cobaltstrike | 52790220da8cdba2de94087766cfa2d6ee4d0e1ae2823275c7ccfe037cf71731

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

d99fbd896cee47679d13aa76c73fc30e
SHA1

289dfafc1bffd18a8189c8bb86aa81526cc16a99
SHA256

52790220da8cdba2de94087766cfa2d6ee4d0e1ae2823275c7ccfe037cf71731
SHA512

4ae820d3fc701ab40fda0d3737738d5fa2b5a03a43de210ac8b7be3709c89858acb1ae0a0e296551e5127455e59d5a5918ff168a25ae94cc704afb0374100fcf
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l3:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ExGnXgR.exe	cobalt_reflective_dll
C:\Windows\System\YFckdKf.exe	cobalt_reflective_dll
C:\Windows\System\MLATJTx.exe	cobalt_reflective_dll
C:\Windows\System\CIWNyFN.exe	cobalt_reflective_dll
C:\Windows\System\duGpqDj.exe	cobalt_reflective_dll
C:\Windows\System\dwZRnIG.exe	cobalt_reflective_dll
C:\Windows\System\aoxnjus.exe	cobalt_reflective_dll
C:\Windows\System\euSHKaM.exe	cobalt_reflective_dll
C:\Windows\System\hdpzCXn.exe	cobalt_reflective_dll
C:\Windows\System\agUrNWz.exe	cobalt_reflective_dll
C:\Windows\System\nVpBDOh.exe	cobalt_reflective_dll
C:\Windows\System\olrELfi.exe	cobalt_reflective_dll
C:\Windows\System\dwVokXc.exe	cobalt_reflective_dll
C:\Windows\System\mWEFrnE.exe	cobalt_reflective_dll
C:\Windows\System\MNXjnfp.exe	cobalt_reflective_dll
C:\Windows\System\XDZuNrV.exe	cobalt_reflective_dll
C:\Windows\System\UvwTxen.exe	cobalt_reflective_dll
C:\Windows\System\IdTeKyw.exe	cobalt_reflective_dll
C:\Windows\System\uaCxooM.exe	cobalt_reflective_dll
C:\Windows\System\QXvmmzQ.exe	cobalt_reflective_dll
C:\Windows\System\pEwmfyB.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\ExGnXgR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YFckdKf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MLATJTx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CIWNyFN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\duGpqDj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dwZRnIG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aoxnjus.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\euSHKaM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hdpzCXn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\agUrNWz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nVpBDOh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\olrELfi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dwVokXc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mWEFrnE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MNXjnfp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XDZuNrV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UvwTxen.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IdTeKyw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uaCxooM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QXvmmzQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pEwmfyB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1176-0-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	UPX
C:\Windows\System\ExGnXgR.exe	UPX
C:\Windows\System\YFckdKf.exe	UPX
C:\Windows\System\MLATJTx.exe	UPX
behavioral2/memory/1808-16-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	UPX
behavioral2/memory/3968-25-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	UPX
C:\Windows\System\CIWNyFN.exe	UPX
C:\Windows\System\duGpqDj.exe	UPX
behavioral2/memory/4708-30-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	UPX
C:\Windows\System\dwZRnIG.exe	UPX
C:\Windows\System\aoxnjus.exe	UPX
behavioral2/memory/5028-39-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	UPX
C:\Windows\System\euSHKaM.exe	UPX
C:\Windows\System\hdpzCXn.exe	UPX
C:\Windows\System\agUrNWz.exe	UPX
C:\Windows\System\nVpBDOh.exe	UPX
C:\Windows\System\olrELfi.exe	UPX
C:\Windows\System\dwVokXc.exe	UPX
C:\Windows\System\mWEFrnE.exe	UPX
behavioral2/memory/1496-96-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	UPX
behavioral2/memory/2200-117-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	UPX
behavioral2/memory/456-120-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp	UPX
behavioral2/memory/4472-124-0x00007FF654650000-0x00007FF6549A1000-memory.dmp	UPX
behavioral2/memory/2156-125-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp	UPX
behavioral2/memory/4992-123-0x00007FF6191E0000-0x00007FF619531000-memory.dmp	UPX
behavioral2/memory/4012-122-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	UPX
behavioral2/memory/436-121-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp	UPX
behavioral2/memory/1804-119-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp	UPX
C:\Windows\System\MNXjnfp.exe	UPX
behavioral2/memory/2892-118-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	UPX
C:\Windows\System\XDZuNrV.exe	UPX
C:\Windows\System\UvwTxen.exe	UPX
C:\Windows\System\IdTeKyw.exe	UPX
behavioral2/memory/5096-103-0x00007FF656E30000-0x00007FF657181000-memory.dmp	UPX
C:\Windows\System\uaCxooM.exe	UPX
behavioral2/memory/4100-89-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	UPX
behavioral2/memory/1580-85-0x00007FF776180000-0x00007FF7764D1000-memory.dmp	UPX
behavioral2/memory/1356-78-0x00007FF648740000-0x00007FF648A91000-memory.dmp	UPX
behavioral2/memory/4908-69-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	UPX
C:\Windows\System\QXvmmzQ.exe	UPX
C:\Windows\System\pEwmfyB.exe	UPX
behavioral2/memory/3100-43-0x00007FF780710000-0x00007FF780A61000-memory.dmp	UPX
behavioral2/memory/4824-8-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	UPX
behavioral2/memory/1176-128-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	UPX
behavioral2/memory/4824-129-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	UPX
behavioral2/memory/1808-130-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	UPX
behavioral2/memory/3968-131-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	UPX
behavioral2/memory/5028-132-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	UPX
behavioral2/memory/4708-133-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	UPX
behavioral2/memory/4908-137-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	UPX
behavioral2/memory/4100-141-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	UPX
behavioral2/memory/1496-143-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	UPX
behavioral2/memory/5096-144-0x00007FF656E30000-0x00007FF657181000-memory.dmp	UPX
behavioral2/memory/2200-148-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	UPX
behavioral2/memory/2892-149-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	UPX
behavioral2/memory/1176-150-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	UPX
behavioral2/memory/1176-194-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	UPX
behavioral2/memory/4824-205-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	UPX
behavioral2/memory/1808-207-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	UPX
behavioral2/memory/3968-209-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	UPX
behavioral2/memory/5028-211-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	UPX
behavioral2/memory/4708-213-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	UPX
behavioral2/memory/3100-215-0x00007FF780710000-0x00007FF780A61000-memory.dmp	UPX
behavioral2/memory/4908-220-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	UPX

