cobaltstrike | 88909c0fdc0214900875b173069bf07c0ba2e3d58de86928dd63951ac8cd271a

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

878800fd686a8d28ba493b3362adfb71
SHA1

2e1964110be0b63836ea0fb91ff4c456cc84f32e
SHA256

88909c0fdc0214900875b173069bf07c0ba2e3d58de86928dd63951ac8cd271a
SHA512

ef64b35dd0a641592c01b9e306b293d58949fd1711d201698d068e0b7800effe9a380d74c39d347ff8219b223ccb8157933f52efc58f233c8c4b71ce325a43a9
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUA:Q+856utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023257-4.dat	cobalt_reflective_dll
behavioral2/files/0x000900000002325c-12.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002325d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002325b-22.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002325e-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023260-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023261-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023263-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023264-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023265-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023266-70.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023267-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023268-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023269-82.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326c-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326f-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023270-116.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326e-111.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326d-107.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326b-92.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002326a-87.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023257-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000900000002325c-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002325d-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000800000002325b-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002325e-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023260-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023261-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023263-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023264-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023265-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023266-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023267-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023268-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023269-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326c-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326f-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023270-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326e-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326d-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326b-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002326a-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4752-0-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	UPX
behavioral2/files/0x0008000000023257-4.dat	UPX
behavioral2/memory/5036-6-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	UPX
behavioral2/files/0x000900000002325c-12.dat	UPX
behavioral2/memory/3164-14-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	UPX
behavioral2/files/0x000700000002325d-11.dat	UPX
behavioral2/memory/1340-18-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	UPX
behavioral2/files/0x000800000002325b-22.dat	UPX
behavioral2/memory/2680-26-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	UPX
behavioral2/files/0x000700000002325e-28.dat	UPX
behavioral2/memory/2352-31-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	UPX
behavioral2/files/0x0007000000023260-35.dat	UPX
behavioral2/memory/2072-38-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	UPX
behavioral2/files/0x0007000000023261-40.dat	UPX
behavioral2/memory/2208-43-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023263-47.dat	UPX
behavioral2/memory/2696-50-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	UPX
behavioral2/files/0x0007000000023264-53.dat	UPX
behavioral2/files/0x0007000000023265-59.dat	UPX
behavioral2/memory/4752-62-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	UPX
behavioral2/memory/3632-65-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	UPX
behavioral2/files/0x0007000000023266-70.dat	UPX
behavioral2/files/0x0007000000023267-72.dat	UPX
behavioral2/files/0x0007000000023268-77.dat	UPX
behavioral2/files/0x0007000000023269-82.dat	UPX
behavioral2/files/0x000700000002326c-96.dat	UPX
behavioral2/files/0x000700000002326f-109.dat	UPX
behavioral2/files/0x0007000000023270-116.dat	UPX
behavioral2/files/0x000700000002326e-111.dat	UPX
behavioral2/files/0x000700000002326d-107.dat	UPX
behavioral2/files/0x000700000002326b-92.dat	UPX
behavioral2/files/0x000700000002326a-87.dat	UPX
behavioral2/memory/2660-54-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	UPX
behavioral2/memory/5036-118-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	UPX
behavioral2/memory/2608-119-0x00007FF767B40000-0x00007FF767E94000-memory.dmp	UPX
behavioral2/memory/2460-121-0x00007FF632D30000-0x00007FF633084000-memory.dmp	UPX
behavioral2/memory/2520-120-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	UPX
behavioral2/memory/3316-124-0x00007FF660CD0000-0x00007FF661024000-memory.dmp	UPX
behavioral2/memory/4500-125-0x00007FF71A910000-0x00007FF71AC64000-memory.dmp	UPX
behavioral2/memory/4584-126-0x00007FF62D760000-0x00007FF62DAB4000-memory.dmp	UPX
behavioral2/memory/684-123-0x00007FF7B4280000-0x00007FF7B45D4000-memory.dmp	UPX
behavioral2/memory/3544-127-0x00007FF7998A0000-0x00007FF799BF4000-memory.dmp	UPX
behavioral2/memory/1336-122-0x00007FF74FE70000-0x00007FF7501C4000-memory.dmp	UPX
behavioral2/memory/4636-128-0x00007FF6AB750000-0x00007FF6ABAA4000-memory.dmp	UPX
behavioral2/memory/1924-129-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	UPX
behavioral2/memory/3164-130-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	UPX
