cobaltstrike | ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

89bb0a8945c30a2a7e5f8c748f68bc54
SHA1

bc47b98c30b725d61b03b976c54e324647d20c65
SHA256

ea5d21cbfc480e93ee72f0f14792230db0a0380c0235eb82f1bf8f97bd96b9aa
SHA512

242c4942f0220b44e31890187bc621c3dccd883c4037f21a195ccc6d86e9d8f6bd60f2a5dc6118c77d82785c7ce1ee5e52ab728081a71a5330ee96e62dfa346e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\cFoJPZz.exe	cobalt_reflective_dll
C:\Windows\System\eAxHtbd.exe	cobalt_reflective_dll
C:\Windows\System\HDpPmgF.exe	cobalt_reflective_dll
C:\Windows\System\OHrqSlq.exe	cobalt_reflective_dll
C:\Windows\System\TwpfrDG.exe	cobalt_reflective_dll
C:\Windows\System\pFAYcZg.exe	cobalt_reflective_dll
C:\Windows\System\sgTdRtb.exe	cobalt_reflective_dll
C:\Windows\System\lJdWxpx.exe	cobalt_reflective_dll
C:\Windows\System\ElhkzLk.exe	cobalt_reflective_dll
C:\Windows\System\MsYFIKY.exe	cobalt_reflective_dll
C:\Windows\System\nOEVESv.exe	cobalt_reflective_dll
C:\Windows\System\cLVizei.exe	cobalt_reflective_dll
C:\Windows\System\AGcPMrr.exe	cobalt_reflective_dll
C:\Windows\System\FPNwLOP.exe	cobalt_reflective_dll
C:\Windows\System\rDzEjVj.exe	cobalt_reflective_dll
C:\Windows\System\xgRjCXO.exe	cobalt_reflective_dll
C:\Windows\System\WVgVBWt.exe	cobalt_reflective_dll
C:\Windows\System\dHZxzWv.exe	cobalt_reflective_dll
C:\Windows\System\lpxhBXy.exe	cobalt_reflective_dll
C:\Windows\System\sbgbEPv.exe	cobalt_reflective_dll
C:\Windows\System\VqfGpFh.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\cFoJPZz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eAxHtbd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HDpPmgF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OHrqSlq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TwpfrDG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pFAYcZg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sgTdRtb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lJdWxpx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ElhkzLk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MsYFIKY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nOEVESv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cLVizei.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AGcPMrr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FPNwLOP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rDzEjVj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xgRjCXO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WVgVBWt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dHZxzWv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lpxhBXy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sbgbEPv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VqfGpFh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1992-0-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	UPX
C:\Windows\System\cFoJPZz.exe	UPX
behavioral2/memory/3296-8-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	UPX
C:\Windows\System\eAxHtbd.exe	UPX
C:\Windows\System\HDpPmgF.exe	UPX
behavioral2/memory/2916-14-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	UPX
C:\Windows\System\OHrqSlq.exe	UPX
behavioral2/memory/2596-26-0x00007FF604010000-0x00007FF604361000-memory.dmp	UPX
behavioral2/memory/3824-21-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	UPX
C:\Windows\System\TwpfrDG.exe	UPX
C:\Windows\System\pFAYcZg.exe	UPX
C:\Windows\System\sgTdRtb.exe	UPX
behavioral2/memory/3724-45-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	UPX
behavioral2/memory/4676-49-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	UPX
C:\Windows\System\lJdWxpx.exe	UPX
C:\Windows\System\ElhkzLk.exe	UPX
behavioral2/memory/3204-55-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	UPX
C:\Windows\System\MsYFIKY.exe	UPX
behavioral2/memory/2208-40-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	UPX
behavioral2/memory/3792-32-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	UPX
behavioral2/memory/1992-61-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	UPX
behavioral2/memory/1672-62-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp	UPX
C:\Windows\System\nOEVESv.exe	UPX
C:\Windows\System\cLVizei.exe	UPX
behavioral2/memory/3264-72-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	UPX
behavioral2/memory/3296-71-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	UPX
behavioral2/memory/4584-83-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	UPX
C:\Windows\System\AGcPMrr.exe	UPX
C:\Windows\System\FPNwLOP.exe	UPX
C:\Windows\System\rDzEjVj.exe	UPX
behavioral2/memory/4548-101-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp	UPX
behavioral2/memory/2636-95-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	UPX
behavioral2/memory/4724-87-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	UPX
C:\Windows\System\xgRjCXO.exe	UPX
behavioral2/memory/1468-82-0x00007FF795040000-0x00007FF795391000-memory.dmp	UPX
behavioral2/memory/2916-76-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	UPX
C:\Windows\System\WVgVBWt.exe	UPX
C:\Windows\System\dHZxzWv.exe	UPX
C:\Windows\System\lpxhBXy.exe	UPX
C:\Windows\System\sbgbEPv.exe	UPX
behavioral2/memory/1844-128-0x00007FF663780000-0x00007FF663AD1000-memory.dmp	UPX
behavioral2/memory/4184-133-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	UPX
behavioral2/memory/4676-134-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	UPX
behavioral2/memory/2696-135-0x00007FF6782C0000-0x00007FF678611000-memory.dmp	UPX
C:\Windows\System\VqfGpFh.exe	UPX
