cobaltstrike | dbff180c1cd14428a03c7e1699faa9e758c80d0eb31edf04189abfbd2f2f14c9

Analysis

max time kernel
148s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

543b6e2284fbdb0fb9057a455d7e8e68
SHA1

8958c3bbf404dc5ce572a1a24d1e6c41e66ddf56
SHA256

dbff180c1cd14428a03c7e1699faa9e758c80d0eb31edf04189abfbd2f2f14c9
SHA512

9c05c36c83224e9458a003d4af8cf0e94a7a0d26f914741e642ea09b4aff3137dbf268a61f3a32b30f94598ea9040f598f82953e6b60049b1fb611c051f262ed
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUh

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\OhIGbEU.exe	cobalt_reflective_dll
C:\Windows\System\aPIGGfI.exe	cobalt_reflective_dll
C:\Windows\System\CDsbTgH.exe	cobalt_reflective_dll
C:\Windows\System\UkQCvNQ.exe	cobalt_reflective_dll
C:\Windows\System\zgTOqjH.exe	cobalt_reflective_dll
C:\Windows\System\JMzSTji.exe	cobalt_reflective_dll
C:\Windows\System\LbumsFg.exe	cobalt_reflective_dll
C:\Windows\System\pLNVKkj.exe	cobalt_reflective_dll
C:\Windows\System\iYacyFU.exe	cobalt_reflective_dll
C:\Windows\System\OPSKbOS.exe	cobalt_reflective_dll
C:\Windows\System\LHUNMjm.exe	cobalt_reflective_dll
C:\Windows\System\VyHfYxQ.exe	cobalt_reflective_dll
C:\Windows\System\BSrIaPG.exe	cobalt_reflective_dll
C:\Windows\System\wpwFyIL.exe	cobalt_reflective_dll
C:\Windows\System\ufiBaGN.exe	cobalt_reflective_dll
C:\Windows\System\rnGjGxr.exe	cobalt_reflective_dll
C:\Windows\System\MjWGvVv.exe	cobalt_reflective_dll
C:\Windows\System\vOZeJqo.exe	cobalt_reflective_dll
C:\Windows\System\Fufcude.exe	cobalt_reflective_dll
C:\Windows\System\vgLbjKL.exe	cobalt_reflective_dll
C:\Windows\System\XeqCzsq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\OhIGbEU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aPIGGfI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CDsbTgH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UkQCvNQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zgTOqjH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JMzSTji.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LbumsFg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pLNVKkj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iYacyFU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OPSKbOS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LHUNMjm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VyHfYxQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BSrIaPG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wpwFyIL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ufiBaGN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rnGjGxr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MjWGvVv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vOZeJqo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Fufcude.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vgLbjKL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XeqCzsq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3396-0-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	UPX
C:\Windows\System\OhIGbEU.exe	UPX
C:\Windows\System\aPIGGfI.exe	UPX
C:\Windows\System\CDsbTgH.exe	UPX
behavioral2/memory/1872-9-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	UPX
behavioral2/memory/4008-20-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	UPX
C:\Windows\System\UkQCvNQ.exe	UPX
C:\Windows\System\zgTOqjH.exe	UPX
C:\Windows\System\JMzSTji.exe	UPX
C:\Windows\System\LbumsFg.exe	UPX
C:\Windows\System\pLNVKkj.exe	UPX
C:\Windows\System\iYacyFU.exe	UPX
C:\Windows\System\OPSKbOS.exe	UPX
C:\Windows\System\LHUNMjm.exe	UPX
C:\Windows\System\VyHfYxQ.exe	UPX
C:\Windows\System\BSrIaPG.exe	UPX
C:\Windows\System\wpwFyIL.exe	UPX
C:\Windows\System\ufiBaGN.exe	UPX
C:\Windows\System\rnGjGxr.exe	UPX
C:\Windows\System\MjWGvVv.exe	UPX
C:\Windows\System\vOZeJqo.exe	UPX
C:\Windows\System\Fufcude.exe	UPX
behavioral2/memory/2100-57-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	UPX
C:\Windows\System\vgLbjKL.exe	UPX
C:\Windows\System\XeqCzsq.exe	UPX
behavioral2/memory/2212-26-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	UPX
behavioral2/memory/4808-12-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	UPX
behavioral2/memory/1120-112-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	UPX
behavioral2/memory/3396-113-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	UPX
behavioral2/memory/1872-114-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	UPX
behavioral2/memory/4808-115-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	UPX
behavioral2/memory/4008-116-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	UPX
behavioral2/memory/2212-117-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	UPX
behavioral2/memory/4684-120-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	UPX
behavioral2/memory/848-121-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	UPX
behavioral2/memory/1724-122-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	UPX
behavioral2/memory/2544-123-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	UPX
behavioral2/memory/1988-124-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	UPX
behavioral2/memory/2044-125-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	UPX
behavioral2/memory/2348-126-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	UPX
behavioral2/memory/1588-128-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp	UPX
behavioral2/memory/884-127-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	UPX
behavioral2/memory/2952-129-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp	UPX
behavioral2/memory/3024-130-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp	UPX
behavioral2/memory/4744-131-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp	UPX
