cobaltstrike | 0bfe9cfe6dfefbd8635bfbc68205f6e76936a791f0bfe3cd721d84e874745b6c

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

9692994b50a306dd8b2c1bad47b972c5
SHA1

66618ae1d2bed409353427dc1d778130579edf6a
SHA256

0bfe9cfe6dfefbd8635bfbc68205f6e76936a791f0bfe3cd721d84e874745b6c
SHA512

214db3da293c0480face79a8696af41d0d086cd42807f7a7ea0368d97ee0cfdb63f5bbd252a1776e1a2096c4a5bb56c6944b8f7041d980d567fdaefd4783b0be
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUT:v+D56utgpPF8u/7T

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ePPXIDU.exe	cobalt_reflective_dll
C:\Windows\System\TaxmNBu.exe	cobalt_reflective_dll
C:\Windows\System\VqUvGCF.exe	cobalt_reflective_dll
C:\Windows\System\cFwDNeO.exe	cobalt_reflective_dll
C:\Windows\System\kvKXvOo.exe	cobalt_reflective_dll
C:\Windows\System\wGkLPeQ.exe	cobalt_reflective_dll
C:\Windows\System\lJpFqTs.exe	cobalt_reflective_dll
C:\Windows\System\dsBgyZy.exe	cobalt_reflective_dll
C:\Windows\System\NRqeiYs.exe	cobalt_reflective_dll
C:\Windows\System\ddVqmgM.exe	cobalt_reflective_dll
C:\Windows\System\gwXIswR.exe	cobalt_reflective_dll
C:\Windows\System\ioXFFjO.exe	cobalt_reflective_dll
C:\Windows\System\ONtGUdl.exe	cobalt_reflective_dll
C:\Windows\System\MZnummp.exe	cobalt_reflective_dll
C:\Windows\System\ssQDCve.exe	cobalt_reflective_dll
C:\Windows\System\rFScPfa.exe	cobalt_reflective_dll
C:\Windows\System\vgopZRx.exe	cobalt_reflective_dll
C:\Windows\System\ypVyDQe.exe	cobalt_reflective_dll
C:\Windows\System\ZLrZHgz.exe	cobalt_reflective_dll
C:\Windows\System\fkcXTSP.exe	cobalt_reflective_dll
C:\Windows\System\JJLfXjr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\ePPXIDU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TaxmNBu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VqUvGCF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cFwDNeO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kvKXvOo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wGkLPeQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lJpFqTs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dsBgyZy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NRqeiYs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ddVqmgM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gwXIswR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ioXFFjO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ONtGUdl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MZnummp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ssQDCve.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rFScPfa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vgopZRx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ypVyDQe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZLrZHgz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fkcXTSP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JJLfXjr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3592-0-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	UPX
C:\Windows\System\ePPXIDU.exe	UPX
behavioral2/memory/4516-8-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	UPX
C:\Windows\System\TaxmNBu.exe	UPX
C:\Windows\System\VqUvGCF.exe	UPX
behavioral2/memory/3240-14-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	UPX
C:\Windows\System\cFwDNeO.exe	UPX
behavioral2/memory/2996-18-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	UPX
C:\Windows\System\kvKXvOo.exe	UPX
C:\Windows\System\wGkLPeQ.exe	UPX
behavioral2/memory/4864-36-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	UPX
behavioral2/memory/1372-32-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	UPX
behavioral2/memory/3264-23-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	UPX
C:\Windows\System\lJpFqTs.exe	UPX
behavioral2/memory/2004-44-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	UPX
C:\Windows\System\dsBgyZy.exe	UPX
behavioral2/memory/3592-64-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	UPX
C:\Windows\System\NRqeiYs.exe	UPX
behavioral2/memory/3308-72-0x00007FF72D450000-0x00007FF72D7A2000-memory.dmp	UPX
behavioral2/memory/4516-73-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	UPX
behavioral2/memory/4416-74-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	UPX
C:\Windows\System\ddVqmgM.exe	UPX
behavioral2/memory/4956-68-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	UPX
C:\Windows\System\gwXIswR.exe	UPX
C:\Windows\System\ioXFFjO.exe	UPX
behavioral2/memory/3892-56-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	UPX
behavioral2/memory/3376-52-0x00007FF712E30000-0x00007FF713182000-memory.dmp	UPX
C:\Windows\System\ONtGUdl.exe	UPX
behavioral2/memory/2996-82-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	UPX
C:\Windows\System\MZnummp.exe	UPX
behavioral2/memory/3624-90-0x00007FF654D50000-0x00007FF6550A2000-memory.dmp	UPX
behavioral2/memory/3264-89-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	UPX
behavioral2/memory/2124-83-0x00007FF66F250000-0x00007FF66F5A2000-memory.dmp	UPX
C:\Windows\System\ssQDCve.exe	UPX
behavioral2/memory/2628-96-0x00007FF67E180000-0x00007FF67E4D2000-memory.dmp	UPX
C:\Windows\System\rFScPfa.exe	UPX
C:\Windows\System\vgopZRx.exe	UPX
C:\Windows\System\ypVyDQe.exe	UPX
behavioral2/memory/4292-103-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	UPX
behavioral2/memory/4864-101-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	UPX
C:\Windows\System\ZLrZHgz.exe	UPX
C:\Windows\System\fkcXTSP.exe	UPX
behavioral2/memory/4380-121-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	UPX
C:\Windows\System\JJLfXjr.exe	UPX
behavioral2/memory/1916-133-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	UPX
behavioral2/memory/4956-130-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	UPX
behavioral2/memory/2652-128-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	UPX
behavioral2/memory/756-126-0x00007FF770F00000-0x00007FF771252000-memory.dmp	UPX
behavioral2/memory/3892-125-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	UPX