behavioral2/memory/1696-130-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	UPX
behavioral2/memory/4124-121-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	UPX
behavioral2/memory/3724-110-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	UPX
behavioral2/memory/3204-144-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	UPX
behavioral2/memory/1468-146-0x00007FF795040000-0x00007FF795391000-memory.dmp	UPX
behavioral2/memory/2636-149-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	UPX
behavioral2/memory/4584-148-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	UPX
behavioral2/memory/4724-147-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	UPX
behavioral2/memory/4124-151-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	UPX
behavioral2/memory/1992-152-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	UPX
behavioral2/memory/4184-158-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	UPX
behavioral2/memory/1696-157-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	UPX
behavioral2/memory/1992-174-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	UPX
behavioral2/memory/3296-204-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	UPX
behavioral2/memory/2916-206-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	UPX
behavioral2/memory/3824-208-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	UPX
behavioral2/memory/2596-210-0x00007FF604010000-0x00007FF604361000-memory.dmp	UPX
behavioral2/memory/3792-212-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	UPX
behavioral2/memory/2208-219-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2596-26-0x00007FF604010000-0x00007FF604361000-memory.dmp	xmrig
behavioral2/memory/3824-21-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	xmrig
behavioral2/memory/2208-40-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	xmrig
behavioral2/memory/3792-32-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	xmrig
behavioral2/memory/1992-61-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	xmrig
behavioral2/memory/1672-62-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp	xmrig
behavioral2/memory/3264-72-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/3296-71-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	xmrig
behavioral2/memory/4548-101-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp	xmrig
behavioral2/memory/2916-76-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	xmrig
behavioral2/memory/1844-128-0x00007FF663780000-0x00007FF663AD1000-memory.dmp	xmrig
behavioral2/memory/4676-134-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	xmrig
behavioral2/memory/2696-135-0x00007FF6782C0000-0x00007FF678611000-memory.dmp	xmrig
behavioral2/memory/3724-110-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	xmrig
behavioral2/memory/3204-144-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	xmrig
behavioral2/memory/1468-146-0x00007FF795040000-0x00007FF795391000-memory.dmp	xmrig
behavioral2/memory/2636-149-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	xmrig
behavioral2/memory/4584-148-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	xmrig
behavioral2/memory/4724-147-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	xmrig
behavioral2/memory/4124-151-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	xmrig
behavioral2/memory/1992-152-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	xmrig
behavioral2/memory/4184-158-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	xmrig
behavioral2/memory/1696-157-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	xmrig
behavioral2/memory/1992-174-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	xmrig
behavioral2/memory/3296-204-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	xmrig
behavioral2/memory/2916-206-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	xmrig
behavioral2/memory/3824-208-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	xmrig
behavioral2/memory/2596-210-0x00007FF604010000-0x00007FF604361000-memory.dmp	xmrig
behavioral2/memory/3792-212-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	xmrig
behavioral2/memory/2208-219-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	xmrig
behavioral2/memory/4676-221-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	xmrig
behavioral2/memory/3724-223-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	xmrig
behavioral2/memory/3204-227-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	xmrig
behavioral2/memory/1672-226-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp	xmrig
behavioral2/memory/3264-229-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	xmrig
behavioral2/memory/1468-231-0x00007FF795040000-0x00007FF795391000-memory.dmp	xmrig
behavioral2/memory/4584-234-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	xmrig
behavioral2/memory/4724-235-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	xmrig
behavioral2/memory/2636-239-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	xmrig
behavioral2/memory/4548-238-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp	xmrig
behavioral2/memory/4124-247-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	xmrig
behavioral2/memory/2696-251-0x00007FF6782C0000-0x00007FF678611000-memory.dmp	xmrig
behavioral2/memory/1844-250-0x00007FF663780000-0x00007FF663AD1000-memory.dmp	xmrig
behavioral2/memory/1696-255-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	xmrig
behavioral2/memory/4184-254-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