behavioral2/memory/1480-132-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp	UPX
behavioral2/memory/5056-133-0x00007FF606120000-0x00007FF606471000-memory.dmp	UPX
behavioral2/memory/4720-134-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	UPX
behavioral2/memory/3396-135-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	UPX
behavioral2/memory/3396-173-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	UPX
behavioral2/memory/1872-182-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	UPX
behavioral2/memory/4808-184-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	UPX
behavioral2/memory/4008-187-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	UPX
behavioral2/memory/2212-188-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	UPX
behavioral2/memory/2100-190-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	UPX
behavioral2/memory/1724-197-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	UPX
behavioral2/memory/4684-203-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	UPX
behavioral2/memory/848-206-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	UPX
behavioral2/memory/1120-204-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	UPX
behavioral2/memory/1988-211-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	UPX
behavioral2/memory/2544-213-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	UPX
behavioral2/memory/2348-217-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	UPX
behavioral2/memory/884-222-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	UPX
behavioral2/memory/2044-219-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4008-20-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	xmrig
behavioral2/memory/2100-57-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	xmrig
behavioral2/memory/2212-26-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	xmrig
behavioral2/memory/1120-112-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	xmrig
behavioral2/memory/3396-113-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	xmrig
behavioral2/memory/1872-114-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	xmrig
behavioral2/memory/4808-115-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	xmrig
behavioral2/memory/4008-116-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	xmrig
behavioral2/memory/2212-117-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	xmrig
behavioral2/memory/4684-120-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	xmrig
behavioral2/memory/848-121-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	xmrig
behavioral2/memory/1724-122-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	xmrig
behavioral2/memory/2544-123-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	xmrig
behavioral2/memory/1988-124-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	xmrig
behavioral2/memory/2044-125-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	xmrig
behavioral2/memory/2348-126-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	xmrig
behavioral2/memory/1588-128-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp	xmrig
behavioral2/memory/884-127-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	xmrig
behavioral2/memory/2952-129-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp	xmrig
behavioral2/memory/3024-130-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp	xmrig
behavioral2/memory/4744-131-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp	xmrig
behavioral2/memory/1480-132-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp	xmrig
behavioral2/memory/5056-133-0x00007FF606120000-0x00007FF606471000-memory.dmp	xmrig
behavioral2/memory/4720-134-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	xmrig
behavioral2/memory/3396-135-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	xmrig
behavioral2/memory/3396-173-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	xmrig
behavioral2/memory/1872-182-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	xmrig
behavioral2/memory/4808-184-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	xmrig
behavioral2/memory/4008-187-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	xmrig
behavioral2/memory/2212-188-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	xmrig
behavioral2/memory/2100-190-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	xmrig
behavioral2/memory/1724-197-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	xmrig
behavioral2/memory/4684-203-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	xmrig
behavioral2/memory/848-206-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	xmrig
behavioral2/memory/1120-204-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	xmrig
behavioral2/memory/1988-211-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	xmrig
behavioral2/memory/2544-213-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	xmrig
behavioral2/memory/2348-217-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	xmrig
behavioral2/memory/884-222-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	xmrig
behavioral2/memory/2044-219-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	xmrig
behavioral2/memory/2952-227-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp	xmrig
behavioral2/memory/1588-226-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp	xmrig
behavioral2/memory/4744-232-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp	xmrig
behavioral2/memory/5056-236-0x00007FF606120000-0x00007FF606471000-memory.dmp	xmrig
behavioral2/memory/3024-235-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp	xmrig
behavioral2/memory/1480-233-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp	xmrig
behavioral2/memory/4720-238-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

