cobaltstrike | 1fc4ac3736a393dc3beb491920aa1b353be72bfef033c05bfc35d26bd8275719

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ca4c1f6eec8fadbaca2284a0574a6475
SHA1

4e6242174e1c8d8927ee29a29294974574189250
SHA256

1fc4ac3736a393dc3beb491920aa1b353be72bfef033c05bfc35d26bd8275719
SHA512

94aa3b2fdf4e86f6eba7d08ecbf12dc228d847c94065bfa53172f3173b72754a507c2fb035d98c18c5b8f8cc73bc1e6a64ce782dd7d4f03339629c88f576ecb4
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:Q+856utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\XVfEehU.exe	cobalt_reflective_dll
C:\Windows\System\zoNEHkd.exe	cobalt_reflective_dll
C:\Windows\System\yHokHxg.exe	cobalt_reflective_dll
C:\Windows\System\AvuzRdY.exe	cobalt_reflective_dll
C:\Windows\System\LrjhqZo.exe	cobalt_reflective_dll
C:\Windows\System\RJLfPyd.exe	cobalt_reflective_dll
C:\Windows\System\qfuGVti.exe	cobalt_reflective_dll
C:\Windows\System\TGGchbA.exe	cobalt_reflective_dll
C:\Windows\System\gtKanGC.exe	cobalt_reflective_dll
C:\Windows\System\gGfgfuO.exe	cobalt_reflective_dll
C:\Windows\System\AmnILYh.exe	cobalt_reflective_dll
C:\Windows\System\nhaErco.exe	cobalt_reflective_dll
C:\Windows\System\NODsGXJ.exe	cobalt_reflective_dll
C:\Windows\System\snHHmwj.exe	cobalt_reflective_dll
C:\Windows\System\QdlpGDi.exe	cobalt_reflective_dll
C:\Windows\System\GHhORDj.exe	cobalt_reflective_dll
C:\Windows\System\prwmgkR.exe	cobalt_reflective_dll
C:\Windows\System\LDDzABz.exe	cobalt_reflective_dll
C:\Windows\System\qvfAARq.exe	cobalt_reflective_dll
C:\Windows\System\nfPnaWc.exe	cobalt_reflective_dll
C:\Windows\System\oMSKiom.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\XVfEehU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zoNEHkd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yHokHxg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AvuzRdY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LrjhqZo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RJLfPyd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qfuGVti.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TGGchbA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gtKanGC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gGfgfuO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AmnILYh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nhaErco.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NODsGXJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\snHHmwj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QdlpGDi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GHhORDj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\prwmgkR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LDDzABz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qvfAARq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nfPnaWc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oMSKiom.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	UPX
C:\Windows\System\XVfEehU.exe	UPX
C:\Windows\System\zoNEHkd.exe	UPX
C:\Windows\System\yHokHxg.exe	UPX
C:\Windows\System\AvuzRdY.exe	UPX
behavioral2/memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	UPX
C:\Windows\System\LrjhqZo.exe	UPX
behavioral2/memory/3304-31-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	UPX
behavioral2/memory/1908-29-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	UPX
behavioral2/memory/3680-25-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	UPX
behavioral2/memory/1656-7-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	UPX
C:\Windows\System\RJLfPyd.exe	UPX
behavioral2/memory/3312-38-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	UPX
C:\Windows\System\qfuGVti.exe	UPX
C:\Windows\System\TGGchbA.exe	UPX
behavioral2/memory/3024-44-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	UPX
C:\Windows\System\gtKanGC.exe	UPX
behavioral2/memory/2900-64-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	UPX
C:\Windows\System\gGfgfuO.exe	UPX
C:\Windows\System\AmnILYh.exe	UPX
C:\Windows\System\nhaErco.exe	UPX
behavioral2/memory/4092-94-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp	UPX
C:\Windows\System\NODsGXJ.exe	UPX
behavioral2/memory/1380-102-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp	UPX
behavioral2/memory/1972-104-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	UPX
behavioral2/memory/3736-103-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	UPX
behavioral2/memory/4392-101-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp	UPX
behavioral2/memory/4836-98-0x00007FF676140000-0x00007FF676494000-memory.dmp	UPX
behavioral2/memory/3388-97-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	UPX
C:\Windows\System\snHHmwj.exe	UPX
behavioral2/memory/4540-91-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	UPX
C:\Windows\System\QdlpGDi.exe	UPX
C:\Windows\System\GHhORDj.exe	UPX
C:\Windows\System\prwmgkR.exe	UPX
behavioral2/memory/1360-52-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	UPX
C:\Windows\System\LDDzABz.exe	UPX
behavioral2/memory/3088-110-0x00007FF682660000-0x00007FF6829B4000-memory.dmp	UPX
C:\Windows\System\qvfAARq.exe	UPX
behavioral2/memory/2796-116-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	UPX
behavioral2/memory/4344-115-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	UPX
behavioral2/memory/3492-124-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	UPX
behavioral2/memory/4848-125-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp	UPX
behavioral2/memory/1656-123-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	UPX
C:\Windows\System\nfPnaWc.exe	UPX
C:\Windows\System\oMSKiom.exe	UPX
behavioral2/memory/4712-130-0x00007FF665930000-0x00007FF665C84000-memory.dmp	UPX
behavioral2/memory/3304-131-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	UPX
behavioral2/memory/3024-132-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	UPX
behavioral2/memory/2900-133-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	UPX
