98ac4

SHA256
f23ff590524688b558444a11385a335a6fb8fddb5416a35e2c76ee01b067e376

SHA512
f1ce93f312177fb430dfbb4e55b6b9a2195a35d56ce917b929af5d948df30b42fd87a584519678372431f6a4f64f17697e2c0855d22790100d3899bffe18d719

Download Submit
C:\Windows\System\ieqhRFj.exe
Filesize
5.2MB

MD5
224bd1a814baef186ea6326b9fdf46ca

SHA1
8773e3b9630e73c88da7905873e879637d553c3f

SHA256
80447bc31f6d7b26979fa9105c88dc8767234b01c4c5533d1958fa6cb0166b97

SHA512
34c8f29f31ef7cc5f2b23888f034728029f084bac38feee3fd3a0ef5d47af06f1a58901a474796e8f2517e855cac376e05d4ec415fcd22c37819355d621cdd20

Download Submit
C:\Windows\System\ixLVryA.exe
Filesize
5.2MB

MD5
a7ec4986b38e74b6ab951946314ca054

SHA1
4d1bfe7236e67a95580decbdd00f3d717c211a70

SHA256
55bc0d86403e7f5f4dc7a01b0620692c1541d5e687b144f76e26ecf26aa1719c

SHA512
855e827d953138b2cdfc795d94ebb96e871b0deb05a629cfe3aaa59e65a7a66db02ba85cdeaec3c7717d1c68228e4aaecdc0221fd3515c678a84174aa36c6ad1

Download Submit
C:\Windows\System\jEwrRge.exe
Filesize
5.2MB

MD5
07233a414c99933c67ed91e073088d87

SHA1
6581df1dbcb6d76ec0214e83e8b00d529179e5b0

SHA256
ca0df5747a459b1f4170b46ba177efdf18a789bf32fc6fdf7b1c307a3e574fe6

SHA512
cab32ded8a4d9e1a9ee9c8bb68707f7a34da38f95ca511b93f62facd457c66e60fa939831e7ec56a5be36e0a57314c438a6dad96c3107b53c2d6c754d106f0b6

Download Submit
C:\Windows\System\omjGKqV.exe
Filesize
5.2MB

MD5
0efe126df7e78f2e2a39dd22e1830c69

SHA1
f7d4eb1359001e09fb79cd1f92778a429d850847

SHA256
dec8852937408c49b7eacf6cfe9d40bcff1eb80b17a039095c01abaa6edbe7b9

SHA512
58306ae782a230f6fe2d890b27aebf826c8dc28caaae4f68224a7c432be409ec70f988e715ac55010258c25f633ab61e36f6954ca38fd210c678222be54c807c

Download Submit
C:\Windows\System\qCxmFDC.exe
Filesize
5.2MB

MD5
e1540ab08a68d0f827a58471430397b7

SHA1
73d75f936b50707ed70e4639f52547a6233e3672

SHA256
d2a7a7b3a66dc1d62f18c97e4a6dc0770f1556cd1734631256ad1d229b0e8850

SHA512
3a051d55bbbe119061dc3f12137a58210d61dcb1df7dac763993b19c062487b2a83177f1a877b43e2a50752ec8c9806da3ce91324616818dcd1a804843a498a6

Download Submit
C:\Windows\System\qnhuCYz.exe
Filesize
5.2MB

MD5
80a0f2dac8b444940c0bc15d7f99ae75

SHA1
50a90d5575caf3eda745495568f8ff6a66f3656f

SHA256
40eb657634f756a4e0b02187a47103ff4e482482c73dafea814b8f121032f85b

SHA512
66e4979022f8fb87079213175f42b6cbe22346ffc0d478b47a0f0442bffddf373b7c525012966b48ce8032778f3f04dccae996d92bc577635c394c6ac8b0c3fd

Download Submit
C:\Windows\System\sUhljEi.exe
Filesize
5.2MB

MD5
4e7866477a07c17b25255301a476b6c3

SHA1
af7a60e52d47f77bddc60eb772bd0d62d04c0de5

SHA256
158bdb2b9899f86b3c1815a6a537eae08ac14b23fc23ae39075296acec0c0a51

SHA512
8d69584f720392b90b5d377a148ad70540fb0665d96d7037b37833937e6cecd643f3ad886208dfa5b710503b325e51c51c1d9bb899a84ae25e7940c4cc1b8c12

Download Submit
C:\Windows\System\ysjiyJY.exe
Filesize
5.2MB

MD5
a17e9ff85ff266a318a458bf0e868e26

SHA1
1245ede0cbcf3d198b7de2f5c7fba51e2744bcd5

SHA256
da25591b2781615ab2ab1b6ab749930b056332c33e38d5d663277c67e181ab37

SHA512
a05b09f3de4cac1008d1c7ea1057b074115b3675e1fb19c00720d9dadd1534cdf89de9cd463ff862d8f7ebff5ce76f9df56365aefb07c5d6287ce2fe2595a541

Download Submit
C:\Windows\System\yvBQgEZ.exe
Filesize
5.2MB

MD5
05758bb9814eb7731303b54bf29ee08e

SHA1
6bd041fe1c46352ab0a8f06d854149a77cc24183

SHA256
8cd3de0697ddddf582617ab56269cbb661cbc612766c2c2d4ac591a5f4633c2f

SHA512
8fccd9dfd3979bca9313195e6eb27ebd1dfc8faf46f9c6edab8ee8ca7bb50101929d0b7fe94722c3c9378d2beb31958eb096dacb36398b23794d79b228827159