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5028-39-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	xmrig
behavioral2/memory/2200-117-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	xmrig
behavioral2/memory/456-120-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp	xmrig
behavioral2/memory/4472-124-0x00007FF654650000-0x00007FF6549A1000-memory.dmp	xmrig
behavioral2/memory/2156-125-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp	xmrig
behavioral2/memory/4992-123-0x00007FF6191E0000-0x00007FF619531000-memory.dmp	xmrig
behavioral2/memory/4012-122-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	xmrig
behavioral2/memory/436-121-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp	xmrig
behavioral2/memory/1804-119-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp	xmrig
behavioral2/memory/1580-85-0x00007FF776180000-0x00007FF7764D1000-memory.dmp	xmrig
behavioral2/memory/1356-78-0x00007FF648740000-0x00007FF648A91000-memory.dmp	xmrig
behavioral2/memory/3100-43-0x00007FF780710000-0x00007FF780A61000-memory.dmp	xmrig
behavioral2/memory/4824-8-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	xmrig
behavioral2/memory/1176-128-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	xmrig
behavioral2/memory/4824-129-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	xmrig
behavioral2/memory/1808-130-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	xmrig
behavioral2/memory/3968-131-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	xmrig
behavioral2/memory/5028-132-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	xmrig
behavioral2/memory/4708-133-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	xmrig
behavioral2/memory/4908-137-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	xmrig
behavioral2/memory/4100-141-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	xmrig
behavioral2/memory/1496-143-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	xmrig
behavioral2/memory/5096-144-0x00007FF656E30000-0x00007FF657181000-memory.dmp	xmrig
behavioral2/memory/2200-148-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	xmrig
behavioral2/memory/2892-149-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	xmrig
behavioral2/memory/1176-150-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	xmrig
behavioral2/memory/1176-194-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	xmrig
behavioral2/memory/4824-205-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	xmrig
behavioral2/memory/1808-207-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	xmrig
behavioral2/memory/3968-209-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	xmrig
behavioral2/memory/5028-211-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	xmrig
behavioral2/memory/4708-213-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	xmrig
behavioral2/memory/3100-215-0x00007FF780710000-0x00007FF780A61000-memory.dmp	xmrig
behavioral2/memory/4908-220-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	xmrig
behavioral2/memory/1804-219-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp	xmrig
behavioral2/memory/456-222-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp	xmrig
behavioral2/memory/1356-224-0x00007FF648740000-0x00007FF648A91000-memory.dmp	xmrig
behavioral2/memory/1580-227-0x00007FF776180000-0x00007FF7764D1000-memory.dmp	xmrig
behavioral2/memory/436-226-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp	xmrig
behavioral2/memory/4100-230-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	xmrig
behavioral2/memory/4012-238-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	xmrig
behavioral2/memory/1496-233-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	xmrig
behavioral2/memory/4992-243-0x00007FF6191E0000-0x00007FF619531000-memory.dmp	xmrig
behavioral2/memory/2200-242-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	xmrig
behavioral2/memory/4472-241-0x00007FF654650000-0x00007FF6549A1000-memory.dmp	xmrig
behavioral2/memory/5096-240-0x00007FF656E30000-0x00007FF657181000-memory.dmp	xmrig
behavioral2/memory/2156-239-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp	xmrig
behavioral2/memory/2892-245-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ExGnXgR.exeYFckdKf.exeMLATJTx.exeCIWNyFN.exedwZRnIG.exeduGpqDj.exeaoxnjus.exepEwmfyB.exeeuSHKaM.exehdpzCXn.exeQXvmmzQ.exeagUrNWz.exenVpBDOh.exeolrELfi.exeIdTeKyw.exeXDZuNrV.exedwVokXc.exemWEFrnE.exeuaCxooM.exeUvwTxen.exeMNXjnfp.exe