behavioral2/memory/4540-134-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	UPX
behavioral2/memory/2796-135-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	UPX
behavioral2/memory/1656-136-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	UPX
behavioral2/memory/3492-137-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	UPX
behavioral2/memory/1908-138-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	UPX
behavioral2/memory/3680-139-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	UPX
behavioral2/memory/3304-140-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	UPX
behavioral2/memory/3312-141-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	UPX
behavioral2/memory/3024-142-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	UPX
behavioral2/memory/1360-143-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	UPX
behavioral2/memory/2900-144-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	UPX
behavioral2/memory/3736-145-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	UPX
behavioral2/memory/4540-146-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	UPX
behavioral2/memory/1972-147-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	UPX
behavioral2/memory/3388-148-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	xmrig
C:\Windows\System\XVfEehU.exe	xmrig
C:\Windows\System\zoNEHkd.exe	xmrig
C:\Windows\System\yHokHxg.exe	xmrig
C:\Windows\System\AvuzRdY.exe	xmrig
behavioral2/memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	xmrig
C:\Windows\System\LrjhqZo.exe	xmrig
behavioral2/memory/3304-31-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	xmrig
behavioral2/memory/1908-29-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	xmrig
behavioral2/memory/3680-25-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	xmrig
behavioral2/memory/1656-7-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	xmrig
C:\Windows\System\RJLfPyd.exe	xmrig
behavioral2/memory/3312-38-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	xmrig
C:\Windows\System\qfuGVti.exe	xmrig
C:\Windows\System\TGGchbA.exe	xmrig
behavioral2/memory/3024-44-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	xmrig
C:\Windows\System\gtKanGC.exe	xmrig
behavioral2/memory/2900-64-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	xmrig
C:\Windows\System\gGfgfuO.exe	xmrig
C:\Windows\System\AmnILYh.exe	xmrig
C:\Windows\System\nhaErco.exe	xmrig
behavioral2/memory/4092-94-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp	xmrig
C:\Windows\System\NODsGXJ.exe	xmrig
behavioral2/memory/1380-102-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp	xmrig
behavioral2/memory/1972-104-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	xmrig
behavioral2/memory/3736-103-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	xmrig
behavioral2/memory/4392-101-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp	xmrig
behavioral2/memory/4836-98-0x00007FF676140000-0x00007FF676494000-memory.dmp	xmrig
behavioral2/memory/3388-97-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	xmrig
C:\Windows\System\snHHmwj.exe	xmrig
behavioral2/memory/4540-91-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	xmrig
C:\Windows\System\QdlpGDi.exe	xmrig
C:\Windows\System\GHhORDj.exe	xmrig
C:\Windows\System\prwmgkR.exe	xmrig
behavioral2/memory/1360-52-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	xmrig
C:\Windows\System\LDDzABz.exe	xmrig
behavioral2/memory/3088-110-0x00007FF682660000-0x00007FF6829B4000-memory.dmp	xmrig
C:\Windows\System\qvfAARq.exe	xmrig
behavioral2/memory/2796-116-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	xmrig
behavioral2/memory/4344-115-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	xmrig
behavioral2/memory/3492-124-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	xmrig
behavioral2/memory/4848-125-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp	xmrig
behavioral2/memory/1656-123-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	xmrig
C:\Windows\System\nfPnaWc.exe	xmrig
C:\Windows\System\oMSKiom.exe	xmrig
behavioral2/memory/4712-130-0x00007FF665930000-0x00007FF665C84000-memory.dmp	xmrig
behavioral2/memory/3304-131-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	xmrig
behavioral2/memory/3024-132-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	xmrig
behavioral2/memory/2900-133-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	xmrig
behavioral2/memory/4540-134-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	xmrig
behavioral2/memory/2796-135-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	xmrig
behavioral2/memory/1656-136-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	xmrig
behavioral2/memory/3492-137-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	xmrig
behavioral2/memory/1908-138-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	xmrig
behavioral2/memory/3680-139-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	xmrig
behavioral2/memory/3304-140-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	xmrig
behavioral2/memory/3312-141-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	xmrig
behavioral2/memory/3024-142-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	xmrig
behavioral2/memory/1360-143-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	xmrig
behavioral2/memory/2900-144-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	xmrig
behavioral2/memory/3736-145-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	xmrig
behavioral2/memory/4540-146-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	xmrig
behavioral2/memory/1972-147-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	xmrig
behavioral2/memory/3388-148-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XVfEehU.exeyHokHxg.exezoNEHkd.exeAvuzRdY.exeLrjhqZo.exeRJLfPyd.exeqfuGVti.exeTGGchbA.exeprwmgkR.exegtKanGC.exeGHhORDj.exeQdlpGDi.exegGfgfuO.exeAmnILYh.exenhaErco.exesnHHmwj.exeNODsGXJ.exeLDDzABz.exeqvfAARq.exenfPnaWc.exeoMSKiom.exe

