cobaltstrike | e676a099c9b89390acbf118ef728ffde42fdc98bbd08c13a3b0b3d0d163986eb

Analysis

max time kernel
150s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

2ded641c530bed74b9a94c14e707963e
SHA1

fef48e255960b4d6632a89a50e6ac9036908ab73
SHA256

e676a099c9b89390acbf118ef728ffde42fdc98bbd08c13a3b0b3d0d163986eb
SHA512

041570d04cf0a3385fd602560f6ce01d804b2a74987ddb1b2144f975c5bf181629ef708dc8c7196fff37fce78b991b227acc9ee44385f07f57668933d13e53d4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\bfWrTzB.exe	cobalt_reflective_dll
C:\Windows\System\hYTNBUR.exe	cobalt_reflective_dll
C:\Windows\System\NbHIokw.exe	cobalt_reflective_dll
C:\Windows\System\AUxQHgr.exe	cobalt_reflective_dll
C:\Windows\System\xJbRGna.exe	cobalt_reflective_dll
C:\Windows\System\WTHdCSy.exe	cobalt_reflective_dll
C:\Windows\System\nMeKMXP.exe	cobalt_reflective_dll
C:\Windows\System\eRTRKiN.exe	cobalt_reflective_dll
C:\Windows\System\XtAbdve.exe	cobalt_reflective_dll
C:\Windows\System\qciRcnP.exe	cobalt_reflective_dll
C:\Windows\System\mPPcYkW.exe	cobalt_reflective_dll
C:\Windows\System\aiseVku.exe	cobalt_reflective_dll
C:\Windows\System\fNhCwzJ.exe	cobalt_reflective_dll
C:\Windows\System\FOdhuUO.exe	cobalt_reflective_dll
C:\Windows\System\nmNvvIK.exe	cobalt_reflective_dll
C:\Windows\System\krmNLga.exe	cobalt_reflective_dll
C:\Windows\System\AanVkzO.exe	cobalt_reflective_dll
C:\Windows\System\MZnxUID.exe	cobalt_reflective_dll
C:\Windows\System\kSRddDB.exe	cobalt_reflective_dll
C:\Windows\System\HUqtvPY.exe	cobalt_reflective_dll
C:\Windows\System\ytnYEaP.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\bfWrTzB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hYTNBUR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NbHIokw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AUxQHgr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xJbRGna.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WTHdCSy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nMeKMXP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eRTRKiN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XtAbdve.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qciRcnP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mPPcYkW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aiseVku.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fNhCwzJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FOdhuUO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nmNvvIK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\krmNLga.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AanVkzO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MZnxUID.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kSRddDB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HUqtvPY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ytnYEaP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4860-0-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	UPX
C:\Windows\System\bfWrTzB.exe	UPX
behavioral2/memory/3904-8-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	UPX
C:\Windows\System\hYTNBUR.exe	UPX
behavioral2/memory/2688-13-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	UPX
C:\Windows\System\NbHIokw.exe	UPX
behavioral2/memory/4160-18-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	UPX
C:\Windows\System\AUxQHgr.exe	UPX
C:\Windows\System\xJbRGna.exe	UPX
behavioral2/memory/3624-32-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	UPX
C:\Windows\System\WTHdCSy.exe	UPX
behavioral2/memory/828-38-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	UPX
behavioral2/memory/1964-24-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	UPX
C:\Windows\System\nMeKMXP.exe	UPX
behavioral2/memory/180-45-0x00007FF667820000-0x00007FF667B71000-memory.dmp	UPX
C:\Windows\System\eRTRKiN.exe	UPX
behavioral2/memory/1376-50-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	UPX
C:\Windows\System\XtAbdve.exe	UPX
behavioral2/memory/4472-55-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	UPX
C:\Windows\System\qciRcnP.exe	UPX
behavioral2/memory/4860-61-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	UPX
behavioral2/memory/3172-63-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	UPX
C:\Windows\System\mPPcYkW.exe	UPX
C:\Windows\System\aiseVku.exe	UPX
C:\Windows\System\fNhCwzJ.exe	UPX
C:\Windows\System\FOdhuUO.exe	UPX
C:\Windows\System\nmNvvIK.exe	UPX
C:\Windows\System\krmNLga.exe	UPX
C:\Windows\System\AanVkzO.exe	UPX
C:\Windows\System\MZnxUID.exe	UPX
C:\Windows\System\kSRddDB.exe	UPX
C:\Windows\System\HUqtvPY.exe	UPX
C:\Windows\System\ytnYEaP.exe	UPX
behavioral2/memory/4860-118-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	UPX
behavioral2/memory/4160-121-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	UPX
behavioral2/memory/180-125-0x00007FF667820000-0x00007FF667B71000-memory.dmp	UPX
behavioral2/memory/4472-127-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	UPX
behavioral2/memory/1964-122-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	UPX
behavioral2/memory/2688-120-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	UPX
behavioral2/memory/3904-119-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	UPX
behavioral2/memory/2848-128-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	UPX
behavioral2/memory/540-130-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp	UPX
behavioral2/memory/1484-129-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	UPX
behavioral2/memory/4476-132-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp	UPX
behavioral2/memory/4780-136-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	UPX
behavioral2/memory/2968-135-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp	UPX
