cobaltstrike | eb0fcabf990a1728a83da8a32cf22e9c7cb806d6a289ce92fede9e6847d5e3a9

Analysis

max time kernel
143s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d0642307143408f7450e396cfdf78876
SHA1

4aff75165cb3069bc98823ce3695ad7399af49a0
SHA256

eb0fcabf990a1728a83da8a32cf22e9c7cb806d6a289ce92fede9e6847d5e3a9
SHA512

af3d9162085e6645116087cd26f55f9bf490cd791bccfb3edee6b11f2ebed03c7f850794c9068584c22d35ca47d7d31f8873be175e81cbd02d42f0c9c4e0042e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibf56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\DwURltB.exe	cobalt_reflective_dll
C:\Windows\System\DIXvvku.exe	cobalt_reflective_dll
C:\Windows\System\aHfTWSb.exe	cobalt_reflective_dll
C:\Windows\System\yiRTtxR.exe	cobalt_reflective_dll
C:\Windows\System\oANurFI.exe	cobalt_reflective_dll
C:\Windows\System\kMNMCBy.exe	cobalt_reflective_dll
C:\Windows\System\SniOGSy.exe	cobalt_reflective_dll
C:\Windows\System\vWICvqG.exe	cobalt_reflective_dll
C:\Windows\System\DHbtWwH.exe	cobalt_reflective_dll
C:\Windows\System\bCzlmkn.exe	cobalt_reflective_dll
C:\Windows\System\ksAcSCU.exe	cobalt_reflective_dll
C:\Windows\System\nsPdfUV.exe	cobalt_reflective_dll
C:\Windows\System\nvesfLr.exe	cobalt_reflective_dll
C:\Windows\System\HJyAZji.exe	cobalt_reflective_dll
C:\Windows\System\oTaLnwX.exe	cobalt_reflective_dll
C:\Windows\System\snEwZcP.exe	cobalt_reflective_dll
C:\Windows\System\WnyAYgh.exe	cobalt_reflective_dll
C:\Windows\System\zieocRc.exe	cobalt_reflective_dll
C:\Windows\System\ucpwvJC.exe	cobalt_reflective_dll
C:\Windows\System\ruFuORI.exe	cobalt_reflective_dll
C:\Windows\System\zMGTRUZ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\DwURltB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DIXvvku.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aHfTWSb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yiRTtxR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oANurFI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kMNMCBy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SniOGSy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vWICvqG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DHbtWwH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bCzlmkn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ksAcSCU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nsPdfUV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nvesfLr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HJyAZji.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oTaLnwX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\snEwZcP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WnyAYgh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zieocRc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ucpwvJC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ruFuORI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zMGTRUZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1468-0-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	UPX
C:\Windows\System\DwURltB.exe	UPX
behavioral2/memory/3448-8-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	UPX
C:\Windows\System\DIXvvku.exe	UPX
C:\Windows\System\aHfTWSb.exe	UPX
behavioral2/memory/4504-19-0x00007FF648D00000-0x00007FF649051000-memory.dmp	UPX
behavioral2/memory/380-12-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	UPX
C:\Windows\System\yiRTtxR.exe	UPX
behavioral2/memory/3336-26-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	UPX
C:\Windows\System\oANurFI.exe	UPX
behavioral2/memory/1784-32-0x00007FF712230000-0x00007FF712581000-memory.dmp	UPX
C:\Windows\System\kMNMCBy.exe	UPX
C:\Windows\System\SniOGSy.exe	UPX
C:\Windows\System\vWICvqG.exe	UPX
behavioral2/memory/2744-49-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	UPX
behavioral2/memory/2452-52-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	UPX
C:\Windows\System\DHbtWwH.exe	UPX
behavioral2/memory/1520-55-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	UPX
C:\Windows\System\bCzlmkn.exe	UPX
C:\Windows\System\ksAcSCU.exe	UPX
behavioral2/memory/1620-62-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	UPX
behavioral2/memory/3760-58-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	UPX
behavioral2/memory/748-68-0x00007FF652300000-0x00007FF652651000-memory.dmp	UPX
C:\Windows\System\nsPdfUV.exe	UPX
behavioral2/memory/1468-74-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	UPX
C:\Windows\System\nvesfLr.exe	UPX
C:\Windows\System\HJyAZji.exe	UPX
behavioral2/memory/3448-82-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	UPX
behavioral2/memory/4784-85-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	UPX
C:\Windows\System\oTaLnwX.exe	UPX
C:\Windows\System\snEwZcP.exe	UPX
C:\Windows\System\WnyAYgh.exe	UPX
C:\Windows\System\zieocRc.exe	UPX
C:\Windows\System\ucpwvJC.exe	UPX
C:\Windows\System\ruFuORI.exe	UPX
C:\Windows\System\zMGTRUZ.exe	UPX
behavioral2/memory/928-81-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	UPX
behavioral2/memory/4828-78-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp	UPX
behavioral2/memory/380-123-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	UPX
behavioral2/memory/4596-124-0x00007FF758D00000-0x00007FF759051000-memory.dmp	UPX
behavioral2/memory/1488-125-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp	UPX
behavioral2/memory/1468-126-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	UPX
behavioral2/memory/3188-129-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp	UPX
behavioral2/memory/4504-130-0x00007FF648D00000-0x00007FF649051000-memory.dmp	UPX
behavioral2/memory/3336-131-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	UPX
behavioral2/memory/2208-132-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp	UPX