pid	process
4824	ExGnXgR.exe
1808	YFckdKf.exe
3968	MLATJTx.exe
5028	CIWNyFN.exe
4708	dwZRnIG.exe
3100	duGpqDj.exe
1804	aoxnjus.exe
456	pEwmfyB.exe
4908	euSHKaM.exe
436	hdpzCXn.exe
1356	QXvmmzQ.exe
1580	agUrNWz.exe
4100	nVpBDOh.exe
4012	olrELfi.exe
1496	IdTeKyw.exe
5096	XDZuNrV.exe
4992	dwVokXc.exe
4472	mWEFrnE.exe
2156	uaCxooM.exe
2200	UvwTxen.exe
2892	MNXjnfp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1176-0-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	upx
C:\Windows\System\ExGnXgR.exe	upx
C:\Windows\System\YFckdKf.exe	upx
C:\Windows\System\MLATJTx.exe	upx
behavioral2/memory/1808-16-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	upx
behavioral2/memory/3968-25-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	upx
C:\Windows\System\CIWNyFN.exe	upx
C:\Windows\System\duGpqDj.exe	upx
behavioral2/memory/4708-30-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	upx
C:\Windows\System\dwZRnIG.exe	upx
C:\Windows\System\aoxnjus.exe	upx
behavioral2/memory/5028-39-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	upx
C:\Windows\System\euSHKaM.exe	upx
C:\Windows\System\hdpzCXn.exe	upx
C:\Windows\System\agUrNWz.exe	upx
C:\Windows\System\nVpBDOh.exe	upx
C:\Windows\System\olrELfi.exe	upx
C:\Windows\System\dwVokXc.exe	upx
C:\Windows\System\mWEFrnE.exe	upx
behavioral2/memory/1496-96-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	upx
behavioral2/memory/2200-117-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	upx
behavioral2/memory/456-120-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp	upx
behavioral2/memory/4472-124-0x00007FF654650000-0x00007FF6549A1000-memory.dmp	upx
behavioral2/memory/2156-125-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp	upx
behavioral2/memory/4992-123-0x00007FF6191E0000-0x00007FF619531000-memory.dmp	upx
behavioral2/memory/4012-122-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp	upx
behavioral2/memory/436-121-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp	upx
behavioral2/memory/1804-119-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp	upx
C:\Windows\System\MNXjnfp.exe	upx
behavioral2/memory/2892-118-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	upx
C:\Windows\System\XDZuNrV.exe	upx
C:\Windows\System\UvwTxen.exe	upx
C:\Windows\System\IdTeKyw.exe	upx
behavioral2/memory/5096-103-0x00007FF656E30000-0x00007FF657181000-memory.dmp	upx
C:\Windows\System\uaCxooM.exe	upx
behavioral2/memory/4100-89-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	upx
behavioral2/memory/1580-85-0x00007FF776180000-0x00007FF7764D1000-memory.dmp	upx
behavioral2/memory/1356-78-0x00007FF648740000-0x00007FF648A91000-memory.dmp	upx
behavioral2/memory/4908-69-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	upx
C:\Windows\System\QXvmmzQ.exe	upx
C:\Windows\System\pEwmfyB.exe	upx
behavioral2/memory/3100-43-0x00007FF780710000-0x00007FF780A61000-memory.dmp	upx
behavioral2/memory/4824-8-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	upx
behavioral2/memory/1176-128-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	upx
behavioral2/memory/4824-129-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	upx
behavioral2/memory/1808-130-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	upx
behavioral2/memory/3968-131-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	upx
behavioral2/memory/5028-132-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	upx
behavioral2/memory/4708-133-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	upx
behavioral2/memory/4908-137-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	upx
behavioral2/memory/4100-141-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp	upx
behavioral2/memory/1496-143-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp	upx
behavioral2/memory/5096-144-0x00007FF656E30000-0x00007FF657181000-memory.dmp	upx
behavioral2/memory/2200-148-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp	upx
behavioral2/memory/2892-149-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp	upx
behavioral2/memory/1176-150-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	upx
behavioral2/memory/1176-194-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp	upx
behavioral2/memory/4824-205-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp	upx
behavioral2/memory/1808-207-0x00007FF600CB0000-0x00007FF601001000-memory.dmp	upx
behavioral2/memory/3968-209-0x00007FF751DB0000-0x00007FF752101000-memory.dmp	upx
behavioral2/memory/5028-211-0x00007FF679890000-0x00007FF679BE1000-memory.dmp	upx
behavioral2/memory/4708-213-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp	upx
behavioral2/memory/3100-215-0x00007FF780710000-0x00007FF780A61000-memory.dmp	upx