Download Submit
memory/64-53-0x00007FF7591B0000-0x00007FF759501000-memory.dmp

Filesize
3.3MB

Download
memory/64-137-0x00007FF7591B0000-0x00007FF759501000-memory.dmp

Filesize
3.3MB

Download
memory/64-221-0x00007FF7591B0000-0x00007FF759501000-memory.dmp

Filesize
3.3MB

Download
memory/724-130-0x00007FF763910000-0x00007FF763C61000-memory.dmp

Filesize
3.3MB

Download
memory/724-196-0x00007FF763910000-0x00007FF763C61000-memory.dmp

Filesize
3.3MB

Download
memory/724-7-0x00007FF763910000-0x00007FF763C61000-memory.dmp

Filesize
3.3MB

Download
memory/752-150-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp

Filesize
3.3MB

Download
memory/752-124-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp

Filesize
3.3MB

Download
memory/752-254-0x00007FF7EA8A0000-0x00007FF7EABF1000-memory.dmp

Filesize
3.3MB

Download
memory/1204-215-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp

Filesize
3.3MB

Download
memory/1204-135-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp

Filesize
3.3MB

Download
memory/1204-36-0x00007FF6626B0000-0x00007FF662A01000-memory.dmp

Filesize
3.3MB

Download
memory/1236-142-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-96-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-233-0x00007FF69B550000-0x00007FF69B8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1404-132-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1404-200-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1404-21-0x00007FF73D720000-0x00007FF73DA71000-memory.dmp

Filesize
3.3MB

Download
memory/1508-145-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp

Filesize
3.3MB

Download
memory/1508-99-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp

Filesize
3.3MB

Download
memory/1508-241-0x00007FF6A1F10000-0x00007FF6A2261000-memory.dmp

Filesize
3.3MB

Download
memory/2340-121-0x00007FF671CF0000-0x00007FF672041000-memory.dmp

Filesize
3.3MB

Download
memory/2340-148-0x00007FF671CF0000-0x00007FF672041000-memory.dmp

Filesize
3.3MB

Download
memory/2340-249-0x00007FF671CF0000-0x00007FF672041000-memory.dmp

Filesize
3.3MB

Download
memory/3004-12-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp

Filesize
3.3MB

Download
memory/3004-198-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp

Filesize
3.3MB

Download
memory/3004-131-0x00007FF70DF00000-0x00007FF70E251000-memory.dmp

Filesize
3.3MB

Download
memory/3108-139-0x00007FF777CB0000-0x00007FF778001000-memory.dmp

Filesize
3.3MB

Download
memory/3108-64-0x00007FF777CB0000-0x00007FF778001000-memory.dmp

Filesize
3.3MB

Download
memory/3108-227-0x00007FF777CB0000-0x00007FF778001000-memory.dmp

Filesize
3.3MB

Download
memory/3468-126-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/3468-149-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/3468-252-0x00007FF6CBBB0000-0x00007FF6CBF01000-memory.dmp

Filesize
3.3MB

Download
memory/3652-105-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-242-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3652-147-0x00007FF7529A0000-0x00007FF752CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-243-0x00007FF72F420000-0x00007FF72F771000-memory.dmp

Filesize
3.3MB

Download
memory/3720-115-0x00007FF72F420000-0x00007FF72F771000-memory.dmp

Filesize
3.3MB

Download
memory/3804-49-0x00007FF761400000-0x00007FF761751000-memory.dmp

Filesize
3.3MB

Download
memory/3804-211-0x00007FF761400000-0x00007FF761751000-memory.dmp

Filesize
3.3MB

Download
memory/3804-136-0x00007FF761400000-0x00007FF761751000-memory.dmp

Filesize
3.3MB

Download
memory/3920-56-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp

Filesize
3.3MB

Download
memory/3920-138-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp

Filesize
3.3MB

Download
memory/3920-226-0x00007FF6BCE30000-0x00007FF6BD181000-memory.dmp

Filesize
3.3MB

Download
memory/4084-151-0x00007FF791770000-0x00007FF791AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-0-0x00007FF791770000-0x00007FF791AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-1-0x0000028A10480000-0x0000028A10490000-memory.dmp

Filesize
64KB

Download
memory/4084-128-0x00007FF791770000-0x00007FF791AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4084-129-0x00007FF791770000-0x00007FF791AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-232-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-143-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-76-0x00007FF79C370000-0x00007FF79C6C1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-27-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp

Filesize
3.3MB

Download
memory/4456-204-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp

Filesize
3.3MB

Download
memory/4456-134-0x00007FF6FA2E0000-0x00007FF6FA631000-memory.dmp

Filesize
3.3MB

Download
memory/4464-244-0x00007FF7742F0000-0x00007FF774641000-memory.dmp

Filesize
3.3MB

Download
memory/4464-118-0x00007FF7742F0000-0x00007FF774641000-memory.dmp

Filesize
3.3MB

Download
memory/4568-235-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp

Filesize
3.3MB

Download
memory/4568-73-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp

Filesize
3.3MB

Download
memory/4568-141-0x00007FF63DDD0000-0x00007FF63E121000-memory.dmp

Filesize
3.3MB

Download
memory/4832-140-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-85-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/4832-234-0x00007FF77D890000-0x00007FF77DBE1000-memory.dmp

Filesize
3.3MB

Download
memory/5112-133-0x00007FF797820000-0x00007FF797B71000-memory.dmp

Filesize
3.3MB

Download
memory/5112-33-0x00007FF797820000-0x00007FF797B71000-memory.dmp

Filesize
3.3MB

Download
memory/5112-205-0x00007FF797820000-0x00007FF797B71000-memory.dmp

Filesize
3.3MB

Download