behavioral2/memory/5092-134-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp	UPX
behavioral2/memory/1712-135-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp	UPX
behavioral2/memory/1548-136-0x00007FF666110000-0x00007FF666461000-memory.dmp	UPX
behavioral2/memory/2744-137-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	UPX
behavioral2/memory/1620-141-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	UPX
behavioral2/memory/928-145-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	UPX
behavioral2/memory/4784-144-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	UPX
behavioral2/memory/1468-153-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	UPX
behavioral2/memory/3448-203-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	UPX
behavioral2/memory/380-205-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	UPX
behavioral2/memory/4504-207-0x00007FF648D00000-0x00007FF649051000-memory.dmp	UPX
behavioral2/memory/3336-209-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	UPX
behavioral2/memory/1784-211-0x00007FF712230000-0x00007FF712581000-memory.dmp	UPX
behavioral2/memory/2744-213-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	UPX
behavioral2/memory/1520-219-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	UPX
behavioral2/memory/2452-223-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	UPX
behavioral2/memory/3760-225-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	UPX
behavioral2/memory/1620-227-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4504-19-0x00007FF648D00000-0x00007FF649051000-memory.dmp	xmrig
behavioral2/memory/3336-26-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	xmrig
behavioral2/memory/1784-32-0x00007FF712230000-0x00007FF712581000-memory.dmp	xmrig
behavioral2/memory/2744-49-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	xmrig
behavioral2/memory/2452-52-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	xmrig
behavioral2/memory/1520-55-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	xmrig
behavioral2/memory/3760-58-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	xmrig
behavioral2/memory/748-68-0x00007FF652300000-0x00007FF652651000-memory.dmp	xmrig
behavioral2/memory/1468-74-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	xmrig
behavioral2/memory/3448-82-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	xmrig
behavioral2/memory/4828-78-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp	xmrig
behavioral2/memory/380-123-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	xmrig
behavioral2/memory/4596-124-0x00007FF758D00000-0x00007FF759051000-memory.dmp	xmrig
behavioral2/memory/1488-125-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp	xmrig
behavioral2/memory/1468-126-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	xmrig
behavioral2/memory/3188-129-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp	xmrig
behavioral2/memory/4504-130-0x00007FF648D00000-0x00007FF649051000-memory.dmp	xmrig
behavioral2/memory/3336-131-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	xmrig
behavioral2/memory/2208-132-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp	xmrig
behavioral2/memory/5092-134-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp	xmrig
behavioral2/memory/1712-135-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp	xmrig
behavioral2/memory/1548-136-0x00007FF666110000-0x00007FF666461000-memory.dmp	xmrig
behavioral2/memory/2744-137-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	xmrig
behavioral2/memory/1620-141-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	xmrig
behavioral2/memory/928-145-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	xmrig
behavioral2/memory/4784-144-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	xmrig
behavioral2/memory/1468-153-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	xmrig
behavioral2/memory/3448-203-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	xmrig
behavioral2/memory/380-205-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	xmrig
behavioral2/memory/4504-207-0x00007FF648D00000-0x00007FF649051000-memory.dmp	xmrig
behavioral2/memory/3336-209-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	xmrig
behavioral2/memory/1784-211-0x00007FF712230000-0x00007FF712581000-memory.dmp	xmrig
behavioral2/memory/2744-213-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	xmrig
behavioral2/memory/1520-219-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	xmrig
behavioral2/memory/2452-223-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	xmrig
behavioral2/memory/3760-225-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	xmrig
behavioral2/memory/1620-227-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	xmrig
behavioral2/memory/748-229-0x00007FF652300000-0x00007FF652651000-memory.dmp	xmrig
behavioral2/memory/4828-231-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp	xmrig
behavioral2/memory/928-233-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	xmrig
behavioral2/memory/4596-235-0x00007FF758D00000-0x00007FF759051000-memory.dmp	xmrig
behavioral2/memory/1488-238-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp	xmrig
behavioral2/memory/3188-239-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp	xmrig
behavioral2/memory/1712-243-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp	xmrig
behavioral2/memory/2208-245-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp	xmrig
behavioral2/memory/5092-244-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp	xmrig
behavioral2/memory/1548-247-0x00007FF666110000-0x00007FF666461000-memory.dmp	xmrig
behavioral2/memory/4784-251-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

