cobaltstrike | 0580ceaa067653d75937f6c77bc24679ecb3818a6362883615739eb5f5cd8b3a

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

08f328f05ea5f5a32bd970972814cb86
SHA1

f509e04b5235ff363fb3dbb2ed5f838c80503ac8
SHA256

0580ceaa067653d75937f6c77bc24679ecb3818a6362883615739eb5f5cd8b3a
SHA512

787bc5a1ca62d103d2ff5d91bc524f6f1f713063f2137a435deaa921133c6a56cd2471e9e2094fcdb5c7ccd4709732fa75d46e71a808ef54adf4d1b7800cc88a
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU7:Q+u56utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\UFXEtEP.exe	cobalt_reflective_dll
C:\Windows\System\iAWovvm.exe	cobalt_reflective_dll
C:\Windows\System\gCZBlMM.exe	cobalt_reflective_dll
C:\Windows\System\iNpFgxG.exe	cobalt_reflective_dll
C:\Windows\System\MiaqAvs.exe	cobalt_reflective_dll
C:\Windows\System\gXcxEWb.exe	cobalt_reflective_dll
C:\Windows\System\vAHpBez.exe	cobalt_reflective_dll
C:\Windows\System\pzTFwta.exe	cobalt_reflective_dll
C:\Windows\System\kseZHNn.exe	cobalt_reflective_dll
C:\Windows\System\zliyROq.exe	cobalt_reflective_dll
C:\Windows\System\DTnnxHs.exe	cobalt_reflective_dll
C:\Windows\System\ymtsEbL.exe	cobalt_reflective_dll
C:\Windows\System\HSQJUqP.exe	cobalt_reflective_dll
C:\Windows\System\EWwgIGT.exe	cobalt_reflective_dll
C:\Windows\System\MJrtNxg.exe	cobalt_reflective_dll
C:\Windows\System\WMOQseW.exe	cobalt_reflective_dll
C:\Windows\System\fNpjUKC.exe	cobalt_reflective_dll
C:\Windows\System\FpldlTF.exe	cobalt_reflective_dll
C:\Windows\System\otgGGqS.exe	cobalt_reflective_dll
C:\Windows\System\VscFDCx.exe	cobalt_reflective_dll
C:\Windows\System\nyyhNKW.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\UFXEtEP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iAWovvm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gCZBlMM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iNpFgxG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MiaqAvs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gXcxEWb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vAHpBez.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pzTFwta.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kseZHNn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zliyROq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DTnnxHs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ymtsEbL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HSQJUqP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EWwgIGT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MJrtNxg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WMOQseW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fNpjUKC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FpldlTF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\otgGGqS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VscFDCx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nyyhNKW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	UPX
C:\Windows\System\UFXEtEP.exe	UPX
C:\Windows\System\iAWovvm.exe	UPX
C:\Windows\System\gCZBlMM.exe	UPX
behavioral2/memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	UPX
C:\Windows\System\iNpFgxG.exe	UPX
C:\Windows\System\MiaqAvs.exe	UPX
behavioral2/memory/3640-32-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	UPX
C:\Windows\System\gXcxEWb.exe	UPX
C:\Windows\System\vAHpBez.exe	UPX
behavioral2/memory/3284-45-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	UPX
C:\Windows\System\pzTFwta.exe	UPX
behavioral2/memory/1132-40-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	UPX
behavioral2/memory/3896-37-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	UPX
behavioral2/memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	UPX
behavioral2/memory/3656-26-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	UPX
behavioral2/memory/4204-10-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	UPX
C:\Windows\System\kseZHNn.exe	UPX
behavioral2/memory/3588-54-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
C:\Windows\System\zliyROq.exe	UPX
C:\Windows\System\DTnnxHs.exe	UPX
behavioral2/memory/600-68-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	UPX
behavioral2/memory/1620-70-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	UPX
C:\Windows\System\ymtsEbL.exe	UPX
C:\Windows\System\HSQJUqP.exe	UPX
behavioral2/memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	UPX
C:\Windows\System\EWwgIGT.exe	UPX
C:\Windows\System\MJrtNxg.exe	UPX
C:\Windows\System\WMOQseW.exe	UPX
behavioral2/memory/3600-88-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	UPX
behavioral2/memory/4080-86-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	UPX
behavioral2/memory/3336-75-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	UPX
behavioral2/memory/4276-69-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	UPX
behavioral2/memory/2920-113-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp	UPX
behavioral2/memory/1836-117-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp	UPX
behavioral2/memory/4740-118-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	UPX
C:\Windows\System\fNpjUKC.exe	UPX
C:\Windows\System\FpldlTF.exe	UPX
C:\Windows\System\otgGGqS.exe	UPX
behavioral2/memory/1132-109-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	UPX
C:\Windows\System\VscFDCx.exe	UPX
behavioral2/memory/2692-101-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	UPX
behavioral2/memory/2392-100-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp	UPX
behavioral2/memory/3896-99-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	UPX
behavioral2/memory/3284-126-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	UPX
C:\Windows\System\nyyhNKW.exe	UPX
behavioral2/memory/2428-127-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp	UPX
behavioral2/memory/3588-132-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
behavioral2/memory/896-133-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp	UPX