cFoJPZz.exeeAxHtbd.exeHDpPmgF.exeOHrqSlq.exeTwpfrDG.exepFAYcZg.exesgTdRtb.exeMsYFIKY.exelJdWxpx.exeElhkzLk.exenOEVESv.execLVizei.exeAGcPMrr.exexgRjCXO.exeFPNwLOP.exerDzEjVj.exeWVgVBWt.exedHZxzWv.exesbgbEPv.exelpxhBXy.exeVqfGpFh.exe

pid	process
3296	cFoJPZz.exe
2916	eAxHtbd.exe
3824	HDpPmgF.exe
2596	OHrqSlq.exe
3792	TwpfrDG.exe
2208	pFAYcZg.exe
3724	sgTdRtb.exe
4676	MsYFIKY.exe
3204	lJdWxpx.exe
1672	ElhkzLk.exe
3264	nOEVESv.exe
1468	cLVizei.exe
4724	AGcPMrr.exe
4584	xgRjCXO.exe
2636	FPNwLOP.exe
4548	rDzEjVj.exe
4124	WVgVBWt.exe
1844	dHZxzWv.exe
2696	sbgbEPv.exe
1696	lpxhBXy.exe
4184	VqfGpFh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1992-0-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	upx
C:\Windows\System\cFoJPZz.exe	upx
behavioral2/memory/3296-8-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	upx
C:\Windows\System\eAxHtbd.exe	upx
C:\Windows\System\HDpPmgF.exe	upx
behavioral2/memory/2916-14-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	upx
C:\Windows\System\OHrqSlq.exe	upx
behavioral2/memory/2596-26-0x00007FF604010000-0x00007FF604361000-memory.dmp	upx
behavioral2/memory/3824-21-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	upx
C:\Windows\System\TwpfrDG.exe	upx
C:\Windows\System\pFAYcZg.exe	upx
C:\Windows\System\sgTdRtb.exe	upx
behavioral2/memory/3724-45-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	upx
behavioral2/memory/4676-49-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	upx
C:\Windows\System\lJdWxpx.exe	upx
C:\Windows\System\ElhkzLk.exe	upx
behavioral2/memory/3204-55-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	upx
C:\Windows\System\MsYFIKY.exe	upx
behavioral2/memory/2208-40-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	upx
behavioral2/memory/3792-32-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	upx
behavioral2/memory/1992-61-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	upx
behavioral2/memory/1672-62-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp	upx
C:\Windows\System\nOEVESv.exe	upx
C:\Windows\System\cLVizei.exe	upx
behavioral2/memory/3264-72-0x00007FF654180000-0x00007FF6544D1000-memory.dmp	upx
behavioral2/memory/3296-71-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	upx
behavioral2/memory/4584-83-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	upx
C:\Windows\System\AGcPMrr.exe	upx
C:\Windows\System\FPNwLOP.exe	upx
C:\Windows\System\rDzEjVj.exe	upx
behavioral2/memory/4548-101-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp	upx
behavioral2/memory/2636-95-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	upx
behavioral2/memory/4724-87-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	upx
C:\Windows\System\xgRjCXO.exe	upx
behavioral2/memory/1468-82-0x00007FF795040000-0x00007FF795391000-memory.dmp	upx
behavioral2/memory/2916-76-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	upx
C:\Windows\System\WVgVBWt.exe	upx
C:\Windows\System\dHZxzWv.exe	upx
C:\Windows\System\lpxhBXy.exe	upx
C:\Windows\System\sbgbEPv.exe	upx
behavioral2/memory/1844-128-0x00007FF663780000-0x00007FF663AD1000-memory.dmp	upx
behavioral2/memory/4184-133-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	upx
behavioral2/memory/4676-134-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp	upx
behavioral2/memory/2696-135-0x00007FF6782C0000-0x00007FF678611000-memory.dmp	upx
C:\Windows\System\VqfGpFh.exe	upx
behavioral2/memory/1696-130-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	upx
behavioral2/memory/4124-121-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	upx
behavioral2/memory/3724-110-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp	upx
behavioral2/memory/3204-144-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp	upx
behavioral2/memory/1468-146-0x00007FF795040000-0x00007FF795391000-memory.dmp	upx
behavioral2/memory/2636-149-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp	upx
behavioral2/memory/4584-148-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp	upx
behavioral2/memory/4724-147-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp	upx
behavioral2/memory/4124-151-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp	upx
behavioral2/memory/1992-152-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	upx
behavioral2/memory/4184-158-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp	upx
behavioral2/memory/1696-157-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp	upx
behavioral2/memory/1992-174-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp	upx
behavioral2/memory/3296-204-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp	upx
behavioral2/memory/2916-206-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp	upx
behavioral2/memory/3824-208-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp	upx
behavioral2/memory/2596-210-0x00007FF604010000-0x00007FF604361000-memory.dmp	upx
behavioral2/memory/3792-212-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp	upx