DwURltB.exeDIXvvku.exeaHfTWSb.exeyiRTtxR.exeoANurFI.exekMNMCBy.exeSniOGSy.exevWICvqG.exeDHbtWwH.exebCzlmkn.exeksAcSCU.exensPdfUV.exenvesfLr.exeHJyAZji.exeoTaLnwX.exezMGTRUZ.exesnEwZcP.exeWnyAYgh.exeruFuORI.exezieocRc.exeucpwvJC.exe

pid	process
3448	DwURltB.exe
380	DIXvvku.exe
4504	aHfTWSb.exe
3336	yiRTtxR.exe
1784	oANurFI.exe
2744	kMNMCBy.exe
1520	SniOGSy.exe
2452	vWICvqG.exe
3760	DHbtWwH.exe
1620	bCzlmkn.exe
748	ksAcSCU.exe
4828	nsPdfUV.exe
4784	nvesfLr.exe
928	HJyAZji.exe
4596	oTaLnwX.exe
1488	zMGTRUZ.exe
3188	snEwZcP.exe
2208	WnyAYgh.exe
5092	ruFuORI.exe
1712	zieocRc.exe
1548	ucpwvJC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1468-0-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	upx
C:\Windows\System\DwURltB.exe	upx
behavioral2/memory/3448-8-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	upx
C:\Windows\System\DIXvvku.exe	upx
C:\Windows\System\aHfTWSb.exe	upx
behavioral2/memory/4504-19-0x00007FF648D00000-0x00007FF649051000-memory.dmp	upx
behavioral2/memory/380-12-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	upx
C:\Windows\System\yiRTtxR.exe	upx
behavioral2/memory/3336-26-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	upx
C:\Windows\System\oANurFI.exe	upx
behavioral2/memory/1784-32-0x00007FF712230000-0x00007FF712581000-memory.dmp	upx
C:\Windows\System\kMNMCBy.exe	upx
C:\Windows\System\SniOGSy.exe	upx
C:\Windows\System\vWICvqG.exe	upx
behavioral2/memory/2744-49-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	upx
behavioral2/memory/2452-52-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	upx
C:\Windows\System\DHbtWwH.exe	upx
behavioral2/memory/1520-55-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	upx
C:\Windows\System\bCzlmkn.exe	upx
C:\Windows\System\ksAcSCU.exe	upx
behavioral2/memory/1620-62-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	upx
behavioral2/memory/3760-58-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	upx
behavioral2/memory/748-68-0x00007FF652300000-0x00007FF652651000-memory.dmp	upx
C:\Windows\System\nsPdfUV.exe	upx
behavioral2/memory/1468-74-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	upx
C:\Windows\System\nvesfLr.exe	upx
C:\Windows\System\HJyAZji.exe	upx
behavioral2/memory/3448-82-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	upx
behavioral2/memory/4784-85-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	upx
C:\Windows\System\oTaLnwX.exe	upx
C:\Windows\System\snEwZcP.exe	upx
C:\Windows\System\WnyAYgh.exe	upx
C:\Windows\System\zieocRc.exe	upx
C:\Windows\System\ucpwvJC.exe	upx
C:\Windows\System\ruFuORI.exe	upx
C:\Windows\System\zMGTRUZ.exe	upx
behavioral2/memory/928-81-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	upx
behavioral2/memory/4828-78-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp	upx
behavioral2/memory/380-123-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	upx
behavioral2/memory/4596-124-0x00007FF758D00000-0x00007FF759051000-memory.dmp	upx
behavioral2/memory/1488-125-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp	upx
behavioral2/memory/1468-126-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	upx
behavioral2/memory/3188-129-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp	upx
behavioral2/memory/4504-130-0x00007FF648D00000-0x00007FF649051000-memory.dmp	upx
behavioral2/memory/3336-131-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	upx
behavioral2/memory/2208-132-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp	upx
behavioral2/memory/5092-134-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp	upx
behavioral2/memory/1712-135-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp	upx
behavioral2/memory/1548-136-0x00007FF666110000-0x00007FF666461000-memory.dmp	upx
behavioral2/memory/2744-137-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	upx
behavioral2/memory/1620-141-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	upx
behavioral2/memory/928-145-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp	upx
behavioral2/memory/4784-144-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp	upx
behavioral2/memory/1468-153-0x00007FF7960C0000-0x00007FF796411000-memory.dmp	upx
behavioral2/memory/3448-203-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp	upx
behavioral2/memory/380-205-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp	upx
behavioral2/memory/4504-207-0x00007FF648D00000-0x00007FF649051000-memory.dmp	upx
behavioral2/memory/3336-209-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp	upx
behavioral2/memory/1784-211-0x00007FF712230000-0x00007FF712581000-memory.dmp	upx
behavioral2/memory/2744-213-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp	upx
behavioral2/memory/1520-219-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp	upx
behavioral2/memory/2452-223-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp	upx
behavioral2/memory/3760-225-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp	upx