behavioral2/memory/4908-220-0x00007FF762150000-0x00007FF7624A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\hdpzCXn.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\olrELfi.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uaCxooM.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CIWNyFN.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pEwmfyB.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nVpBDOh.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XDZuNrV.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UvwTxen.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dwZRnIG.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\agUrNWz.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IdTeKyw.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dwVokXc.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MNXjnfp.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YFckdKf.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aoxnjus.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\duGpqDj.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\euSHKaM.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QXvmmzQ.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mWEFrnE.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ExGnXgR.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MLATJTx.exe	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1176 wrote to memory of 4824	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	ExGnXgR.exe
PID 1176 wrote to memory of 4824	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	ExGnXgR.exe
PID 1176 wrote to memory of 1808	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	YFckdKf.exe
PID 1176 wrote to memory of 1808	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	YFckdKf.exe
PID 1176 wrote to memory of 3968	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	MLATJTx.exe
PID 1176 wrote to memory of 3968	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	MLATJTx.exe
PID 1176 wrote to memory of 5028	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	CIWNyFN.exe
PID 1176 wrote to memory of 5028	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	CIWNyFN.exe
PID 1176 wrote to memory of 4708	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	dwZRnIG.exe
PID 1176 wrote to memory of 4708	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	dwZRnIG.exe
PID 1176 wrote to memory of 3100	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	duGpqDj.exe
PID 1176 wrote to memory of 3100	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	duGpqDj.exe
PID 1176 wrote to memory of 1804	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	aoxnjus.exe
PID 1176 wrote to memory of 1804	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	aoxnjus.exe
PID 1176 wrote to memory of 456	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	pEwmfyB.exe
PID 1176 wrote to memory of 456	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	pEwmfyB.exe
PID 1176 wrote to memory of 4908	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	euSHKaM.exe
PID 1176 wrote to memory of 4908	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	euSHKaM.exe
PID 1176 wrote to memory of 436	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	hdpzCXn.exe
PID 1176 wrote to memory of 436	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	hdpzCXn.exe
PID 1176 wrote to memory of 1356	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	QXvmmzQ.exe
PID 1176 wrote to memory of 1356	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	QXvmmzQ.exe
PID 1176 wrote to memory of 1580	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	agUrNWz.exe
PID 1176 wrote to memory of 1580	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	agUrNWz.exe
PID 1176 wrote to memory of 4100	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	nVpBDOh.exe
PID 1176 wrote to memory of 4100	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	nVpBDOh.exe
PID 1176 wrote to memory of 4012	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	olrELfi.exe
PID 1176 wrote to memory of 4012	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	olrELfi.exe
PID 1176 wrote to memory of 1496	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	IdTeKyw.exe
PID 1176 wrote to memory of 1496	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	IdTeKyw.exe
PID 1176 wrote to memory of 5096	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	XDZuNrV.exe
PID 1176 wrote to memory of 5096	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	XDZuNrV.exe
PID 1176 wrote to memory of 4992	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	dwVokXc.exe
PID 1176 wrote to memory of 4992	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	dwVokXc.exe
PID 1176 wrote to memory of 4472	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	mWEFrnE.exe
PID 1176 wrote to memory of 4472	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	mWEFrnE.exe
PID 1176 wrote to memory of 2156	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	uaCxooM.exe
PID 1176 wrote to memory of 2156	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	uaCxooM.exe
PID 1176 wrote to memory of 2200	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	UvwTxen.exe
PID 1176 wrote to memory of 2200	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	UvwTxen.exe
PID 1176 wrote to memory of 2892	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	MNXjnfp.exe
PID 1176 wrote to memory of 2892	1176	2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe	MNXjnfp.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_d99fbd896cee47679d13aa76c73fc30e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\System\ExGnXgR.exe
C:\Windows\System\ExGnXgR.exe
2⤵
- Executes dropped EXE
PID:4824

