cobaltstrike | ac0fd3cfb2d109fe86e26b8278990027d09694dfd7cacfe15cb9c39e4cb4bfb8

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

31600f1a179eee87dba8252d3f259a40
SHA1

241d774cf0cf9484eab88d13604b824bd55b0cbd
SHA256

ac0fd3cfb2d109fe86e26b8278990027d09694dfd7cacfe15cb9c39e4cb4bfb8
SHA512

13417b4f44dfa681019b1ab9554107d15caeeb147ac71c2cadda7a4010b09fbe396d17c53c42659ca13de10fcff43dbec198468e42264c26c58c27df9ff4ea5d
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUL:T+856utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\AiWbEsM.exe	cobalt_reflective_dll
C:\Windows\System\QOaeeDj.exe	cobalt_reflective_dll
C:\Windows\System\RmmabvM.exe	cobalt_reflective_dll
C:\Windows\System\wEHhAqw.exe	cobalt_reflective_dll
C:\Windows\System\EFbQTWU.exe	cobalt_reflective_dll
C:\Windows\System\MHEPDso.exe	cobalt_reflective_dll
C:\Windows\System\UEviDzH.exe	cobalt_reflective_dll
C:\Windows\System\fnmctxb.exe	cobalt_reflective_dll
C:\Windows\System\zZhLwlr.exe	cobalt_reflective_dll
C:\Windows\System\gOSrAgc.exe	cobalt_reflective_dll
C:\Windows\System\jUIKCih.exe	cobalt_reflective_dll
C:\Windows\System\Nocamvg.exe	cobalt_reflective_dll
C:\Windows\System\ZYNilIF.exe	cobalt_reflective_dll
C:\Windows\System\pYxWBhQ.exe	cobalt_reflective_dll
C:\Windows\System\BdFLprk.exe	cobalt_reflective_dll
C:\Windows\System\VAPqiDG.exe	cobalt_reflective_dll
C:\Windows\System\mfNaIpK.exe	cobalt_reflective_dll
C:\Windows\System\RlcTpyn.exe	cobalt_reflective_dll
C:\Windows\System\pSSRwND.exe	cobalt_reflective_dll
C:\Windows\System\jPfMlXv.exe	cobalt_reflective_dll
C:\Windows\System\KDTBZBT.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\AiWbEsM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QOaeeDj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RmmabvM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wEHhAqw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EFbQTWU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MHEPDso.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UEviDzH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fnmctxb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zZhLwlr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gOSrAgc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jUIKCih.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Nocamvg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZYNilIF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pYxWBhQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BdFLprk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VAPqiDG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mfNaIpK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RlcTpyn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pSSRwND.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jPfMlXv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KDTBZBT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2572-0-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	UPX
C:\Windows\System\AiWbEsM.exe	UPX
behavioral2/memory/4252-8-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	UPX
C:\Windows\System\QOaeeDj.exe	UPX
C:\Windows\System\RmmabvM.exe	UPX
behavioral2/memory/1776-21-0x00007FF691100000-0x00007FF691454000-memory.dmp	UPX
C:\Windows\System\wEHhAqw.exe	UPX
C:\Windows\System\EFbQTWU.exe	UPX
behavioral2/memory/4776-34-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	UPX
behavioral2/memory/864-36-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	UPX
C:\Windows\System\MHEPDso.exe	UPX
behavioral2/memory/4512-50-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	UPX
behavioral2/memory/4564-52-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	UPX
behavioral2/memory/5112-56-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	UPX
C:\Windows\System\UEviDzH.exe	UPX
C:\Windows\System\fnmctxb.exe	UPX
behavioral2/memory/4648-31-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	UPX
C:\Windows\System\zZhLwlr.exe	UPX
behavioral2/memory/844-26-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	UPX
C:\Windows\System\gOSrAgc.exe	UPX
behavioral2/memory/2964-62-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	UPX
C:\Windows\System\jUIKCih.exe	UPX
C:\Windows\System\Nocamvg.exe	UPX
behavioral2/memory/3976-69-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	UPX
C:\Windows\System\ZYNilIF.exe	UPX
behavioral2/memory/4492-79-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	UPX
C:\Windows\System\pYxWBhQ.exe	UPX
C:\Windows\System\BdFLprk.exe	UPX
C:\Windows\System\VAPqiDG.exe	UPX
C:\Windows\System\mfNaIpK.exe	UPX
behavioral2/memory/2916-102-0x00007FF7C79E0000-0x00007FF7C7D34000-memory.dmp	UPX
behavioral2/memory/2340-103-0x00007FF747040000-0x00007FF747394000-memory.dmp	UPX
C:\Windows\System\RlcTpyn.exe	UPX
behavioral2/memory/3036-101-0x00007FF7C4390000-0x00007FF7C46E4000-memory.dmp	UPX
behavioral2/memory/244-99-0x00007FF615710000-0x00007FF615A64000-memory.dmp	UPX
behavioral2/memory/2200-86-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	UPX
behavioral2/memory/2572-82-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	UPX
behavioral2/memory/4848-111-0x00007FF764300000-0x00007FF764654000-memory.dmp	UPX
C:\Windows\System\pSSRwND.exe	UPX
behavioral2/memory/864-116-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	UPX
C:\Windows\System\jPfMlXv.exe	UPX
behavioral2/memory/4920-118-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	UPX
C:\Windows\System\KDTBZBT.exe	UPX
behavioral2/memory/1528-126-0x00007FF6FE2C0000-0x00007FF6FE614000-memory.dmp	UPX
behavioral2/memory/5112-125-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	UPX
behavioral2/memory/4564-124-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	UPX
behavioral2/memory/1324-131-0x00007FF7A9BE0000-0x00007FF7A9F34000-memory.dmp	UPX
behavioral2/memory/3976-132-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	UPX