pid	process
1656	XVfEehU.exe
3492	yHokHxg.exe
1908	zoNEHkd.exe
3680	AvuzRdY.exe
3304	LrjhqZo.exe
3312	RJLfPyd.exe
3024	qfuGVti.exe
1360	TGGchbA.exe
2900	prwmgkR.exe
3736	gtKanGC.exe
4540	GHhORDj.exe
1972	QdlpGDi.exe
4092	gGfgfuO.exe
3388	AmnILYh.exe
4836	nhaErco.exe
4392	snHHmwj.exe
1380	NODsGXJ.exe
3088	LDDzABz.exe
2796	qvfAARq.exe
4848	nfPnaWc.exe
4712	oMSKiom.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	upx
C:\Windows\System\XVfEehU.exe	upx
C:\Windows\System\zoNEHkd.exe	upx
C:\Windows\System\yHokHxg.exe	upx
C:\Windows\System\AvuzRdY.exe	upx
behavioral2/memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	upx
C:\Windows\System\LrjhqZo.exe	upx
behavioral2/memory/3304-31-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	upx
behavioral2/memory/1908-29-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	upx
behavioral2/memory/3680-25-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	upx
behavioral2/memory/1656-7-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	upx
C:\Windows\System\RJLfPyd.exe	upx
behavioral2/memory/3312-38-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	upx
C:\Windows\System\qfuGVti.exe	upx
C:\Windows\System\TGGchbA.exe	upx
behavioral2/memory/3024-44-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	upx
C:\Windows\System\gtKanGC.exe	upx
behavioral2/memory/2900-64-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	upx
C:\Windows\System\gGfgfuO.exe	upx
C:\Windows\System\AmnILYh.exe	upx
C:\Windows\System\nhaErco.exe	upx
behavioral2/memory/4092-94-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp	upx
C:\Windows\System\NODsGXJ.exe	upx
behavioral2/memory/1380-102-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp	upx
behavioral2/memory/1972-104-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	upx
behavioral2/memory/3736-103-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	upx
behavioral2/memory/4392-101-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp	upx
behavioral2/memory/4836-98-0x00007FF676140000-0x00007FF676494000-memory.dmp	upx
behavioral2/memory/3388-97-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	upx
C:\Windows\System\snHHmwj.exe	upx
behavioral2/memory/4540-91-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	upx
C:\Windows\System\QdlpGDi.exe	upx
C:\Windows\System\GHhORDj.exe	upx
C:\Windows\System\prwmgkR.exe	upx
behavioral2/memory/1360-52-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	upx
C:\Windows\System\LDDzABz.exe	upx
behavioral2/memory/3088-110-0x00007FF682660000-0x00007FF6829B4000-memory.dmp	upx
C:\Windows\System\qvfAARq.exe	upx
behavioral2/memory/2796-116-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	upx
behavioral2/memory/4344-115-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp	upx
behavioral2/memory/3492-124-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	upx
behavioral2/memory/4848-125-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp	upx
behavioral2/memory/1656-123-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	upx
C:\Windows\System\nfPnaWc.exe	upx
C:\Windows\System\oMSKiom.exe	upx
behavioral2/memory/4712-130-0x00007FF665930000-0x00007FF665C84000-memory.dmp	upx
behavioral2/memory/3304-131-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	upx
behavioral2/memory/3024-132-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	upx
behavioral2/memory/2900-133-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	upx
behavioral2/memory/4540-134-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	upx
behavioral2/memory/2796-135-0x00007FF68D610000-0x00007FF68D964000-memory.dmp	upx
behavioral2/memory/1656-136-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp	upx
behavioral2/memory/3492-137-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp	upx
behavioral2/memory/1908-138-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp	upx
behavioral2/memory/3680-139-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp	upx
behavioral2/memory/3304-140-0x00007FF620190000-0x00007FF6204E4000-memory.dmp	upx
behavioral2/memory/3312-141-0x00007FF738A20000-0x00007FF738D74000-memory.dmp	upx
behavioral2/memory/3024-142-0x00007FF706A10000-0x00007FF706D64000-memory.dmp	upx
behavioral2/memory/1360-143-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp	upx
behavioral2/memory/2900-144-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp	upx
behavioral2/memory/3736-145-0x00007FF79D020000-0x00007FF79D374000-memory.dmp	upx
behavioral2/memory/4540-146-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp	upx
behavioral2/memory/1972-147-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp	upx