behavioral2/memory/3432-134-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp	UPX
behavioral2/memory/3464-137-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp	UPX
behavioral2/memory/3628-138-0x00007FF633580000-0x00007FF6338D1000-memory.dmp	UPX
behavioral2/memory/3400-133-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp	UPX
behavioral2/memory/4496-131-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp	UPX
behavioral2/memory/4860-151-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	UPX
behavioral2/memory/3904-200-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	UPX
behavioral2/memory/2688-202-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	UPX
behavioral2/memory/4160-204-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	UPX
behavioral2/memory/1964-208-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	UPX
behavioral2/memory/3624-207-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	UPX
behavioral2/memory/828-210-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	UPX
behavioral2/memory/180-215-0x00007FF667820000-0x00007FF667B71000-memory.dmp	UPX
behavioral2/memory/1376-217-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	UPX
behavioral2/memory/4472-219-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	UPX
behavioral2/memory/3172-221-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	UPX
behavioral2/memory/2848-223-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	UPX
behavioral2/memory/1484-225-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3624-32-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	xmrig
behavioral2/memory/828-38-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	xmrig
behavioral2/memory/1376-50-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	xmrig
behavioral2/memory/4860-61-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	xmrig
behavioral2/memory/3172-63-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	xmrig
behavioral2/memory/4860-118-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	xmrig
behavioral2/memory/4160-121-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	xmrig
behavioral2/memory/180-125-0x00007FF667820000-0x00007FF667B71000-memory.dmp	xmrig
behavioral2/memory/4472-127-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	xmrig
behavioral2/memory/1964-122-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	xmrig
behavioral2/memory/2688-120-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	xmrig
behavioral2/memory/3904-119-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	xmrig
behavioral2/memory/2848-128-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	xmrig
behavioral2/memory/540-130-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp	xmrig
behavioral2/memory/1484-129-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	xmrig
behavioral2/memory/4476-132-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp	xmrig
behavioral2/memory/4780-136-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	xmrig
behavioral2/memory/2968-135-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp	xmrig
behavioral2/memory/3432-134-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp	xmrig
behavioral2/memory/3464-137-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp	xmrig
behavioral2/memory/3628-138-0x00007FF633580000-0x00007FF6338D1000-memory.dmp	xmrig
behavioral2/memory/3400-133-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp	xmrig
behavioral2/memory/4496-131-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp	xmrig
behavioral2/memory/4860-151-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	xmrig
behavioral2/memory/3904-200-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	xmrig
behavioral2/memory/2688-202-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	xmrig
behavioral2/memory/4160-204-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	xmrig
behavioral2/memory/1964-208-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	xmrig
behavioral2/memory/3624-207-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	xmrig
behavioral2/memory/828-210-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	xmrig
behavioral2/memory/180-215-0x00007FF667820000-0x00007FF667B71000-memory.dmp	xmrig
behavioral2/memory/1376-217-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	xmrig
behavioral2/memory/4472-219-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	xmrig
behavioral2/memory/3172-221-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	xmrig
behavioral2/memory/2848-223-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	xmrig
behavioral2/memory/1484-225-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	xmrig
behavioral2/memory/540-227-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp	xmrig
behavioral2/memory/4496-230-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp	xmrig
behavioral2/memory/4476-238-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp	xmrig
behavioral2/memory/3400-240-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp	xmrig
behavioral2/memory/3432-242-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp	xmrig
behavioral2/memory/2968-244-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp	xmrig
behavioral2/memory/4780-246-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	xmrig
behavioral2/memory/3464-248-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp	xmrig
behavioral2/memory/3628-250-0x00007FF633580000-0x00007FF6338D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bfWrTzB.exehYTNBUR.exeNbHIokw.exeAUxQHgr.exexJbRGna.exeWTHdCSy.exenMeKMXP.exeeRTRKiN.exeXtAbdve.exeqciRcnP.exemPPcYkW.exeytnYEaP.exeaiseVku.exefNhCwzJ.exeFOdhuUO.exenmNvvIK.exekrmNLga.exeAanVkzO.exeMZnxUID.exekSRddDB.exeHUqtvPY.exe