behavioral2/memory/1620-227-0x00007FF637DD0000-0x00007FF638121000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\DwURltB.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DIXvvku.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SniOGSy.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vWICvqG.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nsPdfUV.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ucpwvJC.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aHfTWSb.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DHbtWwH.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HJyAZji.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ruFuORI.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\snEwZcP.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WnyAYgh.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oANurFI.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kMNMCBy.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bCzlmkn.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ksAcSCU.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nvesfLr.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oTaLnwX.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zieocRc.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yiRTtxR.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zMGTRUZ.exe	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1468 wrote to memory of 3448	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DwURltB.exe
PID 1468 wrote to memory of 3448	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DwURltB.exe
PID 1468 wrote to memory of 380	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DIXvvku.exe
PID 1468 wrote to memory of 380	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DIXvvku.exe
PID 1468 wrote to memory of 4504	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	aHfTWSb.exe
PID 1468 wrote to memory of 4504	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	aHfTWSb.exe
PID 1468 wrote to memory of 3336	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	yiRTtxR.exe
PID 1468 wrote to memory of 3336	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	yiRTtxR.exe
PID 1468 wrote to memory of 1784	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	oANurFI.exe
PID 1468 wrote to memory of 1784	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	oANurFI.exe
PID 1468 wrote to memory of 2744	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	kMNMCBy.exe
PID 1468 wrote to memory of 2744	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	kMNMCBy.exe
PID 1468 wrote to memory of 1520	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	SniOGSy.exe
PID 1468 wrote to memory of 1520	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	SniOGSy.exe
PID 1468 wrote to memory of 2452	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	vWICvqG.exe
PID 1468 wrote to memory of 2452	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	vWICvqG.exe
PID 1468 wrote to memory of 3760	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DHbtWwH.exe
PID 1468 wrote to memory of 3760	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	DHbtWwH.exe
PID 1468 wrote to memory of 1620	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	bCzlmkn.exe
PID 1468 wrote to memory of 1620	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	bCzlmkn.exe
PID 1468 wrote to memory of 748	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ksAcSCU.exe
PID 1468 wrote to memory of 748	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ksAcSCU.exe
PID 1468 wrote to memory of 4828	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	nsPdfUV.exe
PID 1468 wrote to memory of 4828	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	nsPdfUV.exe
PID 1468 wrote to memory of 4784	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	nvesfLr.exe
PID 1468 wrote to memory of 4784	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	nvesfLr.exe
PID 1468 wrote to memory of 928	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	HJyAZji.exe
PID 1468 wrote to memory of 928	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	HJyAZji.exe
PID 1468 wrote to memory of 4596	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	oTaLnwX.exe
PID 1468 wrote to memory of 4596	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	oTaLnwX.exe
PID 1468 wrote to memory of 1488	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	zMGTRUZ.exe
PID 1468 wrote to memory of 1488	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	zMGTRUZ.exe
PID 1468 wrote to memory of 3188	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	snEwZcP.exe
PID 1468 wrote to memory of 3188	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	snEwZcP.exe
PID 1468 wrote to memory of 2208	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	WnyAYgh.exe
PID 1468 wrote to memory of 2208	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	WnyAYgh.exe
PID 1468 wrote to memory of 5092	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ruFuORI.exe
PID 1468 wrote to memory of 5092	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ruFuORI.exe
PID 1468 wrote to memory of 1712	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	zieocRc.exe
PID 1468 wrote to memory of 1712	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	zieocRc.exe
PID 1468 wrote to memory of 1548	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ucpwvJC.exe
PID 1468 wrote to memory of 1548	1468	2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe	ucpwvJC.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_d0642307143408f7450e396cfdf78876_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\System\DwURltB.exe
C:\Windows\System\DwURltB.exe
2⤵
- Executes dropped EXE
PID:3448

C:\Windows\System\DIXvvku.exe
C:\Windows\System\DIXvvku.exe
2⤵
- Executes dropped EXE
PID:380

C:\Windows\System\aHfTWSb.exe
C:\Windows\System\aHfTWSb.exe
2⤵
- Executes dropped EXE
PID:4504

C:\Windows\System\yiRTtxR.exe
C:\Windows\System\yiRTtxR.exe
2⤵
- Executes dropped EXE
PID:3336

