cobaltstrike | 643c97d607099d62fd026d9f94549dc6297bd2bb200f850cd0a408c69ef40d03

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

257886e5c477a94f8fc4428aa3400d91
SHA1

542f276d6f1a047e89508fb5f55b2da0b7ad3c02
SHA256

643c97d607099d62fd026d9f94549dc6297bd2bb200f850cd0a408c69ef40d03
SHA512

8a532b49c5bf1cc0c381764f677dc95cf7a4c3e70ff44ba0d984693d359474ccc78c9efabaa306b9148ef6c51f9796e3f515bb93abeca9cf573efa44088567ee
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\StEgseK.exe	cobalt_reflective_dll
C:\Windows\System\HaEnZMQ.exe	cobalt_reflective_dll
C:\Windows\System\NqbgQRH.exe	cobalt_reflective_dll
C:\Windows\System\PPefgPH.exe	cobalt_reflective_dll
C:\Windows\System\FPaAvWf.exe	cobalt_reflective_dll
C:\Windows\System\ySJuCtm.exe	cobalt_reflective_dll
C:\Windows\System\sHvEFTk.exe	cobalt_reflective_dll
C:\Windows\System\reAUhRI.exe	cobalt_reflective_dll
C:\Windows\System\hrxExIA.exe	cobalt_reflective_dll
C:\Windows\System\CwPihvG.exe	cobalt_reflective_dll
C:\Windows\System\kmhyBDV.exe	cobalt_reflective_dll
C:\Windows\System\DTIOUkr.exe	cobalt_reflective_dll
C:\Windows\System\MMGWekM.exe	cobalt_reflective_dll
C:\Windows\System\xgeTUmM.exe	cobalt_reflective_dll
C:\Windows\System\OkdKYef.exe	cobalt_reflective_dll
C:\Windows\System\MkiabEQ.exe	cobalt_reflective_dll
C:\Windows\System\tOeSjjw.exe	cobalt_reflective_dll
C:\Windows\System\YaIevvv.exe	cobalt_reflective_dll
C:\Windows\System\gtziiMn.exe	cobalt_reflective_dll
C:\Windows\System\EfDfSDZ.exe	cobalt_reflective_dll
C:\Windows\System\vePnUlx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\StEgseK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HaEnZMQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NqbgQRH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PPefgPH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FPaAvWf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ySJuCtm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sHvEFTk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\reAUhRI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hrxExIA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CwPihvG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kmhyBDV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DTIOUkr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MMGWekM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xgeTUmM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OkdKYef.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MkiabEQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tOeSjjw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YaIevvv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gtziiMn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EfDfSDZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vePnUlx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/852-0-0x00007FF748420000-0x00007FF748774000-memory.dmp	UPX
C:\Windows\System\StEgseK.exe	UPX
C:\Windows\System\HaEnZMQ.exe	UPX
behavioral2/memory/752-11-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	UPX
C:\Windows\System\NqbgQRH.exe	UPX
behavioral2/memory/4356-12-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	UPX
behavioral2/memory/3108-20-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	UPX
C:\Windows\System\PPefgPH.exe	UPX
C:\Windows\System\FPaAvWf.exe	UPX
behavioral2/memory/3360-27-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	UPX
behavioral2/memory/4132-32-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	UPX
C:\Windows\System\ySJuCtm.exe	UPX
behavioral2/memory/4448-37-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	UPX
C:\Windows\System\sHvEFTk.exe	UPX
C:\Windows\System\reAUhRI.exe	UPX
behavioral2/memory/2992-55-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	UPX
C:\Windows\System\hrxExIA.exe	UPX
behavioral2/memory/3132-65-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	UPX
behavioral2/memory/624-71-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	UPX
behavioral2/memory/2028-77-0x00007FF608E00000-0x00007FF609154000-memory.dmp	UPX
behavioral2/memory/3512-85-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	UPX
C:\Windows\System\CwPihvG.exe	UPX
C:\Windows\System\kmhyBDV.exe	UPX
C:\Windows\System\DTIOUkr.exe	UPX
C:\Windows\System\MMGWekM.exe	UPX
C:\Windows\System\xgeTUmM.exe	UPX
C:\Windows\System\OkdKYef.exe	UPX
C:\Windows\System\MkiabEQ.exe	UPX
C:\Windows\System\tOeSjjw.exe	UPX
behavioral2/memory/2760-88-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	UPX
behavioral2/memory/752-84-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	UPX
C:\Windows\System\YaIevvv.exe	UPX
behavioral2/memory/852-78-0x00007FF748420000-0x00007FF748774000-memory.dmp	UPX
C:\Windows\System\gtziiMn.exe	UPX
C:\Windows\System\EfDfSDZ.exe	UPX
behavioral2/memory/3468-62-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	UPX
C:\Windows\System\vePnUlx.exe	UPX
behavioral2/memory/4004-46-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	UPX
behavioral2/memory/4724-123-0x00007FF689750000-0x00007FF689AA4000-memory.dmp	UPX
behavioral2/memory/4584-124-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp	UPX
behavioral2/memory/2636-125-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	UPX
behavioral2/memory/4652-127-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp	UPX
behavioral2/memory/2644-126-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp	UPX
behavioral2/memory/1936-128-0x00007FF618440000-0x00007FF618794000-memory.dmp	UPX
behavioral2/memory/4404-129-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp	UPX
behavioral2/memory/4448-130-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	UPX
behavioral2/memory/3132-131-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	UPX
behavioral2/memory/2028-132-0x00007FF608E00000-0x00007FF609154000-memory.dmp	UPX