pid	process
3904	bfWrTzB.exe
2688	hYTNBUR.exe
4160	NbHIokw.exe
1964	AUxQHgr.exe
3624	xJbRGna.exe
828	WTHdCSy.exe
180	nMeKMXP.exe
1376	eRTRKiN.exe
4472	XtAbdve.exe
3172	qciRcnP.exe
2848	mPPcYkW.exe
1484	ytnYEaP.exe
540	aiseVku.exe
4496	fNhCwzJ.exe
4476	FOdhuUO.exe
3400	nmNvvIK.exe
3432	krmNLga.exe
2968	AanVkzO.exe
4780	MZnxUID.exe
3464	kSRddDB.exe
3628	HUqtvPY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4860-0-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	upx
C:\Windows\System\bfWrTzB.exe	upx
behavioral2/memory/3904-8-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	upx
C:\Windows\System\hYTNBUR.exe	upx
behavioral2/memory/2688-13-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	upx
C:\Windows\System\NbHIokw.exe	upx
behavioral2/memory/4160-18-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	upx
C:\Windows\System\AUxQHgr.exe	upx
C:\Windows\System\xJbRGna.exe	upx
behavioral2/memory/3624-32-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	upx
C:\Windows\System\WTHdCSy.exe	upx
behavioral2/memory/828-38-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	upx
behavioral2/memory/1964-24-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	upx
C:\Windows\System\nMeKMXP.exe	upx
behavioral2/memory/180-45-0x00007FF667820000-0x00007FF667B71000-memory.dmp	upx
C:\Windows\System\eRTRKiN.exe	upx
behavioral2/memory/1376-50-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	upx
C:\Windows\System\XtAbdve.exe	upx
behavioral2/memory/4472-55-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	upx
C:\Windows\System\qciRcnP.exe	upx
behavioral2/memory/4860-61-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	upx
behavioral2/memory/3172-63-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	upx
C:\Windows\System\mPPcYkW.exe	upx
C:\Windows\System\aiseVku.exe	upx
C:\Windows\System\fNhCwzJ.exe	upx
C:\Windows\System\FOdhuUO.exe	upx
C:\Windows\System\nmNvvIK.exe	upx
C:\Windows\System\krmNLga.exe	upx
C:\Windows\System\AanVkzO.exe	upx
C:\Windows\System\MZnxUID.exe	upx
C:\Windows\System\kSRddDB.exe	upx
C:\Windows\System\HUqtvPY.exe	upx
C:\Windows\System\ytnYEaP.exe	upx
behavioral2/memory/4860-118-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	upx
behavioral2/memory/4160-121-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	upx
behavioral2/memory/180-125-0x00007FF667820000-0x00007FF667B71000-memory.dmp	upx
behavioral2/memory/4472-127-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	upx
behavioral2/memory/1964-122-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	upx
behavioral2/memory/2688-120-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	upx
behavioral2/memory/3904-119-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	upx
behavioral2/memory/2848-128-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	upx
behavioral2/memory/540-130-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp	upx
behavioral2/memory/1484-129-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	upx
behavioral2/memory/4476-132-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp	upx
behavioral2/memory/4780-136-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp	upx
behavioral2/memory/2968-135-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp	upx
behavioral2/memory/3432-134-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp	upx
behavioral2/memory/3464-137-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp	upx
behavioral2/memory/3628-138-0x00007FF633580000-0x00007FF6338D1000-memory.dmp	upx
behavioral2/memory/3400-133-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp	upx
behavioral2/memory/4496-131-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp	upx
behavioral2/memory/4860-151-0x00007FF606370000-0x00007FF6066C1000-memory.dmp	upx
behavioral2/memory/3904-200-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp	upx
behavioral2/memory/2688-202-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp	upx
behavioral2/memory/4160-204-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp	upx
behavioral2/memory/1964-208-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp	upx
behavioral2/memory/3624-207-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp	upx
behavioral2/memory/828-210-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp	upx
behavioral2/memory/180-215-0x00007FF667820000-0x00007FF667B71000-memory.dmp	upx
behavioral2/memory/1376-217-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp	upx
behavioral2/memory/4472-219-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp	upx
behavioral2/memory/3172-221-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp	upx
behavioral2/memory/2848-223-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp	upx