behavioral2/memory/1340-131-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	UPX
behavioral2/memory/2680-132-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	UPX
behavioral2/memory/2352-133-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	UPX
behavioral2/memory/2208-134-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	UPX
behavioral2/memory/2696-135-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	UPX
behavioral2/memory/2660-136-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	UPX
behavioral2/memory/5036-137-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	UPX
behavioral2/memory/3164-138-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	UPX
behavioral2/memory/1340-139-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	UPX
behavioral2/memory/2680-140-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	UPX
behavioral2/memory/2352-141-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	UPX
behavioral2/memory/2072-142-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	UPX
behavioral2/memory/2208-143-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	UPX
behavioral2/memory/2696-144-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	UPX
behavioral2/memory/2660-145-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	UPX
behavioral2/memory/3632-146-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	UPX
behavioral2/memory/2460-147-0x00007FF632D30000-0x00007FF633084000-memory.dmp	UPX
behavioral2/memory/2520-148-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4752-0-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023257-4.dat	xmrig
behavioral2/memory/5036-6-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	xmrig
behavioral2/files/0x000900000002325c-12.dat	xmrig
behavioral2/memory/3164-14-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	xmrig
behavioral2/files/0x000700000002325d-11.dat	xmrig
behavioral2/memory/1340-18-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	xmrig
behavioral2/files/0x000800000002325b-22.dat	xmrig
behavioral2/memory/2680-26-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	xmrig
behavioral2/files/0x000700000002325e-28.dat	xmrig
behavioral2/memory/2352-31-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023260-35.dat	xmrig
behavioral2/memory/2072-38-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	xmrig
behavioral2/files/0x0007000000023261-40.dat	xmrig
behavioral2/memory/2208-43-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023263-47.dat	xmrig
behavioral2/memory/2696-50-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	xmrig
behavioral2/files/0x0007000000023264-53.dat	xmrig
behavioral2/files/0x0007000000023265-59.dat	xmrig
behavioral2/memory/4752-62-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	xmrig
behavioral2/memory/3632-65-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023266-70.dat	xmrig
behavioral2/files/0x0007000000023267-72.dat	xmrig
behavioral2/files/0x0007000000023268-77.dat	xmrig
behavioral2/files/0x0007000000023269-82.dat	xmrig
behavioral2/files/0x000700000002326c-96.dat	xmrig
behavioral2/files/0x000700000002326f-109.dat	xmrig
behavioral2/files/0x0007000000023270-116.dat	xmrig
behavioral2/files/0x000700000002326e-111.dat	xmrig
behavioral2/files/0x000700000002326d-107.dat	xmrig
behavioral2/files/0x000700000002326b-92.dat	xmrig
behavioral2/files/0x000700000002326a-87.dat	xmrig
behavioral2/memory/2660-54-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	xmrig
behavioral2/memory/5036-118-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	xmrig
behavioral2/memory/2608-119-0x00007FF767B40000-0x00007FF767E94000-memory.dmp	xmrig
behavioral2/memory/2460-121-0x00007FF632D30000-0x00007FF633084000-memory.dmp	xmrig
behavioral2/memory/2520-120-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	xmrig
behavioral2/memory/3316-124-0x00007FF660CD0000-0x00007FF661024000-memory.dmp	xmrig
behavioral2/memory/4500-125-0x00007FF71A910000-0x00007FF71AC64000-memory.dmp	xmrig
behavioral2/memory/4584-126-0x00007FF62D760000-0x00007FF62DAB4000-memory.dmp	xmrig
behavioral2/memory/684-123-0x00007FF7B4280000-0x00007FF7B45D4000-memory.dmp	xmrig
behavioral2/memory/3544-127-0x00007FF7998A0000-0x00007FF799BF4000-memory.dmp	xmrig
behavioral2/memory/1336-122-0x00007FF74FE70000-0x00007FF7501C4000-memory.dmp	xmrig
behavioral2/memory/4636-128-0x00007FF6AB750000-0x00007FF6ABAA4000-memory.dmp	xmrig
behavioral2/memory/1924-129-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	xmrig
behavioral2/memory/3164-130-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	xmrig
behavioral2/memory/1340-131-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	xmrig
behavioral2/memory/2680-132-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	xmrig
behavioral2/memory/2352-133-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	xmrig
behavioral2/memory/2208-134-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	xmrig
behavioral2/memory/2696-135-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	xmrig
behavioral2/memory/2660-136-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	xmrig
behavioral2/memory/5036-137-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	xmrig
behavioral2/memory/3164-138-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	xmrig
behavioral2/memory/1340-139-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	xmrig
behavioral2/memory/2680-140-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	xmrig
behavioral2/memory/2352-141-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	xmrig
behavioral2/memory/2072-142-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	xmrig
behavioral2/memory/2208-143-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	xmrig
behavioral2/memory/2696-144-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	xmrig
behavioral2/memory/2660-145-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	xmrig
behavioral2/memory/3632-146-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	xmrig
behavioral2/memory/2460-147-0x00007FF632D30000-0x00007FF633084000-memory.dmp	xmrig