behavioral2/memory/2208-219-0x00007FF73B230000-0x00007FF73B581000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\sgTdRtb.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nOEVESv.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AGcPMrr.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FPNwLOP.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rDzEjVj.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MsYFIKY.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xgRjCXO.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dHZxzWv.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cFoJPZz.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eAxHtbd.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HDpPmgF.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHrqSlq.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TwpfrDG.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VqfGpFh.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pFAYcZg.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lJdWxpx.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cLVizei.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lpxhBXy.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sbgbEPv.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ElhkzLk.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WVgVBWt.exe	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1992 wrote to memory of 3296	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cFoJPZz.exe
PID 1992 wrote to memory of 3296	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cFoJPZz.exe
PID 1992 wrote to memory of 2916	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	eAxHtbd.exe
PID 1992 wrote to memory of 2916	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	eAxHtbd.exe
PID 1992 wrote to memory of 3824	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	HDpPmgF.exe
PID 1992 wrote to memory of 3824	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	HDpPmgF.exe
PID 1992 wrote to memory of 2596	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	OHrqSlq.exe
PID 1992 wrote to memory of 2596	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	OHrqSlq.exe
PID 1992 wrote to memory of 3792	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	TwpfrDG.exe
PID 1992 wrote to memory of 3792	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	TwpfrDG.exe
PID 1992 wrote to memory of 2208	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	pFAYcZg.exe
PID 1992 wrote to memory of 2208	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	pFAYcZg.exe
PID 1992 wrote to memory of 3724	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	sgTdRtb.exe
PID 1992 wrote to memory of 3724	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	sgTdRtb.exe
PID 1992 wrote to memory of 4676	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	MsYFIKY.exe
PID 1992 wrote to memory of 4676	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	MsYFIKY.exe
PID 1992 wrote to memory of 3204	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lJdWxpx.exe
PID 1992 wrote to memory of 3204	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lJdWxpx.exe
PID 1992 wrote to memory of 1672	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ElhkzLk.exe
PID 1992 wrote to memory of 1672	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	ElhkzLk.exe
PID 1992 wrote to memory of 3264	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	nOEVESv.exe
PID 1992 wrote to memory of 3264	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	nOEVESv.exe
PID 1992 wrote to memory of 1468	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cLVizei.exe
PID 1992 wrote to memory of 1468	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	cLVizei.exe
PID 1992 wrote to memory of 4724	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	AGcPMrr.exe
PID 1992 wrote to memory of 4724	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	AGcPMrr.exe
PID 1992 wrote to memory of 4584	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	xgRjCXO.exe
PID 1992 wrote to memory of 4584	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	xgRjCXO.exe
PID 1992 wrote to memory of 2636	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	FPNwLOP.exe
PID 1992 wrote to memory of 2636	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	FPNwLOP.exe
PID 1992 wrote to memory of 4548	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	rDzEjVj.exe
PID 1992 wrote to memory of 4548	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	rDzEjVj.exe
PID 1992 wrote to memory of 4124	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	WVgVBWt.exe
PID 1992 wrote to memory of 4124	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	WVgVBWt.exe
PID 1992 wrote to memory of 1844	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	dHZxzWv.exe
PID 1992 wrote to memory of 1844	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	dHZxzWv.exe
PID 1992 wrote to memory of 1696	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lpxhBXy.exe
PID 1992 wrote to memory of 1696	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	lpxhBXy.exe
PID 1992 wrote to memory of 4184	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	VqfGpFh.exe
PID 1992 wrote to memory of 4184	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	VqfGpFh.exe
PID 1992 wrote to memory of 2696	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	sbgbEPv.exe
PID 1992 wrote to memory of 2696	1992	2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe	sbgbEPv.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_89bb0a8945c30a2a7e5f8c748f68bc54_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\System\cFoJPZz.exe
C:\Windows\System\cFoJPZz.exe
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\System\eAxHtbd.exe
C:\Windows\System\eAxHtbd.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\HDpPmgF.exe
C:\Windows\System\HDpPmgF.exe
2⤵
- Executes dropped EXE
PID:3824