behavioral2/memory/1484-225-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\AUxQHgr.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xJbRGna.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aiseVku.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fNhCwzJ.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\krmNLga.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WTHdCSy.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nMeKMXP.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eRTRKiN.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XtAbdve.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FOdhuUO.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AanVkzO.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hYTNBUR.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NbHIokw.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mPPcYkW.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ytnYEaP.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nmNvvIK.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kSRddDB.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bfWrTzB.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qciRcnP.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MZnxUID.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HUqtvPY.exe	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4860 wrote to memory of 3904	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	bfWrTzB.exe
PID 4860 wrote to memory of 3904	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	bfWrTzB.exe
PID 4860 wrote to memory of 2688	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	hYTNBUR.exe
PID 4860 wrote to memory of 2688	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	hYTNBUR.exe
PID 4860 wrote to memory of 4160	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	NbHIokw.exe
PID 4860 wrote to memory of 4160	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	NbHIokw.exe
PID 4860 wrote to memory of 1964	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	AUxQHgr.exe
PID 4860 wrote to memory of 1964	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	AUxQHgr.exe
PID 4860 wrote to memory of 3624	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	xJbRGna.exe
PID 4860 wrote to memory of 3624	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	xJbRGna.exe
PID 4860 wrote to memory of 828	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	WTHdCSy.exe
PID 4860 wrote to memory of 828	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	WTHdCSy.exe
PID 4860 wrote to memory of 180	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	nMeKMXP.exe
PID 4860 wrote to memory of 180	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	nMeKMXP.exe
PID 4860 wrote to memory of 1376	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	eRTRKiN.exe
PID 4860 wrote to memory of 1376	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	eRTRKiN.exe
PID 4860 wrote to memory of 4472	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	XtAbdve.exe
PID 4860 wrote to memory of 4472	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	XtAbdve.exe
PID 4860 wrote to memory of 3172	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	qciRcnP.exe
PID 4860 wrote to memory of 3172	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	qciRcnP.exe
PID 4860 wrote to memory of 2848	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	mPPcYkW.exe
PID 4860 wrote to memory of 2848	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	mPPcYkW.exe
PID 4860 wrote to memory of 1484	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	ytnYEaP.exe
PID 4860 wrote to memory of 1484	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	ytnYEaP.exe
PID 4860 wrote to memory of 540	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	aiseVku.exe
PID 4860 wrote to memory of 540	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	aiseVku.exe
PID 4860 wrote to memory of 4496	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	fNhCwzJ.exe
PID 4860 wrote to memory of 4496	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	fNhCwzJ.exe
PID 4860 wrote to memory of 4476	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	FOdhuUO.exe
PID 4860 wrote to memory of 4476	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	FOdhuUO.exe
PID 4860 wrote to memory of 3400	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	nmNvvIK.exe
PID 4860 wrote to memory of 3400	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	nmNvvIK.exe
PID 4860 wrote to memory of 3432	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	krmNLga.exe
PID 4860 wrote to memory of 3432	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	krmNLga.exe
PID 4860 wrote to memory of 2968	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	AanVkzO.exe
PID 4860 wrote to memory of 2968	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	AanVkzO.exe
PID 4860 wrote to memory of 4780	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	MZnxUID.exe
PID 4860 wrote to memory of 4780	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	MZnxUID.exe
PID 4860 wrote to memory of 3464	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	kSRddDB.exe
PID 4860 wrote to memory of 3464	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	kSRddDB.exe
PID 4860 wrote to memory of 3628	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	HUqtvPY.exe
PID 4860 wrote to memory of 3628	4860	2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe	HUqtvPY.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_2ded641c530bed74b9a94c14e707963e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System\bfWrTzB.exe
C:\Windows\System\bfWrTzB.exe
2⤵
- Executes dropped EXE
PID:3904