behavioral2/memory/624-133-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	UPX
behavioral2/memory/2760-134-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	UPX
behavioral2/memory/4356-135-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	UPX
behavioral2/memory/752-136-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	UPX
behavioral2/memory/3108-137-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	UPX
behavioral2/memory/3360-138-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	UPX
behavioral2/memory/4132-139-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	UPX
behavioral2/memory/4448-140-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	UPX
behavioral2/memory/4004-141-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	UPX
behavioral2/memory/2992-142-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	UPX
behavioral2/memory/3468-143-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	UPX
behavioral2/memory/624-144-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	UPX
behavioral2/memory/2028-145-0x00007FF608E00000-0x00007FF609154000-memory.dmp	UPX
behavioral2/memory/3132-147-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	UPX
behavioral2/memory/3512-146-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	UPX
behavioral2/memory/2760-148-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/852-0-0x00007FF748420000-0x00007FF748774000-memory.dmp	xmrig
C:\Windows\System\StEgseK.exe	xmrig
C:\Windows\System\HaEnZMQ.exe	xmrig
behavioral2/memory/752-11-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	xmrig
C:\Windows\System\NqbgQRH.exe	xmrig
behavioral2/memory/4356-12-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	xmrig
behavioral2/memory/3108-20-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	xmrig
C:\Windows\System\PPefgPH.exe	xmrig
C:\Windows\System\FPaAvWf.exe	xmrig
behavioral2/memory/3360-27-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	xmrig
behavioral2/memory/4132-32-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	xmrig
C:\Windows\System\ySJuCtm.exe	xmrig
behavioral2/memory/4448-37-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	xmrig
C:\Windows\System\sHvEFTk.exe	xmrig
C:\Windows\System\reAUhRI.exe	xmrig
behavioral2/memory/2992-55-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	xmrig
C:\Windows\System\hrxExIA.exe	xmrig
behavioral2/memory/3132-65-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	xmrig
behavioral2/memory/624-71-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	xmrig
behavioral2/memory/2028-77-0x00007FF608E00000-0x00007FF609154000-memory.dmp	xmrig
behavioral2/memory/3512-85-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	xmrig
C:\Windows\System\CwPihvG.exe	xmrig
C:\Windows\System\kmhyBDV.exe	xmrig
C:\Windows\System\DTIOUkr.exe	xmrig
C:\Windows\System\MMGWekM.exe	xmrig
C:\Windows\System\xgeTUmM.exe	xmrig
C:\Windows\System\OkdKYef.exe	xmrig
C:\Windows\System\MkiabEQ.exe	xmrig
C:\Windows\System\tOeSjjw.exe	xmrig
behavioral2/memory/2760-88-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	xmrig
behavioral2/memory/752-84-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	xmrig
C:\Windows\System\YaIevvv.exe	xmrig
behavioral2/memory/852-78-0x00007FF748420000-0x00007FF748774000-memory.dmp	xmrig
C:\Windows\System\gtziiMn.exe	xmrig
C:\Windows\System\EfDfSDZ.exe	xmrig
behavioral2/memory/3468-62-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	xmrig
C:\Windows\System\vePnUlx.exe	xmrig
behavioral2/memory/4004-46-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	xmrig
behavioral2/memory/4724-123-0x00007FF689750000-0x00007FF689AA4000-memory.dmp	xmrig
behavioral2/memory/4584-124-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp	xmrig
behavioral2/memory/2636-125-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	xmrig
behavioral2/memory/4652-127-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp	xmrig
behavioral2/memory/2644-126-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp	xmrig
behavioral2/memory/1936-128-0x00007FF618440000-0x00007FF618794000-memory.dmp	xmrig
behavioral2/memory/4404-129-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp	xmrig
behavioral2/memory/4448-130-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	xmrig
behavioral2/memory/3132-131-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	xmrig
behavioral2/memory/2028-132-0x00007FF608E00000-0x00007FF609154000-memory.dmp	xmrig
behavioral2/memory/624-133-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	xmrig
behavioral2/memory/2760-134-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	xmrig
behavioral2/memory/4356-135-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	xmrig
behavioral2/memory/752-136-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	xmrig
behavioral2/memory/3108-137-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	xmrig
behavioral2/memory/3360-138-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	xmrig
behavioral2/memory/4132-139-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	xmrig
behavioral2/memory/4448-140-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	xmrig
behavioral2/memory/4004-141-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	xmrig
behavioral2/memory/2992-142-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	xmrig
behavioral2/memory/3468-143-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	xmrig
behavioral2/memory/624-144-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	xmrig
behavioral2/memory/2028-145-0x00007FF608E00000-0x00007FF609154000-memory.dmp	xmrig
behavioral2/memory/3132-147-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	xmrig
behavioral2/memory/3512-146-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	xmrig
behavioral2/memory/2760-148-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