behavioral2/memory/2340-133-0x00007FF747040000-0x00007FF747394000-memory.dmp	UPX
behavioral2/memory/4920-134-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	UPX
behavioral2/memory/4252-135-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	UPX
behavioral2/memory/1776-136-0x00007FF691100000-0x00007FF691454000-memory.dmp	UPX
behavioral2/memory/844-137-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	UPX
behavioral2/memory/4776-138-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	UPX
behavioral2/memory/4648-139-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	UPX
behavioral2/memory/864-140-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	UPX
behavioral2/memory/4512-141-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	UPX
behavioral2/memory/5112-143-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	UPX
behavioral2/memory/4564-142-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	UPX
behavioral2/memory/2964-144-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	UPX
behavioral2/memory/3976-146-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	UPX
behavioral2/memory/4492-145-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	UPX
behavioral2/memory/2200-147-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	UPX
behavioral2/memory/244-148-0x00007FF615710000-0x00007FF615A64000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2572-0-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	xmrig
C:\Windows\System\AiWbEsM.exe	xmrig
behavioral2/memory/4252-8-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	xmrig
C:\Windows\System\QOaeeDj.exe	xmrig
C:\Windows\System\RmmabvM.exe	xmrig
behavioral2/memory/1776-21-0x00007FF691100000-0x00007FF691454000-memory.dmp	xmrig
C:\Windows\System\wEHhAqw.exe	xmrig
C:\Windows\System\EFbQTWU.exe	xmrig
behavioral2/memory/4776-34-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	xmrig
behavioral2/memory/864-36-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	xmrig
C:\Windows\System\MHEPDso.exe	xmrig
behavioral2/memory/4512-50-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	xmrig
behavioral2/memory/4564-52-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	xmrig
behavioral2/memory/5112-56-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	xmrig
C:\Windows\System\UEviDzH.exe	xmrig
C:\Windows\System\fnmctxb.exe	xmrig
behavioral2/memory/4648-31-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	xmrig
C:\Windows\System\zZhLwlr.exe	xmrig
behavioral2/memory/844-26-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	xmrig
C:\Windows\System\gOSrAgc.exe	xmrig
behavioral2/memory/2964-62-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	xmrig
C:\Windows\System\jUIKCih.exe	xmrig
C:\Windows\System\Nocamvg.exe	xmrig
behavioral2/memory/3976-69-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	xmrig
C:\Windows\System\ZYNilIF.exe	xmrig
behavioral2/memory/4492-79-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	xmrig
C:\Windows\System\pYxWBhQ.exe	xmrig
C:\Windows\System\BdFLprk.exe	xmrig
C:\Windows\System\VAPqiDG.exe	xmrig
C:\Windows\System\mfNaIpK.exe	xmrig
behavioral2/memory/2916-102-0x00007FF7C79E0000-0x00007FF7C7D34000-memory.dmp	xmrig
behavioral2/memory/2340-103-0x00007FF747040000-0x00007FF747394000-memory.dmp	xmrig
C:\Windows\System\RlcTpyn.exe	xmrig
behavioral2/memory/3036-101-0x00007FF7C4390000-0x00007FF7C46E4000-memory.dmp	xmrig
behavioral2/memory/244-99-0x00007FF615710000-0x00007FF615A64000-memory.dmp	xmrig
behavioral2/memory/2200-86-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	xmrig
behavioral2/memory/2572-82-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	xmrig
behavioral2/memory/4848-111-0x00007FF764300000-0x00007FF764654000-memory.dmp	xmrig
C:\Windows\System\pSSRwND.exe	xmrig
behavioral2/memory/864-116-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	xmrig
C:\Windows\System\jPfMlXv.exe	xmrig
behavioral2/memory/4920-118-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	xmrig
C:\Windows\System\KDTBZBT.exe	xmrig
behavioral2/memory/1528-126-0x00007FF6FE2C0000-0x00007FF6FE614000-memory.dmp	xmrig
behavioral2/memory/5112-125-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	xmrig
behavioral2/memory/4564-124-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	xmrig
behavioral2/memory/1324-131-0x00007FF7A9BE0000-0x00007FF7A9F34000-memory.dmp	xmrig
behavioral2/memory/3976-132-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	xmrig
behavioral2/memory/2340-133-0x00007FF747040000-0x00007FF747394000-memory.dmp	xmrig
behavioral2/memory/4920-134-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	xmrig
behavioral2/memory/4252-135-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	xmrig
behavioral2/memory/1776-136-0x00007FF691100000-0x00007FF691454000-memory.dmp	xmrig
behavioral2/memory/844-137-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	xmrig
behavioral2/memory/4776-138-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	xmrig
behavioral2/memory/4648-139-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	xmrig
behavioral2/memory/864-140-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	xmrig
behavioral2/memory/4512-141-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	xmrig
behavioral2/memory/5112-143-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	xmrig
behavioral2/memory/4564-142-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	xmrig
behavioral2/memory/2964-144-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	xmrig
behavioral2/memory/3976-146-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	xmrig
behavioral2/memory/4492-145-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	xmrig
behavioral2/memory/2200-147-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	xmrig
behavioral2/memory/244-148-0x00007FF615710000-0x00007FF615A64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