behavioral2/memory/3388-148-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\qvfAARq.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nfPnaWc.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qfuGVti.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\prwmgkR.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gGfgfuO.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oMSKiom.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RJLfPyd.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TGGchbA.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AvuzRdY.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LrjhqZo.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QdlpGDi.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NODsGXJ.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yHokHxg.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zoNEHkd.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GHhORDj.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AmnILYh.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nhaErco.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\snHHmwj.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LDDzABz.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XVfEehU.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gtKanGC.exe	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4344 wrote to memory of 1656	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	XVfEehU.exe
PID 4344 wrote to memory of 1656	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	XVfEehU.exe
PID 4344 wrote to memory of 3492	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	yHokHxg.exe
PID 4344 wrote to memory of 3492	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	yHokHxg.exe
PID 4344 wrote to memory of 1908	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	zoNEHkd.exe
PID 4344 wrote to memory of 1908	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	zoNEHkd.exe
PID 4344 wrote to memory of 3680	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	AvuzRdY.exe
PID 4344 wrote to memory of 3680	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	AvuzRdY.exe
PID 4344 wrote to memory of 3304	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	LrjhqZo.exe
PID 4344 wrote to memory of 3304	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	LrjhqZo.exe
PID 4344 wrote to memory of 3312	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	RJLfPyd.exe
PID 4344 wrote to memory of 3312	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	RJLfPyd.exe
PID 4344 wrote to memory of 3024	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	qfuGVti.exe
PID 4344 wrote to memory of 3024	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	qfuGVti.exe
PID 4344 wrote to memory of 1360	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	TGGchbA.exe
PID 4344 wrote to memory of 1360	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	TGGchbA.exe
PID 4344 wrote to memory of 2900	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	prwmgkR.exe
PID 4344 wrote to memory of 2900	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	prwmgkR.exe
PID 4344 wrote to memory of 3736	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gtKanGC.exe
PID 4344 wrote to memory of 3736	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gtKanGC.exe
PID 4344 wrote to memory of 4540	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	GHhORDj.exe
PID 4344 wrote to memory of 4540	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	GHhORDj.exe
PID 4344 wrote to memory of 1972	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QdlpGDi.exe
PID 4344 wrote to memory of 1972	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	QdlpGDi.exe
PID 4344 wrote to memory of 4092	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gGfgfuO.exe
PID 4344 wrote to memory of 4092	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	gGfgfuO.exe
PID 4344 wrote to memory of 3388	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	AmnILYh.exe
PID 4344 wrote to memory of 3388	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	AmnILYh.exe
PID 4344 wrote to memory of 4836	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nhaErco.exe
PID 4344 wrote to memory of 4836	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nhaErco.exe
PID 4344 wrote to memory of 4392	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	snHHmwj.exe
PID 4344 wrote to memory of 4392	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	snHHmwj.exe
PID 4344 wrote to memory of 1380	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	NODsGXJ.exe
PID 4344 wrote to memory of 1380	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	NODsGXJ.exe
PID 4344 wrote to memory of 3088	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	LDDzABz.exe
PID 4344 wrote to memory of 3088	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	LDDzABz.exe
PID 4344 wrote to memory of 2796	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	qvfAARq.exe
PID 4344 wrote to memory of 2796	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	qvfAARq.exe
PID 4344 wrote to memory of 4848	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nfPnaWc.exe
PID 4344 wrote to memory of 4848	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	nfPnaWc.exe
PID 4344 wrote to memory of 4712	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	oMSKiom.exe
PID 4344 wrote to memory of 4712	4344	2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe	oMSKiom.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_ca4c1f6eec8fadbaca2284a0574a6475_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\System\XVfEehU.exe
C:\Windows\System\XVfEehU.exe
2⤵
- Executes dropped EXE
PID:1656