OhIGbEU.exeCDsbTgH.exeaPIGGfI.exeUkQCvNQ.exezgTOqjH.exeJMzSTji.exeXeqCzsq.exevgLbjKL.exeLbumsFg.exeFufcude.exepLNVKkj.exeiYacyFU.exeOPSKbOS.exevOZeJqo.exeMjWGvVv.exernGjGxr.exeLHUNMjm.exeufiBaGN.exeVyHfYxQ.exewpwFyIL.exeBSrIaPG.exe

pid	process
1872	OhIGbEU.exe
4808	CDsbTgH.exe
4008	aPIGGfI.exe
2212	UkQCvNQ.exe
2100	zgTOqjH.exe
1120	JMzSTji.exe
4684	XeqCzsq.exe
848	vgLbjKL.exe
1724	LbumsFg.exe
2544	Fufcude.exe
1988	pLNVKkj.exe
2348	iYacyFU.exe
2044	OPSKbOS.exe
884	vOZeJqo.exe
1588	MjWGvVv.exe
2952	rnGjGxr.exe
3024	LHUNMjm.exe
4744	ufiBaGN.exe
1480	VyHfYxQ.exe
5056	wpwFyIL.exe
4720	BSrIaPG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3396-0-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	upx
C:\Windows\System\OhIGbEU.exe	upx
C:\Windows\System\aPIGGfI.exe	upx
C:\Windows\System\CDsbTgH.exe	upx
behavioral2/memory/1872-9-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	upx
behavioral2/memory/4008-20-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	upx
C:\Windows\System\UkQCvNQ.exe	upx
C:\Windows\System\zgTOqjH.exe	upx
C:\Windows\System\JMzSTji.exe	upx
C:\Windows\System\LbumsFg.exe	upx
C:\Windows\System\pLNVKkj.exe	upx
C:\Windows\System\iYacyFU.exe	upx
C:\Windows\System\OPSKbOS.exe	upx
C:\Windows\System\LHUNMjm.exe	upx
C:\Windows\System\VyHfYxQ.exe	upx
C:\Windows\System\BSrIaPG.exe	upx
C:\Windows\System\wpwFyIL.exe	upx
C:\Windows\System\ufiBaGN.exe	upx
C:\Windows\System\rnGjGxr.exe	upx
C:\Windows\System\MjWGvVv.exe	upx
C:\Windows\System\vOZeJqo.exe	upx
C:\Windows\System\Fufcude.exe	upx
behavioral2/memory/2100-57-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	upx
C:\Windows\System\vgLbjKL.exe	upx
C:\Windows\System\XeqCzsq.exe	upx
behavioral2/memory/2212-26-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	upx
behavioral2/memory/4808-12-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	upx
behavioral2/memory/1120-112-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	upx
behavioral2/memory/3396-113-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	upx
behavioral2/memory/1872-114-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	upx
behavioral2/memory/4808-115-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	upx
behavioral2/memory/4008-116-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	upx
behavioral2/memory/2212-117-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	upx
behavioral2/memory/4684-120-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	upx
behavioral2/memory/848-121-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	upx
behavioral2/memory/1724-122-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	upx
behavioral2/memory/2544-123-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	upx
behavioral2/memory/1988-124-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	upx
behavioral2/memory/2044-125-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	upx
behavioral2/memory/2348-126-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	upx
behavioral2/memory/1588-128-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp	upx
behavioral2/memory/884-127-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	upx
behavioral2/memory/2952-129-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp	upx
behavioral2/memory/3024-130-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp	upx
behavioral2/memory/4744-131-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp	upx
behavioral2/memory/1480-132-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp	upx
behavioral2/memory/5056-133-0x00007FF606120000-0x00007FF606471000-memory.dmp	upx
behavioral2/memory/4720-134-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp	upx
behavioral2/memory/3396-135-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	upx
behavioral2/memory/3396-173-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp	upx
behavioral2/memory/1872-182-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp	upx
behavioral2/memory/4808-184-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp	upx
behavioral2/memory/4008-187-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp	upx
behavioral2/memory/2212-188-0x00007FF75A220000-0x00007FF75A571000-memory.dmp	upx
behavioral2/memory/2100-190-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp	upx
behavioral2/memory/1724-197-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp	upx
behavioral2/memory/4684-203-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp	upx
behavioral2/memory/848-206-0x00007FF738750000-0x00007FF738AA1000-memory.dmp	upx
behavioral2/memory/1120-204-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp	upx
behavioral2/memory/1988-211-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp	upx
behavioral2/memory/2544-213-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp	upx
behavioral2/memory/2348-217-0x00007FF607180000-0x00007FF6074D1000-memory.dmp	upx
behavioral2/memory/884-222-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp	upx