behavioral2/memory/2640-113-0x00007FF649630000-0x00007FF649982000-memory.dmp	UPX
behavioral2/memory/4416-135-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	UPX
behavioral2/memory/4292-136-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	UPX
behavioral2/memory/2640-137-0x00007FF649630000-0x00007FF649982000-memory.dmp	UPX
behavioral2/memory/4380-138-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	UPX
behavioral2/memory/2652-139-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	UPX
behavioral2/memory/4516-140-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	UPX
behavioral2/memory/3240-141-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	UPX
behavioral2/memory/3264-142-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	UPX
behavioral2/memory/2996-143-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	UPX
behavioral2/memory/1372-144-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	UPX
behavioral2/memory/4864-145-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	UPX
behavioral2/memory/1916-146-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	UPX
behavioral2/memory/2004-147-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	UPX
behavioral2/memory/3376-148-0x00007FF712E30000-0x00007FF713182000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3592-0-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	xmrig
C:\Windows\System\ePPXIDU.exe	xmrig
behavioral2/memory/4516-8-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	xmrig
C:\Windows\System\TaxmNBu.exe	xmrig
C:\Windows\System\VqUvGCF.exe	xmrig
behavioral2/memory/3240-14-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	xmrig
C:\Windows\System\cFwDNeO.exe	xmrig
behavioral2/memory/2996-18-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	xmrig
C:\Windows\System\kvKXvOo.exe	xmrig
C:\Windows\System\wGkLPeQ.exe	xmrig
behavioral2/memory/4864-36-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	xmrig
behavioral2/memory/1372-32-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	xmrig
behavioral2/memory/3264-23-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	xmrig
C:\Windows\System\lJpFqTs.exe	xmrig
behavioral2/memory/2004-44-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	xmrig
C:\Windows\System\dsBgyZy.exe	xmrig
behavioral2/memory/3592-64-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	xmrig
C:\Windows\System\NRqeiYs.exe	xmrig
behavioral2/memory/3308-72-0x00007FF72D450000-0x00007FF72D7A2000-memory.dmp	xmrig
behavioral2/memory/4516-73-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	xmrig
behavioral2/memory/4416-74-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	xmrig
C:\Windows\System\ddVqmgM.exe	xmrig
behavioral2/memory/4956-68-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	xmrig
C:\Windows\System\gwXIswR.exe	xmrig
C:\Windows\System\ioXFFjO.exe	xmrig
behavioral2/memory/3892-56-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	xmrig
behavioral2/memory/3376-52-0x00007FF712E30000-0x00007FF713182000-memory.dmp	xmrig
C:\Windows\System\ONtGUdl.exe	xmrig
behavioral2/memory/2996-82-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	xmrig
C:\Windows\System\MZnummp.exe	xmrig
behavioral2/memory/3624-90-0x00007FF654D50000-0x00007FF6550A2000-memory.dmp	xmrig
behavioral2/memory/3264-89-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	xmrig
behavioral2/memory/2124-83-0x00007FF66F250000-0x00007FF66F5A2000-memory.dmp	xmrig
C:\Windows\System\ssQDCve.exe	xmrig
behavioral2/memory/2628-96-0x00007FF67E180000-0x00007FF67E4D2000-memory.dmp	xmrig
C:\Windows\System\rFScPfa.exe	xmrig
C:\Windows\System\vgopZRx.exe	xmrig
C:\Windows\System\ypVyDQe.exe	xmrig
behavioral2/memory/4292-103-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	xmrig
behavioral2/memory/4864-101-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	xmrig
C:\Windows\System\ZLrZHgz.exe	xmrig
C:\Windows\System\fkcXTSP.exe	xmrig
behavioral2/memory/4380-121-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	xmrig
C:\Windows\System\JJLfXjr.exe	xmrig
behavioral2/memory/1916-133-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	xmrig
behavioral2/memory/4956-130-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	xmrig
behavioral2/memory/2652-128-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	xmrig
behavioral2/memory/756-126-0x00007FF770F00000-0x00007FF771252000-memory.dmp	xmrig
behavioral2/memory/3892-125-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	xmrig
behavioral2/memory/2640-113-0x00007FF649630000-0x00007FF649982000-memory.dmp	xmrig
behavioral2/memory/4416-135-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	xmrig
behavioral2/memory/4292-136-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	xmrig
behavioral2/memory/2640-137-0x00007FF649630000-0x00007FF649982000-memory.dmp	xmrig
behavioral2/memory/4380-138-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	xmrig
behavioral2/memory/2652-139-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	xmrig
behavioral2/memory/4516-140-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	xmrig
behavioral2/memory/3240-141-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	xmrig
behavioral2/memory/3264-142-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	xmrig
behavioral2/memory/2996-143-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	xmrig
behavioral2/memory/1372-144-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	xmrig
behavioral2/memory/4864-145-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	xmrig
behavioral2/memory/1916-146-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	xmrig
behavioral2/memory/2004-147-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	xmrig
behavioral2/memory/3376-148-0x00007FF712E30000-0x00007FF713182000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ePPXIDU.exeTaxmNBu.exeVqUvGCF.execFwDNeO.exekvKXvOo.exewGkLPeQ.exelJpFqTs.exedsBgyZy.exeioXFFjO.exeNRqeiYs.exegwXIswR.exeddVqmgM.exeONtGUdl.exeMZnummp.exessQDCve.exeZLrZHgz.exerFScPfa.exeypVyDQe.exevgopZRx.exefkcXTSP.exeJJLfXjr.exe