C:\Windows\System\hYTNBUR.exe
C:\Windows\System\hYTNBUR.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\NbHIokw.exe
C:\Windows\System\NbHIokw.exe
2⤵
- Executes dropped EXE
PID:4160

C:\Windows\System\AUxQHgr.exe
C:\Windows\System\AUxQHgr.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\xJbRGna.exe
C:\Windows\System\xJbRGna.exe
2⤵
- Executes dropped EXE
PID:3624

C:\Windows\System\WTHdCSy.exe
C:\Windows\System\WTHdCSy.exe
2⤵
- Executes dropped EXE
PID:828

C:\Windows\System\nMeKMXP.exe
C:\Windows\System\nMeKMXP.exe
2⤵
- Executes dropped EXE
PID:180

C:\Windows\System\eRTRKiN.exe
C:\Windows\System\eRTRKiN.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\XtAbdve.exe
C:\Windows\System\XtAbdve.exe
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\System\qciRcnP.exe
C:\Windows\System\qciRcnP.exe
2⤵
- Executes dropped EXE
PID:3172

C:\Windows\System\mPPcYkW.exe
C:\Windows\System\mPPcYkW.exe
2⤵
- Executes dropped EXE
PID:2848

C:\Windows\System\ytnYEaP.exe
C:\Windows\System\ytnYEaP.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\System\aiseVku.exe
C:\Windows\System\aiseVku.exe
2⤵
- Executes dropped EXE
PID:540

C:\Windows\System\fNhCwzJ.exe
C:\Windows\System\fNhCwzJ.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\FOdhuUO.exe
C:\Windows\System\FOdhuUO.exe
2⤵
- Executes dropped EXE
PID:4476

C:\Windows\System\nmNvvIK.exe
C:\Windows\System\nmNvvIK.exe
2⤵
- Executes dropped EXE
PID:3400

C:\Windows\System\krmNLga.exe
C:\Windows\System\krmNLga.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System\AanVkzO.exe
C:\Windows\System\AanVkzO.exe
2⤵
- Executes dropped EXE
PID:2968

C:\Windows\System\MZnxUID.exe
C:\Windows\System\MZnxUID.exe
2⤵
- Executes dropped EXE
PID:4780

C:\Windows\System\kSRddDB.exe
C:\Windows\System\kSRddDB.exe
2⤵
- Executes dropped EXE
PID:3464

C:\Windows\System\HUqtvPY.exe
C:\Windows\System\HUqtvPY.exe
2⤵
- Executes dropped EXE
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:1044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUxQHgr.exe

Filesize
5.2MB

MD5
dd7b1a8d4fea1e2484f051d4b5fada15

SHA1
c354ec65095a7b5bdb48d37067bf5d4eef611079

SHA256
a28621f90c5fb24abb780e942ab3fdf2805a97ae8170f0060633b63083d8dbd5

SHA512
cda8787f4788ff8822597804ac8641e80d689ee5a7e7578b2aa4933c8526449a92ce7829e6f118864ff9b899e45b8a5cfa3a7f258ea44928a47f1199863cdec2

Download Submit
C:\Windows\System\AanVkzO.exe

Filesize
5.2MB

MD5
1fde865f4285f929b044d27c5e4decf0

SHA1
c3a61b793aa87a1ed2a0599846a0b99e3d04a857

SHA256
1e604e968cf8d2f832a91a94b5aa4fdfadf5a395ee1b339eb019b6832b1157bc

SHA512
2fbf8e6fdda67771f5676ea3d807063d0366c223b7d5fb24464518ca1f37ebc0cdc3defda49be27a905e1bc4f51c7ea77a7ed8162d0d8c8189a6c2c7fe7846dc

Download Submit
C:\Windows\System\FOdhuUO.exe

Filesize
5.2MB

MD5
6ef4ba54fc1e4077d63eeeaecc1dc66d

SHA1
9661ff85be7df2f2b7e3e1710d86b34314c9bb76

SHA256
ca6fd0be4f003f47a736ddb5c745cc18e6a5d355b3d08b6583726df8d74bd414

SHA512
f4b8e2ca5f31f7f92b7701b1670ee2208fb4304f2a576b9869231f40aaf32d65d0ace97788073811977bf4ff95d2f3ca58d8d04ec94c425f11f8641005f8f0bb

Download Submit
C:\Windows\System\HUqtvPY.exe

Filesize
5.2MB

MD5
42ab8ef8f36319ff0c8d628b4cf4158d

SHA1
db694e1fd2f97482b20f10e0ec95fbb8d2a9af52

SHA256
29ea69d0058b39ac35a61341188914ad12eb4284a19fa0cff9605fdb781dd8bb

SHA512
3b595c35ee1c59f0bf723f6296465972a88409ef972ed843efd754905d1d599197b5d294e993298a358f12536ab3984d949884aba6c422ff34b3f5f077bf20d9

Download Submit
C:\Windows\System\MZnxUID.exe

Filesize
5.2MB

MD5
a6468dbf3f1b1e90b867b5a240c28a77

SHA1
63c9b1c3fc404f64d55678e7b9cb88dd81fbaeb8

SHA256
b937eda108910c8fd21057796bd6e8efbc39cf5c5999090314f78c032509294e

SHA512
ad0367cdaf2058d131a2da57b9c6f91a8d58984e801f44a1a4cdb46a5fc505973941a2813ed30952fe56afe9551df26f20c87be08385dfc1095eca806cd4a51c