behavioral2/memory/2044-219-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\VyHfYxQ.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wpwFyIL.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BSrIaPG.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XeqCzsq.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rnGjGxr.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vOZeJqo.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pLNVKkj.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iYacyFU.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UkQCvNQ.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JMzSTji.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LHUNMjm.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OhIGbEU.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CDsbTgH.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vgLbjKL.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LbumsFg.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Fufcude.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OPSKbOS.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MjWGvVv.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ufiBaGN.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aPIGGfI.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zgTOqjH.exe	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3396 wrote to memory of 1872	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	OhIGbEU.exe
PID 3396 wrote to memory of 1872	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	OhIGbEU.exe
PID 3396 wrote to memory of 4808	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	CDsbTgH.exe
PID 3396 wrote to memory of 4808	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	CDsbTgH.exe
PID 3396 wrote to memory of 4008	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	aPIGGfI.exe
PID 3396 wrote to memory of 4008	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	aPIGGfI.exe
PID 3396 wrote to memory of 2212	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	UkQCvNQ.exe
PID 3396 wrote to memory of 2212	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	UkQCvNQ.exe
PID 3396 wrote to memory of 2100	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	zgTOqjH.exe
PID 3396 wrote to memory of 2100	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	zgTOqjH.exe
PID 3396 wrote to memory of 1120	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	JMzSTji.exe
PID 3396 wrote to memory of 1120	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	JMzSTji.exe
PID 3396 wrote to memory of 4684	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	XeqCzsq.exe
PID 3396 wrote to memory of 4684	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	XeqCzsq.exe
PID 3396 wrote to memory of 848	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	vgLbjKL.exe
PID 3396 wrote to memory of 848	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	vgLbjKL.exe
PID 3396 wrote to memory of 1724	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	LbumsFg.exe
PID 3396 wrote to memory of 1724	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	LbumsFg.exe
PID 3396 wrote to memory of 2544	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	Fufcude.exe
PID 3396 wrote to memory of 2544	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	Fufcude.exe
PID 3396 wrote to memory of 1988	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	pLNVKkj.exe
PID 3396 wrote to memory of 1988	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	pLNVKkj.exe
PID 3396 wrote to memory of 2044	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	OPSKbOS.exe
PID 3396 wrote to memory of 2044	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	OPSKbOS.exe
PID 3396 wrote to memory of 2348	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	iYacyFU.exe
PID 3396 wrote to memory of 2348	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	iYacyFU.exe
PID 3396 wrote to memory of 884	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	vOZeJqo.exe
PID 3396 wrote to memory of 884	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	vOZeJqo.exe
PID 3396 wrote to memory of 1588	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	MjWGvVv.exe
PID 3396 wrote to memory of 1588	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	MjWGvVv.exe
PID 3396 wrote to memory of 2952	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	rnGjGxr.exe
PID 3396 wrote to memory of 2952	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	rnGjGxr.exe
PID 3396 wrote to memory of 3024	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	LHUNMjm.exe
PID 3396 wrote to memory of 3024	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	LHUNMjm.exe
PID 3396 wrote to memory of 4744	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	ufiBaGN.exe
PID 3396 wrote to memory of 4744	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	ufiBaGN.exe
PID 3396 wrote to memory of 1480	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	VyHfYxQ.exe
PID 3396 wrote to memory of 1480	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	VyHfYxQ.exe
PID 3396 wrote to memory of 5056	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	wpwFyIL.exe
PID 3396 wrote to memory of 5056	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	wpwFyIL.exe
PID 3396 wrote to memory of 4720	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	BSrIaPG.exe
PID 3396 wrote to memory of 4720	3396	2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe	BSrIaPG.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4088,i,7343566111344912903,8618626735805026283,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
1⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_543b6e2284fbdb0fb9057a455d7e8e68_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3396