C:\Windows\System\oANurFI.exe
C:\Windows\System\oANurFI.exe
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\System\kMNMCBy.exe
C:\Windows\System\kMNMCBy.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\SniOGSy.exe
C:\Windows\System\SniOGSy.exe
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\System\vWICvqG.exe
C:\Windows\System\vWICvqG.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\DHbtWwH.exe
C:\Windows\System\DHbtWwH.exe
2⤵
- Executes dropped EXE
PID:3760

C:\Windows\System\bCzlmkn.exe
C:\Windows\System\bCzlmkn.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\ksAcSCU.exe
C:\Windows\System\ksAcSCU.exe
2⤵
- Executes dropped EXE
PID:748

C:\Windows\System\nsPdfUV.exe
C:\Windows\System\nsPdfUV.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System\nvesfLr.exe
C:\Windows\System\nvesfLr.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\HJyAZji.exe
C:\Windows\System\HJyAZji.exe
2⤵
- Executes dropped EXE
PID:928

C:\Windows\System\oTaLnwX.exe
C:\Windows\System\oTaLnwX.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Windows\System\zMGTRUZ.exe
C:\Windows\System\zMGTRUZ.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\snEwZcP.exe
C:\Windows\System\snEwZcP.exe
2⤵
- Executes dropped EXE
PID:3188

C:\Windows\System\WnyAYgh.exe
C:\Windows\System\WnyAYgh.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System\ruFuORI.exe
C:\Windows\System\ruFuORI.exe
2⤵
- Executes dropped EXE
PID:5092

C:\Windows\System\zieocRc.exe
C:\Windows\System\zieocRc.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\ucpwvJC.exe
C:\Windows\System\ucpwvJC.exe
2⤵
- Executes dropped EXE
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DHbtWwH.exe
Filesize
5.2MB

MD5
524b43c7946b8a0b5277a573d65e7da4

SHA1
1f3b7ed7a0dd6e69b3b36c5b5f35f6a8c32fe1a8

SHA256
02e5e18e937cb605649fec59b032d4d13d9e02c50f39dfa0e504fc19a152668d

SHA512
cb9cfcb32206aa79d5345fd319fbbc3bfb39579aeeb5fb448c2cc9aa6138b378084005a6ccef6dca366f51ec281947b51d8abd168a439ee9edde73692a4116b6

Download Submit
C:\Windows\System\DIXvvku.exe
Filesize
5.2MB

MD5
58bd1cc27bf7fd63a79d70278b0cd992

SHA1
f59dc345b4869c76dcb49a0e4e06c85dbe289f58

SHA256
82fa10879cc2f1c1d3e7e74eb5cc220453ed665f01012688bd8034abd8d77e7e

SHA512
7e335b509478f980de5df1eb84560bd62d3e77659a3ce83f6ce01eb71164ff453acdfb2ac4fe168f42ba2d2d50f05e4afbcab4c6c7da1bd6aa2e18dcd27ce220

Download Submit
C:\Windows\System\DwURltB.exe
Filesize
5.2MB

MD5
d4c6e0de8ed55d73212ac5b771c5f9eb

SHA1
73e5bd5d3dc7601bbd020c06c8992288c111176a

SHA256
bc20da32b8f5f75bbd8c69e20c0bb941636a1fb76a2e32d5b900c3eed308508d

SHA512
15f0a546343e672903b03a59ad93ed6fff04f1fa0a0ae7bd87f02ae8160be5ceaf06da3d55c64200eb9ae33e6cce2b004fa0b80019e1f234ca2ea9f1c2a47bd8

Download Submit
C:\Windows\System\HJyAZji.exe
Filesize
5.2MB

MD5
6afda4da542acd5d10aa9d6c087ed61e

SHA1
f6af5fae4a0c772844c3346a2b93c69d1670c305

SHA256
ed680217eadb4d107256b362b344ab9af424e4532997d79f0a294173ce4ad91c

SHA512
7f73671fa60185f4f396f7b94a8c63824d82b6153dc49951d31be2c6cec1fecfae9cfda8e971a4831b15ba040417789fca839e1de78d617b081b2b72b4b023de

Download Submit
C:\Windows\System\SniOGSy.exe
Filesize
5.2MB

MD5
2530992af4d1d6433bd7e80bb59e1d68

SHA1
90b9e8382b71814bb37e05ff054db111bf238abe

SHA256
2a905bf372d3a618a3d0b56b0a20388923e4d742969aca42d0cf946cf0c9e4ff

SHA512
2dfd5fa5767107481cb8f5086e488f90ed234100d14298d0a56caad6544baf27d1828deaec487bb54646293f42b563ba087b6052d3736cdac6cdb31b1cd1a50d