pid	process
4516	ePPXIDU.exe
3240	TaxmNBu.exe
2996	VqUvGCF.exe
3264	cFwDNeO.exe
1372	kvKXvOo.exe
4864	wGkLPeQ.exe
2004	lJpFqTs.exe
3376	dsBgyZy.exe
3892	ioXFFjO.exe
4956	NRqeiYs.exe
3308	gwXIswR.exe
4416	ddVqmgM.exe
2124	ONtGUdl.exe
3624	MZnummp.exe
2628	ssQDCve.exe
4292	ZLrZHgz.exe
2640	rFScPfa.exe
756	ypVyDQe.exe
4380	vgopZRx.exe
2652	fkcXTSP.exe
1916	JJLfXjr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3592-0-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	upx
C:\Windows\System\ePPXIDU.exe	upx
behavioral2/memory/4516-8-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	upx
C:\Windows\System\TaxmNBu.exe	upx
C:\Windows\System\VqUvGCF.exe	upx
behavioral2/memory/3240-14-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	upx
C:\Windows\System\cFwDNeO.exe	upx
behavioral2/memory/2996-18-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	upx
C:\Windows\System\kvKXvOo.exe	upx
C:\Windows\System\wGkLPeQ.exe	upx
behavioral2/memory/4864-36-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	upx
behavioral2/memory/1372-32-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	upx
behavioral2/memory/3264-23-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	upx
C:\Windows\System\lJpFqTs.exe	upx
behavioral2/memory/2004-44-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	upx
C:\Windows\System\dsBgyZy.exe	upx
behavioral2/memory/3592-64-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp	upx
C:\Windows\System\NRqeiYs.exe	upx
behavioral2/memory/3308-72-0x00007FF72D450000-0x00007FF72D7A2000-memory.dmp	upx
behavioral2/memory/4516-73-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	upx
behavioral2/memory/4416-74-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	upx
C:\Windows\System\ddVqmgM.exe	upx
behavioral2/memory/4956-68-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	upx
C:\Windows\System\gwXIswR.exe	upx
C:\Windows\System\ioXFFjO.exe	upx
behavioral2/memory/3892-56-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	upx
behavioral2/memory/3376-52-0x00007FF712E30000-0x00007FF713182000-memory.dmp	upx
C:\Windows\System\ONtGUdl.exe	upx
behavioral2/memory/2996-82-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	upx
C:\Windows\System\MZnummp.exe	upx
behavioral2/memory/3624-90-0x00007FF654D50000-0x00007FF6550A2000-memory.dmp	upx
behavioral2/memory/3264-89-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	upx
behavioral2/memory/2124-83-0x00007FF66F250000-0x00007FF66F5A2000-memory.dmp	upx
C:\Windows\System\ssQDCve.exe	upx
behavioral2/memory/2628-96-0x00007FF67E180000-0x00007FF67E4D2000-memory.dmp	upx
C:\Windows\System\rFScPfa.exe	upx
C:\Windows\System\vgopZRx.exe	upx
C:\Windows\System\ypVyDQe.exe	upx
behavioral2/memory/4292-103-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	upx
behavioral2/memory/4864-101-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	upx
C:\Windows\System\ZLrZHgz.exe	upx
C:\Windows\System\fkcXTSP.exe	upx
behavioral2/memory/4380-121-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	upx
C:\Windows\System\JJLfXjr.exe	upx
behavioral2/memory/1916-133-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	upx
behavioral2/memory/4956-130-0x00007FF776B40000-0x00007FF776E92000-memory.dmp	upx
behavioral2/memory/2652-128-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	upx
behavioral2/memory/756-126-0x00007FF770F00000-0x00007FF771252000-memory.dmp	upx
behavioral2/memory/3892-125-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp	upx
behavioral2/memory/2640-113-0x00007FF649630000-0x00007FF649982000-memory.dmp	upx
behavioral2/memory/4416-135-0x00007FF771650000-0x00007FF7719A2000-memory.dmp	upx
behavioral2/memory/4292-136-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp	upx
behavioral2/memory/2640-137-0x00007FF649630000-0x00007FF649982000-memory.dmp	upx
behavioral2/memory/4380-138-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp	upx
behavioral2/memory/2652-139-0x00007FF752FC0000-0x00007FF753312000-memory.dmp	upx
behavioral2/memory/4516-140-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp	upx
behavioral2/memory/3240-141-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp	upx
behavioral2/memory/3264-142-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp	upx
behavioral2/memory/2996-143-0x00007FF680360000-0x00007FF6806B2000-memory.dmp	upx
behavioral2/memory/1372-144-0x00007FF795080000-0x00007FF7953D2000-memory.dmp	upx
behavioral2/memory/4864-145-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp	upx
behavioral2/memory/1916-146-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp	upx
behavioral2/memory/2004-147-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp	upx
behavioral2/memory/3376-148-0x00007FF712E30000-0x00007FF713182000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\TaxmNBu.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dsBgyZy.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZLrZHgz.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ypVyDQe.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VqUvGCF.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lJpFqTs.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ioXFFjO.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NRqeiYs.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ddVqmgM.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JJLfXjr.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ePPXIDU.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cFwDNeO.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kvKXvOo.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gwXIswR.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MZnummp.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ssQDCve.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rFScPfa.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vgopZRx.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wGkLPeQ.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ONtGUdl.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fkcXTSP.exe	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3592 wrote to memory of 4516	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ePPXIDU.exe