C:\Windows\System\YFckdKf.exe
C:\Windows\System\YFckdKf.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\MLATJTx.exe
C:\Windows\System\MLATJTx.exe
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\System\CIWNyFN.exe
C:\Windows\System\CIWNyFN.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System\dwZRnIG.exe
C:\Windows\System\dwZRnIG.exe
2⤵
- Executes dropped EXE
PID:4708

C:\Windows\System\duGpqDj.exe
C:\Windows\System\duGpqDj.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\System\aoxnjus.exe
C:\Windows\System\aoxnjus.exe
2⤵
- Executes dropped EXE
PID:1804

C:\Windows\System\pEwmfyB.exe
C:\Windows\System\pEwmfyB.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System\euSHKaM.exe
C:\Windows\System\euSHKaM.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\hdpzCXn.exe
C:\Windows\System\hdpzCXn.exe
2⤵
- Executes dropped EXE
PID:436

C:\Windows\System\QXvmmzQ.exe
C:\Windows\System\QXvmmzQ.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System\agUrNWz.exe
C:\Windows\System\agUrNWz.exe
2⤵
- Executes dropped EXE
PID:1580

C:\Windows\System\nVpBDOh.exe
C:\Windows\System\nVpBDOh.exe
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\System\olrELfi.exe
C:\Windows\System\olrELfi.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\System\IdTeKyw.exe
C:\Windows\System\IdTeKyw.exe
2⤵
- Executes dropped EXE
PID:1496

C:\Windows\System\XDZuNrV.exe
C:\Windows\System\XDZuNrV.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\dwVokXc.exe
C:\Windows\System\dwVokXc.exe
2⤵
- Executes dropped EXE
PID:4992

C:\Windows\System\mWEFrnE.exe
C:\Windows\System\mWEFrnE.exe
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\System\uaCxooM.exe
C:\Windows\System\uaCxooM.exe
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\System\UvwTxen.exe
C:\Windows\System\UvwTxen.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\System\MNXjnfp.exe
C:\Windows\System\MNXjnfp.exe
2⤵
- Executes dropped EXE
PID:2892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CIWNyFN.exe
Filesize
5.2MB

MD5
4a1f4d2d791e4f16d8ab66aef895adc3

SHA1
03906e1100539f8142a7ec8c72630c09521d827b

SHA256
22fdd1f35fa6ff8aae4cdfcacb625ed159d3427f9bf6c00d77c2c8a0b8f42419

SHA512
393751f05cf4771eb9c875dc50403d3119ce26ae30a39614e971ef7d51157d27a3867b4624c71aebf0f6f5f9cff3471f891e6e73532286d16eb1faf0d925e07e

Download Submit
C:\Windows\System\ExGnXgR.exe
Filesize
5.2MB

MD5
848d5ea5e1fafca4fef2fec485e3b473

SHA1
785464e8c90a8700ab8530d2fffd03dfd0d9e714

SHA256
fc47e555a729d22cdd1070b098e961c1a0beaf09d44f330ea41d41d1a89c29f5

SHA512
9a500a98b79e134ab23d1295816c0e42c4f51b6f028de60d5ecaafd1e3903dcdaf7470bc5ef8cdc4660831ef81e6b862a70a5c2565c3936b97d61e57d0bbf4fc

Download Submit
C:\Windows\System\IdTeKyw.exe
Filesize
5.2MB

MD5
a0f752450d3d6e1efed951e2c4394e98

SHA1
a6d1eaa91c0030d0282f6383fe282e4ce9dbc377

SHA256
f8ca0a1a77b3ae014f787f6f6333a5fb6bb550f9d0e8a77d8bce2d8b808f7266

SHA512
a2941b98e960d513da9a5ebf383f055ea544e8edd58b0082cfd5f9e1a07d7a4b8481ebff66202cbb6d11dd90b50b4ee317252f7cf9d2f8c783155ebdf1f1f213

Download Submit
C:\Windows\System\MLATJTx.exe
Filesize
5.2MB

MD5
9ff33697d5c425bcde4647fad1ba32ec

SHA1
9cd129a89a752ab4d12ee85211c8ecc15b497f63

SHA256
94e1d22c711d67caab8d24d4687da07bf54cc036bb26638e3cf2e3b23cd1e4f8

SHA512
11aa6107cfa151ca8c3715c1799685362abdd547007a428177fb04c03ec1c4fee3d89736f8ecbb0dc616f3e55d92c9bcea57ea8124a702d69d591c517fe9cac4

Download Submit
C:\Windows\System\MNXjnfp.exe
Filesize
5.2MB

MD5
71a3959b91445063110581a6bbf8ec35

SHA1
7b03614eb9510130d054852c0e88b05bb98a1ba3

SHA256
2849b3668560dd81aff0ec843a7ed7bf48ee6a02a1ebb079db2b7b5ed04e22bb

SHA512
08443e8fbd95ff798ec8238af74044b4d4f7292fbb6c9369bba5abf4d193ab56d4b39af2685b5c2121acf1f1a180235f690ffcad3fc4f3049cb1870d8c4937ac