C:\Windows\System\OHrqSlq.exe
C:\Windows\System\OHrqSlq.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\TwpfrDG.exe
C:\Windows\System\TwpfrDG.exe
2⤵
- Executes dropped EXE
PID:3792

C:\Windows\System\pFAYcZg.exe
C:\Windows\System\pFAYcZg.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System\sgTdRtb.exe
C:\Windows\System\sgTdRtb.exe
2⤵
- Executes dropped EXE
PID:3724

C:\Windows\System\MsYFIKY.exe
C:\Windows\System\MsYFIKY.exe
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\System\lJdWxpx.exe
C:\Windows\System\lJdWxpx.exe
2⤵
- Executes dropped EXE
PID:3204

C:\Windows\System\ElhkzLk.exe
C:\Windows\System\ElhkzLk.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\nOEVESv.exe
C:\Windows\System\nOEVESv.exe
2⤵
- Executes dropped EXE
PID:3264

C:\Windows\System\cLVizei.exe
C:\Windows\System\cLVizei.exe
2⤵
- Executes dropped EXE
PID:1468

C:\Windows\System\AGcPMrr.exe
C:\Windows\System\AGcPMrr.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\xgRjCXO.exe
C:\Windows\System\xgRjCXO.exe
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\System\FPNwLOP.exe
C:\Windows\System\FPNwLOP.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\rDzEjVj.exe
C:\Windows\System\rDzEjVj.exe
2⤵
- Executes dropped EXE
PID:4548

C:\Windows\System\WVgVBWt.exe
C:\Windows\System\WVgVBWt.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\System\dHZxzWv.exe
C:\Windows\System\dHZxzWv.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\System\lpxhBXy.exe
C:\Windows\System\lpxhBXy.exe
2⤵
- Executes dropped EXE
PID:1696

C:\Windows\System\VqfGpFh.exe
C:\Windows\System\VqfGpFh.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\System\sbgbEPv.exe
C:\Windows\System\sbgbEPv.exe
2⤵
- Executes dropped EXE
PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGcPMrr.exe
Filesize
5.2MB

MD5
caaa448ef27a3a8145f225fdfabc56fc

SHA1
8676141c93485ac4161f69f80711dd104a516b43

SHA256
b88ca17cc82510a2a4b36076d46c7ab048ff640a397ca046205f6b7490cafa60

SHA512
02d6758db122e7498e888513e234b5b633627b48f5a1cb891c922d2c292e1c43778144aec297ab12a50c6b68e937922030397b2c89963b568ab4d032a09fe4a5

Download Submit
C:\Windows\System\ElhkzLk.exe
Filesize
5.2MB

MD5
1976bf8b325f7081080867b81e3a1557

SHA1
e99bd27a84643b8cdd27f2397a032bbaf3fd1728

SHA256
21248ef84d644063b7fedd9c348a486000a38f4b5634f0cf94f5eba9ee3b8b53

SHA512
b2b9671bb8e950b3a134099da84b27b5895dfb29d27b398becff5744df4e26fdeda6b2b784b466944dab6b236e9a6af31f365e33745a8b4e4c5de16b5cf764eb

Download Submit
C:\Windows\System\FPNwLOP.exe
Filesize
5.2MB

MD5
05de9a4b01fb2d41c178bb088c12e6a2

SHA1
5eba310944d3fc494473e792caee2992027d771c

SHA256
8ec29d939a43af87148c81feb676b89ff3a6d37c3e048ea8906e9160b9791e68

SHA512
bb6d21066b226a55d61af9841c67afe7ae9d29839bfc164dfc57ae98e457a1c02f543668249289f4ecc5e05414ee5e5b5871ee9b4920e320cee94c268e767979

Download Submit
C:\Windows\System\HDpPmgF.exe
Filesize
5.2MB

MD5
44dab0d5672bf0a6ed606525ce4fc931

SHA1
cc9282febca8c4bf6d6e0e7880c3b3c0e73b2e27

SHA256
ff48d8c30d986b406704e9000043fa4b48688da8fadf675bc1e7b32f6ade5791

SHA512
823ebc86461d3578aa87ccfc774de34025c7836d5bd33395c59cbff71fd60045d8f4bbbf6723cd1d3997e44d0ae2320575fbe2af855e6993240b302332226956

Download Submit
C:\Windows\System\MsYFIKY.exe
Filesize
5.2MB

MD5
c61452875a89cf5a4a7be9dadfb64e4c

SHA1
c417e9a68426c4fad855c5bddf0fe4b8f0bf6bad

SHA256
dcdbc8022d50b821fd9c4e6cd132e0a695cf8f3ec8bb4f911c964017d943db4c

SHA512
5b443e0b049f64ecbd777f3adec53cf8fdf3e43fd9ffba5a75d8520810b8c62c93ae8ff234adcd1981b457a540bb96bcbdc069c641b8079167c1d442625bf820

Download Submit
C:\Windows\System\OHrqSlq.exe
Filesize
5.2MB

MD5
a4fb7a03e528dcac0af4c43b79050337

SHA1
ccda2bbaf2b142016980f41101fe221f45ef91ab

SHA256
27dd96b63374dc8f6a7bc5bd8f01dda5860ddb106bde6d6e74f3e9bd168f071f

SHA512
a0df618149d51d356d3563e30a9e7ac60616be374767c71eb8c9d70c479891ce0361d7559ea160bc43828082fa4adc93e138ea3d8c04b3795280747722cecbf4