NqbgQRH.exeStEgseK.exeHaEnZMQ.exePPefgPH.exeFPaAvWf.exeySJuCtm.exesHvEFTk.exereAUhRI.exevePnUlx.exeEfDfSDZ.exehrxExIA.exegtziiMn.exeYaIevvv.exetOeSjjw.exeMkiabEQ.exeOkdKYef.exexgeTUmM.exeCwPihvG.exeMMGWekM.exeDTIOUkr.exekmhyBDV.exe

pid	process
752	NqbgQRH.exe
4356	StEgseK.exe
3108	HaEnZMQ.exe
3360	PPefgPH.exe
4132	FPaAvWf.exe
4448	ySJuCtm.exe
4004	sHvEFTk.exe
2992	reAUhRI.exe
3468	vePnUlx.exe
624	EfDfSDZ.exe
3132	hrxExIA.exe
2028	gtziiMn.exe
3512	YaIevvv.exe
2760	tOeSjjw.exe
4404	MkiabEQ.exe
4724	OkdKYef.exe
4584	xgeTUmM.exe
2636	CwPihvG.exe
2644	MMGWekM.exe
4652	DTIOUkr.exe
1936	kmhyBDV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/852-0-0x00007FF748420000-0x00007FF748774000-memory.dmp	upx
C:\Windows\System\StEgseK.exe	upx
C:\Windows\System\HaEnZMQ.exe	upx
behavioral2/memory/752-11-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	upx
C:\Windows\System\NqbgQRH.exe	upx
behavioral2/memory/4356-12-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	upx
behavioral2/memory/3108-20-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	upx
C:\Windows\System\PPefgPH.exe	upx
C:\Windows\System\FPaAvWf.exe	upx
behavioral2/memory/3360-27-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	upx
behavioral2/memory/4132-32-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	upx
C:\Windows\System\ySJuCtm.exe	upx
behavioral2/memory/4448-37-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	upx
C:\Windows\System\sHvEFTk.exe	upx
C:\Windows\System\reAUhRI.exe	upx
behavioral2/memory/2992-55-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	upx
C:\Windows\System\hrxExIA.exe	upx
behavioral2/memory/3132-65-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	upx
behavioral2/memory/624-71-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	upx
behavioral2/memory/2028-77-0x00007FF608E00000-0x00007FF609154000-memory.dmp	upx
behavioral2/memory/3512-85-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	upx
C:\Windows\System\CwPihvG.exe	upx
C:\Windows\System\kmhyBDV.exe	upx
C:\Windows\System\DTIOUkr.exe	upx
C:\Windows\System\MMGWekM.exe	upx
C:\Windows\System\xgeTUmM.exe	upx
C:\Windows\System\OkdKYef.exe	upx
C:\Windows\System\MkiabEQ.exe	upx
C:\Windows\System\tOeSjjw.exe	upx
behavioral2/memory/2760-88-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	upx
behavioral2/memory/752-84-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	upx
C:\Windows\System\YaIevvv.exe	upx
behavioral2/memory/852-78-0x00007FF748420000-0x00007FF748774000-memory.dmp	upx
C:\Windows\System\gtziiMn.exe	upx
C:\Windows\System\EfDfSDZ.exe	upx
behavioral2/memory/3468-62-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	upx
C:\Windows\System\vePnUlx.exe	upx
behavioral2/memory/4004-46-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	upx
behavioral2/memory/4724-123-0x00007FF689750000-0x00007FF689AA4000-memory.dmp	upx
behavioral2/memory/4584-124-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp	upx
behavioral2/memory/2636-125-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	upx
behavioral2/memory/4652-127-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp	upx
behavioral2/memory/2644-126-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp	upx
behavioral2/memory/1936-128-0x00007FF618440000-0x00007FF618794000-memory.dmp	upx
behavioral2/memory/4404-129-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp	upx
behavioral2/memory/4448-130-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	upx
behavioral2/memory/3132-131-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	upx
behavioral2/memory/2028-132-0x00007FF608E00000-0x00007FF609154000-memory.dmp	upx
behavioral2/memory/624-133-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	upx
behavioral2/memory/2760-134-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	upx
behavioral2/memory/4356-135-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp	upx
behavioral2/memory/752-136-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp	upx
behavioral2/memory/3108-137-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp	upx
behavioral2/memory/3360-138-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp	upx
behavioral2/memory/4132-139-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp	upx
behavioral2/memory/4448-140-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp	upx
behavioral2/memory/4004-141-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp	upx
behavioral2/memory/2992-142-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp	upx
behavioral2/memory/3468-143-0x00007FF650350000-0x00007FF6506A4000-memory.dmp	upx
behavioral2/memory/624-144-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	upx
behavioral2/memory/2028-145-0x00007FF608E00000-0x00007FF609154000-memory.dmp	upx
behavioral2/memory/3132-147-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp	upx
behavioral2/memory/3512-146-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp	upx