behavioral2/memory/2520-148-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5036	ZWhvysJ.exe
3164	vaGzUTW.exe
1340	AkubsWH.exe
2680	kKcVaoZ.exe
2352	WKfnGtX.exe
2072	TjFYKPY.exe
2208	bBoUzcd.exe
2696	idRQxxL.exe
2660	MqfwaCd.exe
3632	UdXNfHL.exe
2608	pvowNop.exe
2520	yBcIQOb.exe
2460	pWLYRdK.exe
1336	HBIvAsz.exe
684	WMjXaeX.exe
3316	ROUYkdd.exe
4500	DFSgsOj.exe
4584	zcGfeLQ.exe
3544	FGrtwNI.exe
4636	KLbghic.exe
1924	FmnBDdD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-0-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	upx
behavioral2/files/0x0008000000023257-4.dat	upx
behavioral2/memory/5036-6-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	upx
behavioral2/files/0x000900000002325c-12.dat	upx
behavioral2/memory/3164-14-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	upx
behavioral2/files/0x000700000002325d-11.dat	upx
behavioral2/memory/1340-18-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	upx
behavioral2/files/0x000800000002325b-22.dat	upx
behavioral2/memory/2680-26-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	upx
behavioral2/files/0x000700000002325e-28.dat	upx
behavioral2/memory/2352-31-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	upx
behavioral2/files/0x0007000000023260-35.dat	upx
behavioral2/memory/2072-38-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	upx
behavioral2/files/0x0007000000023261-40.dat	upx
behavioral2/memory/2208-43-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	upx
behavioral2/files/0x0007000000023263-47.dat	upx
behavioral2/memory/2696-50-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	upx
behavioral2/files/0x0007000000023264-53.dat	upx
behavioral2/files/0x0007000000023265-59.dat	upx
behavioral2/memory/4752-62-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp	upx
behavioral2/memory/3632-65-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	upx
behavioral2/files/0x0007000000023266-70.dat	upx
behavioral2/files/0x0007000000023267-72.dat	upx
behavioral2/files/0x0007000000023268-77.dat	upx
behavioral2/files/0x0007000000023269-82.dat	upx
behavioral2/files/0x000700000002326c-96.dat	upx
behavioral2/files/0x000700000002326f-109.dat	upx
behavioral2/files/0x0007000000023270-116.dat	upx
behavioral2/files/0x000700000002326e-111.dat	upx
behavioral2/files/0x000700000002326d-107.dat	upx
behavioral2/files/0x000700000002326b-92.dat	upx
behavioral2/files/0x000700000002326a-87.dat	upx
behavioral2/memory/2660-54-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	upx
behavioral2/memory/5036-118-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	upx
behavioral2/memory/2608-119-0x00007FF767B40000-0x00007FF767E94000-memory.dmp	upx
behavioral2/memory/2460-121-0x00007FF632D30000-0x00007FF633084000-memory.dmp	upx
behavioral2/memory/2520-120-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	upx
behavioral2/memory/3316-124-0x00007FF660CD0000-0x00007FF661024000-memory.dmp	upx
behavioral2/memory/4500-125-0x00007FF71A910000-0x00007FF71AC64000-memory.dmp	upx
behavioral2/memory/4584-126-0x00007FF62D760000-0x00007FF62DAB4000-memory.dmp	upx
behavioral2/memory/684-123-0x00007FF7B4280000-0x00007FF7B45D4000-memory.dmp	upx
behavioral2/memory/3544-127-0x00007FF7998A0000-0x00007FF799BF4000-memory.dmp	upx
behavioral2/memory/1336-122-0x00007FF74FE70000-0x00007FF7501C4000-memory.dmp	upx
behavioral2/memory/4636-128-0x00007FF6AB750000-0x00007FF6ABAA4000-memory.dmp	upx
behavioral2/memory/1924-129-0x00007FF70B000000-0x00007FF70B354000-memory.dmp	upx
behavioral2/memory/3164-130-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	upx
behavioral2/memory/1340-131-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	upx
behavioral2/memory/2680-132-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	upx
behavioral2/memory/2352-133-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	upx
behavioral2/memory/2208-134-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	upx
behavioral2/memory/2696-135-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	upx
behavioral2/memory/2660-136-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	upx
behavioral2/memory/5036-137-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp	upx
behavioral2/memory/3164-138-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp	upx
behavioral2/memory/1340-139-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp	upx
behavioral2/memory/2680-140-0x00007FF7744D0000-0x00007FF774824000-memory.dmp	upx
behavioral2/memory/2352-141-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp	upx
behavioral2/memory/2072-142-0x00007FF7595F0000-0x00007FF759944000-memory.dmp	upx
behavioral2/memory/2208-143-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp	upx
behavioral2/memory/2696-144-0x00007FF675FC0000-0x00007FF676314000-memory.dmp	upx
behavioral2/memory/2660-145-0x00007FF665CB0000-0x00007FF666004000-memory.dmp	upx
behavioral2/memory/3632-146-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp	upx
behavioral2/memory/2460-147-0x00007FF632D30000-0x00007FF633084000-memory.dmp	upx
behavioral2/memory/2520-148-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AkubsWH.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WKfnGtX.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bBoUzcd.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MqfwaCd.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pWLYRdK.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vaGzUTW.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yBcIQOb.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HBIvAsz.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WMjXaeX.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zcGfeLQ.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FmnBDdD.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kKcVaoZ.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TjFYKPY.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\idRQxxL.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ROUYkdd.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FGrtwNI.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KLbghic.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZWhvysJ.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UdXNfHL.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pvowNop.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DFSgsOj.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 5036	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	91