Download Submit
C:\Windows\System\TwpfrDG.exe
Filesize
5.2MB

MD5
fcf2f01696f5c914c87e2a1d560cf104

SHA1
1b72fb474e94e9856a20eb81e1975f029b26908a

SHA256
593300e6ed4cd40e2a4b7bab8128533ade187d7c1a7656fcfebca29b15e861d6

SHA512
9a8342026bd71daecd652356b4e73db15042568869eb618fbef1704c121af4bd8d75f671d5f6bfb1b44a1c39eae28aaef8768300263b49625ec28ff0476f5aac

Download Submit
C:\Windows\System\VqfGpFh.exe
Filesize
5.2MB

MD5
0006319dddf59691b44d883e7c60b11c

SHA1
8726647c1d345f079950699a7862adb5c9b0267e

SHA256
d877a65d1a6e73c5a6c3351f037c12e3d98146979cbb9b68a30c5bd5e1593e3e

SHA512
2b9b1b1b4717c2814cca02705840a8285c07f3a06ce01c0db339efbb986358257124736c91e10aba062dc158b0090aae541a16b562a48382716e70be7efc07de

Download Submit
C:\Windows\System\WVgVBWt.exe
Filesize
5.2MB

MD5
921b694fa682fa655400b3e8d879371f

SHA1
fb7bff00c73f833b5862186a4b08210eb0c8321e

SHA256
9a069431ec06e03c074e7ba49c412fa6f66b76c86db3602b1aa943fde574dae6

SHA512
2121f8daef8cb8f5bef17caec39f105d6fb4ba0f09a340278149b974d51124876067667a9a4b4e6f09aa8a368e726bbe59bea6d80f1652d9ac234ea7f8266f7a

Download Submit
C:\Windows\System\cFoJPZz.exe
Filesize
5.2MB

MD5
39ec33ddb17dfa782a1dbdd767f5e61b

SHA1
90425dcc61d43967971a82e20c9572d22a7990f5

SHA256
6838bd56251e6716e9be0ef52a4e60c209e39cfd2fc22187cf2bc3c623baf52c

SHA512
66d2f5902291ace096c1cb831f7586cc61dafcc38a0ac896b9b288aff1ca451844402c33b8ab5413060bd83216910e5c066c06c377543755d335cf62e88a4ddc

Download Submit
C:\Windows\System\cLVizei.exe
Filesize
5.2MB

MD5
e0ef0dd08f4b0dbf24ff62f42419dbc3

SHA1
46d0346dc33112aa5fe6530fc70dff37fe24b9ab

SHA256
01bf9d122da5d2bccabb507039e9a91ef989062d56ca0b90edf41f7c476cb958

SHA512
2c919d6cd096c9a05def48a8a6a5be257bddbde87681602e5553da0ec1d7177b488841c9231eb8139e5b7fab39ad2cd7753f82288ef8cc2c8abc99dcaf4b40a1

Download Submit
C:\Windows\System\dHZxzWv.exe
Filesize
5.2MB

MD5
befb0f1039b7127c0ff06de6272c6098

SHA1
4882cb5d5417bc3a71e649bf9a8688cd207cfc39

SHA256
c6b7ca544faeb9a8ac99ef17307b262c1089bd0e836a729ba1111ca9d1578e9e

SHA512
c92697197b3e8560845738bcbc5a3568e137ac869a1c023759fc803a2fb52d3cc0b93102174559ee70b7918c674ef97d0c4dc27c3ad27eb28e773b1b1a81cae4

Download Submit
C:\Windows\System\eAxHtbd.exe
Filesize
5.2MB

MD5
46412af3fccbe63067a9a195eceffd43

SHA1
a8fcc177f0b7defc7924c887d3ae18c0cb92373b

SHA256
475d16786d35dd10ab4c5650a51cc4e7defd13a3e521612cca86502e9b969bc0

SHA512
a8c2b47f3658efd462fd47b02b337d1c025f47806ba9e4fee133fa5ac858ddf69b5fe1a2b107ea7c5c380e5069c03f37b8abf255032b59093a3a045c140a750c

Download Submit
C:\Windows\System\lJdWxpx.exe
Filesize
5.2MB

MD5
042542195fb7376f2c3a3e11bafdf6b4

SHA1
d227d381bb7f2d623a5c0df0e03d95674781debf

SHA256
2589ade47952a92d4a9743ac53c67e0ed848374ccde210f565ca0b388244513e

SHA512
ca54ea9fe0394742ec27f4ac03d78c6a4c06325c5deff708c6d0e4a24e737f77b23948147683409d095eaad51bbc2156ea7c80f29afba3125c268009e1e3fc71