Download Submit
C:\Windows\System\NbHIokw.exe

Filesize
5.2MB

MD5
d309783359b1656486f4686de6686d8d

SHA1
dd5898176b7670010f422bd80a38b0562d428933

SHA256
03ef49be5aa89c2f229e4d8b86574e2e99e51fbd65e418bf9c4f5f039a3da8ac

SHA512
3a5b8de7be50e900833730ac5ec33336e49d371b89cddea1bae9eae9c8699c4f6a963e3ac3582200cf9f0f5234908f1c3f7e5c816b4766d6eeae48646d09c83f

Download Submit
C:\Windows\System\WTHdCSy.exe

Filesize
5.2MB

MD5
070122f978a904916aca64b60ce78f16

SHA1
6907c27654dba46093bd29b24e6ee509f2c60e5f

SHA256
622292f8766263a10ab9d004454d9bbd8f2b5f03544d6fc24fa825019991b08c

SHA512
25ac03f4a7ebd674d8e736103f0ae7b518256971a594b84d19768622eec22f782d6f5d129df5555a6d8ae493a4a841627ba771dae1d98a86d61783c74dcb28d4

Download Submit
C:\Windows\System\XtAbdve.exe

Filesize
5.2MB

MD5
bd8a05a6131fe4ab70758c3c7c82dfb7

SHA1
69b9d629533acbe2e37fe30341851eea52a4c5a8

SHA256
08b968724778f2f21f676995c0c4da8741315bd0e54cb702200fee2097fafa0e

SHA512
b7d79b266ac84eba9764234e73396ec33147e7b8fd1067d486a81ca59b4a5ee0b17e221fd9f89a6d077ecc4957206f8e6cd42cb9ccad6466d7b0bfccee5902a8

Download Submit
C:\Windows\System\aiseVku.exe

Filesize
5.2MB

MD5
212e4f5908883dd13701689f7da37352

SHA1
288fc87929a7e4d3d04db3afd9289efc756c7f20

SHA256
6a8d25647cd2e1ce06ea1fc5173dc9bea4ffe25686420e66e6d97b40b9e49720

SHA512
1225825c495c9b0085c38d2144fa0e543584644b8d019468d35c306f89f4b0e74d8036dcb5ecab28e825828dc4a62f7700614dba3731a0534a1ac53c98b15de1

Download Submit
C:\Windows\System\bfWrTzB.exe

Filesize
5.2MB

MD5
5a869f90089c26e41333dd1ba71554db

SHA1
63eb59442b8b244f27446c37ce70f7b04c20dc00

SHA256
286721a6eb4bc439e67483c2f7864f14f65b3e38ff133dedd5f88311ec9d1085

SHA512
4adedecc01c10d54749b57aed4c432b5b784b23159560d79d7e70eff2d32f199fd982280fa28956b2f99b31a0475675d783029adc21d8dc5c2f361e3c262bfb1

Download Submit
C:\Windows\System\eRTRKiN.exe

Filesize
5.2MB

MD5
9362692e7ba8bfa49ffed890adbb764c

SHA1
991ec1e0a4352613f76eec4b7f3a932184018d5e

SHA256
09d46cc555190c8a5f83a93fa986367abfffc9f3f866bde8a740f1ca669cb232

SHA512
a75019a99a14b945b88f690090ea8d745bde5aca9c87ca130f5eb804dbceff0ef305e0f89c3c17791f753a35405e2b0472418ca16c2d478511d62c18a7f0c4c7

Download Submit
C:\Windows\System\fNhCwzJ.exe

Filesize
5.2MB

MD5
dbb23704b9377638c01fa7488c02e4c8

SHA1
995b1b2c023fa56b0799df0391279e40ab165b85

SHA256
a0808445b9e0666ae2f8f19e2ce7ed813ee7b6eb10cc3f372647a3d88be88325

SHA512
4f40880293b3fd16fdc9fb52419eeb214c0a202c491e95a191a50ec3648e26ed4386b00fbe599a2afff08aabfb75daeb2592c21a1f9924e927e793837ec700d6

Download Submit
C:\Windows\System\hYTNBUR.exe

Filesize
5.2MB

MD5
d3312b8e28b94e48b802c227981161e6

SHA1
3e5104b4ee04e79fea3adc131eb991c2b2b2b818

SHA256
2ed82807972c9adaecb573667385441d813070d0fee2c8cf294a1aca851c85c4

SHA512
ed0e0793003b0fe00fb910e5fffab426bb42d66c4fcbf75a2abc42b2db2ddf8726f795709415176d3e4d2b43bed8700515e6806998c64f87b3c35eae4c12e506