PID 4752 wrote to memory of 5036	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	91
PID 4752 wrote to memory of 3164	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	92
PID 4752 wrote to memory of 3164	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	92
PID 4752 wrote to memory of 1340	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	93
PID 4752 wrote to memory of 1340	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	93
PID 4752 wrote to memory of 2680	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	94
PID 4752 wrote to memory of 2680	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	94
PID 4752 wrote to memory of 2352	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	95
PID 4752 wrote to memory of 2352	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	95
PID 4752 wrote to memory of 2072	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	96
PID 4752 wrote to memory of 2072	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	96
PID 4752 wrote to memory of 2208	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	97
PID 4752 wrote to memory of 2208	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	97
PID 4752 wrote to memory of 2696	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	98
PID 4752 wrote to memory of 2696	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	98
PID 4752 wrote to memory of 2660	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	99
PID 4752 wrote to memory of 2660	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	99
PID 4752 wrote to memory of 3632	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	100
PID 4752 wrote to memory of 3632	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	100
PID 4752 wrote to memory of 2608	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	101
PID 4752 wrote to memory of 2608	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	101
PID 4752 wrote to memory of 2520	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	102
PID 4752 wrote to memory of 2520	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	102
PID 4752 wrote to memory of 2460	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	103
PID 4752 wrote to memory of 2460	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	103
PID 4752 wrote to memory of 1336	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	104
PID 4752 wrote to memory of 1336	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	104
PID 4752 wrote to memory of 684	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	105
PID 4752 wrote to memory of 684	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	105
PID 4752 wrote to memory of 3316	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	106
PID 4752 wrote to memory of 3316	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	106
PID 4752 wrote to memory of 4500	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	107
PID 4752 wrote to memory of 4500	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	107
PID 4752 wrote to memory of 4584	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	108
PID 4752 wrote to memory of 4584	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	108
PID 4752 wrote to memory of 3544	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	109
PID 4752 wrote to memory of 3544	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	109
PID 4752 wrote to memory of 4636	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	110
PID 4752 wrote to memory of 4636	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	110
PID 4752 wrote to memory of 1924	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	111
PID 4752 wrote to memory of 1924	4752	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\System\ZWhvysJ.exe
  C:\Windows\System\ZWhvysJ.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\vaGzUTW.exe
  C:\Windows\System\vaGzUTW.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\AkubsWH.exe
  C:\Windows\System\AkubsWH.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\kKcVaoZ.exe
  C:\Windows\System\kKcVaoZ.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\WKfnGtX.exe
  C:\Windows\System\WKfnGtX.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\TjFYKPY.exe
  C:\Windows\System\TjFYKPY.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\bBoUzcd.exe
  C:\Windows\System\bBoUzcd.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\idRQxxL.exe
  C:\Windows\System\idRQxxL.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\MqfwaCd.exe
  C:\Windows\System\MqfwaCd.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\UdXNfHL.exe
  C:\Windows\System\UdXNfHL.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\pvowNop.exe
  C:\Windows\System\pvowNop.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\yBcIQOb.exe
  C:\Windows\System\yBcIQOb.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\pWLYRdK.exe
  C:\Windows\System\pWLYRdK.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\HBIvAsz.exe
  C:\Windows\System\HBIvAsz.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\WMjXaeX.exe
  C:\Windows\System\WMjXaeX.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\ROUYkdd.exe
  C:\Windows\System\ROUYkdd.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\DFSgsOj.exe
  C:\Windows\System\DFSgsOj.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\zcGfeLQ.exe
  C:\Windows\System\zcGfeLQ.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\FGrtwNI.exe
  C:\Windows\System\FGrtwNI.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\KLbghic.exe
  C:\Windows\System\KLbghic.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\FmnBDdD.exe
  C:\Windows\System\FmnBDdD.exe
  2⤵
  - Executes dropped EXE
  PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
1⤵
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AkubsWH.exe