behavioral2/memory/3336-134-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	UPX
behavioral2/memory/4080-135-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	UPX
behavioral2/memory/3600-136-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	UPX
behavioral2/memory/4740-137-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	UPX
behavioral2/memory/4204-138-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	UPX
behavioral2/memory/2624-139-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	UPX
behavioral2/memory/3656-140-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	UPX
behavioral2/memory/3100-142-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	UPX
behavioral2/memory/3640-141-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	UPX
behavioral2/memory/3284-143-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	UPX
behavioral2/memory/1132-144-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	UPX
behavioral2/memory/3896-145-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	UPX
behavioral2/memory/600-146-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	UPX
behavioral2/memory/3588-148-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	UPX
behavioral2/memory/1620-147-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	xmrig
C:\Windows\System\UFXEtEP.exe	xmrig
C:\Windows\System\iAWovvm.exe	xmrig
C:\Windows\System\gCZBlMM.exe	xmrig
behavioral2/memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	xmrig
C:\Windows\System\iNpFgxG.exe	xmrig
C:\Windows\System\MiaqAvs.exe	xmrig
behavioral2/memory/3640-32-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	xmrig
C:\Windows\System\gXcxEWb.exe	xmrig
C:\Windows\System\vAHpBez.exe	xmrig
behavioral2/memory/3284-45-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	xmrig
C:\Windows\System\pzTFwta.exe	xmrig
behavioral2/memory/1132-40-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	xmrig
behavioral2/memory/3896-37-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	xmrig
behavioral2/memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	xmrig
behavioral2/memory/3656-26-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	xmrig
behavioral2/memory/4204-10-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	xmrig
C:\Windows\System\kseZHNn.exe	xmrig
behavioral2/memory/3588-54-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
C:\Windows\System\zliyROq.exe	xmrig
C:\Windows\System\DTnnxHs.exe	xmrig
behavioral2/memory/600-68-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	xmrig
behavioral2/memory/1620-70-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	xmrig
C:\Windows\System\ymtsEbL.exe	xmrig
C:\Windows\System\HSQJUqP.exe	xmrig
behavioral2/memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	xmrig
C:\Windows\System\EWwgIGT.exe	xmrig
C:\Windows\System\MJrtNxg.exe	xmrig
C:\Windows\System\WMOQseW.exe	xmrig
behavioral2/memory/3600-88-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	xmrig
behavioral2/memory/4080-86-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	xmrig
behavioral2/memory/3336-75-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	xmrig
behavioral2/memory/4276-69-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	xmrig
behavioral2/memory/2920-113-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp	xmrig
behavioral2/memory/1836-117-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp	xmrig
behavioral2/memory/4740-118-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	xmrig
C:\Windows\System\fNpjUKC.exe	xmrig
C:\Windows\System\FpldlTF.exe	xmrig
C:\Windows\System\otgGGqS.exe	xmrig
behavioral2/memory/1132-109-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	xmrig
C:\Windows\System\VscFDCx.exe	xmrig
behavioral2/memory/2692-101-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	xmrig
behavioral2/memory/2392-100-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp	xmrig
behavioral2/memory/3896-99-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	xmrig
behavioral2/memory/3284-126-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	xmrig
C:\Windows\System\nyyhNKW.exe	xmrig
behavioral2/memory/2428-127-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp	xmrig
behavioral2/memory/3588-132-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
behavioral2/memory/896-133-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp	xmrig
behavioral2/memory/3336-134-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	xmrig
behavioral2/memory/4080-135-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	xmrig
behavioral2/memory/3600-136-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	xmrig
behavioral2/memory/4740-137-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	xmrig
behavioral2/memory/4204-138-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	xmrig
behavioral2/memory/2624-139-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	xmrig
behavioral2/memory/3656-140-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	xmrig
behavioral2/memory/3100-142-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	xmrig
behavioral2/memory/3640-141-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	xmrig
behavioral2/memory/3284-143-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	xmrig
behavioral2/memory/1132-144-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	xmrig
behavioral2/memory/3896-145-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	xmrig
behavioral2/memory/600-146-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	xmrig
behavioral2/memory/3588-148-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	xmrig
behavioral2/memory/1620-147-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UFXEtEP.exegCZBlMM.exeiAWovvm.exeiNpFgxG.exeMiaqAvs.exepzTFwta.exegXcxEWb.exevAHpBez.exekseZHNn.exezliyROq.exeDTnnxHs.exeymtsEbL.exeHSQJUqP.exeWMOQseW.exeMJrtNxg.exeEWwgIGT.exeVscFDCx.exeotgGGqS.exeFpldlTF.exefNpjUKC.exenyyhNKW.exe