C:\Windows\System\yHokHxg.exe
C:\Windows\System\yHokHxg.exe
2⤵
- Executes dropped EXE
PID:3492

C:\Windows\System\zoNEHkd.exe
C:\Windows\System\zoNEHkd.exe
2⤵
- Executes dropped EXE
PID:1908

C:\Windows\System\AvuzRdY.exe
C:\Windows\System\AvuzRdY.exe
2⤵
- Executes dropped EXE
PID:3680

C:\Windows\System\LrjhqZo.exe
C:\Windows\System\LrjhqZo.exe
2⤵
- Executes dropped EXE
PID:3304

C:\Windows\System\RJLfPyd.exe
C:\Windows\System\RJLfPyd.exe
2⤵
- Executes dropped EXE
PID:3312

C:\Windows\System\qfuGVti.exe
C:\Windows\System\qfuGVti.exe
2⤵
- Executes dropped EXE
PID:3024

C:\Windows\System\TGGchbA.exe
C:\Windows\System\TGGchbA.exe
2⤵
- Executes dropped EXE
PID:1360

C:\Windows\System\prwmgkR.exe
C:\Windows\System\prwmgkR.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\gtKanGC.exe
C:\Windows\System\gtKanGC.exe
2⤵
- Executes dropped EXE
PID:3736

C:\Windows\System\GHhORDj.exe
C:\Windows\System\GHhORDj.exe
2⤵
- Executes dropped EXE
PID:4540

C:\Windows\System\QdlpGDi.exe
C:\Windows\System\QdlpGDi.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\gGfgfuO.exe
C:\Windows\System\gGfgfuO.exe
2⤵
- Executes dropped EXE
PID:4092

C:\Windows\System\AmnILYh.exe
C:\Windows\System\AmnILYh.exe
2⤵
- Executes dropped EXE
PID:3388

C:\Windows\System\nhaErco.exe
C:\Windows\System\nhaErco.exe
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\System\snHHmwj.exe
C:\Windows\System\snHHmwj.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Windows\System\NODsGXJ.exe
C:\Windows\System\NODsGXJ.exe
2⤵
- Executes dropped EXE
PID:1380

C:\Windows\System\LDDzABz.exe
C:\Windows\System\LDDzABz.exe
2⤵
- Executes dropped EXE
PID:3088

C:\Windows\System\qvfAARq.exe
C:\Windows\System\qvfAARq.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\nfPnaWc.exe
C:\Windows\System\nfPnaWc.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\oMSKiom.exe
C:\Windows\System\oMSKiom.exe
2⤵
- Executes dropped EXE
PID:4712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmnILYh.exe
Filesize
5.9MB

MD5
b33fac21a0b9395deb3d61331258fcaa

SHA1
b3fc84730ee7eb1fa6f89d9dfc4ccf5501f3c7e9

SHA256
c5219f94d98ca8d8cd4dd6c930197818f08b0e6cf0822662525e599628228e50

SHA512
8b6f0642fc71913620915b39f10ed17e9bd075f9ebbe2d721b19051b487e1794cee1cc385b25d6cf58a75df32d62195375b1664ee452d2c2a2177c1795862eb1

Download Submit
C:\Windows\System\AvuzRdY.exe
Filesize
5.9MB

MD5
9c115f0a22af05a820601cfd13f18c14

SHA1
503547baffb5ea3b2818f4227d819d6d25b4f6b6

SHA256
b5678d1796257990158a3499d48fa592bcc5538ec7e1f621206ad31f56b04d0d

SHA512
d81e962ff067b8ff36155b8cc95dea5c6508c9f6b83c20975bb925a82c718b629433daa6ba72c89127ca70c59c8eca9f56bcfb00eab7eb0b8a05d493f3f6ab0e

Download Submit
C:\Windows\System\GHhORDj.exe
Filesize
5.9MB

MD5
3317922965b9608171d0c6c13d4955ac

SHA1
9fc6bfdf03e36f95a31f79d072a8fde80e51dcec

SHA256
594980922683c46ef9acca9e3f3b3c754266f0f0fe83acb47a6c3ce94e1b6f42

SHA512
05ddfaaf1bf45d6bae51726f8bc14d2996316c5a64e24f44a8c80152a798b008297ca037221166cb296376d9b28e918ec1751d99d6892ee50681fa2ff95704fc

Download Submit
C:\Windows\System\LDDzABz.exe
Filesize
5.9MB

MD5
3f515a4268c5fbb1c169bb6e4e02efb7

SHA1
b3459aa93e84fc38ae913795d4b79d18e05b9aab

SHA256
898e75b46969e49e0c5ec16cb6f07294ec287d2012d1f41af35e582c947cd690

SHA512
8622e0f2d494056ee61b012f0ac0c3aa0d426b8ba834cb77272072746d489e42d1c0c2d124fdb2146c3a507d2d79633e8f3e47aa1cb816a6d629bf7cd7d07067

Download Submit
C:\Windows\System\LrjhqZo.exe
Filesize
5.9MB

MD5
d3c2bc2698c4fab9999d0645995bab75

SHA1
7762c03cf4fc3078132318ca593758891c762f84

SHA256
d74b18bd40ced2e17c6e88dc60386e6bee85f0d711d5f7409e06966269399cc2

SHA512
ae4bb449643584186ad9aa329cde0c35d4e155c65cd3b178f3c5e28d1be66560e096988dc8fa8e206897270a9eaf9b8e7b8900914d5a69885bc27c412693bedf