AiWbEsM.exeQOaeeDj.exeRmmabvM.exezZhLwlr.exewEHhAqw.exeEFbQTWU.exeMHEPDso.exefnmctxb.exeUEviDzH.exegOSrAgc.exejUIKCih.exeNocamvg.exeZYNilIF.exepYxWBhQ.exeBdFLprk.exeVAPqiDG.exemfNaIpK.exeRlcTpyn.exepSSRwND.exejPfMlXv.exeKDTBZBT.exe

pid	process
4252	AiWbEsM.exe
1776	QOaeeDj.exe
844	RmmabvM.exe
4776	zZhLwlr.exe
4648	wEHhAqw.exe
864	EFbQTWU.exe
4512	MHEPDso.exe
4564	fnmctxb.exe
5112	UEviDzH.exe
2964	gOSrAgc.exe
3976	jUIKCih.exe
4492	Nocamvg.exe
2200	ZYNilIF.exe
244	pYxWBhQ.exe
3036	BdFLprk.exe
2916	VAPqiDG.exe
2340	mfNaIpK.exe
4848	RlcTpyn.exe
4920	pSSRwND.exe
1528	jPfMlXv.exe
1324	KDTBZBT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2572-0-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	upx
C:\Windows\System\AiWbEsM.exe	upx
behavioral2/memory/4252-8-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	upx
C:\Windows\System\QOaeeDj.exe	upx
C:\Windows\System\RmmabvM.exe	upx
behavioral2/memory/1776-21-0x00007FF691100000-0x00007FF691454000-memory.dmp	upx
C:\Windows\System\wEHhAqw.exe	upx
C:\Windows\System\EFbQTWU.exe	upx
behavioral2/memory/4776-34-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	upx
behavioral2/memory/864-36-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	upx
C:\Windows\System\MHEPDso.exe	upx
behavioral2/memory/4512-50-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	upx
behavioral2/memory/4564-52-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	upx
behavioral2/memory/5112-56-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	upx
C:\Windows\System\UEviDzH.exe	upx
C:\Windows\System\fnmctxb.exe	upx
behavioral2/memory/4648-31-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	upx
C:\Windows\System\zZhLwlr.exe	upx
behavioral2/memory/844-26-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	upx
C:\Windows\System\gOSrAgc.exe	upx
behavioral2/memory/2964-62-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	upx
C:\Windows\System\jUIKCih.exe	upx
C:\Windows\System\Nocamvg.exe	upx
behavioral2/memory/3976-69-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	upx
C:\Windows\System\ZYNilIF.exe	upx
behavioral2/memory/4492-79-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	upx
C:\Windows\System\pYxWBhQ.exe	upx
C:\Windows\System\BdFLprk.exe	upx
C:\Windows\System\VAPqiDG.exe	upx
C:\Windows\System\mfNaIpK.exe	upx
behavioral2/memory/2916-102-0x00007FF7C79E0000-0x00007FF7C7D34000-memory.dmp	upx
behavioral2/memory/2340-103-0x00007FF747040000-0x00007FF747394000-memory.dmp	upx
C:\Windows\System\RlcTpyn.exe	upx
behavioral2/memory/3036-101-0x00007FF7C4390000-0x00007FF7C46E4000-memory.dmp	upx
behavioral2/memory/244-99-0x00007FF615710000-0x00007FF615A64000-memory.dmp	upx
behavioral2/memory/2200-86-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	upx
behavioral2/memory/2572-82-0x00007FF642A20000-0x00007FF642D74000-memory.dmp	upx
behavioral2/memory/4848-111-0x00007FF764300000-0x00007FF764654000-memory.dmp	upx
C:\Windows\System\pSSRwND.exe	upx
behavioral2/memory/864-116-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	upx
C:\Windows\System\jPfMlXv.exe	upx
behavioral2/memory/4920-118-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	upx
C:\Windows\System\KDTBZBT.exe	upx
behavioral2/memory/1528-126-0x00007FF6FE2C0000-0x00007FF6FE614000-memory.dmp	upx
behavioral2/memory/5112-125-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	upx
behavioral2/memory/4564-124-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	upx
behavioral2/memory/1324-131-0x00007FF7A9BE0000-0x00007FF7A9F34000-memory.dmp	upx
behavioral2/memory/3976-132-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	upx
behavioral2/memory/2340-133-0x00007FF747040000-0x00007FF747394000-memory.dmp	upx
behavioral2/memory/4920-134-0x00007FF660DB0000-0x00007FF661104000-memory.dmp	upx
behavioral2/memory/4252-135-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp	upx
behavioral2/memory/1776-136-0x00007FF691100000-0x00007FF691454000-memory.dmp	upx
behavioral2/memory/844-137-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp	upx
behavioral2/memory/4776-138-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp	upx
behavioral2/memory/4648-139-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp	upx
behavioral2/memory/864-140-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp	upx
behavioral2/memory/4512-141-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp	upx
behavioral2/memory/5112-143-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp	upx
behavioral2/memory/4564-142-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp	upx
behavioral2/memory/2964-144-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp	upx
behavioral2/memory/3976-146-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp	upx
behavioral2/memory/4492-145-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp	upx
behavioral2/memory/2200-147-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp	upx