Download Submit
C:\Windows\System\WnyAYgh.exe
Filesize
5.2MB

MD5
7e7ac3c99171395b0c3d9044fcb96be2

SHA1
61a916c8c085c431e4e967447cdb190a424ba86d

SHA256
faf82d980c85c6c31141d17c1dec3113fdf907cb2fc0fe1b6c85c9d043799731

SHA512
38b035b488851695d8e799aeba52f16a383a7b25b8b08d3360f91000814d8e3d0d49a48b7d9574d3b62fa099f7bbfdb9a7ca15acbb113854a745c012be668b5b

Download Submit
C:\Windows\System\aHfTWSb.exe
Filesize
5.2MB

MD5
e28ce7e1979f25d0949ad1ea6210635e

SHA1
94d93cd86176f7fb485818bd8503d71474d437ac

SHA256
e7afc5bccbb8972391cd3bfef17a0ecb31130fafe8a0521778870d67ed532cad

SHA512
686bf577d871cc938d76177899d495097332c6c3a37fb35c42279d0e2a85ad8a8a4cf62e55596fdc4f6e1a329f118b3e13f03d9cf93e49f0a22b0d7490addf51

Download Submit
C:\Windows\System\bCzlmkn.exe
Filesize
5.2MB

MD5
e08db24b28b8222861f1820092587af9

SHA1
57ba587aac7fcce408294da9ef0db0a606e2c645

SHA256
2b81f8f475857aa3aa5fd78461c4a8326bab8744b71a9697d03eef0a1cfa1f5a

SHA512
39e0e018dcd72d9064a9a290f773b2a7d196b15a8b86ff14d68a5a1fc968b9cff517b1dc1920d4d593316a5468e9c0be4a7ec93daff69e53ba18f4764d8656a2

Download Submit
C:\Windows\System\kMNMCBy.exe
Filesize
5.2MB

MD5
b9283d8fd5cdce3c87190495e1640759

SHA1
5dae19c0900d9e06d74303a7cc2fba43d3de1449

SHA256
424384a8c6d48d9fc59503a821dd8f476d43286305ca65ddcb0d523682a387e0

SHA512
1db8334c06f2f8c02de8d5a5e02b2cbcc8a5180ccc1507d973f00700a49f0274f0fc2fafaab712caddf232c63afdeebaf299bb03eeaf493b0fa7b4b8e46fae31

Download Submit
C:\Windows\System\ksAcSCU.exe
Filesize
5.2MB

MD5
324e8ca083d7bdcf933cd0fab161f8fb

SHA1
675b490e88d74d36265eeba91f320eb4694329b7

SHA256
6bd6cf96fdfd526695f9140e8bea4063579dc0e2815f40db8cc5d136077946c1

SHA512
9220cc85fa9397d06fad2ddac432b0bc0d81b22bf0108355a740bf69fcff1172ab6b763da313bfeb03e9761dd879f0cc32f772d7d4e4edfc33fc3dbbb87caed4

Download Submit
C:\Windows\System\nsPdfUV.exe
Filesize
5.2MB

MD5
b58e3158e1a089aa5d90562cb7456e84

SHA1
20bd05aac179b28af402ea4040f6fba3f1de1151

SHA256
c212b6b7aed260b146925f662ede9d10f8d45b422797a035981582eefdd03180

SHA512
892bf3ad421f8122f1d35ea5bbbd6f3380aab12d0f186dcbc5083062b75cf86ccae953c069728386c66cceef4c872d49b430e7d0ff8fc6867b3be6d6fb033bdc

Download Submit
C:\Windows\System\nvesfLr.exe
Filesize
5.2MB

MD5
bef41c86ddde97ec381ed28ef7c30cf8

SHA1
0b9e02e4a2ab6be49f5adea0790e9502ea61b0ed

SHA256
9aacb2150f015ea61a7a9a9c99734be99de7053374f86789504fdc4d1c1701ee

SHA512
b96b33ca16104dbf93b2822e61cbf78622e9b3f0d0f7a7d4afef694ed562d33c7a324464a5f3d68bca471927a06375b9cc0e31ea90449c3f2000e4cc3b037d4f

Download Submit
C:\Windows\System\oANurFI.exe
Filesize
5.2MB

MD5
a9262fcbc2f4abd6819386e881a3e97a

SHA1
7639e2ebd662c4dbf88861ad55125a3de3174459

SHA256
76c6b26925c96124f0640d998d6c99196ddcee4ccb019fc36a0e9534c075e03d

SHA512
2000a10cf8dbb7b573051d29ab330e4754afc3b9688b0443d1a1cb59665902453547f2da10e983fcabbb18ef626f00adfb05507d4835282660222a107f4c7add

Download Submit
C:\Windows\System\oTaLnwX.exe
Filesize
5.2MB

MD5
a426e008ff77f411f3081db163935747

SHA1
d3ab5de1cbde293f034f1415c754c8b80214a39b

SHA256
762c73c90eb6fe5277778f218224a26fe491e3dab55f24277472fca6f6272892

SHA512
ad35f67ca9ac13fe4105ed33a8b07d3271882799050dd27c1c706106676aa26f2adf79b225df86509a03368ec6910d24168e4f9564faa2537d18ed93981f68b2