C:\Windows\System\OhIGbEU.exe
C:\Windows\System\OhIGbEU.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\CDsbTgH.exe
C:\Windows\System\CDsbTgH.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\System\aPIGGfI.exe
C:\Windows\System\aPIGGfI.exe
2⤵
- Executes dropped EXE
PID:4008

C:\Windows\System\UkQCvNQ.exe
C:\Windows\System\UkQCvNQ.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Windows\System\zgTOqjH.exe
C:\Windows\System\zgTOqjH.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\JMzSTji.exe
C:\Windows\System\JMzSTji.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\XeqCzsq.exe
C:\Windows\System\XeqCzsq.exe
2⤵
- Executes dropped EXE
PID:4684

C:\Windows\System\vgLbjKL.exe
C:\Windows\System\vgLbjKL.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\LbumsFg.exe
C:\Windows\System\LbumsFg.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System\Fufcude.exe
C:\Windows\System\Fufcude.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\pLNVKkj.exe
C:\Windows\System\pLNVKkj.exe
2⤵
- Executes dropped EXE
PID:1988

C:\Windows\System\OPSKbOS.exe
C:\Windows\System\OPSKbOS.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\iYacyFU.exe
C:\Windows\System\iYacyFU.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\System\vOZeJqo.exe
C:\Windows\System\vOZeJqo.exe
2⤵
- Executes dropped EXE
PID:884

C:\Windows\System\MjWGvVv.exe
C:\Windows\System\MjWGvVv.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\rnGjGxr.exe
C:\Windows\System\rnGjGxr.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\LHUNMjm.exe
C:\Windows\System\LHUNMjm.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\System\ufiBaGN.exe
C:\Windows\System\ufiBaGN.exe
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\System\VyHfYxQ.exe
C:\Windows\System\VyHfYxQ.exe
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\System\wpwFyIL.exe
C:\Windows\System\wpwFyIL.exe
2⤵
- Executes dropped EXE
PID:5056

C:\Windows\System\BSrIaPG.exe
C:\Windows\System\BSrIaPG.exe
2⤵
- Executes dropped EXE
PID:4720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BSrIaPG.exe
Filesize
5.2MB

MD5
5e760f8dd11ebd0a9a60986095b50c4f

SHA1
a02464f6620f3485e1cbb9f60dca979d2c0ec76e

SHA256
09748bc2e7954ec1a4f5d3d968c4e0defab896f36e51a4bb353098e4e3ffd28a

SHA512
cd1c2f0f82c6e6ac058377975983354ee5960c2c03b65db9c6cacca40fc026c1fa22da8704caf3616b92f2ba0c3620568a98cd41003fd052b107fa881ca468d4

Download Submit
C:\Windows\System\CDsbTgH.exe
Filesize
5.2MB

MD5
b5e327e2a0df2c4a8bbd50f27dee3b75

SHA1
a3053214d6b94072524830065400d50774c9cc5a

SHA256
27b68d61771058faccf262300310f34bc503c2be6a6799591d833aa342a616b6

SHA512
ffb344e3674d8d96b92e388f1d9d2c7fc5eccb03701c02f0012b7961350adce85cb4e0d58c68e273a776980037af7aec7949199fb86c09701801fab339017084

Download Submit
C:\Windows\System\Fufcude.exe
Filesize
5.2MB

MD5
2837bf144682e469fb6ecb420eee211a

SHA1
7a8ea7d49eb3b0b028cb285005f89638695f60dc

SHA256
27417a832ab2caa682372bb85214795b1517818b6ed0dd4cc8c7bc3b4c126a2e

SHA512
c71a333380c59b7c630fc9f3ff16fe601cf7536b36bbcee96507d49b153428976c92afe7857ae937903c89574cf7b1b705829fd119f6dc8569454a981c5b1ecc

Download Submit
C:\Windows\System\JMzSTji.exe
Filesize
5.2MB

MD5
a705418bb6d0052aa7d40aa5c4aa807f

SHA1
00fb08f956f73fe1c2f5ff5ab76337df036a9132

SHA256
574da704983bae2bb7b5c685c9425ffc57659687926336512aefff4cbcc22ae5

SHA512
04a1a9e86bd9f5e9d3c65ca550b64e24c5eafea3e8cb60d04b951a8f3fa9e33bc71aeba5f3c380203130d1f77805756d04f76014acc97a618e48edb982d08036

Download Submit
C:\Windows\System\LHUNMjm.exe
Filesize
5.2MB

MD5
0d0fd3f3b38ac1e3394cecd4578d2716

SHA1
95886f2b7258c7ee68a844a93e97b9357d834c22

SHA256
8b7e8db2df9fdd7b9644ca4da54aa3d9ac96f1cc08a3c67cef9ff50a1ecc8876

SHA512
fd41c2d9033e35a335ca124de4b54df19ab5724810e14be064189f05734ef8c5110843879d164b026acffd090fabd83d247a57be984f442fb9d901d0730985c1