behavioral2/memory/244-148-0x00007FF615710000-0x00007FF615A64000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\Nocamvg.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pYxWBhQ.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RlcTpyn.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EFbQTWU.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jUIKCih.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zZhLwlr.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wEHhAqw.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MHEPDso.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fnmctxb.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UEviDzH.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mfNaIpK.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AiWbEsM.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RmmabvM.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pSSRwND.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jPfMlXv.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZYNilIF.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BdFLprk.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VAPqiDG.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KDTBZBT.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QOaeeDj.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gOSrAgc.exe	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2572 wrote to memory of 4252	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	AiWbEsM.exe
PID 2572 wrote to memory of 4252	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	AiWbEsM.exe
PID 2572 wrote to memory of 1776	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	QOaeeDj.exe
PID 2572 wrote to memory of 1776	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	QOaeeDj.exe
PID 2572 wrote to memory of 844	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	RmmabvM.exe
PID 2572 wrote to memory of 844	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	RmmabvM.exe
PID 2572 wrote to memory of 4776	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	zZhLwlr.exe
PID 2572 wrote to memory of 4776	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	zZhLwlr.exe
PID 2572 wrote to memory of 4648	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	wEHhAqw.exe
PID 2572 wrote to memory of 4648	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	wEHhAqw.exe
PID 2572 wrote to memory of 864	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	EFbQTWU.exe
PID 2572 wrote to memory of 864	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	EFbQTWU.exe
PID 2572 wrote to memory of 4512	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	MHEPDso.exe
PID 2572 wrote to memory of 4512	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	MHEPDso.exe
PID 2572 wrote to memory of 4564	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	fnmctxb.exe
PID 2572 wrote to memory of 4564	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	fnmctxb.exe
PID 2572 wrote to memory of 5112	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UEviDzH.exe
PID 2572 wrote to memory of 5112	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	UEviDzH.exe
PID 2572 wrote to memory of 2964	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	gOSrAgc.exe
PID 2572 wrote to memory of 2964	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	gOSrAgc.exe
PID 2572 wrote to memory of 3976	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	jUIKCih.exe
PID 2572 wrote to memory of 3976	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	jUIKCih.exe
PID 2572 wrote to memory of 4492	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	Nocamvg.exe
PID 2572 wrote to memory of 4492	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	Nocamvg.exe
PID 2572 wrote to memory of 2200	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	ZYNilIF.exe
PID 2572 wrote to memory of 2200	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	ZYNilIF.exe
PID 2572 wrote to memory of 244	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	pYxWBhQ.exe
PID 2572 wrote to memory of 244	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	pYxWBhQ.exe
PID 2572 wrote to memory of 3036	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	BdFLprk.exe
PID 2572 wrote to memory of 3036	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	BdFLprk.exe
PID 2572 wrote to memory of 2916	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	VAPqiDG.exe
PID 2572 wrote to memory of 2916	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	VAPqiDG.exe
PID 2572 wrote to memory of 2340	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	mfNaIpK.exe
PID 2572 wrote to memory of 2340	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	mfNaIpK.exe
PID 2572 wrote to memory of 4848	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	RlcTpyn.exe
PID 2572 wrote to memory of 4848	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	RlcTpyn.exe
PID 2572 wrote to memory of 4920	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	pSSRwND.exe
PID 2572 wrote to memory of 4920	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	pSSRwND.exe
PID 2572 wrote to memory of 1528	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	jPfMlXv.exe
PID 2572 wrote to memory of 1528	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	jPfMlXv.exe
PID 2572 wrote to memory of 1324	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	KDTBZBT.exe
PID 2572 wrote to memory of 1324	2572	2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe	KDTBZBT.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_31600f1a179eee87dba8252d3f259a40_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\System\AiWbEsM.exe
C:\Windows\System\AiWbEsM.exe
2⤵
- Executes dropped EXE
PID:4252