Download Submit
C:\Windows\System\QXvmmzQ.exe
Filesize
5.2MB

MD5
353aa3b6878a70687503cf50305b435f

SHA1
f179c9fd156f29b0d4237b63897356877c038c2f

SHA256
57f921d71cf45e68bc6855a636435c4aae69345c4cc38c1e37ec43d6f4699b84

SHA512
8339de9c15d0c34e67ab49d431821bdc0f32a30d4b08433e7cef7eea955eee97aa0ed95d14a9288866237d3c2fe649eff37815f93c274c0b63b47031a435890a

Download Submit
C:\Windows\System\UvwTxen.exe
Filesize
5.2MB

MD5
239f5a37725f1ea0cd7c5006a0c07558

SHA1
6739cc94ffadaa5f37404d773412b0a1df27156c

SHA256
234c8576b20da96baa4ae8087ce267e23e900f5c5c010b7bca677518e9ed1c09

SHA512
a0a1eb1641d1787692b7d1e6cdfd78c6d0a59e669812b0df9a08ef6d3c173a6bdb996b5facafc179f15060a3e856f3a4c4bc8cc5da03e579b60afe82283ede42

Download Submit
C:\Windows\System\XDZuNrV.exe
Filesize
5.2MB

MD5
04f3c597bcb450df07fd3b4603570162

SHA1
c5078b581e2e1f4f11ebd0f85db160b06e163dcf

SHA256
08bdc8bfb0b11d26720564378ced7c6c1ff1743e5588f400ccc69df2db13ca07

SHA512
863a1465bd2afd8e68dd87f2c17fd5de0940d78404142f2402b0b65ca9256ba9b2a00cd10817b324880a690b5cb6166987be7b23a4df01aa8de1033b3fea1e12

Download Submit
C:\Windows\System\YFckdKf.exe
Filesize
5.2MB

MD5
84faad0134e466fe7cce3e180c3c83bd

SHA1
546bc008e2726960893bbfc00b2e53570b6cf0c1

SHA256
3c859d631c3be17ed65f8d390c27f15a7486e6f20584505ceeb5fdca07e027f6

SHA512
5f0b95ce4a806ddb0dbfbbd044e5278373444afcf06d88c5598d7a8e90e1cbdf70f7fb17dfcc9be508ab5e23b2ab0d3130960391d215305a9bc545eaa0cf7265

Download Submit
C:\Windows\System\agUrNWz.exe
Filesize
5.2MB

MD5
4b8f9d44c7d9c4793a6c11b33cde4c8f

SHA1
5a99b7d0a68dbd72b67e1562427b8e4ca24f6740

SHA256
b9311f0f96457c6295bb14eadbf64891155ad9d7b65bf9633284df4db67ed6a3

SHA512
7129c29619481b9fadf0c46087c59bf78236f15abe29cf1bdcab31ac3829e309ecb3467fd13b09ebfb96647c166bd1bff9f882701bd1f74f8eb0e9f27328c391

Download Submit
C:\Windows\System\aoxnjus.exe
Filesize
5.2MB

MD5
18dc0f4f30cf7fb3b2ef08c8e6c2bbc4

SHA1
4ff81cb25626a7ccd8f13c208044701716e8512b

SHA256
132ed89c69188bb206a4005c299eaeb0db0f7f0dc713c9048710b323432cc1e3

SHA512
53a86b59a9b148fdde4a02006d8457e02c64802761228c78fa830a05adbb8e115532ba5c7410cd5cfcd74bf3952fd425ac1067a97aa3161dcee4e24fc6b2a4b3

Download Submit
C:\Windows\System\duGpqDj.exe
Filesize
5.2MB

MD5
6a91f81883e120225fb344875915e7f6

SHA1
b39d95e4205cfb204903be981f9db5dfbb00ee1d

SHA256
b8c53acc868b8d5c6636965471871b8e523c7d4f8b39ec5226c44863ad82ba6e

SHA512
11f743396939896807e7e48590c91c77d54d3cf17a0661f7dc615c2e7c45b443069b22d778a160e2e2a73f19585fe1484e8ee7f6fb7aa9a509ee3edd48157533

Download Submit
C:\Windows\System\dwVokXc.exe
Filesize
5.2MB

MD5
0b7ba09a2d738139d37dbc615dd91819

SHA1
58a55cbb33221965a9b18abc4b04e6b06e11554a

SHA256
2c482929842b777305a668e6aebf64bcd9f7870a731e8204a18ea6a39cf84b66

SHA512
948d88b6066a4bc2415ad915f0139f3796418122fb90d1f5ddd43a6e64d06455cde13500ff0c066cc6f766598c6417f49ac66475ca840377a65cc4ad0a28db46