PID 3592 wrote to memory of 4516	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ePPXIDU.exe
PID 3592 wrote to memory of 3240	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	TaxmNBu.exe
PID 3592 wrote to memory of 3240	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	TaxmNBu.exe
PID 3592 wrote to memory of 2996	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	VqUvGCF.exe
PID 3592 wrote to memory of 2996	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	VqUvGCF.exe
PID 3592 wrote to memory of 3264	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	cFwDNeO.exe
PID 3592 wrote to memory of 3264	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	cFwDNeO.exe
PID 3592 wrote to memory of 1372	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	kvKXvOo.exe
PID 3592 wrote to memory of 1372	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	kvKXvOo.exe
PID 3592 wrote to memory of 4864	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	wGkLPeQ.exe
PID 3592 wrote to memory of 4864	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	wGkLPeQ.exe
PID 3592 wrote to memory of 2004	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	lJpFqTs.exe
PID 3592 wrote to memory of 2004	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	lJpFqTs.exe
PID 3592 wrote to memory of 3376	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	dsBgyZy.exe
PID 3592 wrote to memory of 3376	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	dsBgyZy.exe
PID 3592 wrote to memory of 3892	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ioXFFjO.exe
PID 3592 wrote to memory of 3892	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ioXFFjO.exe
PID 3592 wrote to memory of 4956	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	NRqeiYs.exe
PID 3592 wrote to memory of 4956	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	NRqeiYs.exe
PID 3592 wrote to memory of 3308	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	gwXIswR.exe
PID 3592 wrote to memory of 3308	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	gwXIswR.exe
PID 3592 wrote to memory of 4416	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ddVqmgM.exe
PID 3592 wrote to memory of 4416	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ddVqmgM.exe
PID 3592 wrote to memory of 2124	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ONtGUdl.exe
PID 3592 wrote to memory of 2124	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ONtGUdl.exe
PID 3592 wrote to memory of 3624	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	MZnummp.exe
PID 3592 wrote to memory of 3624	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	MZnummp.exe
PID 3592 wrote to memory of 2628	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ssQDCve.exe
PID 3592 wrote to memory of 2628	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ssQDCve.exe
PID 3592 wrote to memory of 4292	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ZLrZHgz.exe
PID 3592 wrote to memory of 4292	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ZLrZHgz.exe
PID 3592 wrote to memory of 2640	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	rFScPfa.exe
PID 3592 wrote to memory of 2640	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	rFScPfa.exe
PID 3592 wrote to memory of 756	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ypVyDQe.exe
PID 3592 wrote to memory of 756	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	ypVyDQe.exe
PID 3592 wrote to memory of 4380	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	vgopZRx.exe
PID 3592 wrote to memory of 4380	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	vgopZRx.exe
PID 3592 wrote to memory of 2652	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	fkcXTSP.exe
PID 3592 wrote to memory of 2652	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	fkcXTSP.exe
PID 3592 wrote to memory of 1916	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	JJLfXjr.exe
PID 3592 wrote to memory of 1916	3592	2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe	JJLfXjr.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_9692994b50a306dd8b2c1bad47b972c5_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\System\ePPXIDU.exe
  C:\Windows\System\ePPXIDU.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\TaxmNBu.exe
  C:\Windows\System\TaxmNBu.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\VqUvGCF.exe
  C:\Windows\System\VqUvGCF.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\cFwDNeO.exe
  C:\Windows\System\cFwDNeO.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\kvKXvOo.exe
  C:\Windows\System\kvKXvOo.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\wGkLPeQ.exe
  C:\Windows\System\wGkLPeQ.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\lJpFqTs.exe
  C:\Windows\System\lJpFqTs.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\dsBgyZy.exe
  C:\Windows\System\dsBgyZy.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\ioXFFjO.exe
  C:\Windows\System\ioXFFjO.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\NRqeiYs.exe
  C:\Windows\System\NRqeiYs.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\gwXIswR.exe
  C:\Windows\System\gwXIswR.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\ddVqmgM.exe
  C:\Windows\System\ddVqmgM.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\ONtGUdl.exe
  C:\Windows\System\ONtGUdl.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\MZnummp.exe
  C:\Windows\System\MZnummp.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\ssQDCve.exe
  C:\Windows\System\ssQDCve.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\ZLrZHgz.exe
  C:\Windows\System\ZLrZHgz.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\rFScPfa.exe
  C:\Windows\System\rFScPfa.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\ypVyDQe.exe
  C:\Windows\System\ypVyDQe.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\vgopZRx.exe
  C:\Windows\System\vgopZRx.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\fkcXTSP.exe
  C:\Windows\System\fkcXTSP.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\JJLfXjr.exe
  C:\Windows\System\JJLfXjr.exe
  2⤵
  - Executes dropped EXE
  PID:1916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JJLfXjr.exe