Download Submit
C:\Windows\System\LbumsFg.exe
Filesize
5.2MB

MD5
99e66bacd8e00afcb44a7369f5394aa1

SHA1
8f000cd867e47d2c37a841c9d5098fc9d06785ec

SHA256
30a359a9e576ce25031db55d3c0545667788644bf8f93e39aa95485ecdb3626b

SHA512
584d5762f501a5eea3c8e39d3fe5c6febfb90b9fdd93f0ed5aa87e94371767a714d922681a87f17c81982588dc9af9fc3d688189841d532b95abd079c5e8b590

Download Submit
C:\Windows\System\MjWGvVv.exe
Filesize
5.2MB

MD5
600f0392346befde5ee7ecffebc2a96f

SHA1
bd1e058b942a953fac231a5c459b48df60f9156c

SHA256
e1d889392bf5c6ed74da7111a73772db541c456fa3d3d37d43442125347c3098

SHA512
8a88a286023c7a7ea44f01a3d2a82f64dd1c1c139f583b89a5f3d7744aedc9352e9610835dc6e0e9cd2d8950b15a7c9caafd4253109436230cb0b20430c7a0ef

Download Submit
C:\Windows\System\OPSKbOS.exe
Filesize
5.2MB

MD5
419208abbfa862f9da3efb1449efcd08

SHA1
e354c08bcd306140c9c2dffd8b4b3f3f326ab437

SHA256
ee94e515ea6a9e59fe6f9ff49e584dd0681dc079aeaa6946762f50f97787aa89

SHA512
f042db18b64ce8cda54ba124a303593c7455d60bf0b11d9b9f9147614299d9ed041dfca38b7ee4b1121e720b7305df56e9dd7b61fe71706456b50de438b92957

Download Submit
C:\Windows\System\OhIGbEU.exe
Filesize
5.2MB

MD5
7c959ed3c525103d04dfb08c71f37381

SHA1
a8472d770249e8705e61d7bfe4ff37fb788c561f

SHA256
0f745aa5931e11fdf4f0548beaf6352f9e66ad2d8108428c8eb77e4c2c8d792f

SHA512
c90276d2861ba31debd377b797a46e9864b4de46907246f303c0c9ed8621ebbc73dfba41d3d8e3084b9289ebd8aed1283739b71be4c6934ad87ed37175f9a9d7

Download Submit
C:\Windows\System\UkQCvNQ.exe
Filesize
5.2MB

MD5
d4e0ee68e62b183e29631283bb6698fb

SHA1
e42afe4bb12c5bb47cec3a656464cf5453813125

SHA256
fa3aa9842f2206d41291aff0fa6a4c3e930e399c9bac870b225caf73118d22ac

SHA512
9ffcfde16165e53011c9fbf873adfadef3e383771ebfa4d1bd3ebd4dacc04769ceaa230dfee827712f79be8974a367efa6f706981b01e7fda065acf0f0db3fd5

Download Submit
C:\Windows\System\VyHfYxQ.exe
Filesize
5.2MB

MD5
48d7a4b3fc9ce1d8bc3361772a04b98c

SHA1
f7d30b4dd7e70af4db1e5857f3602be3f5434975

SHA256
078639156108152976a226941ceb5b5324c7bc0c107aa1a4b9bfe9803f854277

SHA512
3fa351f213f2e04fc463b5040ff9e5e2247f733e9eae9b6c97d8948a81716cfee74018f6a9eb45b6e7538f4a53381118bb00ec6685574f57801c7ced675d1e24

Download Submit
C:\Windows\System\XeqCzsq.exe
Filesize
5.2MB

MD5
4a0ac2114ed7449129270b2948db5802

SHA1
9348a81feafddc2e7cfb7af08fb913af1ce27dd9

SHA256
891ba02b43869074f9d803b6da8707677d119d2792d34e4c687c04cc36378269

SHA512
fab1a4de1307aa6171b2418299e64bf9c7597b6e984b798d6c22aa526f7dffa07d73504e322f157738ff384343c1dd2b4ef780c5a8f5036b6953b3ab8a1c1962