C:\Windows\System\QOaeeDj.exe
C:\Windows\System\QOaeeDj.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\RmmabvM.exe
C:\Windows\System\RmmabvM.exe
2⤵
- Executes dropped EXE
PID:844

C:\Windows\System\zZhLwlr.exe
C:\Windows\System\zZhLwlr.exe
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\System\wEHhAqw.exe
C:\Windows\System\wEHhAqw.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\EFbQTWU.exe
C:\Windows\System\EFbQTWU.exe
2⤵
- Executes dropped EXE
PID:864

C:\Windows\System\MHEPDso.exe
C:\Windows\System\MHEPDso.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\fnmctxb.exe
C:\Windows\System\fnmctxb.exe
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\System\UEviDzH.exe
C:\Windows\System\UEviDzH.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\gOSrAgc.exe
C:\Windows\System\gOSrAgc.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\jUIKCih.exe
C:\Windows\System\jUIKCih.exe
2⤵
- Executes dropped EXE
PID:3976

C:\Windows\System\Nocamvg.exe
C:\Windows\System\Nocamvg.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System\ZYNilIF.exe
C:\Windows\System\ZYNilIF.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\System\pYxWBhQ.exe
C:\Windows\System\pYxWBhQ.exe
2⤵
- Executes dropped EXE
PID:244

C:\Windows\System\BdFLprk.exe
C:\Windows\System\BdFLprk.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\VAPqiDG.exe
C:\Windows\System\VAPqiDG.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\mfNaIpK.exe
C:\Windows\System\mfNaIpK.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\RlcTpyn.exe
C:\Windows\System\RlcTpyn.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\pSSRwND.exe
C:\Windows\System\pSSRwND.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System\jPfMlXv.exe
C:\Windows\System\jPfMlXv.exe
2⤵
- Executes dropped EXE
PID:1528

C:\Windows\System\KDTBZBT.exe
C:\Windows\System\KDTBZBT.exe
2⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AiWbEsM.exe
Filesize
5.9MB

MD5
e4225b1e690ed061faf4de88bd8edb7e

SHA1
5f06b843235c667f6a7f78d702b2ab5946b223ce

SHA256
37f738a691bcc48c3d00d3c199e6c930030f9d78654bbeb3fa8e0cc959f51e85

SHA512
aa70143cc5f7309b4ffaca52b2128e75933c0264b76aefca406fe79110cdc9de983c2ecd6238077ecf9df7c43a314e67978764d85779a0406b44059edafb65a2

Download Submit
C:\Windows\System\BdFLprk.exe
Filesize
5.9MB

MD5
a2b88b4f6d1a5ac49f10803ddacb9b42

SHA1
b808051e0bb568b31f0c3f87d985ac3ab96f9c86

SHA256
705e7a609d21c09f78439d30d513a82daf8d1bac6774d1b3f768a6df06800186

SHA512
90c991121af6a208661a503316432b7447d7cf67fb2a89fedd75634d22595828c02aa21688b48ecac92f8622fb9223153ba182f83110623f67d26febb69c2cae

Download Submit
C:\Windows\System\EFbQTWU.exe
Filesize
5.9MB

MD5
1d56fd03822fd848dc43aa48303be481

SHA1
9a81c6da478abdfbf73a4bab97cb6ebdb024e18e

SHA256
8d54a94608a7630192a534cfdc118f0f23564b9bd524cccb64c2cfcbe192ae3e

SHA512
aad5754226dfa97c503063d947a73d309d10b72eb42947fd20209594b60e5535ea0a41e8a88a24b68af23274f0c8ef25cbac844fc88948f0b68f1091c71c2fe7

Download Submit
C:\Windows\System\KDTBZBT.exe
Filesize
5.9MB

MD5
e7d5b36e438b37de945e5d4a86ec4663

SHA1
64cc4ba9062e06be3699552b9d388706b3cadf6d

SHA256
441c1ac5c32265ba679b6e05dfc1316d5947d6c7ee9c909ac4a5a6db592530f4

SHA512
e1666cd360bbe2f3b14273aaf9dbe3ddfd59a846db5026216f23d3e6f1cd6a874ec4d6addc6a15f3242c72ab82750b4c619e7af43944ab3a3cde238b8970db5b