Filesize
8.3MB

MD5
5b4ab42cf52175826a30703f623897b9

SHA1
c68e2c10a9240de963e49a4b9df38127929b255b

SHA256
5fde8a97aa9d02d147a64a1deacb728d115e8fe5fc0316557dbac254e03a34cc

SHA512
3b00f7c56ee71992ccc72330a154a08153b9c0ecda0846627537a5dda04d77068596760ffbe369c30f390bbee63a8d2309a4f946e3bb961c58493292e9953aac

Download Submit
C:\Windows\System\MZnummp.exe

Filesize
8.3MB

MD5
9b12e3d53e60d7058ce123b43772c9d4

SHA1
ac3e0ed893a746d1561a0c0ee7c2462dd2cf6973

SHA256
f3b186cc8a6a12e92ba1dec561d483b01b63fe18a3d22a6eb72ad5fafa533b94

SHA512
6a7fe61cfab51d121bdd13b68de71ff51dc581000f25e833c12c9b5169f30bc56eaf83cc15b53631b2e8c01e1e160602110c9f4a09a9202a0a7f2c2dd014a236

Download Submit
C:\Windows\System\NRqeiYs.exe

Filesize
8.3MB

MD5
10f219c7211da9d63a85ca469ebd4e5f

SHA1
57d50e0098b4a159eccbc6e6cd809a1913cf8586

SHA256
89bf51c0b20e101d10d87978b397c04d0c7974fd25d467748505090ae27f6a5f

SHA512
68b1cc9ce7aa6b4ca8199a1caaebb89d76795066d9392aa34998cad7c4422a74dce73c78adf51324e0888df2184e2c5a0be8b5ef676b6b02aca7fdd275d8a3c4

Download Submit
C:\Windows\System\ONtGUdl.exe

Filesize
8.3MB

MD5
df91c4a8c16f2bbe72c3ac9a2d91103d

SHA1
305dbb489c211049fe49e19d25fd9eb7a834d55e

SHA256
067e128493bfb95222a489a8087f2e036cf9cf444a3e8fb400a99297d3a17623

SHA512
353d9eb019427389fab11e10a62a7b5b8117757b36ef1295acbf5476d7514c98fd79e23ed456cd60d22c90a5eedc75762c4a4ebe36b801b190135320d86a71fc

Download Submit
C:\Windows\System\TaxmNBu.exe

Filesize
8.3MB

MD5
c97729b93cf2fa61a1dfa13e79114f0e

SHA1
a6ebcb9b9b485a6040e3c7f4d32fb034edf2b888

SHA256
8bfff931fde492a1872b9d788f554e2d6cc5bc2bc95bcfe5e47bf519b9b29214

SHA512
3151b8157f16294994f084e98c42cb61b625c4bc6eb80ce43cdfb419d7e588662d9b040d05caf1c5540805977c4379080a77eb9cdad9236c26f3ce68c7fdb7d6

Download Submit
C:\Windows\System\VqUvGCF.exe

Filesize
8.3MB

MD5
aa0a4410bf8b08638e7226b9183f24ac

SHA1
80460a2cfbbc2fca7655d18a539833a1ca6201aa

SHA256
d639cda3bdd08544427168c848b53614faaf448e4eba623d2950bbe04bb87a2e

SHA512
20c451d309ecee06a70d2f3658f0e73e8ba6f79b6295bc802a3dc889a08666dbf0f004023417aa1de887ca1a2c6d59ee92ffa4c0cd0a208b422f99a750e6dd96