Filesize
5.9MB

MD5
d75bb44b927ba816d9caa3bafd93d655

SHA1
bf74a598153c29e676e3a9222e934ebc6e467ee9

SHA256
d33b3d6a212b1cb61f9f1eab24a33d472dc5933d9d845ff2b979439c406dcbbb

SHA512
9b1741d072cff6379a1b8f7c2541e698ef6643a21ec783d53f12e3936de0109e7d38c69b20556862571bad798cf56106707d4298eeed1c718dd5fdec7e8c0c49

Download Submit
C:\Windows\System\DFSgsOj.exe

Filesize
5.9MB

MD5
d23e40151103bca523333db0e297b17a

SHA1
4a617810597b86feb9c68402959cd6741d6579ef

SHA256
046605d587109db4df532f099f871574bdcd4cb268c5514abdc7ef9def80c915

SHA512
32f86cd5559d72712f0b6f759f71aee1a3bf70a0dd5e3ff99e6e6ccce1a70010e37fa83930361f328a128ecec6af71b86cf6a0281faaa5d22773b7a6e523bd4e

Download Submit
C:\Windows\System\FGrtwNI.exe

Filesize
5.9MB

MD5
f8ad3e0b11acf5d0c11930725b9990a5

SHA1
0ac6910c52a0ec2d400172e192998fc0bee9614e

SHA256
8ce682f6e3764c39ccd1f6eccdcb0ad23266bcf86680707648b43e36c9eac2b7

SHA512
3963d3c2188a66dc95edac108ceb246970adc7a82fc802fa2f9dd77e817fdd0d808eb6fe8814c7f30b6214efa44e2efce9052820b32cdc0d93af4d32c675e521

Download Submit
C:\Windows\System\FmnBDdD.exe

Filesize
5.9MB

MD5
f49fb22f1c945669f89d6a974661f66b

SHA1
f40b5af0a4e3911e3102fb165ca09ca6993bc5fe

SHA256
459180e9fb2f5d1a1453d508e369b148e7148f143b3f45e08d3f9357d7678cd9

SHA512
b74bb7f2e5728580d37f08b42e290bb575efd637f5d321386c209a732e410f8bdca106ddcf1b9f43650a9eb3ed23f0c6f4a00dd77ac29bf3e0cd3a023edb72c2

Download Submit
C:\Windows\System\HBIvAsz.exe

Filesize
5.9MB

MD5
b067fc237ef24aa8afcf1aee6da65ede

SHA1
75aadfe2e0f3241a41e3cebb040a998f45a1b209

SHA256
33c41b19c337b4275e5a483c1faf747fe495e9876cea33ac81d5f8fa30d5c373

SHA512
3dc9244d7e737274abcb09849a997ec643d29aca6e996acceb303f61d32316e187b8e338c7d6178cc993b3ab860c69197892d1d2f2bdcdf89a35a509d6ae18df

Download Submit
C:\Windows\System\KLbghic.exe

Filesize
5.9MB

MD5
a3d07e0624e5ea76b2e772ce182a3756

SHA1
990fc40adef68347cac473cd55a0c359da359ab1

SHA256
9f2748dddc24a6c7081894bbdeede78ffd052e3b6e8339595cfcd246f70997b8

SHA512
2568a2b9b412afa7083a6e0a22c105102b3e0985ea2eee8e0bbd4ce9d9e7f1aa7fa696bb8e12d6dc1f9b4f47dfff13940883bc085a13879f9ca35e5af7ca09dd