behavioral2/memory/2760-148-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\OkdKYef.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xgeTUmM.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MMGWekM.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DTIOUkr.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NqbgQRH.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gtziiMn.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FPaAvWf.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ySJuCtm.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hrxExIA.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EfDfSDZ.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MkiabEQ.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\StEgseK.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HaEnZMQ.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tOeSjjw.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kmhyBDV.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\reAUhRI.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YaIevvv.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vePnUlx.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CwPihvG.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PPefgPH.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sHvEFTk.exe	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 852 wrote to memory of 752	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NqbgQRH.exe
PID 852 wrote to memory of 752	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	NqbgQRH.exe
PID 852 wrote to memory of 4356	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	StEgseK.exe
PID 852 wrote to memory of 4356	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	StEgseK.exe
PID 852 wrote to memory of 3108	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	HaEnZMQ.exe
PID 852 wrote to memory of 3108	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	HaEnZMQ.exe
PID 852 wrote to memory of 3360	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	PPefgPH.exe
PID 852 wrote to memory of 3360	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	PPefgPH.exe
PID 852 wrote to memory of 4132	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	FPaAvWf.exe
PID 852 wrote to memory of 4132	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	FPaAvWf.exe
PID 852 wrote to memory of 4448	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	ySJuCtm.exe
PID 852 wrote to memory of 4448	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	ySJuCtm.exe
PID 852 wrote to memory of 4004	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	sHvEFTk.exe
PID 852 wrote to memory of 4004	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	sHvEFTk.exe
PID 852 wrote to memory of 3468	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	vePnUlx.exe
PID 852 wrote to memory of 3468	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	vePnUlx.exe
PID 852 wrote to memory of 2992	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	reAUhRI.exe
PID 852 wrote to memory of 2992	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	reAUhRI.exe
PID 852 wrote to memory of 3132	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	hrxExIA.exe
PID 852 wrote to memory of 3132	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	hrxExIA.exe
PID 852 wrote to memory of 624	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	EfDfSDZ.exe
PID 852 wrote to memory of 624	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	EfDfSDZ.exe
PID 852 wrote to memory of 2028	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gtziiMn.exe
PID 852 wrote to memory of 2028	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	gtziiMn.exe
PID 852 wrote to memory of 3512	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YaIevvv.exe
PID 852 wrote to memory of 3512	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	YaIevvv.exe
PID 852 wrote to memory of 2760	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	tOeSjjw.exe
PID 852 wrote to memory of 2760	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	tOeSjjw.exe
PID 852 wrote to memory of 4404	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	MkiabEQ.exe
PID 852 wrote to memory of 4404	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	MkiabEQ.exe
PID 852 wrote to memory of 4724	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	OkdKYef.exe
PID 852 wrote to memory of 4724	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	OkdKYef.exe
PID 852 wrote to memory of 4584	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xgeTUmM.exe
PID 852 wrote to memory of 4584	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	xgeTUmM.exe
PID 852 wrote to memory of 2636	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	CwPihvG.exe
PID 852 wrote to memory of 2636	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	CwPihvG.exe
PID 852 wrote to memory of 2644	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	MMGWekM.exe
PID 852 wrote to memory of 2644	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	MMGWekM.exe
PID 852 wrote to memory of 4652	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	DTIOUkr.exe
PID 852 wrote to memory of 4652	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	DTIOUkr.exe
PID 852 wrote to memory of 1936	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	kmhyBDV.exe
PID 852 wrote to memory of 1936	852	2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe	kmhyBDV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_257886e5c477a94f8fc4428aa3400d91_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\System\NqbgQRH.exe
C:\Windows\System\NqbgQRH.exe
2⤵
- Executes dropped EXE
PID:752