Download Submit
C:\Windows\System\ZLrZHgz.exe

Filesize
8.3MB

MD5
d5d0d91f0a51a84ddf172c5d29168676

SHA1
53e100a0b975696449d490c8230d1214ef1a84b0

SHA256
63d8eb8509c8f449fdb37b191f20e80a51c0b83256ad7099e917f83389deb7b0

SHA512
6ba62d42262c335d585ca2b97dab1870d2acb04844843db7b37bdeed2412d2ff7088c10b6a9c75b609bef22e32cf8e47cb142bc557d6d16d896fd678a253feb1

Download Submit
C:\Windows\System\cFwDNeO.exe

Filesize
8.3MB

MD5
7b42a55a26587629b63f880ac592232a

SHA1
a9d90ec0e3e294ebbb18bb17e09b13dc66966631

SHA256
d0ab84d864ea4439eeaabb26d1157f0e71aefb775939e2801105393d37c2702d

SHA512
92993ba270f939796e8ac989c2b8ddcac371a8abcb39b4cbb4a7048a577d903bbc2a8dbb5b14597ae513a99f08067d42ed7205cf5c53b8bad11c52ab7f496150

Download Submit
C:\Windows\System\ddVqmgM.exe

Filesize
8.3MB

MD5
cdbe18346d139041ed05835f7e9efc6d

SHA1
4b204610c5fe1bcd4a73e7f9dd4cc698fb3d8500

SHA256
8ac1f694ba65206e4553621e0a530296165f7c916cc38298f49ad7b13fd09cc4

SHA512
32af75cc7c3cfc178468ef93b89a216927f8fc0b45d2f68a140693db4d4ad963387d2b3df46a42f96842f70a6873c2de10f9c94faadefb513d309e6e51d6aef2

Download Submit
C:\Windows\System\dsBgyZy.exe

Filesize
8.3MB

MD5
18aa81b124de0624be1eb54793b15854

SHA1
1747ee6c7019964d48a9bf1b8591482ad89d9c83

SHA256
2dbcd4081fcd60ae66bf477bd6ee3ec90bb93dd2773a896ee0c5e34703344dd0

SHA512
f140c30436001f51ee6946a922be3e7849d057790beb19073af956ab06a01c12efc352464473795f9809548835ecfaa005d2944988b36957ee9b2d3a4e6f0720

Download Submit
C:\Windows\System\ePPXIDU.exe

Filesize
8.3MB

MD5
58014340b9691c753b00dddf9d7d55de

SHA1
956c8ce97336accd7b8cffb003a79108570d685b

SHA256
422818d93a29dcac07b9bd7a2ead63694719f553d14dc74cf10f64c49fb122c2

SHA512
706d123b742850f65822f90c124f264516334b7bc0949130372c3cf2a82f5c68fc1368676083f533f5d0b4f1d567ae28da28e184a3c5a46b9bf397fdd5fe7aa6

Download Submit
C:\Windows\System\fkcXTSP.exe

Filesize
8.3MB

MD5
450120e1cf4a57e968e82e2e07d6cbd2

SHA1
25bfff782ff2839d94245fc674fa55ab80a89541

SHA256
f81736c7c7fae24e97a9b831ef794ff8864144b961cf4cbf6e1aedb74681f32a

SHA512
b75de445acb1f0e73166a5c6de287f45db1be70f77c77ba60ec67ea7a9e7e928ac21d8b68afb5c78d8f5e3516dbcae20b9df815b1da7b46b794254a975576a1c

Download Submit
C:\Windows\System\gwXIswR.exe

Filesize
8.3MB

MD5
2848318cccde8c1b67472429f53d44c4

SHA1
78fd5056964d67e0361dfbcae7f51d9dd496c760

SHA256
93bc6829e890bfe7add3095cb1dcd58608b6107e5a02204955aefb7ddbae32c7

SHA512
0c5cdfa8fd91f71ceb365aff6de68f664c6f05d4487257c913265e350f1885c0d3286f8ef814fbd204e14009d62e42a526def073e988b1766f671d6ea2fc498a

Download Submit
C:\Windows\System\ioXFFjO.exe

Filesize
8.3MB

MD5
fd5c61ac531cb91b4ac9e649530c8160

SHA1
faa1a3f0c5aaa7265f1ea011db955d256bab6547

SHA256
df7ab19c3479f69d01c2469ad1bb3a55c639ba4dcd4bc2adf882e8d41a43fab4

SHA512
d38ec564419f4c3f0870d84e3c1ccd7c3bf390a100e9e3065af61de1c6df521deb303a86f131855c1c6dde2bd2c2387b536ae8a2e86c7348e14895b33670ce91

Download Submit
C:\Windows\System\kvKXvOo.exe

Filesize
8.3MB

MD5
1fe0227d8b0b813689e536467f174c6c

SHA1
d628f64db0faf9ae1c7dff19a6ed802a90f2ceed

SHA256
3ad578fcc402715963b3afbb26357b23325577686e8d76ea72c030b3f1338ea8

SHA512
cbf472951fb3dcbc6780e496705c7fc7e98a841549e7569d05755d965301ba4eec7b8b2a03131f85fa2f6297224523034cbaca753128c4115b145cb0155e735c