pid	process
4204	UFXEtEP.exe
2624	gCZBlMM.exe
3656	iAWovvm.exe
3100	iNpFgxG.exe
3640	MiaqAvs.exe
3896	pzTFwta.exe
1132	gXcxEWb.exe
3284	vAHpBez.exe
3588	kseZHNn.exe
600	zliyROq.exe
1620	DTnnxHs.exe
3336	ymtsEbL.exe
4080	HSQJUqP.exe
3600	WMOQseW.exe
2392	MJrtNxg.exe
2692	EWwgIGT.exe
2920	VscFDCx.exe
1836	otgGGqS.exe
4740	FpldlTF.exe
2428	fNpjUKC.exe
896	nyyhNKW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	upx
C:\Windows\System\UFXEtEP.exe	upx
C:\Windows\System\iAWovvm.exe	upx
C:\Windows\System\gCZBlMM.exe	upx
behavioral2/memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	upx
C:\Windows\System\iNpFgxG.exe	upx
C:\Windows\System\MiaqAvs.exe	upx
behavioral2/memory/3640-32-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	upx
C:\Windows\System\gXcxEWb.exe	upx
C:\Windows\System\vAHpBez.exe	upx
behavioral2/memory/3284-45-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	upx
C:\Windows\System\pzTFwta.exe	upx
behavioral2/memory/1132-40-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	upx
behavioral2/memory/3896-37-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	upx
behavioral2/memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	upx
behavioral2/memory/3656-26-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	upx
behavioral2/memory/4204-10-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	upx
C:\Windows\System\kseZHNn.exe	upx
behavioral2/memory/3588-54-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
C:\Windows\System\zliyROq.exe	upx
C:\Windows\System\DTnnxHs.exe	upx
behavioral2/memory/600-68-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	upx
behavioral2/memory/1620-70-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	upx
C:\Windows\System\ymtsEbL.exe	upx
C:\Windows\System\HSQJUqP.exe	upx
behavioral2/memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	upx
C:\Windows\System\EWwgIGT.exe	upx
C:\Windows\System\MJrtNxg.exe	upx
C:\Windows\System\WMOQseW.exe	upx
behavioral2/memory/3600-88-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	upx
behavioral2/memory/4080-86-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	upx
behavioral2/memory/3336-75-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	upx
behavioral2/memory/4276-69-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp	upx
behavioral2/memory/2920-113-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp	upx
behavioral2/memory/1836-117-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp	upx
behavioral2/memory/4740-118-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	upx
C:\Windows\System\fNpjUKC.exe	upx
C:\Windows\System\FpldlTF.exe	upx
C:\Windows\System\otgGGqS.exe	upx
behavioral2/memory/1132-109-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	upx
C:\Windows\System\VscFDCx.exe	upx
behavioral2/memory/2692-101-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	upx
behavioral2/memory/2392-100-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp	upx
behavioral2/memory/3896-99-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	upx
behavioral2/memory/3284-126-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	upx
C:\Windows\System\nyyhNKW.exe	upx
behavioral2/memory/2428-127-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp	upx
behavioral2/memory/3588-132-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
behavioral2/memory/896-133-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp	upx
behavioral2/memory/3336-134-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp	upx
behavioral2/memory/4080-135-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp	upx
behavioral2/memory/3600-136-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp	upx
behavioral2/memory/4740-137-0x00007FF798790000-0x00007FF798AE4000-memory.dmp	upx
behavioral2/memory/4204-138-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp	upx
behavioral2/memory/2624-139-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp	upx
behavioral2/memory/3656-140-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp	upx
behavioral2/memory/3100-142-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp	upx
behavioral2/memory/3640-141-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp	upx
behavioral2/memory/3284-143-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp	upx
behavioral2/memory/1132-144-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp	upx
behavioral2/memory/3896-145-0x00007FF660C40000-0x00007FF660F94000-memory.dmp	upx
behavioral2/memory/600-146-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp	upx
behavioral2/memory/3588-148-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp	upx