Download Submit
C:\Windows\System\MHEPDso.exe
Filesize
5.9MB

MD5
dd259198aeaada4fd08e36e08b4377b2

SHA1
93ee44768ad6f5d2ee03d99f13fcba8031db6661

SHA256
318bc03efa63263bbcd44c78edca466eeca15cf1f45d533a315f61dd8e3af801

SHA512
b2d9a7f1a4844fcbf1e3e369289096f25732e909577acaf1dff90a053d747a4fbdc4ce06f1d6a88a08f571bb1b59043712b5e667683bf0ac7f226917493f07bb

Download Submit
C:\Windows\System\Nocamvg.exe
Filesize
5.9MB

MD5
c02acc50bf2fb550e627c5c8602be445

SHA1
a35ebe33ef55b791eff6e5fbae828a03bc14f2ee

SHA256
ac047fba19d368d119c873e4cf240eb53ee76e7f1f7dc5d262920cb498904223

SHA512
c5c1885bf65d7787096e89de94a676d8d24f201e89129dc873ec92aee2141e3efb8628f1722ce8948c824c266e2c5d6f11e33db9a5d50e2bab73078ded7b5d3a

Download Submit
C:\Windows\System\QOaeeDj.exe
Filesize
5.9MB

MD5
dffe949abc15285dd6b885e38a343578

SHA1
7a71ea9673e8e197805f746c09c4e8638e4993f5

SHA256
9a437dca12b9e773c2d3a23c38774ccefd49eba46d2479fbe973ae77d4e6c6cc

SHA512
2058ea09d65b0367326785c1681c26de3320526b4ffe2413fb8090420f53a5739ff4a55f9fa5c1c1ad9f7ef0348c65809056df525632f9d1a1d95ece5782d241

Download Submit
C:\Windows\System\RlcTpyn.exe
Filesize
5.9MB

MD5
f9208ca14d15ee135e71bebe70ea7674

SHA1
efe2b190578fdae6b0a63836f8d8e6fe8a1f6a72

SHA256
445a274a6c1476171bcb8e32b64a3fc918e665ff9324b1445a91afb9562eacb0

SHA512
5132083a8915ec7499fcc392b2fc382801a5649f638c81bf280506f01fa6fa40dc073b4523f6a6f5b45d92650b7670cb138806b95bcc0b48f80098e3acba13fb

Download Submit
C:\Windows\System\RmmabvM.exe
Filesize
5.9MB

MD5
3ea206c1891ca177acacf6fbff270226

SHA1
95a41a3d1b328b2d9db28fcf51d8ea42b5ea6135

SHA256
daacb19962e02f548921b4e5caf366ccf484c9bbffbcc98b7cffb073c4bb3a6d

SHA512
b57ffd6e710275a551381b2f68c5c0452ee4591f931e8fb703fecef0690155b7c04e2a3facac1beff30f426c2e6f4bf0bfc2485e076b676fdaee03fb1a1b6b28

Download Submit
C:\Windows\System\UEviDzH.exe
Filesize
5.9MB

MD5
9b2988d78b41b147a2a3812ef170783c

SHA1
9450f3ac9c60744a87b0cf66f0f7c96fd35f2cf6

SHA256
a764a24f5e408e17f377a7ad59743e723decadcfcba8d6e934e8bfe8c1c9cc33

SHA512
9de0c1567a1a0affa513af3881ce98a237d0d106139e8eddae18886ccb24e63374b7aa4eca5894befd537c8236974a74b782efad283afb4c958eadbd72411571

Download Submit
C:\Windows\System\VAPqiDG.exe
Filesize
5.9MB

MD5
841f098b7602e2f75f84556622ac2d5f

SHA1
bbff70081ff91f1185063b94adb186b66de90011

SHA256
9a6d2db4cb0c7e8108dbaec146278a9c0a2537e22588043ef94326363cbd3d35

SHA512
4407aade1d1f2ef5339c307f9349cc580111532e5c341df113c287eeaf5c15209cf6f416ff91a20bb701f7edcd95e42bb5049970a0185479f38fe6a26682692d

Download Submit
C:\Windows\System\ZYNilIF.exe
Filesize
5.9MB

MD5
e5a3cb21aaaabc329921b860d0ebba37

SHA1
d155938fbb6c0670a7c41afb1b89568caefa6377

SHA256
ceb0a05bf918a99a5e88fb1ee1b9514a12b13ea1c49acceb1ce0a5198d9d10c8

SHA512
ad7a5a6534bef3deb29c1f392bda3c8fedb2ad79f12ece168e7d338464820d5d786d3080fd236873ecc87c25d3adbfd2c6255b72ed5ba168870990fdf6f09028

Download Submit
C:\Windows\System\fnmctxb.exe
Filesize
5.9MB

MD5
a8e1abec353d1e77d155433486f03fdc

SHA1
72d9f8169f023f2a444d4ff5fb9854f7c02547d4

SHA256
a03c413602febfb0699e18fff321707cb3bf469900588606146b519223ad0089

SHA512
217bafbace0f447c47f48a5de4b080888291cca308fc9701d352b20be58d43b75abaf776b47607c45ff5b2b03188d01165c3f21d91ff6193cd636f0de3cc5745