C:\Windows\System\StEgseK.exe
C:\Windows\System\StEgseK.exe
2⤵
- Executes dropped EXE
PID:4356

C:\Windows\System\HaEnZMQ.exe
C:\Windows\System\HaEnZMQ.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\System\PPefgPH.exe
C:\Windows\System\PPefgPH.exe
2⤵
- Executes dropped EXE
PID:3360

C:\Windows\System\FPaAvWf.exe
C:\Windows\System\FPaAvWf.exe
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\System\ySJuCtm.exe
C:\Windows\System\ySJuCtm.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Windows\System\sHvEFTk.exe
C:\Windows\System\sHvEFTk.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System\vePnUlx.exe
C:\Windows\System\vePnUlx.exe
2⤵
- Executes dropped EXE
PID:3468

C:\Windows\System\reAUhRI.exe
C:\Windows\System\reAUhRI.exe
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\System\hrxExIA.exe
C:\Windows\System\hrxExIA.exe
2⤵
- Executes dropped EXE
PID:3132

C:\Windows\System\EfDfSDZ.exe
C:\Windows\System\EfDfSDZ.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\System\gtziiMn.exe
C:\Windows\System\gtziiMn.exe
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\System\YaIevvv.exe
C:\Windows\System\YaIevvv.exe
2⤵
- Executes dropped EXE
PID:3512

C:\Windows\System\tOeSjjw.exe
C:\Windows\System\tOeSjjw.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\MkiabEQ.exe
C:\Windows\System\MkiabEQ.exe
2⤵
- Executes dropped EXE
PID:4404

C:\Windows\System\OkdKYef.exe
C:\Windows\System\OkdKYef.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\xgeTUmM.exe
C:\Windows\System\xgeTUmM.exe
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\System\CwPihvG.exe
C:\Windows\System\CwPihvG.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\MMGWekM.exe
C:\Windows\System\MMGWekM.exe
2⤵
- Executes dropped EXE
PID:2644

C:\Windows\System\DTIOUkr.exe
C:\Windows\System\DTIOUkr.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System\kmhyBDV.exe
C:\Windows\System\kmhyBDV.exe
2⤵
- Executes dropped EXE
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CwPihvG.exe
Filesize
5.9MB

MD5
25aea6da8c378238305d10ba71476616

SHA1
9391c06903215ab5e12e3221b8f9ed95a1a1894b

SHA256
5a265991c312b29e7c3dd7b1fc7729976df0816ba5efd7cd73185297a7bb8c3d

SHA512
0b92334807b60f326c14b6c3b5b46091c285f70588b187b02d060a818f8a176055dbb4e9a25e6e5b8ed7cbf7ab10709ff55c78d39949eb2dc0347bdb25a39de3

Download Submit
C:\Windows\System\DTIOUkr.exe
Filesize
5.9MB

MD5
89ca264ac8ceb3f14a1a5306532a9bff

SHA1
303f897dd0ead89ce37dc70da81329df7f9a534b

SHA256
8f0ba89a4dfe5cbe2e6b0de685abfffa7e06d2a8cf337a0f4b979c8c8504ab7a

SHA512
99d0e16ad4b3fde421afeb07fcb1b9bd03a1cf315cf22e5a40425db1c58c6b64b99352b4f1c7df8b852e72b1e2b4acc4cad56e5a8cb1186c2f0758fd1c3a8437

Download Submit
C:\Windows\System\EfDfSDZ.exe
Filesize
5.9MB

MD5
a888a1ef06b5cc875033cae95df4a076

SHA1
0dd40d6093ce8402ac62b2d9864d61d5621401e5

SHA256
fab7e70ae68630a6f97340ea529fd57a3afdd0b328a6479751b18fdf8bbbdb96

SHA512
d5d91af47e1adf7e7bedf56d614aa1fdc22178eca4aaf71435ee6e043e0447cc0453d9972585fc6a46080218ecf5ee89d3c271b089af317de8571f615f917d7a

Download Submit
C:\Windows\System\FPaAvWf.exe
Filesize
5.9MB

MD5
5c8eb99c1e9bfb82720fcde4dbff3d21

SHA1
065b302ce88bef2b78da94617d02264c1635316f

SHA256
04ee2f5a8529b91cb26535e699e962680d19fa4a213cf17c41fc6433e1cc0a6b

SHA512
af13468c0294971f2661133f66e2ca646ad4caed9ebda816c66b4513ec2377115d77201cf82ee49dbd01f805ab45a46699176154183b06f2decc87f638358cc2