behavioral2/memory/1620-147-0x00007FF668980000-0x00007FF668CD4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\gCZBlMM.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iNpFgxG.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vAHpBez.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HSQJUqP.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EWwgIGT.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FpldlTF.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nyyhNKW.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UFXEtEP.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iAWovvm.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MiaqAvs.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zliyROq.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MJrtNxg.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VscFDCx.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fNpjUKC.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pzTFwta.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gXcxEWb.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ymtsEbL.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WMOQseW.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kseZHNn.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DTnnxHs.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\otgGGqS.exe	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4276 wrote to memory of 4204	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	UFXEtEP.exe
PID 4276 wrote to memory of 4204	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	UFXEtEP.exe
PID 4276 wrote to memory of 2624	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	gCZBlMM.exe
PID 4276 wrote to memory of 2624	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	gCZBlMM.exe
PID 4276 wrote to memory of 3656	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	iAWovvm.exe
PID 4276 wrote to memory of 3656	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	iAWovvm.exe
PID 4276 wrote to memory of 3100	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	iNpFgxG.exe
PID 4276 wrote to memory of 3100	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	iNpFgxG.exe
PID 4276 wrote to memory of 3640	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	MiaqAvs.exe
PID 4276 wrote to memory of 3640	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	MiaqAvs.exe
PID 4276 wrote to memory of 3896	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	pzTFwta.exe
PID 4276 wrote to memory of 3896	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	pzTFwta.exe
PID 4276 wrote to memory of 1132	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	gXcxEWb.exe
PID 4276 wrote to memory of 1132	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	gXcxEWb.exe
PID 4276 wrote to memory of 3284	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	vAHpBez.exe
PID 4276 wrote to memory of 3284	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	vAHpBez.exe
PID 4276 wrote to memory of 3588	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	kseZHNn.exe
PID 4276 wrote to memory of 3588	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	kseZHNn.exe
PID 4276 wrote to memory of 600	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	zliyROq.exe
PID 4276 wrote to memory of 600	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	zliyROq.exe
PID 4276 wrote to memory of 1620	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	DTnnxHs.exe
PID 4276 wrote to memory of 1620	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	DTnnxHs.exe
PID 4276 wrote to memory of 3336	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	ymtsEbL.exe
PID 4276 wrote to memory of 3336	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	ymtsEbL.exe
PID 4276 wrote to memory of 4080	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	HSQJUqP.exe
PID 4276 wrote to memory of 4080	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	HSQJUqP.exe
PID 4276 wrote to memory of 3600	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	WMOQseW.exe
PID 4276 wrote to memory of 3600	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	WMOQseW.exe
PID 4276 wrote to memory of 2392	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	MJrtNxg.exe
PID 4276 wrote to memory of 2392	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	MJrtNxg.exe
PID 4276 wrote to memory of 2692	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	EWwgIGT.exe
PID 4276 wrote to memory of 2692	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	EWwgIGT.exe
PID 4276 wrote to memory of 2920	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	VscFDCx.exe
PID 4276 wrote to memory of 2920	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	VscFDCx.exe
PID 4276 wrote to memory of 1836	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	otgGGqS.exe
PID 4276 wrote to memory of 1836	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	otgGGqS.exe
PID 4276 wrote to memory of 4740	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	FpldlTF.exe
PID 4276 wrote to memory of 4740	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	FpldlTF.exe
PID 4276 wrote to memory of 2428	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	fNpjUKC.exe
PID 4276 wrote to memory of 2428	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	fNpjUKC.exe
PID 4276 wrote to memory of 896	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	nyyhNKW.exe
PID 4276 wrote to memory of 896	4276	2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe	nyyhNKW.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_08f328f05ea5f5a32bd970972814cb86_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\System\UFXEtEP.exe
C:\Windows\System\UFXEtEP.exe
2⤵
- Executes dropped EXE
PID:4204