Download Submit
C:\Windows\System\dwZRnIG.exe
Filesize
5.2MB

MD5
ac14ef72aafef12e4f18461e8f7258b4

SHA1
d7bf170dfd8f5d8245998c0278e8f6f88211f1be

SHA256
4d3ec129b1595fcb403e21fc69b0d76eb6ac925811181f77addccfb57f0fb15a

SHA512
505f07e39cddec79d6f6bde29dd4c8126d12339659e7fe235650ee8b3c3b430368c81801b1d3d28c37c3f80731b48217cb61acda123495246757275e69d6447c

Download Submit
C:\Windows\System\euSHKaM.exe
Filesize
5.2MB

MD5
ca673153e03ce6b0f548b950d77c046d

SHA1
21ccc178c7f4b90a495e8094bfc0b2afa614b1cb

SHA256
73ee0f6922f43c14dd6dbb4885fda1c598a15d2f0d7f07e570327ea821f310db

SHA512
7f2dc271bae6b46e51f6cdcea4d573d430e9c095de2dc00a8e9109d900025729377f71fa27e00ca6b41b059702cefff0182baf3922e2706ff5626b22f4fb2816

Download Submit
C:\Windows\System\hdpzCXn.exe
Filesize
5.2MB

MD5
b3814ea694e708f859c616a7b648409a

SHA1
a5c4a99f56f2947d4700c7674d16ecd5e1805584

SHA256
96c6af655cc06253037457363b2ff490ccd7acec073e813b86edc179b52cf50b

SHA512
598571a59d11807cfd9b9e5e07bfdba22ddb3129b34611b9cd6dcb83d27ef6482a85aef67db24a09bbbe07999c77d1c6d436761f9c525d688e0e94eed4e5ba4d

Download Submit
C:\Windows\System\mWEFrnE.exe
Filesize
5.2MB

MD5
2d49b17672e9260e3618372b6295a396

SHA1
2ff1caf8cab6543aaef4a8c25c7eb345cc0b7272

SHA256
06519b1388b3aa64fba4010bf73f1bb1234f055b3c4f43675dc51241f68f3585

SHA512
f53b6073f35d5deca233161ab1dc2205072affaab9029e346fc6e1f73ec75f12eb98d4a3c5cb8fc2dcd64d51833b4ae29a955bf785f66f6edca2eec9dbc32a7c

Download Submit
C:\Windows\System\nVpBDOh.exe
Filesize
5.2MB

MD5
80cfdebcedc988ea7a435f632391a4a5

SHA1
3887dc44a83b85042796f783a59a30a9ab41578a

SHA256
d4700eac36cd66fbe849ee85b4906df10ce94031f63a91a87faff0fe2e8fa2f2

SHA512
0387e0015a45345771646c9657686bfafbe0dd56850e6ce93cc2e895f392ef11e0b2e6e704faee7db1314e67f1cb70c15b36d23eddc9a25efa1a45d931edbeb3

Download Submit
C:\Windows\System\olrELfi.exe
Filesize
5.2MB

MD5
c9f4d03110413a1b91da0a2bc957b1e7

SHA1
a36ccdd95479c98d56995ca93ca9c64c997a31b2

SHA256
cc2956eec2ac503fd2af729581d306772704b494f27c5726f498775d935ef7d0

SHA512
5f00a3e86c216187c5053c225ea62e4e6d3494726ce042f70c01d53db9b0c32c126ae7b072a0f74a25ccf0a03811dacf988b33c870a80d41369ac6cdef84fb02

Download Submit
C:\Windows\System\pEwmfyB.exe
Filesize
5.2MB

MD5
1a5602e7175f90478ee3249c70edc393

SHA1
d6be6ea8d64d5439ca80b28c603826b906f6ca50

SHA256
4e4e8f2a5a3f365b3d3b139a4b709524e201283b0430eac371091b87facf8129

SHA512
faf110ddb7fda8114fc4d344b1b2fc16129ff7b0845b2d2b7df5d1492ce81a3eadb70830765254e29fcbe531862ff44dcaa9622a1c830ff67ebd77b3837139d3

Download Submit
C:\Windows\System\uaCxooM.exe
Filesize
5.2MB

MD5
0891c48e4d8f037e4133f57d7299224c

SHA1
d66117df4c0bd7d34365f492d941a94cba295c7d

SHA256
1796832d41e1f9869eac1651f47992370d3d1c345d8f22f7e3adef86a6b7cfdb

SHA512
161dcace95b79b71e0dbadf4eb2114fc3d0aba97b65dfac31c9c17693e006967068d47fa2ba9fdd4e2ead969e8f9e259414d98dcc83a9a43e4c8fc6c881dc499

Download Submit
memory/436-121-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp

Filesize
3.3MB

Download
memory/436-226-0x00007FF76B4C0000-0x00007FF76B811000-memory.dmp

Filesize
3.3MB

Download
memory/456-120-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp

Filesize
3.3MB

Download
memory/456-222-0x00007FF650E80000-0x00007FF6511D1000-memory.dmp

Filesize
3.3MB

Download
memory/1176-194-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp

Filesize
3.3MB

Download
memory/1176-150-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp

Filesize
3.3MB

Download
memory/1176-128-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp

Filesize
3.3MB

Download
memory/1176-0-0x00007FF7BC230000-0x00007FF7BC581000-memory.dmp

Filesize
3.3MB

Download
memory/1176-1-0x0000021BEB140000-0x0000021BEB150000-memory.dmp

Filesize
64KB

Download
memory/1356-224-0x00007FF648740000-0x00007FF648A91000-memory.dmp

Filesize
3.3MB

Download
memory/1356-78-0x00007FF648740000-0x00007FF648A91000-memory.dmp

Filesize
3.3MB

Download
memory/1496-233-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-143-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1496-96-0x00007FF74D980000-0x00007FF74DCD1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-227-0x00007FF776180000-0x00007FF7764D1000-memory.dmp

Filesize
3.3MB

Download
memory/1580-85-0x00007FF776180000-0x00007FF7764D1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-219-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-119-0x00007FF69EC70000-0x00007FF69EFC1000-memory.dmp

Filesize
3.3MB

Download
memory/1808-16-0x00007FF600CB0000-0x00007FF601001000-memory.dmp

Filesize
3.3MB

Download
memory/1808-207-0x00007FF600CB0000-0x00007FF601001000-memory.dmp

Filesize
3.3MB

Download
memory/1808-130-0x00007FF600CB0000-0x00007FF601001000-memory.dmp

Filesize
3.3MB

Download
memory/2156-239-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-125-0x00007FF7E8DA0000-0x00007FF7E90F1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-117-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp

Filesize
3.3MB

Download
memory/2200-148-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp

Filesize
3.3MB

Download
memory/2200-242-0x00007FF6CF0D0000-0x00007FF6CF421000-memory.dmp

Filesize
3.3MB

Download
memory/2892-118-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp

Filesize
3.3MB

Download
memory/2892-245-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp

Filesize
3.3MB

Download
memory/2892-149-0x00007FF6FF030000-0x00007FF6FF381000-memory.dmp

Filesize
3.3MB

Download
memory/3100-43-0x00007FF780710000-0x00007FF780A61000-memory.dmp

Filesize
3.3MB

Download
memory/3100-215-0x00007FF780710000-0x00007FF780A61000-memory.dmp

Filesize
3.3MB

Download
memory/3968-25-0x00007FF751DB0000-0x00007FF752101000-memory.dmp

Filesize
3.3MB

Download
memory/3968-209-0x00007FF751DB0000-0x00007FF752101000-memory.dmp

Filesize
3.3MB

Download
memory/3968-131-0x00007FF751DB0000-0x00007FF752101000-memory.dmp

Filesize
3.3MB

Download
memory/4012-122-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4012-238-0x00007FF61A7A0000-0x00007FF61AAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4100-141-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp

Filesize
3.3MB

Download
memory/4100-230-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp

Filesize
3.3MB

Download
memory/4100-89-0x00007FF64B3F0000-0x00007FF64B741000-memory.dmp

Filesize
3.3MB

Download
memory/4472-124-0x00007FF654650000-0x00007FF6549A1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-241-0x00007FF654650000-0x00007FF6549A1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-30-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-133-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4708-213-0x00007FF624A80000-0x00007FF624DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4824-205-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp

Filesize
3.3MB

Download
memory/4824-129-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp

Filesize
3.3MB

Download
memory/4824-8-0x00007FF7CFBF0000-0x00007FF7CFF41000-memory.dmp

Filesize
3.3MB

Download
memory/4908-137-0x00007FF762150000-0x00007FF7624A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-69-0x00007FF762150000-0x00007FF7624A1000-memory.dmp

Filesize
3.3MB

Download
memory/4908-220-0x00007FF762150000-0x00007FF7624A1000-memory.dmp

Filesize
3.3MB

Download
memory/4992-243-0x00007FF6191E0000-0x00007FF619531000-memory.dmp

Filesize
3.3MB

Download
memory/4992-123-0x00007FF6191E0000-0x00007FF619531000-memory.dmp

Filesize
3.3MB

Download
memory/5028-132-0x00007FF679890000-0x00007FF679BE1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-211-0x00007FF679890000-0x00007FF679BE1000-memory.dmp

Filesize
3.3MB

Download
memory/5028-39-0x00007FF679890000-0x00007FF679BE1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-103-0x00007FF656E30000-0x00007FF657181000-memory.dmp

Filesize
3.3MB

Download
memory/5096-240-0x00007FF656E30000-0x00007FF657181000-memory.dmp

Filesize
3.3MB

Download
memory/5096-144-0x00007FF656E30000-0x00007FF657181000-memory.dmp

Filesize
3.3MB

Download