Download Submit
C:\Windows\System\HaEnZMQ.exe
Filesize
5.9MB

MD5
87330c05741027a498d9fff6ee3a0987

SHA1
e94495e84d7eb1d207da624200119f5c97352507

SHA256
d01f52ea0dfb9c880549b7553dc1bd501b2edd067c2d910be1acdcba87a3f60c

SHA512
dc13d0ef98b61ce20ff26ac6b22332a98382a739f405422ac42b00b2be6a33a6f3ad7c78b6329be5f33c45d7025481fb1b1a34c5343873f6d0ba289bfdbe7e1b

Download Submit
C:\Windows\System\MMGWekM.exe
Filesize
5.9MB

MD5
db21c29b805538e31a06cfd034f56e5e

SHA1
6bb2e724403757d8df46b08be8ba1195be695f52

SHA256
e632d3f639ebb083f4245bcdb69cdcf6e447aec4ded393bc8b315098b9956149

SHA512
18fbec528d8ce8cb5ed3f8d38008d47c1e05844b974757e570adf58f2109730949b358a33ada96a6517f9ef801867358f024f6a1cb7176dc149afa19235f4228

Download Submit
C:\Windows\System\MkiabEQ.exe
Filesize
5.9MB

MD5
80e7a1c795f7a637638e5c5abfae670b

SHA1
976523e2873f326c952669abc22eeac80e9bc504

SHA256
b3af4c7154bb447ad10747d73ac25d2ce9c2d8553bfe5d1fda8563a143ebe280

SHA512
c6e5bc83689964937e6f0f91001b4b7de76e9b2ff6958ddafacd7f90ca40a204ec47e8e3052486291dc26148d82af912b015feb4cef5384e5bad49ede2b29459

Download Submit
C:\Windows\System\NqbgQRH.exe
Filesize
5.9MB

MD5
08b579111cec1ab7b60b4761131e9c07

SHA1
51c30ce8ad188e64422ec63b4b90d1459eed37f7

SHA256
7b3569811cbe332418bc67b554928f3bd8061126f9bad347d54df6b94afdfbbb

SHA512
534ef21d88fba8265a9090996cbab5d1196f3bf2ba5375b4bdd079032bc695d3e1ec1c1c0eea3296b07963be1834e1e4fe1f107bbd80de94f402a725f489547c

Download Submit
C:\Windows\System\OkdKYef.exe
Filesize
5.9MB

MD5
033935b9041ca3eba95982b1f0eea72e

SHA1
b577756c16e2c36e34ae9d4e6c3a2d0fe4c94678

SHA256
e74dc53b21e39de7a6d1706f72fbb0e52acb8a2dcd2eb0186310577f0d2b4332

SHA512
90fa2099ae19571437d07b60941b2902c460ca179b7f8cae140aab82568b739e0d858e7e4c7810c2ef3dcb3f8fe61e7da3c11c6bc10d892bea223e93bdacc5f3

Download Submit
C:\Windows\System\PPefgPH.exe
Filesize
5.9MB

MD5
0447b3751ee092d8e9d37f2e6049af27

SHA1
d5a0262be0bdfa223935e2278590077390ac2df8

SHA256
605f26bce089d5f0775953d4977dbf77453fcaa3ae7c60ae0e51524ac309ef9c

SHA512
f58f29d5e277461c52b12393211ce56edf9f520f3bb65575a22e11d1b21f770db751624d48754df5ef4457cb6523940345ea229043865185a78d3ed404d57161

Download Submit
C:\Windows\System\StEgseK.exe
Filesize
5.9MB

MD5
85c8358aa8718ef21b76885f6cdf6465

SHA1
9a596b27010d9e74de1976e12d46beccd9c28ff1

SHA256
b395e1f0cb8802e4e766ee1ca0585f17b6b32e613e1bb667e5278971a97056dc

SHA512
6fe9d819e1d1b6c2c0fe330463fc2fc199087ac604a300e9cb12834949b247ee3152dd949b4ee7b68b45bbb40c0a110c2f5c288d11d8e2781905134df005be97

Download Submit
C:\Windows\System\YaIevvv.exe
Filesize
5.9MB

MD5
e090404d2b9623b771cba4e41e3d5b12

SHA1
091875ec30ab7123168ab7a42959fb14f439e516

SHA256
686d72d56bdd3b527548740674b4fe4f58425ae262fd69a9d26a4ae3db04e505

SHA512
62424e5802f615701cd53f6d97c69dad9b3dcf8389f4e70f139a748229a7aba8cd96e295e9fd8c2875b526e71356aee5ad7f45bf8344666a728d6dad1139f9c9