Download Submit
C:\Windows\System\lJpFqTs.exe

Filesize
8.3MB

MD5
2926f57b9d793ba5dbca7d30ce19d729

SHA1
75ff930f126ed36ac6f24e4efb8b5a33666ececb

SHA256
7f4b922ce31123ac2095a2d91d9812c9c89e3d4ff6ab52b9285503b3343b96d2

SHA512
2f539245e1683e9b470a17409090bec8a847a1c1a8b9bc379b2cc9c688cbe166e76930a5413f6b636737d5f707c5d13a35b3370b8a97bcb76fc39876aa633a0c

Download Submit
C:\Windows\System\rFScPfa.exe

Filesize
8.3MB

MD5
8ed2c83e4bcd1eb6364c70b5803820c3

SHA1
d025904a60415ac8ec4095f587a50f50b8f693dc

SHA256
f186fc6dd9af3f425cbac9d9af797f973f1503d4ee5ff44b4570342ca31f9202

SHA512
5891fb8693273d2ce2e5734f0830ccae6fb85d1a537013b45912c12996928c8c604f9d804bf61cc6bb6bf4775244cc20e4c13071027b2168cf7b687a12ad5866

Download Submit
C:\Windows\System\ssQDCve.exe

Filesize
8.3MB

MD5
197427e7abc53dab857b21cd5046674c

SHA1
7daaaed458da4ec456494969e4398a7f9b90b944

SHA256
f07e0d53950dadb1315bd35df704656e4f2b02d389ce67a910e8a32f8d8855ed

SHA512
407d8872a97d7dd96a53d456066267b2afe4f611635d1a4fcf3a6a061ae95228dfa5467d80ffce89b176ddcfedfbde28e07dba7c9c2a395533f60f531b8ce85f

Download Submit
C:\Windows\System\vgopZRx.exe

Filesize
8.3MB

MD5
8f835eed0ed0db0ed58bb7bcba11f23f

SHA1
9b6abc3434944837b8a1851e7de06279ddc4e6e5

SHA256
99fc86f9c6f9df10a682d785c728aa3bd9dd08caa977126dcbed6b2b1942a043

SHA512
d36f93092fc55ef50e2ea8de22f099a1bfa59c738fa0320a7b139634a67648258316c05f183d77719a4ccc0aa6a2b8837ca59b3bcc9a94da45c6dd822ac5751f

Download Submit
C:\Windows\System\wGkLPeQ.exe

Filesize
8.3MB

MD5
8972906d2244ce4d89c7313c90637100

SHA1
c12bdc2c67be6b0d758707c3e7b7fb26dbf2d12c

SHA256
f8a7d4482afdd3b87212605e2f2edf2c7abef2a02694320128dc2bf9025718f2

SHA512
869c01ccc9bb9e424bc4c914741d861299b6162299349cf6a5c8aaa38e642e02310bb0248c3c8688f1fc0059c7a2ff88218354644b23d286829ceb707de7a1f7

Download Submit
C:\Windows\System\ypVyDQe.exe

Filesize
8.3MB

MD5
fff8f794f165e9be7f6a1e26c278241d

SHA1
11803dce9e7975ed5aeaee0d6abcc56ecfe8be97

SHA256
1859326b046c49a7ea6a1559653d87229cebb0c68676523ccebaa5a1d81f8c49

SHA512
ff270fb22e2fbb672ef718181ae2dc6b2f084c6c42ec1707539349d12bef8fecb4f26d76fa5616e2fa74a602e7698a4075ad900ce1934c526377f436bf02e22b