Download Submit
C:\Windows\System\aPIGGfI.exe
Filesize
5.2MB

MD5
11a6f43ac376caac3170268bf355a290

SHA1
bb1403dc0a9d806a6dc17633698920ce93461fde

SHA256
39933ba9fb8fc70b827ff0700a1e9ae4dc2e58f6543d7d26647638b2fb2ff9ae

SHA512
147101a8d24bbf429a12738147aee70369c24e78d4e6ec078947f6e885fbbf387f0b29dc9aea1a7645e12efd9ec91f4f14ed92ed20a536b4225fd56f22d24a90

Download Submit
C:\Windows\System\iYacyFU.exe
Filesize
5.2MB

MD5
7af58ada3d9c2d83b92b267aed36c964

SHA1
38c29784064fe4af1915f51d2c33eec20a28519b

SHA256
f0588ee34f5e53bccfdd331593ed229915a0f18e705196185aa54fc9e684a06d

SHA512
7f684cf8cf8eb2aff078997f0cba0436f6d7008919f6804f661e5f7dd9ffa6608878192bbce38f663ce00a6b6d69e09f81833c1ffd4a3ff44392deeded5fafdc

Download Submit
C:\Windows\System\pLNVKkj.exe
Filesize
5.2MB

MD5
7d2be12bc2c83b855575ae0e4f296743

SHA1
530371310aa99158bc260c0f0517b316e784fe62

SHA256
ebca832d5afa44a4a32d1165f9d96e304504324fc1c4dbb242bbfbdef758cd08

SHA512
7d83eb066fb62189eb05aca67e882daaaf91d9c85ced258481288030557613d33e0788166d0c5579d44124b1a7117e6609845ee21d4cecf17d84ce5d01710262

Download Submit
C:\Windows\System\rnGjGxr.exe
Filesize
5.2MB

MD5
3dbc80321d19ccd9bb5cdbdb6336b866

SHA1
448ab9dad5b48f2dfad7f9a1213a3cf83da4d944

SHA256
a9fcb650b50c88e2aca6c04ebfdab5c148ea718b2ba0387937d023f732456400

SHA512
c5d9061ec592d6f2852414fac926b0e8e15b542c6c25a0c5e993a555e88eb3b7799ea0e4c235a496720d4b4791017eee2389c11484cc62b05a3dc4aa45183543

Download Submit
C:\Windows\System\ufiBaGN.exe
Filesize
5.2MB

MD5
10c86a51f0cd031132546558fabd65dc

SHA1
b7dc5f99f0218fc2d35156f0e3ba12118874f6ae

SHA256
2d58f530638ebff89671f1dcfed06f2cca4403f451b6846d405dbd651ec1f7d7

SHA512
0155e5abc5207c30e99b186690adb7318ec02797cf6a404f526bb3d11ba8a85e2bba51c9a0c39e55ba5807e104810e3c1032036b97c1d33030ad2f0d5435ad83

Download Submit
C:\Windows\System\vOZeJqo.exe
Filesize
5.2MB

MD5
aafae5a6149ef0a2d706fd7612c83951

SHA1
c358d75a2ed85eb5a5eda02ff7622bbb532e00c3

SHA256
8cf0b583c3be9bc03be730bef35bbeb290aeb2e791da16f1394bc3791d17c767

SHA512
a0fa1fe1b15f485851bdca199b18899ffe27736caf1554ab78f45ac3181164b251ead258d0c2e3aa37ea6a987b734632278d32eefb0253aad2e356ed9a045911

Download Submit
C:\Windows\System\vgLbjKL.exe
Filesize
5.2MB

MD5
17188475621b908532053ab5e00cd0ce

SHA1
a294c4d76df6f36e647b9029647d58704e63c98a

SHA256
0c4169ac76dc2c1ff89b9f4eb6e891659e8f0598c078102119d2bb6aed38ed2c

SHA512
1be87b7f92031eb2a4b669ad8bd337ad5ade46505db908e014b9de041450235902a96e51393902ff6da199f340b20d22b1fd3144d69e1570132dd93af5f8ee9e

Download Submit
C:\Windows\System\wpwFyIL.exe
Filesize
5.2MB

MD5
dac3e5b95ed7e84bf63db96fa600f5b1

SHA1
e6b5c5516b01e2e799e7d6b6c54d091b409cb5a5

SHA256
59b4c00128bc46bd5857428a64fbe5acbf5ab762e9d5d3f8be2383060f2a631e

SHA512
7357d34aa7242dc0ac6538c78c766f990b533cd0e613d538e37d1d391037959ab3d686985b996ab7e1e80439346752c9795a2038319a02e1c2b481f95da48101