Download Submit
C:\Windows\System\kSRddDB.exe

Filesize
5.2MB

MD5
559e88569766122d48eacde1d6a05686

SHA1
0c5c0677fca3b9fd3d3e08cc2c566624bc500c48

SHA256
5e975290365e887c65f69226f8780a39f37cf276d2ea132ac8051b19238deb10

SHA512
d02ef58a0980fbfdec344a22f6b3e7d52086e99b73e82b0590aca0bd7c9846a76171c7ec526a6855d116e5079eea9e5e02c304a4ce6efde7639628f105d35fa5

Download Submit
C:\Windows\System\krmNLga.exe

Filesize
5.2MB

MD5
46e3f7569a803892f63ce76c549ea057

SHA1
4004ad9ce6a358b140da7ec7d87f2bd272270fd2

SHA256
0ae80f8664268a5bfc6fb9584f09feec024dcae5095bcc085c8ae13e9a1e8604

SHA512
4a8f147d1c6b74012d088ce9fb7aeb412a511d3c7b940daef0f60e6c9ecd3b7232338f2eeb8118772a97a55718e27c1412657bfbc9f5b618a76e71b7ed0addd6

Download Submit
C:\Windows\System\mPPcYkW.exe

Filesize
5.2MB

MD5
62fc02dde6af21190932806ef16d8e4e

SHA1
060cdd714abc61118f6b556dc75056fc8e0b2ae6

SHA256
ba84ca1a356f36173cd074d19086f591b49adf0494b2f57861404e2c5ec2021f

SHA512
3dfd599a8e2450ef54e02354ddbcc1f2b9c786ed7be5e5ff0e2be50491c1f2579ecfaee1e7b75742cb88dcedf9c06fc7f5008c959e5fedb89c24bbbd3b6c12e1

Download Submit
C:\Windows\System\nMeKMXP.exe

Filesize
5.2MB

MD5
6d364e78f56d898733dae2801437120d

SHA1
3f7ed1aeaca16a5056dae488a4125ca8dae09503

SHA256
b4a4e2146d5398c2cbbfb043ce8819f2798cf9c11b6c74c7fe57369d34726194

SHA512
2a6ba0307f22bb98a19cdde39b1ce20a3986f1f68ba742b7cb37a68a0a0d4c4d5ce5b9e94d617b1cdb9f4ff9797bd7f75e6ae40258d9aa0e14c6c2fa9056e646

Download Submit
C:\Windows\System\nmNvvIK.exe

Filesize
5.2MB

MD5
c0a342ed1cf481bb309c41e5e6446b14

SHA1
1f3158bf8fa3180c9a9e299a6d50cda5d545a45e

SHA256
02fe1fb4e0d7b59d532e9c8a902cfe71f6d0e75bd5ab4bd8b43a1ac1463cd9b0

SHA512
3caed4fdbfc0d75f2bf92a70c04bee1a4b20b608eeda6babb4ea04ea56e68dccae3dcb2803553b7bd0351d2d2a7b1834a71dfad992a24e2a33f44fa5b834ce26

Download Submit
C:\Windows\System\qciRcnP.exe

Filesize
5.2MB

MD5
dff0746e6d71eaf8616d513a7b10c189

SHA1
1df79d5d54492db293cb947a25ad33e5f56a0a4f

SHA256
339177461d0ac41829f7a5efa50d91b3d298f9e6abb00d51fd8cc600be2d58bc

SHA512
a501dd6c8a1a0bbaf5f6eb62f6a34b912265b0e76a9df8f8f56a8e58435a22acbe0d6255d2467f3f8926d844f081d125009059505703a3dce25243e67843c1c2

Download Submit
C:\Windows\System\xJbRGna.exe

Filesize
5.2MB

MD5
fab70fcaa29d3ff9f9ddcd9d642ec7f9

SHA1
0c60364ec75da8203e9c79bdcfebce0a1bcaaf50

SHA256
ecccb8dacaa37622823fb6d047d3a1b327c879bf5f4cb0f76ecd3fff7848a350

SHA512
292f75011c9cdc62640d5bdec474c4b41e5096799fa72bfbf183e5066a60dcf5eda5a534c1b49585762053d015755722ec102ca85e68931fc658df9e7e5086ae

Download Submit
C:\Windows\System\ytnYEaP.exe

Filesize
5.2MB

MD5
50a0e0058d8320261e4e3466b58195c7

SHA1
1661e98f80dc53d1e76318589aa3b898c62fe1ac

SHA256
b052196cfc157f672cfede10c961296eb0f7c2410c548c097f9a2a2bdfaccd22

SHA512
ea7323b7fc94a735ae1148f40f85d26334dbcd8dd721f0d04154d98a7c92377dc9f52d56698f2c55e5a38df1ffef36b2ff13edc28796748b9e36902f80f1fbd5