Download Submit
C:\Windows\System\MqfwaCd.exe

Filesize
5.9MB

MD5
9525a3f89ee6a4ec9679477834559aba

SHA1
3bf5623b022edd618324e70a9e6fc945f6b30e08

SHA256
42b1527bdb5a8213c520c7701fcd960cf02daf6e078788b0c025753db0f909d7

SHA512
e4facc73897416494c2302a3cc21d4c4f99368cc86ffabc97ff7021c2f252110f987aca91f1fec467ee92fd912bb4e3c97b6eed13d6bd176c78fe7fe9d972ce2

Download Submit
C:\Windows\System\ROUYkdd.exe

Filesize
5.9MB

MD5
d7df3e57dafc8065422366da0de3d942

SHA1
d0f65200cd8361fdea946c3dc4e3abbed979afa9

SHA256
158c5dcbf39b5a88e489a33f3f30bacf9a8b82740d7a7b871cdd07673029decd

SHA512
cd0e3df937a06ca2f1e1d7fce4a19743bf4861796ee9d18562269ec56cbe0f1b2c0e0011f7cb7e420bcddd7b9f0e81293adbb19394862f79fee47e314892ea83

Download Submit
C:\Windows\System\TjFYKPY.exe

Filesize
5.9MB

MD5
ae2dacad6979aa6a4cb1e455cb1926e6

SHA1
adc355d840d454c6f4678ee21db2db2a0b44a023

SHA256
4e0f9294d10bfad406911c25afdbe55a16d9dba699de739a80b26902154ba0b1

SHA512
8407e6ad747f9f9ddfd3cf4699e54564f8ad7ffc6d25f5ee2f98012d0ab008a61e250474fad16ab1692d23dd7413d367d20c231dbfe48c91ba1471d35e048e70

Download Submit
C:\Windows\System\UdXNfHL.exe

Filesize
5.9MB

MD5
99d471ca8cfdfdd9ef991b042484e999

SHA1
5c25951a50efe37cd946aacbaa3393d36fc7a36a

SHA256
6bcb9669952f0d5bc3c9574eb49323e6a650db382edf5199a4cdf1a6eb07eb33

SHA512
3b128fecc411933f54d67e46c3df61b098a64b203f8a8f4a483af5abf3fb4814f041cc57eaa9b9a3c45bf7641eb711648c1f5a690482dfe5200d75a83c86de49

Download Submit
C:\Windows\System\WKfnGtX.exe

Filesize
5.9MB

MD5
1af008430e7cd789a45e0a52b640e3d7

SHA1
45bcf59ed14a0e3dddccfad20f7122c56c1ebbe7

SHA256
30de6c9a5dd0e3836059cf2c23e134f8e80619d9dbac5e852b6e85571e06eb4b

SHA512
73baaebce71259cdc1750743335436cf1fa21450dd44a4cd25f3c7f67b8af3fca4be4c43bb8e5d81a844b71a105a4676340a847c3ab4b2917600cf49414fb730

Download Submit
C:\Windows\System\WMjXaeX.exe

Filesize
5.9MB

MD5
65fc958b7c8b45e526df479d2c77e335

SHA1
ffe0b523c7156782d7cf1852dea60c3686863cdf

SHA256
b251746f0551e0bcaa96def88a0c9d232ea6ade5ccc6169cadac9bd013b76443

SHA512
0ede0c50dbf166c8515771ead8e16e3ef112c9f4b53da602e236cb0db046785d11e8d9f28e7ccef8bb26702566066094b0dae207676aa8f33d12d4e2740c69bb

Download Submit
C:\Windows\System\ZWhvysJ.exe

Filesize
5.9MB

MD5
e2dde198a4774009c28a940add8dd175

SHA1
685293076e50104066179acc7c9f67e5e2019e3c

SHA256
10cfcc13b7a995aeb2c146798baa19aff3c5d2e3cffacbe716e69c4409398a31

SHA512
d6cc74f8193538742de811a699b321280557ffbbf11ea889167b562f28d9509b5f2c4375557f909d2c4fc3cfacdd770296c3f91ccfb30287274172552ad1921d

Download Submit
C:\Windows\System\bBoUzcd.exe

Filesize
5.9MB

MD5
89b5c78fa5638fb960c582ebc90e4c85

SHA1
bdc9dcd9e53fe3623b1ca5a530d60668c4628f51

SHA256
dfbec3a45ad91c919f7c3901cfd53636c46372e7d8c166788d9ffc01c9be13bd

SHA512
6f16250877be28eec6e057527b95e24799baac19d358a354345d103c4c7077a46564f0936dacf27e84da1586e3332bc43e3902c501b904acc08dec89b391627b