Download Submit
C:\Windows\System\NODsGXJ.exe
Filesize
5.9MB

MD5
90ec29556591b20b9e82a29806974524

SHA1
a8bb755a1348aab611808e507a4b4af793f6a591

SHA256
1f433fd32ff9eb0d8115d43a29ec449bc9884952327913bfe9e87a94fb295a00

SHA512
9f9e51cb8effa268740593909399a6757d58509645b4d1edd65cc930bff51593326d4a9c07ade22cb00de8d383609bb516cc5e11fdfa98a99495d1caad36cdba

Download Submit
C:\Windows\System\QdlpGDi.exe
Filesize
5.9MB

MD5
063ef9873608385e5bcb88648b170f28

SHA1
75429ec0a6e5e04d1b872ffe6fc52076ef6c5e96

SHA256
f8db64652c081ef1ed0c7f319d17fc2ad592c38dbb70e0b1380058e8885a1ba7

SHA512
25cf8b9cde1a72e6a26c18f218c31d3479edf88f973fac92f2552c2098b4e17a0d747277fd47e885f7279e238b336450e9e567c3fb99eb62c5a1d9ae7d025a65

Download Submit
C:\Windows\System\RJLfPyd.exe
Filesize
5.9MB

MD5
1edc6b0d6036bdd17228aaec6be962f8

SHA1
3d4d6b5bb64d21f6fc964655147d2591849873c6

SHA256
0fafe36c93bfd647a340d3e15d674fb49b6782a2ab962d69ad1870b11d93f6e9

SHA512
89c2bd40d47f940f6a69fc02776f28c6966c53b916195dfd468904fda5d2446b1e2264dbb1d624bd7f1bb445962374fc791c0f667c0ed53ee14aeacc030595ac

Download Submit
C:\Windows\System\TGGchbA.exe
Filesize
5.9MB

MD5
d1a9e428534c4616fd893a6ad2fe6757

SHA1
65ddcf925fc1af60f63e5c476e2b3f2b85b3b82c

SHA256
0a0e623c2234006a47a4e3828c9d6ce44988a9797581ed77535081533e0887fa

SHA512
f2df4744d4e112fc430b485f94b39ccb5622100fed5c8094b919765f3d0a21e28f52bfbad77323d243137bfca5a9c6ce93a457278f89cd5f30f027d28db332d6

Download Submit
C:\Windows\System\XVfEehU.exe
Filesize
5.9MB

MD5
6bd2662a2f5a1766cf4a38df163b8a9d

SHA1
1f4a46620852ea3f92c327fdba4c91245a36db85

SHA256
6798aa712d62f44e11d9d692f25714f68178118a22959a9eefcf8bd207d479fd

SHA512
7c0eaca0adac708fe58c5c8676ac2e0d5e31b265f67c05083477d025f786b3d81b364b7b2429537d5f52d8fdf8acb20417f8f658753ca82335637a21aabaf27f

Download Submit
C:\Windows\System\gGfgfuO.exe
Filesize
5.9MB

MD5
8e87f973ebe77062c5b653f81038813e

SHA1
85fd6adad0d73f6fe8713e8487ac71f8adc4dddb

SHA256
cbe6317a8534e66439f0169defef4061d77ec3dadda795974d734685d245352f

SHA512
3183654055cadb23b497a2c85634ea411530ae5d7ab0feabf36ca2da57832ac27c8ce76f2892d3a73d12f4118d0b64a509748a623aef1576959e4a25ed9ffcf1

Download Submit
C:\Windows\System\gtKanGC.exe
Filesize
5.9MB

MD5
ab0a84e9c6a42e18388a6097cd72510b

SHA1
c1722cc9a5a8da0711293afb846a7a31ea7964e4

SHA256
66f2fa6979ffae98350edf04bff530689458bb0e46b3479a9a81304a43a2f0b5

SHA512
6a4293e371d2076e29f80068c8aeef973ae29528870f1fd18b970c77c42a600841f0170208af39ebb9ec7880fa8ac93ddf3fec610e77a53c30596f892f6ae2b4

Download Submit
C:\Windows\System\nfPnaWc.exe
Filesize
5.9MB

MD5
c17bfe34bcb4903d48de921c04289cdf

SHA1
16958bc58c33ee0e4b6741f54720167237d0b85e

SHA256
6e3aeb321d8fdb418d2ff3ce9d179b96e5c098ee8a5b84fae4cb013df2f910bd

SHA512
61487c9a26bda6141609effbc5a67fe2828ca0b8cf4922e6a92156534cf1bc0c4c4f4b7f168099f746a90bc07056e3deab50cc8ee9c7fc80f666405e1a765b3a