Download Submit
C:\Windows\System\lpxhBXy.exe
Filesize
5.2MB

MD5
50d9dd4dd9bc92c2588ef81b834acbe9

SHA1
b3368e08271254feebcd76a289bed8b3f2ba2d2c

SHA256
54f9482215dcbb122bb18acf2078ed39bd9c6403fbd4bc99cc18cfdf143a5ea0

SHA512
358bd316595f5071508e97d0ad8bd6541f1edfb9c201abfaede71093446197cc9e6e7441a5c19bcdf9360f951ab28d86f6b3a082504c4bcc208579d420e9a450

Download Submit
C:\Windows\System\nOEVESv.exe
Filesize
5.2MB

MD5
c936d394b26c6417dfe80ccd5e682ad9

SHA1
f37078db4863e6bb4e68bf42406bf0c71268ede3

SHA256
df0c770279d8b133038526ce99e2e9ea5739bd39470745225230c1f358e7a925

SHA512
99a89f193389d6973295510fadbdea07952bdb71cdc49231a7973bbe73c6f52abb3e28ecb640f040dd04dc10577bff3b06f4523a5a4f032d19093c2813dab418

Download Submit
C:\Windows\System\pFAYcZg.exe
Filesize
5.2MB

MD5
89bab8e0a69626e14a4c6968f5fbf3f8

SHA1
27a28175bf9d273de86a11e46d9ee592cb0ed660

SHA256
daad3150701e9237eda0d6b1a9147d16cc23fe72d0928a3cb880c3e94e91106f

SHA512
fe8df767630b1e606476d360420d8b5aff4696c1de820dd7f1b75271463eed7417fe87acd908cab74d065caf94aa473349f2db9e7fe9c5d2f5e1c920bb77c439

Download Submit
C:\Windows\System\rDzEjVj.exe
Filesize
5.2MB

MD5
ba625709dbc2d453ee7d02a062000ee2

SHA1
028877565a6642daca21e8f62330691a989e4868

SHA256
fe017603a0e77fbb6818fb8089de15fa8251d243981f7ab0c0aa4d8c824c637d

SHA512
6a4099d3aed76c605acf0133e843bc469465571d9caa434fc154c054c0e0e0487edc9f0bad0949f868dd00569728f61059c2fc2e5e5bd34b01bfe60b1b0f8ebf

Download Submit
C:\Windows\System\sbgbEPv.exe
Filesize
5.2MB

MD5
3cf109b553d9f5f5e03ded50f1ecb9b3

SHA1
bceff9122dce59abaf68e503580511c7e247d542

SHA256
d52b069ede1e71072879374408606ff97af20814bae075a044073a03b9ea2e0f

SHA512
0725a43eb89aecfb07e93682baf7cbefb43934f7265545f8ee1cdebb7906c68db2f50c273337e549fc39a6320907f69249da230027822dbc0a19d4c218d764d8

Download Submit
C:\Windows\System\sgTdRtb.exe
Filesize
5.2MB

MD5
4a3da378c0698eff1318d1351c1362c5

SHA1
ea0faa9d76afe784a900f2b5704c7cc99fc4a80d

SHA256
b200e3fb9fc352de56fe8c75538f50433308eb0482db4488c2bc7842c78006f0

SHA512
7acb26705f731a3180282d3e753445bf48adb753f1098925ad59afc95514be8b56bb778a052a2f788772c6cb3ea488a147ce53698b6bc4f12c1a060c582b3d50

Download Submit
C:\Windows\System\xgRjCXO.exe
Filesize
5.2MB

MD5
1593d049caabe287021c7b11dc4823d0

SHA1
4a29d8a6d4939efd28b605b0893471497786ec01

SHA256
68f5d0afc25b65b09e1f1137dfd88a8d7231b73554bd34f1ea1cb819be1188c3

SHA512
6ea88f434ec8587da55784de05fe72dfa3d55507345cee445061c55386008913644b65ca01f28b05e7faaf4074b60aacd1f85f141a4ec0e2caedd708042c4cbc