Download Submit
C:\Windows\System\gOSrAgc.exe
Filesize
5.9MB

MD5
9c9b0471eb5dc6dee9560bb0eaa31801

SHA1
520f1625862aafa999a0b3d518a231604865f7f9

SHA256
c92e8e7ea8e7238b26eb7aa3fa5a83380fc14c994d21adfbcd32ea9448a81e0a

SHA512
b6c242c5d0bcea30abfc60cafc11a57e9a637d8f5f65f1aefec9ef48e99d85cd0e7395ce4fd21bd085590c53548e1324a1e7cf740adb85f1b513a589411b1060

Download Submit
C:\Windows\System\jPfMlXv.exe
Filesize
5.9MB

MD5
9d5e9f1d118444924c613cd162357432

SHA1
3883c56f4c3420fb863f7c2a5298fc0552a770ce

SHA256
84650dbdd26ee8766502d9eff5bccec2f6a0cd47f16b7dde8af17eb2fb74d23a

SHA512
d746f65c28fe26b20619480f14092108276e26a84858909036a9a018e974237aa886fab320683a8cd59b0fdaf6ae484b51b6cdbc686528a4ff26e192aec5973a

Download Submit
C:\Windows\System\jUIKCih.exe
Filesize
5.9MB

MD5
88b2da1a4513e6b7626a5810a6be999b

SHA1
0f66b23d8973f54208a2b1bb4c8776b42910363f

SHA256
ecc19ce63acb3949c00ad14819381219f27634e6fc79bc80ff274ebc43b04d8f

SHA512
5e7f6891ca5bc28318f4fa39bd7922bd8df6237a78e728955bb83ebc6392839176d5043a1d4e2f6c539043c84960d7dcc1448177b743c43e7f7fb4897e647610

Download Submit
C:\Windows\System\mfNaIpK.exe
Filesize
5.9MB

MD5
20191237934407c68bb502aea54b8742

SHA1
b748c949c99044097ba462e4a025778c9cbdba9b

SHA256
41b9f0f081f026551bd013a0af315f3a1a0e737dba7e9d81453d4b5cc6f85815

SHA512
cce82bf3bc07ae5b9bbdbf186ec67ab4a00c8e00c704b21bc393fd24bee82c812795047187c7776c2c475246218ecdda4fc4e04814ee5cb6e7199fc5ff8b23e1

Download Submit
C:\Windows\System\pSSRwND.exe
Filesize
5.9MB

MD5
d53950088b8e178b8bb5f0b15f700351

SHA1
ba06ea1e44efddf367e0bbecb692a7d4ddbbcb07

SHA256
2b4a8b6cd8665046205d6e523bae930bc30575f39c9b5f8e8e5d06b132af8557

SHA512
d559d4bcd643b89f371c6b55329f7b49b84e43fac9cb91159ee678370e4fdb70fc29db13bf4fbb2e7d8b0b36b3f9ecdf5d2e2279841b63e3257b7d2ef5ad4a01

Download Submit
C:\Windows\System\pYxWBhQ.exe
Filesize
5.9MB

MD5
0e25912be1896bd2f800582d70e6693c

SHA1
f31098502086051ab363f34a82bdf486ae0b380f

SHA256
9c1d626be1358072b0b8da30f369a3de522044c6ac0080efd15d9f926a9d1557

SHA512
53c286bdd1c37e7549e8302153fe161dab371a4bdb5ab16db298edad5bd9ff97a7034fec183764228266318f5143a0b5f57b4e52cbcf8132eaffef65f87b0458

Download Submit
C:\Windows\System\wEHhAqw.exe
Filesize
5.9MB

MD5
43c2564f9d67727847024f383ae307d7

SHA1
0cd79a399fdf77edf2e737d3d8b2e6bda488285d

SHA256
88eaa650564508297df69411fe887f87bd5901ec2d2beb89a81f7472c40b2898

SHA512
3415e105ab2a172df06690fb87b24950f3647856ad868b7a9a3d20b375bf0a475ac6158f511f70c83c65ff2670ecf9499c371030b39391b26388a7bd40491f56

Download Submit
C:\Windows\System\zZhLwlr.exe
Filesize
5.9MB

MD5
05e35d0de9508f1382ede8b77cfad1cf

SHA1
0cdf1d94ca0b0e572ba35090ee0726ccb5da330c

SHA256
23e93c803831eb46206c398e5ce51297e8f4e8778531375851603dcea395b3dc

SHA512
f69df2fb706762d909207b90add3fcc460c314111a0e0663e355c5813803bc72b82517d63d62110f4aa46a602dee829b4b8ec3805782fb578e61bbe9ea40e480