Download Submit
memory/180-215-0x00007FF667820000-0x00007FF667B71000-memory.dmp

Filesize
3.3MB

Download
memory/180-125-0x00007FF667820000-0x00007FF667B71000-memory.dmp

Filesize
3.3MB

Download
memory/180-45-0x00007FF667820000-0x00007FF667B71000-memory.dmp

Filesize
3.3MB

Download
memory/540-227-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp

Filesize
3.3MB

Download
memory/540-130-0x00007FF6B4AC0000-0x00007FF6B4E11000-memory.dmp

Filesize
3.3MB

Download
memory/828-38-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp

Filesize
3.3MB

Download
memory/828-210-0x00007FF679E80000-0x00007FF67A1D1000-memory.dmp

Filesize
3.3MB

Download
memory/1376-50-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp

Filesize
3.3MB

Download
memory/1376-217-0x00007FF6C0820000-0x00007FF6C0B71000-memory.dmp

Filesize
3.3MB

Download
memory/1484-129-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp

Filesize
3.3MB

Download
memory/1484-225-0x00007FF69DC00000-0x00007FF69DF51000-memory.dmp

Filesize
3.3MB

Download
memory/1964-122-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-208-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-24-0x00007FF7C1F80000-0x00007FF7C22D1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-202-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp

Filesize
3.3MB

Download
memory/2688-13-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp

Filesize
3.3MB

Download
memory/2688-120-0x00007FF6F6D40000-0x00007FF6F7091000-memory.dmp

Filesize
3.3MB

Download
memory/2848-223-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-128-0x00007FF6B3A50000-0x00007FF6B3DA1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-244-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-135-0x00007FF77CE60000-0x00007FF77D1B1000-memory.dmp

Filesize
3.3MB

Download
memory/3172-221-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp

Filesize
3.3MB

Download
memory/3172-63-0x00007FF6C5FB0000-0x00007FF6C6301000-memory.dmp

Filesize
3.3MB

Download
memory/3400-133-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp

Filesize
3.3MB

Download
memory/3400-240-0x00007FF7F17C0000-0x00007FF7F1B11000-memory.dmp

Filesize
3.3MB

Download
memory/3432-242-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp

Filesize
3.3MB

Download
memory/3432-134-0x00007FF6C3DC0000-0x00007FF6C4111000-memory.dmp

Filesize
3.3MB

Download
memory/3464-248-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp

Filesize
3.3MB

Download
memory/3464-137-0x00007FF7F2EF0000-0x00007FF7F3241000-memory.dmp

Filesize
3.3MB

Download
memory/3624-32-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-207-0x00007FF6BECA0000-0x00007FF6BEFF1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-138-0x00007FF633580000-0x00007FF6338D1000-memory.dmp

Filesize
3.3MB

Download
memory/3628-250-0x00007FF633580000-0x00007FF6338D1000-memory.dmp

Filesize
3.3MB

Download
memory/3904-200-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp

Filesize
3.3MB

Download
memory/3904-8-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp

Filesize
3.3MB

Download
memory/3904-119-0x00007FF65EB10000-0x00007FF65EE61000-memory.dmp

Filesize
3.3MB

Download
memory/4160-18-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-204-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4160-121-0x00007FF6FD280000-0x00007FF6FD5D1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-127-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-55-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp

Filesize
3.3MB

Download
memory/4472-219-0x00007FF74AA50000-0x00007FF74ADA1000-memory.dmp

Filesize
3.3MB

Download
memory/4476-238-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp

Filesize
3.3MB

Download
memory/4476-132-0x00007FF6A21F0000-0x00007FF6A2541000-memory.dmp

Filesize
3.3MB

Download
memory/4496-230-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp

Filesize
3.3MB

Download
memory/4496-131-0x00007FF76F7F0000-0x00007FF76FB41000-memory.dmp

Filesize
3.3MB

Download
memory/4780-136-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4780-246-0x00007FF6FE7A0000-0x00007FF6FEAF1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-118-0x00007FF606370000-0x00007FF6066C1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-61-0x00007FF606370000-0x00007FF6066C1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-151-0x00007FF606370000-0x00007FF6066C1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-0-0x00007FF606370000-0x00007FF6066C1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-1-0x000001AE06E60000-0x000001AE06E70000-memory.dmp

Filesize
64KB

Download