Download Submit
C:\Windows\System\gtziiMn.exe
Filesize
5.9MB

MD5
3806d61d05f2d5f3064021e1e6fe50df

SHA1
97c8a27fb757a88f45482991ffd979b26327182b

SHA256
a0f82d5a0f43d1fc20662843ade2bfc680a556700839db2babae8ce5d20f409f

SHA512
aabf46e67ca28d74cc1be42de83cd3def73c9fd113635cc8c782ccf697bc983529d42cb56aed0e1c017338489cae4e03a4b2f144497e600cae90e1b5abbb406a

Download Submit
C:\Windows\System\hrxExIA.exe
Filesize
5.9MB

MD5
86e83ad8546f770193b055c801552b17

SHA1
64b606cec11b5ffa099ecac115243f3d4b53a075

SHA256
b1c2c654b382efab98baf73b03a6f79d752e45d2d80b441fc07e8461aeb4cdcd

SHA512
11153f7a04d593c16726e26e6afc9d07a237bf6cc89d49b4013fc733e53091baaae55dd78d9c60da0327071c06b0fe40693b8b7a088c2af80d9ab9df6304ac2c

Download Submit
C:\Windows\System\kmhyBDV.exe
Filesize
5.9MB

MD5
a71b8e3f98e5318d039ee52e9b71f271

SHA1
1fc487c9579ad6aa1c94d3cd636c4b9890c54c89

SHA256
99957ffa46a1fdb15d571dc55d8be9b67460cc37509b976f2903aabc2f5a5397

SHA512
b2838847ddfd217b2016df8a11139c1c300deca2e49c3bf019354f41934cbfd689c2964544ee1efb937eb67259298985eb0d4d37c39fad7c6f4eb2a5af26af5c

Download Submit
C:\Windows\System\reAUhRI.exe
Filesize
5.9MB

MD5
7eddef2c1327a9f122f0574318245e68

SHA1
611e4e0ab19804a9da8293bf86911baf23025322

SHA256
3fd64e58b0a5d85b7b9db92597f5faf07481b2c09a69c6dc11eaa244baf6ee39

SHA512
f00979b7fabf1a36a946f9c9052f3e679a0d9a9926546154e3011e001135a992e8b8dce0bab31c9cd87c71e996d200bb3115706530da70bd704a6df353f8a2b0

Download Submit
C:\Windows\System\sHvEFTk.exe
Filesize
5.9MB

MD5
67ac5c0f7a588009a4d46ed96181c204

SHA1
b57256a95d9b365eef73cc1efaf86ceee2a3ab90

SHA256
e250863fda2c63cfd18d1d66f7de189bf56c22f711e8b9ee349a4d70cd064bd0

SHA512
4637a5d670f724d5a75614d0f11e03e94e49bf4713a2b5de5ab99ef9fb2dff115140c0c247f9c57b686ce90801f205c28063dcf301f4ced4e405dda458ef1690

Download Submit
C:\Windows\System\tOeSjjw.exe
Filesize
5.9MB

MD5
370a077b01aae66ec9189b9cefccc1b5

SHA1
e2d9d0a2029973c95beb130653548a35d2f20433

SHA256
07078757ef538a26af84cd8de4431994961d46a6f73c61b239a98da9eaa163eb

SHA512
2993a14b28382f0fb47e7c3d21a94fa127fc5510965cc9564816332cff3cdb1cfaa64e39b4776ce1f29f9fd87ffa42c7eefb96468da93c2c8787c50e3f0c424d

Download Submit
C:\Windows\System\vePnUlx.exe
Filesize
5.9MB

MD5
70a274c93041ef6cb8a37c890a68a29c

SHA1
d4c2f2f2a5a8c29d68530c666fe2b398af99c4da

SHA256
83be60dab5afb8dd88d395a910c2a9e9be52b914c0e0e272f0ec3b0ef862bb90

SHA512
7f67e201f356d9105eba5b897a593e2b9cfdddc6abdf5e1d56adde2602abbc0edffacd0f0a7dea54a3f296ab1e1843eb70d0a2cd34ffbf7a84d9d0523b377fe8

Download Submit
C:\Windows\System\xgeTUmM.exe
Filesize
5.9MB

MD5
9797c62ed0a98a0f7615f08eaa1fb616

SHA1
3c110589f1a4a9eae66ff1e9143e7252a7ca3395

SHA256
d3a235593c3a5615371ddfd615134ecf46d08ea1b324c602e037eb90d48343cd

SHA512
b938d5b29955c97c285c6c3709a2d40de353436107fbf3da177ce8979a59fdc76f8fd1d623268ba3a7f0edb1c6c1ee10b188fa058c47853485059cc25824b6f7