Download Submit
memory/1468-231-0x00007FF795040000-0x00007FF795391000-memory.dmp

Filesize
3.3MB

Download
memory/1468-146-0x00007FF795040000-0x00007FF795391000-memory.dmp

Filesize
3.3MB

Download
memory/1468-82-0x00007FF795040000-0x00007FF795391000-memory.dmp

Filesize
3.3MB

Download
memory/1672-226-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp

Filesize
3.3MB

Download
memory/1672-62-0x00007FF6FB000000-0x00007FF6FB351000-memory.dmp

Filesize
3.3MB

Download
memory/1696-130-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp

Filesize
3.3MB

Download
memory/1696-157-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp

Filesize
3.3MB

Download
memory/1696-255-0x00007FF6C4BF0000-0x00007FF6C4F41000-memory.dmp

Filesize
3.3MB

Download
memory/1844-128-0x00007FF663780000-0x00007FF663AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-250-0x00007FF663780000-0x00007FF663AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1992-61-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp

Filesize
3.3MB

Download
memory/1992-0-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp

Filesize
3.3MB

Download
memory/1992-152-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp

Filesize
3.3MB

Download
memory/1992-174-0x00007FF7EC8B0000-0x00007FF7ECC01000-memory.dmp

Filesize
3.3MB

Download
memory/1992-1-0x0000019B286E0000-0x0000019B286F0000-memory.dmp

Filesize
64KB

Download
memory/2208-40-0x00007FF73B230000-0x00007FF73B581000-memory.dmp

Filesize
3.3MB

Download
memory/2208-219-0x00007FF73B230000-0x00007FF73B581000-memory.dmp

Filesize
3.3MB

Download
memory/2596-210-0x00007FF604010000-0x00007FF604361000-memory.dmp

Filesize
3.3MB

Download
memory/2596-26-0x00007FF604010000-0x00007FF604361000-memory.dmp

Filesize
3.3MB

Download
memory/2636-149-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp

Filesize
3.3MB

Download
memory/2636-95-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp

Filesize
3.3MB

Download
memory/2636-239-0x00007FF6DE8B0000-0x00007FF6DEC01000-memory.dmp

Filesize
3.3MB

Download
memory/2696-251-0x00007FF6782C0000-0x00007FF678611000-memory.dmp

Filesize
3.3MB

Download
memory/2696-135-0x00007FF6782C0000-0x00007FF678611000-memory.dmp

Filesize
3.3MB

Download
memory/2916-14-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp

Filesize
3.3MB

Download
memory/2916-206-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp

Filesize
3.3MB

Download
memory/2916-76-0x00007FF7ADFD0000-0x00007FF7AE321000-memory.dmp

Filesize
3.3MB

Download
memory/3204-144-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp

Filesize
3.3MB

Download
memory/3204-227-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp

Filesize
3.3MB

Download
memory/3204-55-0x00007FF6DBBD0000-0x00007FF6DBF21000-memory.dmp

Filesize
3.3MB

Download
memory/3264-229-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/3264-72-0x00007FF654180000-0x00007FF6544D1000-memory.dmp

Filesize
3.3MB

Download
memory/3296-204-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp

Filesize
3.3MB

Download
memory/3296-71-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp

Filesize
3.3MB

Download
memory/3296-8-0x00007FF7C7600000-0x00007FF7C7951000-memory.dmp

Filesize
3.3MB

Download
memory/3724-110-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp

Filesize
3.3MB

Download
memory/3724-223-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp

Filesize
3.3MB

Download
memory/3724-45-0x00007FF7AA7B0000-0x00007FF7AAB01000-memory.dmp

Filesize
3.3MB

Download
memory/3792-212-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3792-32-0x00007FF74BB60000-0x00007FF74BEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3824-21-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp

Filesize
3.3MB

Download
memory/3824-208-0x00007FF73AEC0000-0x00007FF73B211000-memory.dmp

Filesize
3.3MB

Download
memory/4124-121-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-151-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/4124-247-0x00007FF62C560000-0x00007FF62C8B1000-memory.dmp

Filesize
3.3MB

Download
memory/4184-133-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp

Filesize
3.3MB

Download
memory/4184-158-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp

Filesize
3.3MB

Download
memory/4184-254-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp

Filesize
3.3MB

Download
memory/4548-101-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp

Filesize
3.3MB

Download
memory/4548-238-0x00007FF62D2D0000-0x00007FF62D621000-memory.dmp

Filesize
3.3MB

Download
memory/4584-148-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/4584-234-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/4584-83-0x00007FF6D49D0000-0x00007FF6D4D21000-memory.dmp

Filesize
3.3MB

Download
memory/4676-49-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp

Filesize
3.3MB

Download
memory/4676-134-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp

Filesize
3.3MB

Download
memory/4676-221-0x00007FF6E52E0000-0x00007FF6E5631000-memory.dmp

Filesize
3.3MB

Download
memory/4724-147-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-87-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp

Filesize
3.3MB

Download
memory/4724-235-0x00007FF7939A0000-0x00007FF793CF1000-memory.dmp

Filesize
3.3MB

Download