Download Submit
C:\Windows\System\idRQxxL.exe

Filesize
5.9MB

MD5
b229def7c35c36fa96bdecfdfee23206

SHA1
9cb40ad2f6ffb9c0b83976c071e3f4ac1a2b0929

SHA256
3d08c15d378136b6291c44997ed6c3c9fe2399441464eb996b5f00c43a41bc4a

SHA512
0cde3eb24cb3add5143bb4079353c6b4f04597a26d1d852626c586cb96b4bf8ea050f757a0e00694c7404fabd8112a0d17679a54fb8db8d62b14490549d2fdef

Download Submit
C:\Windows\System\kKcVaoZ.exe

Filesize
5.9MB

MD5
cf6e3610d4d707bfda35e12257748483

SHA1
14cda3a326587fc224ab2d358bf54533d45ebe58

SHA256
18bdd66bcde69600238090993052a7dc423ef939d2229e87660c9bcd1e06c7bd

SHA512
dd3f1da465bfd3ac9154f92d78abe20ed88e352289cf0b580bcea8625eb267648441972f16f0fcda99ed66e6a610e6070d0aad02f709cfd1e5c94b8bf4401055

Download Submit
C:\Windows\System\pWLYRdK.exe

Filesize
5.9MB

MD5
b6cb3ee5023da1b94a8c467980161f9f

SHA1
ed7c9c371dbd3705c98498c20b26a53eafcf8eff

SHA256
37c8cc0c754c2bf38d7ec31d02a3e56933558cbc1add13cd08117ede84178ff8

SHA512
ed70350423513d2bc0ea6ed2ccf7b3356930d0e225eb53cfeb2d00ce3e7e33be83fd45d944b827b6157b54be270659e9380695624f22c226037347490b0b8e7e

Download Submit
C:\Windows\System\pvowNop.exe

Filesize
5.9MB

MD5
fccfd12b7f4a48bd14d1dcca69de1379

SHA1
038381e9986c76d41667e34b8741e618d7a3c8cb

SHA256
72afd902d6dd998e3cd0e57b343547300646a9bcae62c0df385cff48c879c65c

SHA512
481ca1e1645cf19cb26a0b9fe71aded725b8cfbedba6017b9893504469f60e45a6afb57cce4a850e638cfd7db13b0dad38d2b39b5e018e5f6fc07b8590e68d97

Download Submit
C:\Windows\System\vaGzUTW.exe

Filesize
5.9MB

MD5
6b4985331d4f6cfd462119f5f8386c17

SHA1
e02529a9f815cf1273c5a9d72728565cde066bbc

SHA256
9679f2c1aebc820a85b462e095273646f71995f1fbf660ae63e948cf40145a6e

SHA512
c73a72589e7760cd9ef1e5efc3e8d68f79199687e5db4a406b04dd9a618a91b6c752d2f13fa77d64aec2184a4fd9edd92ff8ff89d17b84cec66b13e2fe6df5ff

Download Submit
C:\Windows\System\yBcIQOb.exe

Filesize
5.9MB

MD5
a4210902f90cf9413581c3bf6ee706a5

SHA1
06a667e4257f72ee2b3230a79642b4f89b500ef9

SHA256
5001f50c4fa1aace5f7e3c688dde3a0185f29893980166692514053edb87881d

SHA512
258824f43ab5774408622200fc1434b8d394b30da5c850acc243014359352889e6f4a891700726dcd5d6bf202f093bfab881385a1279617beeb09be25702bed0

Download Submit
C:\Windows\System\zcGfeLQ.exe

Filesize
5.9MB

MD5
e0f278a102595151386fad909e7eff9b

SHA1
cffeb4bb9ad4dbadaee6df1146e583ce3d013b79

SHA256
11f008337c7ca7627decfb95d03c0f8fc8c3c6941339252b93b78d0d744b6911

SHA512
cf57e72f824d54a84f5afb8207b488598db1e6ffb4186ee92849f51624e994517f49ce2279c16548d8200e54398a69d34716715f81b23bde4eeaa2107724d72e

Download Submit
memory/684-152-0x00007FF7B4280000-0x00007FF7B45D4000-memory.dmp

Filesize
3.3MB

Download
memory/684-123-0x00007FF7B4280000-0x00007FF7B45D4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-150-0x00007FF74FE70000-0x00007FF7501C4000-memory.dmp

Filesize
3.3MB

Download
memory/1336-122-0x00007FF74FE70000-0x00007FF7501C4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-139-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-18-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-131-0x00007FF65DE50000-0x00007FF65E1A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-156-0x00007FF70B000000-0x00007FF70B354000-memory.dmp