Download Submit
memory/756-157-0x00007FF770F00000-0x00007FF771252000-memory.dmp

Filesize
3.3MB

Download
memory/756-126-0x00007FF770F00000-0x00007FF771252000-memory.dmp

Filesize
3.3MB

Download
memory/1372-144-0x00007FF795080000-0x00007FF7953D2000-memory.dmp

Filesize
3.3MB

Download
memory/1372-32-0x00007FF795080000-0x00007FF7953D2000-memory.dmp

Filesize
3.3MB

Download
memory/1916-160-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp

Filesize
3.3MB

Download
memory/1916-133-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp

Filesize
3.3MB

Download
memory/1916-146-0x00007FF6C03C0000-0x00007FF6C0712000-memory.dmp

Filesize
3.3MB

Download
memory/2004-147-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp

Filesize
3.3MB

Download
memory/2004-44-0x00007FF7DF160000-0x00007FF7DF4B2000-memory.dmp

Filesize
3.3MB

Download
memory/2124-153-0x00007FF66F250000-0x00007FF66F5A2000-memory.dmp

Filesize
3.3MB

Download
memory/2124-83-0x00007FF66F250000-0x00007FF66F5A2000-memory.dmp

Filesize
3.3MB

Download
memory/2628-96-0x00007FF67E180000-0x00007FF67E4D2000-memory.dmp

Filesize
3.3MB

Download
memory/2628-155-0x00007FF67E180000-0x00007FF67E4D2000-memory.dmp

Filesize
3.3MB

Download
memory/2640-137-0x00007FF649630000-0x00007FF649982000-memory.dmp

Filesize
3.3MB

Download
memory/2640-156-0x00007FF649630000-0x00007FF649982000-memory.dmp

Filesize
3.3MB

Download
memory/2640-113-0x00007FF649630000-0x00007FF649982000-memory.dmp

Filesize
3.3MB

Download
memory/2652-139-0x00007FF752FC0000-0x00007FF753312000-memory.dmp

Filesize
3.3MB

Download
memory/2652-128-0x00007FF752FC0000-0x00007FF753312000-memory.dmp

Filesize
3.3MB

Download
memory/2652-161-0x00007FF752FC0000-0x00007FF753312000-memory.dmp

Filesize
3.3MB

Download
memory/2996-82-0x00007FF680360000-0x00007FF6806B2000-memory.dmp

Filesize
3.3MB

Download
memory/2996-18-0x00007FF680360000-0x00007FF6806B2000-memory.dmp

Filesize
3.3MB

Download
memory/2996-143-0x00007FF680360000-0x00007FF6806B2000-memory.dmp

Filesize
3.3MB

Download
memory/3240-141-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp

Filesize
3.3MB

Download
memory/3240-14-0x00007FF66E590000-0x00007FF66E8E2000-memory.dmp

Filesize
3.3MB

Download
memory/3264-142-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp

Filesize
3.3MB

Download
memory/3264-89-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp

Filesize
3.3MB

Download
memory/3264-23-0x00007FF7D99B0000-0x00007FF7D9D02000-memory.dmp

Filesize
3.3MB

Download
memory/3308-149-0x00007FF72D450000-0x00007FF72D7A2000-memory.dmp

Filesize
3.3MB

Download
memory/3308-72-0x00007FF72D450000-0x00007FF72D7A2000-memory.dmp

Filesize
3.3MB

Download
memory/3376-148-0x00007FF712E30000-0x00007FF713182000-memory.dmp

Filesize
3.3MB

Download
memory/3376-52-0x00007FF712E30000-0x00007FF713182000-memory.dmp

Filesize
3.3MB

Download
memory/3592-0-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp

Filesize
3.3MB

Download
memory/3592-64-0x00007FF6189A0000-0x00007FF618CF2000-memory.dmp

Filesize
3.3MB

Download
memory/3592-1-0x00000228530B0000-0x00000228530C0000-memory.dmp

Filesize
64KB

Download
memory/3624-90-0x00007FF654D50000-0x00007FF6550A2000-memory.dmp

Filesize
3.3MB

Download
memory/3624-154-0x00007FF654D50000-0x00007FF6550A2000-memory.dmp

Filesize
3.3MB

Download
memory/3892-125-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp

Filesize
3.3MB

Download
memory/3892-56-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp

Filesize
3.3MB

Download
memory/3892-150-0x00007FF604F50000-0x00007FF6052A2000-memory.dmp

Filesize
3.3MB

Download
memory/4292-136-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp

Filesize
3.3MB

Download
memory/4292-103-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp

Filesize
3.3MB

Download
memory/4292-159-0x00007FF7C7C60000-0x00007FF7C7FB2000-memory.dmp

Filesize
3.3MB

Download
memory/4380-138-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp

Filesize
3.3MB

Download
memory/4380-121-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp

Filesize
3.3MB

Download
memory/4380-158-0x00007FF7D9170000-0x00007FF7D94C2000-memory.dmp

Filesize
3.3MB

Download
memory/4416-135-0x00007FF771650000-0x00007FF7719A2000-memory.dmp

Filesize
3.3MB

Download
memory/4416-74-0x00007FF771650000-0x00007FF7719A2000-memory.dmp

Filesize
3.3MB

Download
memory/4416-152-0x00007FF771650000-0x00007FF7719A2000-memory.dmp

Filesize
3.3MB

Download
memory/4516-8-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp

Filesize
3.3MB

Download
memory/4516-140-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp

Filesize
3.3MB

Download
memory/4516-73-0x00007FF76BDD0000-0x00007FF76C122000-memory.dmp

Filesize
3.3MB

Download
memory/4864-36-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp

Filesize
3.3MB

Download
memory/4864-101-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp

Filesize
3.3MB

Download
memory/4864-145-0x00007FF65FCA0000-0x00007FF65FFF2000-memory.dmp

Filesize
3.3MB

Download
memory/4956-130-0x00007FF776B40000-0x00007FF776E92000-memory.dmp

Filesize
3.3MB

Download
memory/4956-68-0x00007FF776B40000-0x00007FF776E92000-memory.dmp

Filesize
3.3MB

Download
memory/4956-151-0x00007FF776B40000-0x00007FF776E92000-memory.dmp

Filesize
3.3MB

Download