Download Submit
C:\Windows\System\zgTOqjH.exe
Filesize
5.2MB

MD5
e101f71a52776f7af7813077b82693fe

SHA1
761d84af7f2e4009f33783b4b9040b650360c356

SHA256
c5123796fae8eaf9e3ac846744f1270dde2f10ffc7857aa680114406f31b5b4d

SHA512
dfdebbfd431cfbcb01ebcc92b3839e36f13f070068e8e3ee60ecaae9fd70e055cfb290080ae65bc12c9391a5217357082d5b16ae1d646cdd6b782bc698f65b13

Download Submit
memory/848-121-0x00007FF738750000-0x00007FF738AA1000-memory.dmp

Filesize
3.3MB

Download
memory/848-206-0x00007FF738750000-0x00007FF738AA1000-memory.dmp

Filesize
3.3MB

Download
memory/884-127-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp

Filesize
3.3MB

Download
memory/884-222-0x00007FF777DA0000-0x00007FF7780F1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-112-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp

Filesize
3.3MB

Download
memory/1120-204-0x00007FF6810A0000-0x00007FF6813F1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-132-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp

Filesize
3.3MB

Download
memory/1480-233-0x00007FF76F1C0000-0x00007FF76F511000-memory.dmp

Filesize
3.3MB

Download
memory/1588-128-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp

Filesize
3.3MB

Download
memory/1588-226-0x00007FF6AEBE0000-0x00007FF6AEF31000-memory.dmp

Filesize
3.3MB

Download
memory/1724-122-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp

Filesize
3.3MB

Download
memory/1724-197-0x00007FF6A3F60000-0x00007FF6A42B1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-182-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-9-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-114-0x00007FF67C570000-0x00007FF67C8C1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-124-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-211-0x00007FF6D0FA0000-0x00007FF6D12F1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-219-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp

Filesize
3.3MB

Download
memory/2044-125-0x00007FF6219B0000-0x00007FF621D01000-memory.dmp

Filesize
3.3MB

Download
memory/2100-190-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2100-57-0x00007FF75CE50000-0x00007FF75D1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-188-0x00007FF75A220000-0x00007FF75A571000-memory.dmp

Filesize
3.3MB

Download
memory/2212-26-0x00007FF75A220000-0x00007FF75A571000-memory.dmp

Filesize
3.3MB

Download
memory/2212-117-0x00007FF75A220000-0x00007FF75A571000-memory.dmp

Filesize
3.3MB

Download
memory/2348-217-0x00007FF607180000-0x00007FF6074D1000-memory.dmp

Filesize
3.3MB

Download
memory/2348-126-0x00007FF607180000-0x00007FF6074D1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-213-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp

Filesize
3.3MB

Download
memory/2544-123-0x00007FF6A1BC0000-0x00007FF6A1F11000-memory.dmp

Filesize
3.3MB

Download
memory/2952-129-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp

Filesize
3.3MB

Download
memory/2952-227-0x00007FF77B8D0000-0x00007FF77BC21000-memory.dmp

Filesize
3.3MB

Download
memory/3024-130-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp

Filesize
3.3MB

Download
memory/3024-235-0x00007FF7497E0000-0x00007FF749B31000-memory.dmp

Filesize
3.3MB

Download
memory/3396-113-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-0-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-173-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-135-0x00007FF7E39A0000-0x00007FF7E3CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3396-1-0x000002B1BDE50000-0x000002B1BDE60000-memory.dmp

Filesize
64KB

Download
memory/4008-187-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp

Filesize
3.3MB

Download
memory/4008-20-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp

Filesize
3.3MB

Download
memory/4008-116-0x00007FF69A8E0000-0x00007FF69AC31000-memory.dmp

Filesize
3.3MB

Download
memory/4684-203-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4684-120-0x00007FF7A9B90000-0x00007FF7A9EE1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-238-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-134-0x00007FF71A560000-0x00007FF71A8B1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-131-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4744-232-0x00007FF7ABD50000-0x00007FF7AC0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4808-115-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp

Filesize
3.3MB

Download
memory/4808-12-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp

Filesize
3.3MB

Download
memory/4808-184-0x00007FF61B840000-0x00007FF61BB91000-memory.dmp

Filesize
3.3MB

Download
memory/5056-236-0x00007FF606120000-0x00007FF606471000-memory.dmp

Filesize
3.3MB

Download
memory/5056-133-0x00007FF606120000-0x00007FF606471000-memory.dmp

Filesize
3.3MB

Download