Download Submit
memory/244-99-0x00007FF615710000-0x00007FF615A64000-memory.dmp

Filesize
3.3MB

Download
memory/244-148-0x00007FF615710000-0x00007FF615A64000-memory.dmp

Filesize
3.3MB

Download
memory/844-26-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp

Filesize
3.3MB

Download
memory/844-137-0x00007FF76A1A0000-0x00007FF76A4F4000-memory.dmp

Filesize
3.3MB

Download
memory/864-116-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp

Filesize
3.3MB

Download
memory/864-36-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp

Filesize
3.3MB

Download
memory/864-140-0x00007FF7E6E20000-0x00007FF7E7174000-memory.dmp

Filesize
3.3MB

Download
memory/1324-131-0x00007FF7A9BE0000-0x00007FF7A9F34000-memory.dmp

Filesize
3.3MB

Download
memory/1324-155-0x00007FF7A9BE0000-0x00007FF7A9F34000-memory.dmp

Filesize
3.3MB

Download
memory/1528-153-0x00007FF6FE2C0000-0x00007FF6FE614000-memory.dmp

Filesize
3.3MB

Download
memory/1528-126-0x00007FF6FE2C0000-0x00007FF6FE614000-memory.dmp

Filesize
3.3MB

Download
memory/1776-136-0x00007FF691100000-0x00007FF691454000-memory.dmp

Filesize
3.3MB

Download
memory/1776-21-0x00007FF691100000-0x00007FF691454000-memory.dmp

Filesize
3.3MB

Download
memory/2200-86-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp

Filesize
3.3MB

Download
memory/2200-147-0x00007FF6C7720000-0x00007FF6C7A74000-memory.dmp

Filesize
3.3MB

Download
memory/2340-103-0x00007FF747040000-0x00007FF747394000-memory.dmp

Filesize
3.3MB

Download
memory/2340-151-0x00007FF747040000-0x00007FF747394000-memory.dmp

Filesize
3.3MB

Download
memory/2340-133-0x00007FF747040000-0x00007FF747394000-memory.dmp

Filesize
3.3MB

Download
memory/2572-0-0x00007FF642A20000-0x00007FF642D74000-memory.dmp

Filesize
3.3MB

Download
memory/2572-82-0x00007FF642A20000-0x00007FF642D74000-memory.dmp

Filesize
3.3MB

Download
memory/2572-1-0x000001E6545F0000-0x000001E654600000-memory.dmp

Filesize
64KB

Download
memory/2916-102-0x00007FF7C79E0000-0x00007FF7C7D34000-memory.dmp

Filesize
3.3MB

Download
memory/2916-150-0x00007FF7C79E0000-0x00007FF7C7D34000-memory.dmp

Filesize
3.3MB

Download
memory/2964-144-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp

Filesize
3.3MB

Download
memory/2964-62-0x00007FF7D6F20000-0x00007FF7D7274000-memory.dmp

Filesize
3.3MB

Download
memory/3036-149-0x00007FF7C4390000-0x00007FF7C46E4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-101-0x00007FF7C4390000-0x00007FF7C46E4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-69-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-132-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp

Filesize
3.3MB

Download
memory/3976-146-0x00007FF7D5190000-0x00007FF7D54E4000-memory.dmp

Filesize
3.3MB

Download
memory/4252-8-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp

Filesize
3.3MB

Download
memory/4252-135-0x00007FF73AFC0000-0x00007FF73B314000-memory.dmp

Filesize
3.3MB

Download
memory/4492-145-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp

Filesize
3.3MB

Download
memory/4492-79-0x00007FF76DE00000-0x00007FF76E154000-memory.dmp

Filesize
3.3MB

Download
memory/4512-141-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-50-0x00007FF7451A0000-0x00007FF7454F4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-52-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-142-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-124-0x00007FF65D260000-0x00007FF65D5B4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-139-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp

Filesize
3.3MB

Download
memory/4648-31-0x00007FF6ABF40000-0x00007FF6AC294000-memory.dmp

Filesize
3.3MB

Download
memory/4776-138-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp

Filesize
3.3MB

Download
memory/4776-34-0x00007FF642D60000-0x00007FF6430B4000-memory.dmp

Filesize
3.3MB

Download
memory/4848-111-0x00007FF764300000-0x00007FF764654000-memory.dmp

Filesize
3.3MB

Download
memory/4848-152-0x00007FF764300000-0x00007FF764654000-memory.dmp

Filesize
3.3MB

Download
memory/4920-134-0x00007FF660DB0000-0x00007FF661104000-memory.dmp

Filesize
3.3MB

Download
memory/4920-154-0x00007FF660DB0000-0x00007FF661104000-memory.dmp

Filesize
3.3MB

Download
memory/4920-118-0x00007FF660DB0000-0x00007FF661104000-memory.dmp

Filesize
3.3MB

Download
memory/5112-143-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp

Filesize
3.3MB

Download
memory/5112-125-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp

Filesize
3.3MB

Download
memory/5112-56-0x00007FF6C8EC0000-0x00007FF6C9214000-memory.dmp

Filesize
3.3MB

Download