Download Submit
C:\Windows\System\ySJuCtm.exe
Filesize
5.9MB

MD5
d14d729ece374250b9ab4c786ffc4db3

SHA1
ae9aee482c89d73f15974fd6c35100643494e5f7

SHA256
83974eca18d6ee66c15d905fdad0c2b6bd843b4f1048c30bbbda5c6a3a658af1

SHA512
7e20ede8df192b82aa74fe73d45d6614b9e1bb288509dc2647d42b209ad946fb5bf1b037cbd891bad3fb18a88f0fa0acf592226cf0260166655663f32a473aff

Download Submit
memory/624-71-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/624-144-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/624-133-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/752-11-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp

Filesize
3.3MB

Download
memory/752-84-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp

Filesize
3.3MB

Download
memory/752-136-0x00007FF60EC30000-0x00007FF60EF84000-memory.dmp

Filesize
3.3MB

Download
memory/852-0-0x00007FF748420000-0x00007FF748774000-memory.dmp

Filesize
3.3MB

Download
memory/852-1-0x000001AC942A0000-0x000001AC942B0000-memory.dmp

Filesize
64KB

Download
memory/852-78-0x00007FF748420000-0x00007FF748774000-memory.dmp

Filesize
3.3MB

Download
memory/1936-153-0x00007FF618440000-0x00007FF618794000-memory.dmp

Filesize
3.3MB

Download
memory/1936-128-0x00007FF618440000-0x00007FF618794000-memory.dmp

Filesize
3.3MB

Download
memory/2028-77-0x00007FF608E00000-0x00007FF609154000-memory.dmp

Filesize
3.3MB

Download
memory/2028-132-0x00007FF608E00000-0x00007FF609154000-memory.dmp

Filesize
3.3MB

Download
memory/2028-145-0x00007FF608E00000-0x00007FF609154000-memory.dmp

Filesize
3.3MB

Download
memory/2636-152-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-125-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

Filesize
3.3MB

Download
memory/2644-126-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp

Filesize
3.3MB

Download
memory/2644-155-0x00007FF7A9DC0000-0x00007FF7AA114000-memory.dmp

Filesize
3.3MB

Download
memory/2760-148-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp

Filesize
3.3MB

Download
memory/2760-88-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp

Filesize
3.3MB

Download
memory/2760-134-0x00007FF6E2820000-0x00007FF6E2B74000-memory.dmp

Filesize
3.3MB

Download
memory/2992-142-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp

Filesize
3.3MB

Download
memory/2992-55-0x00007FF6F04B0000-0x00007FF6F0804000-memory.dmp

Filesize
3.3MB

Download
memory/3108-20-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp

Filesize
3.3MB

Download
memory/3108-137-0x00007FF7D19E0000-0x00007FF7D1D34000-memory.dmp

Filesize
3.3MB

Download
memory/3132-147-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-131-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3132-65-0x00007FF76BB60000-0x00007FF76BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3360-27-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp

Filesize
3.3MB

Download
memory/3360-138-0x00007FF63EEC0000-0x00007FF63F214000-memory.dmp

Filesize
3.3MB

Download
memory/3468-143-0x00007FF650350000-0x00007FF6506A4000-memory.dmp

Filesize
3.3MB

Download
memory/3468-62-0x00007FF650350000-0x00007FF6506A4000-memory.dmp

Filesize
3.3MB

Download
memory/3512-85-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp

Filesize
3.3MB

Download
memory/3512-146-0x00007FF6DB990000-0x00007FF6DBCE4000-memory.dmp

Filesize
3.3MB

Download
memory/4004-46-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4004-141-0x00007FF66EE80000-0x00007FF66F1D4000-memory.dmp

Filesize
3.3MB

Download
memory/4132-32-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp

Filesize
3.3MB

Download
memory/4132-139-0x00007FF77A1A0000-0x00007FF77A4F4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-12-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-135-0x00007FF78D690000-0x00007FF78D9E4000-memory.dmp

Filesize
3.3MB

Download
memory/4404-129-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp

Filesize
3.3MB

Download
memory/4404-150-0x00007FF76DA60000-0x00007FF76DDB4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-130-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp

Filesize
3.3MB

Download
memory/4448-140-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp

Filesize
3.3MB

Download
memory/4448-37-0x00007FF6A9710000-0x00007FF6A9A64000-memory.dmp

Filesize
3.3MB

Download
memory/4584-151-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-124-0x00007FF7F7650000-0x00007FF7F79A4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-154-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp

Filesize
3.3MB

Download
memory/4652-127-0x00007FF7EB8D0000-0x00007FF7EBC24000-memory.dmp

Filesize
3.3MB

Download
memory/4724-149-0x00007FF689750000-0x00007FF689AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4724-123-0x00007FF689750000-0x00007FF689AA4000-memory.dmp

Filesize
3.3MB

Download