Download Submit
C:\Windows\System\ruFuORI.exe
Filesize
5.2MB

MD5
a4dfa75befb197d832248080cc51f4e7

SHA1
a1c66876f2a298e955495bab0f218e174020ef14

SHA256
1dc2f32f64aa9b5bcbfc38939012644a3593f449241e26572b9e2e4de12962a5

SHA512
cb39e8c82c7ed213f21cae64404d5694bc7cbfd3857a5cab52cebd01236056453b6f006cb2795564676260845ecce36b7b78e4c3bafbb946eb844139695a7867

Download Submit
C:\Windows\System\snEwZcP.exe
Filesize
5.2MB

MD5
a96856d560ce8c7d72005c719f895526

SHA1
705b445c42b1d164e34b63c5a06335a5243d546b

SHA256
04df80969529cea6d2d0d4e20e4443ab766fa121d6523d369d2f9f5b0466ed09

SHA512
05192e10ce2492b9faf1ee72b2f9869d2cf511e48e4c7ad64350e4a8559c96c6c6b63b9171fb639c6b6498164c8dcbe88735b9d9103db209bc839846852a42d0

Download Submit
C:\Windows\System\ucpwvJC.exe
Filesize
5.2MB

MD5
b1e63a8f315058a98d48d9fecf110a14

SHA1
3fe19ec58d33d23c71f7e73be3e69a5498e9677f

SHA256
fe0cb549b5ca2396f183f30cfbb019d841914cc4c5f8966f63b16ff7472ece23

SHA512
3b328d6a8a727a0ad9c5764a1d21e270616264ed5227261e2d916b07f3c9a4e162f09e546b711f21d3f128658e602d12500f64e77baf8181a367b53fa744b742

Download Submit
C:\Windows\System\vWICvqG.exe
Filesize
5.2MB

MD5
8466b24f40acb2c74c450f668f2031a8

SHA1
8b3ee7a20bd06340f477d649629a9a96f60e2531

SHA256
8439852a9657b09399996596532390dbc718af64e81722ecf3ed67f668c1deae

SHA512
d304aadfd6790fc46a32fb36b22af8d599881465b450e9bb4e838252b75f2fb25c219eeeb28c66560ff3a8069c010fa76ea9970d2dec8958915938e7e10200dd

Download Submit
C:\Windows\System\yiRTtxR.exe
Filesize
5.2MB

MD5
ff2e3dcf5414c76c6c8bec92902369fd

SHA1
8f7ad5400dd2faae5677a12cdcd598f4e5924940

SHA256
163d2f693370dd008e3df0be3f9dffb2021a292d73ac6d166d0d837df282eff5

SHA512
ba3c52c8fdadc4cd0ae67a0bf308cbf78e882d7147eeb9accc6479f7656fd0411f2c20ec8ec6fea4ac0a8e6bc7a173373dc9b7aa50bbe9e0918c07ba5cabb72f

Download Submit
C:\Windows\System\zMGTRUZ.exe
Filesize
5.2MB

MD5
ca89f1dadd3427c2eb46c8b1a4b2e8b4

SHA1
1cd66f348e9f1858eceabf990d83ecf22552007b

SHA256
3eb002779e15e8816acfd530b12cc22b2de73a1e7185531b7ce64216258cd4f3

SHA512
f1d34921e20539d0ed99a16fa3662213bfc27a72090d9a746c118df26bd329d6de6eed1afd9fc594ec4c29caa87e25c36ac7147640272ece582def715eedd9e7

Download Submit
C:\Windows\System\zieocRc.exe
Filesize
5.2MB

MD5
1784ee22b43a2fa7d68beef335fda55b

SHA1
6d9562f8dccad7961e43e440c51f46c97916ca79

SHA256
a23b9f3d23134f5f991852ee981814cd11754d1d08f1e97356e493d3cb5d92c0

SHA512
ae63349d9ecc6931923e1aadef22bf03742a3a0112136a11a43355d85595e534e5438733013707b540662cb4c25907bd88d660abc81c13cf07f9c26e7a2b4272

Download Submit
memory/380-205-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp

Filesize
3.3MB

Download
memory/380-123-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp

Filesize
3.3MB

Download
memory/380-12-0x00007FF6D8F60000-0x00007FF6D92B1000-memory.dmp

Filesize
3.3MB

Download
memory/748-68-0x00007FF652300000-0x00007FF652651000-memory.dmp

Filesize
3.3MB

Download
memory/748-229-0x00007FF652300000-0x00007FF652651000-memory.dmp

Filesize
3.3MB

Download
memory/928-81-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp

Filesize
3.3MB

Download
memory/928-233-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp

Filesize
3.3MB

Download
memory/928-145-0x00007FF7F7340000-0x00007FF7F7691000-memory.dmp

Filesize
3.3MB

Download
memory/1468-1-0x000001DA3BB10000-0x000001DA3BB20000-memory.dmp

Filesize
64KB

Download
memory/1468-74-0x00007FF7960C0000-0x00007FF796411000-memory.dmp

Filesize
3.3MB

Download
memory/1468-126-0x00007FF7960C0000-0x00007FF796411000-memory.dmp

Filesize
3.3MB

Download
memory/1468-153-0x00007FF7960C0000-0x00007FF796411000-memory.dmp

Filesize
3.3MB

Download
memory/1468-0-0x00007FF7960C0000-0x00007FF796411000-memory.dmp

Filesize
3.3MB

Download
memory/1488-125-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp

Filesize
3.3MB

Download
memory/1488-238-0x00007FF7AB300000-0x00007FF7AB651000-memory.dmp

Filesize
3.3MB

Download
memory/1520-219-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-55-0x00007FF76C660000-0x00007FF76C9B1000-memory.dmp

Filesize
3.3MB

Download
memory/1548-136-0x00007FF666110000-0x00007FF666461000-memory.dmp

Filesize
3.3MB

Download
memory/1548-247-0x00007FF666110000-0x00007FF666461000-memory.dmp

Filesize
3.3MB

Download
memory/1620-141-0x00007FF637DD0000-0x00007FF638121000-memory.dmp

Filesize
3.3MB

Download
memory/1620-227-0x00007FF637DD0000-0x00007FF638121000-memory.dmp

Filesize
3.3MB

Download
memory/1620-62-0x00007FF637DD0000-0x00007FF638121000-memory.dmp

Filesize
3.3MB

Download
memory/1712-243-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1712-135-0x00007FF684C80000-0x00007FF684FD1000-memory.dmp

Filesize
3.3MB

Download
memory/1784-32-0x00007FF712230000-0x00007FF712581000-memory.dmp

Filesize
3.3MB

Download
memory/1784-211-0x00007FF712230000-0x00007FF712581000-memory.dmp

Filesize
3.3MB

Download
memory/2208-245-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp

Filesize
3.3MB

Download
memory/2208-132-0x00007FF63D7E0000-0x00007FF63DB31000-memory.dmp

Filesize
3.3MB

Download
memory/2452-223-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp

Filesize
3.3MB

Download
memory/2452-52-0x00007FF6C68B0000-0x00007FF6C6C01000-memory.dmp

Filesize
3.3MB

Download
memory/2744-137-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp

Filesize
3.3MB

Download
memory/2744-49-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp

Filesize
3.3MB

Download
memory/2744-213-0x00007FF7C34B0000-0x00007FF7C3801000-memory.dmp

Filesize
3.3MB

Download
memory/3188-239-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp

Filesize
3.3MB

Download
memory/3188-129-0x00007FF761BE0000-0x00007FF761F31000-memory.dmp

Filesize
3.3MB

Download
memory/3336-26-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3336-209-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3336-131-0x00007FF7AB190000-0x00007FF7AB4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-203-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-8-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3448-82-0x00007FF60E960000-0x00007FF60ECB1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-225-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp

Filesize
3.3MB

Download
memory/3760-58-0x00007FF6B93A0000-0x00007FF6B96F1000-memory.dmp

Filesize
3.3MB

Download
memory/4504-130-0x00007FF648D00000-0x00007FF649051000-memory.dmp

Filesize
3.3MB

Download
memory/4504-19-0x00007FF648D00000-0x00007FF649051000-memory.dmp

Filesize
3.3MB

Download
memory/4504-207-0x00007FF648D00000-0x00007FF649051000-memory.dmp

Filesize
3.3MB

Download
memory/4596-124-0x00007FF758D00000-0x00007FF759051000-memory.dmp

Filesize
3.3MB

Download
memory/4596-235-0x00007FF758D00000-0x00007FF759051000-memory.dmp

Filesize
3.3MB

Download
memory/4784-144-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp

Filesize
3.3MB

Download
memory/4784-85-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp

Filesize
3.3MB

Download
memory/4784-251-0x00007FF7DF1D0000-0x00007FF7DF521000-memory.dmp

Filesize
3.3MB

Download
memory/4828-231-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp

Filesize
3.3MB

Download
memory/4828-78-0x00007FF67C660000-0x00007FF67C9B1000-memory.dmp

Filesize
3.3MB

Download
memory/5092-134-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp

Filesize
3.3MB

Download
memory/5092-244-0x00007FF6616C0000-0x00007FF661A11000-memory.dmp

Filesize
3.3MB

Download