Filesize
3.3MB

Download
memory/1924-129-0x00007FF70B000000-0x00007FF70B354000-memory.dmp

Filesize
3.3MB

Download
memory/2072-38-0x00007FF7595F0000-0x00007FF759944000-memory.dmp

Filesize
3.3MB

Download
memory/2072-142-0x00007FF7595F0000-0x00007FF759944000-memory.dmp

Filesize
3.3MB

Download
memory/2208-143-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp

Filesize
3.3MB

Download
memory/2208-43-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp

Filesize
3.3MB

Download
memory/2208-134-0x00007FF665EA0000-0x00007FF6661F4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-141-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp

Filesize
3.3MB

Download
memory/2352-133-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp

Filesize
3.3MB

Download
memory/2352-31-0x00007FF7DCBD0000-0x00007FF7DCF24000-memory.dmp

Filesize
3.3MB

Download
memory/2460-121-0x00007FF632D30000-0x00007FF633084000-memory.dmp

Filesize
3.3MB

Download
memory/2460-147-0x00007FF632D30000-0x00007FF633084000-memory.dmp

Filesize
3.3MB

Download
memory/2520-120-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-148-0x00007FF6A84A0000-0x00007FF6A87F4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-149-0x00007FF767B40000-0x00007FF767E94000-memory.dmp

Filesize
3.3MB

Download
memory/2608-119-0x00007FF767B40000-0x00007FF767E94000-memory.dmp

Filesize
3.3MB

Download
memory/2660-136-0x00007FF665CB0000-0x00007FF666004000-memory.dmp

Filesize
3.3MB

Download
memory/2660-145-0x00007FF665CB0000-0x00007FF666004000-memory.dmp

Filesize
3.3MB

Download
memory/2660-54-0x00007FF665CB0000-0x00007FF666004000-memory.dmp

Filesize
3.3MB

Download
memory/2680-140-0x00007FF7744D0000-0x00007FF774824000-memory.dmp

Filesize
3.3MB

Download
memory/2680-132-0x00007FF7744D0000-0x00007FF774824000-memory.dmp

Filesize
3.3MB

Download
memory/2680-26-0x00007FF7744D0000-0x00007FF774824000-memory.dmp

Filesize
3.3MB

Download
memory/2696-135-0x00007FF675FC0000-0x00007FF676314000-memory.dmp

Filesize
3.3MB

Download
memory/2696-144-0x00007FF675FC0000-0x00007FF676314000-memory.dmp

Filesize
3.3MB

Download
memory/2696-50-0x00007FF675FC0000-0x00007FF676314000-memory.dmp

Filesize
3.3MB

Download
memory/3164-138-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp

Filesize
3.3MB

Download
memory/3164-14-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp

Filesize
3.3MB

Download
memory/3164-130-0x00007FF75D8B0000-0x00007FF75DC04000-memory.dmp

Filesize
3.3MB

Download
memory/3316-124-0x00007FF660CD0000-0x00007FF661024000-memory.dmp

Filesize
3.3MB

Download
memory/3316-151-0x00007FF660CD0000-0x00007FF661024000-memory.dmp

Filesize
3.3MB

Download
memory/3544-127-0x00007FF7998A0000-0x00007FF799BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3544-154-0x00007FF7998A0000-0x00007FF799BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3632-65-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp

Filesize
3.3MB

Download
memory/3632-146-0x00007FF627AF0000-0x00007FF627E44000-memory.dmp

Filesize
3.3MB

Download
memory/4500-153-0x00007FF71A910000-0x00007FF71AC64000-memory.dmp

Filesize
3.3MB

Download
memory/4500-125-0x00007FF71A910000-0x00007FF71AC64000-memory.dmp

Filesize
3.3MB

Download
memory/4584-126-0x00007FF62D760000-0x00007FF62DAB4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-155-0x00007FF62D760000-0x00007FF62DAB4000-memory.dmp

Filesize
3.3MB

Download
memory/4636-157-0x00007FF6AB750000-0x00007FF6ABAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4636-128-0x00007FF6AB750000-0x00007FF6ABAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4752-62-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp

Filesize
3.3MB

Download
memory/4752-0-0x00007FF601D70000-0x00007FF6020C4000-memory.dmp

Filesize
3.3MB

Download
memory/4752-1-0x00000210BE770000-0x00000210BE780000-memory.dmp

Filesize
64KB

Download
memory/5036-6-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-137-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-118-0x00007FF6F8B50000-0x00007FF6F8EA4000-memory.dmp

Filesize
3.3MB

Download