Download Submit
C:\Windows\System\nhaErco.exe
Filesize
5.9MB

MD5
76dbadfae219793bf4e3ae030ce1727a

SHA1
3c07f401d52160e0d0ca8bb27623e827664cae2c

SHA256
a5ac865f8fb26234c79adb0366ee09d20d8daaf576f162ba71236091b149130d

SHA512
678e12e5d247f77bf3658e937c93566c53682b292e335f96e786b26856642cf46fca39cf862d01bb852809892578461007933bdc927f0b21b265ae668d95d597

Download Submit
C:\Windows\System\oMSKiom.exe
Filesize
5.9MB

MD5
a318f22f33c4a8af70b842590c3432dc

SHA1
ab88485cfd44e9475f059d307ff5971ee658f811

SHA256
1431f7c6f4777e06ba58ab7542f5a624580d9abae663a1836ad7de5251f7c015

SHA512
a22e2af5b55ce2e5622adc1025b104a6642ae6376877d5eb5d0044813c0f3a898fa8176218d6098a0e2a311a9c25650b298ff1fef08b7c6f844bffcd607505e9

Download Submit
C:\Windows\System\prwmgkR.exe
Filesize
5.9MB

MD5
7ee027c7927194b2a356db665f5956ce

SHA1
b047f100c7256624f3585427057f5533fcd2c5d9

SHA256
330550dd1b486719354529c14582ce3e24fd983656df8c3fc37a40d9a709b7f5

SHA512
b5a309aee80927800f138726fabd67a1ea9bc549cbf530f12a31a2f956386387b57706e93d9a154f78e5ffea3ac00bf45f8b0b6b692cd132960e75636b67220b

Download Submit
C:\Windows\System\qfuGVti.exe
Filesize
5.9MB

MD5
dc48dc4634d98c096a86a09244fa7a6a

SHA1
a0ed11b303508abe241d2e19d7168bb19e335441

SHA256
f3cb372793eb4b390a4fc6b5643637dc20ec269404adec9fe554902adf9d710f

SHA512
ee5ec49255f96bf96a3b1f5a84254230dc5938322cc426da355911f5fee25293bd4dd2a50d499e86678949150f41cec20fe8f8ca79c9c9c36a524a2cb80d3d14

Download Submit
C:\Windows\System\qvfAARq.exe
Filesize
5.9MB

MD5
09eb7e1c1c78d47bf0c7a5086fbbeb0c

SHA1
d82b8b036ddfe4c862e4d1258ac0bb607596e57c

SHA256
855ff5ab768c46a25f954bb573f306fc3090d95e096ff61fd3e776f8c9d06c72

SHA512
6436667ee13fbbaa7ddb73298d564a061f568a985dba9fcaa80742adceda10e9393e8fd06a488587bec1f07c670b5380bef5507841ae7e70ae86b15585688ce3

Download Submit
C:\Windows\System\snHHmwj.exe
Filesize
5.9MB

MD5
4ffc7f43aa5aec32dd7b652606018e1c

SHA1
091be94cd3dcac2cc0728826233570ffa7ae3772

SHA256
1470c854ad6b9c79da9ec5b02f7c83407a20f0636a8427744cee039ef50dba1b

SHA512
d2ab4a7f53977e156a2fa83bf1a17d9f7fcb55d0c492372e664109ec2df043b0351c4945ee8fbbeac9c6316d6c6568c577e01ef07afe2d93d34e5b3f838d3ccb

Download Submit
C:\Windows\System\yHokHxg.exe
Filesize
5.9MB

MD5
a340edff876aff761c4db36a2e56d692

SHA1
a0c1f01e0ee45b7d2d8b0d458b4c65c30000e830

SHA256
339fc9e42a2b6f122e216674bd2e200eee894ef0d68b1af9019229c8409f90f7

SHA512
64fea51b5dfd719b9470667e0e0daa2b1f49a51c83dbffe2bf744fdd15b0b709fcbe225f41f8ce38048eedcfb169eef818694a120abd1735d103ffe640b201b7

Download Submit
C:\Windows\System\zoNEHkd.exe
Filesize
5.9MB

MD5
0b008ab6fb5478cdd4383da6536d2ab2

SHA1
875c9556a0a2b4e90791646aa4712a427f91783c

SHA256
3640ac621019811d953db0ee22acfda543c0e397523849185887c1baee45f95f

SHA512
8e25625491bc6186eaf8124a68338a94163ea3115f345e3395dce420e84792cef5087cebdb695b7686ee5047471d874fc836e395577ba98843c8ba4b9a69a94c

Download Submit
memory/1360-52-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp

Filesize
3.3MB

Download
memory/1360-143-0x00007FF674E60000-0x00007FF6751B4000-memory.dmp

Filesize
3.3MB

Download
memory/1380-152-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1380-102-0x00007FF6B3B70000-0x00007FF6B3EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1656-136-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp

Filesize
3.3MB

Download
memory/1656-123-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp

Filesize
3.3MB

Download
memory/1656-7-0x00007FF72ED10000-0x00007FF72F064000-memory.dmp

Filesize
3.3MB

Download
memory/1908-29-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp

Filesize
3.3MB

Download
memory/1908-138-0x00007FF6EBE20000-0x00007FF6EC174000-memory.dmp

Filesize
3.3MB

Download
memory/1972-104-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-147-0x00007FF73C650000-0x00007FF73C9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-154-0x00007FF68D610000-0x00007FF68D964000-memory.dmp

Filesize
3.3MB

Download
memory/2796-116-0x00007FF68D610000-0x00007FF68D964000-memory.dmp

Filesize
3.3MB

Download
memory/2796-135-0x00007FF68D610000-0x00007FF68D964000-memory.dmp

Filesize
3.3MB

Download
memory/2900-144-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-133-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-64-0x00007FF73F660000-0x00007FF73F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-44-0x00007FF706A10000-0x00007FF706D64000-memory.dmp

Filesize
3.3MB

Download
memory/3024-132-0x00007FF706A10000-0x00007FF706D64000-memory.dmp

Filesize
3.3MB

Download
memory/3024-142-0x00007FF706A10000-0x00007FF706D64000-memory.dmp

Filesize
3.3MB

Download
memory/3088-153-0x00007FF682660000-0x00007FF6829B4000-memory.dmp

Filesize
3.3MB

Download
memory/3088-110-0x00007FF682660000-0x00007FF6829B4000-memory.dmp

Filesize
3.3MB

Download
memory/3304-131-0x00007FF620190000-0x00007FF6204E4000-memory.dmp

Filesize
3.3MB

Download
memory/3304-140-0x00007FF620190000-0x00007FF6204E4000-memory.dmp

Filesize
3.3MB

Download
memory/3304-31-0x00007FF620190000-0x00007FF6204E4000-memory.dmp

Filesize
3.3MB

Download
memory/3312-141-0x00007FF738A20000-0x00007FF738D74000-memory.dmp

Filesize
3.3MB

Download
memory/3312-38-0x00007FF738A20000-0x00007FF738D74000-memory.dmp

Filesize
3.3MB

Download
memory/3388-97-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp

Filesize
3.3MB

Download
memory/3388-148-0x00007FF6D3A00000-0x00007FF6D3D54000-memory.dmp

Filesize
3.3MB

Download
memory/3492-24-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp

Filesize
3.3MB

Download
memory/3492-124-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp

Filesize
3.3MB

Download
memory/3492-137-0x00007FF6E65B0000-0x00007FF6E6904000-memory.dmp

Filesize
3.3MB

Download
memory/3680-25-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3680-139-0x00007FF6FCC80000-0x00007FF6FCFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3736-145-0x00007FF79D020000-0x00007FF79D374000-memory.dmp

Filesize
3.3MB

Download
memory/3736-103-0x00007FF79D020000-0x00007FF79D374000-memory.dmp

Filesize
3.3MB

Download
memory/4092-149-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp

Filesize
3.3MB

Download
memory/4092-94-0x00007FF6D10F0000-0x00007FF6D1444000-memory.dmp

Filesize
3.3MB

Download
memory/4344-1-0x000001C0CC3E0000-0x000001C0CC3F0000-memory.dmp

Filesize
64KB

Download
memory/4344-0-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4344-115-0x00007FF7F9DA0000-0x00007FF7FA0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-101-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp

Filesize
3.3MB

Download
memory/4392-150-0x00007FF79D2B0000-0x00007FF79D604000-memory.dmp

Filesize
3.3MB

Download
memory/4540-146-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp

Filesize
3.3MB

Download
memory/4540-91-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp

Filesize
3.3MB

Download
memory/4540-134-0x00007FF6F47D0000-0x00007FF6F4B24000-memory.dmp

Filesize
3.3MB

Download
memory/4712-156-0x00007FF665930000-0x00007FF665C84000-memory.dmp

Filesize
3.3MB

Download
memory/4712-130-0x00007FF665930000-0x00007FF665C84000-memory.dmp

Filesize
3.3MB

Download
memory/4836-151-0x00007FF676140000-0x00007FF676494000-memory.dmp

Filesize
3.3MB

Download
memory/4836-98-0x00007FF676140000-0x00007FF676494000-memory.dmp

Filesize
3.3MB

Download
memory/4848-155-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp

Filesize
3.3MB

Download
memory/4848-125-0x00007FF6AE4E0000-0x00007FF6AE834000-memory.dmp

Filesize
3.3MB

Download