C:\Windows\System\gCZBlMM.exe
C:\Windows\System\gCZBlMM.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\iAWovvm.exe
C:\Windows\System\iAWovvm.exe
2⤵
- Executes dropped EXE
PID:3656

C:\Windows\System\iNpFgxG.exe
C:\Windows\System\iNpFgxG.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\System\MiaqAvs.exe
C:\Windows\System\MiaqAvs.exe
2⤵
- Executes dropped EXE
PID:3640

C:\Windows\System\pzTFwta.exe
C:\Windows\System\pzTFwta.exe
2⤵
- Executes dropped EXE
PID:3896

C:\Windows\System\gXcxEWb.exe
C:\Windows\System\gXcxEWb.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\System\vAHpBez.exe
C:\Windows\System\vAHpBez.exe
2⤵
- Executes dropped EXE
PID:3284

C:\Windows\System\kseZHNn.exe
C:\Windows\System\kseZHNn.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System\zliyROq.exe
C:\Windows\System\zliyROq.exe
2⤵
- Executes dropped EXE
PID:600

C:\Windows\System\DTnnxHs.exe
C:\Windows\System\DTnnxHs.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\ymtsEbL.exe
C:\Windows\System\ymtsEbL.exe
2⤵
- Executes dropped EXE
PID:3336

C:\Windows\System\HSQJUqP.exe
C:\Windows\System\HSQJUqP.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System\WMOQseW.exe
C:\Windows\System\WMOQseW.exe
2⤵
- Executes dropped EXE
PID:3600

C:\Windows\System\MJrtNxg.exe
C:\Windows\System\MJrtNxg.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\EWwgIGT.exe
C:\Windows\System\EWwgIGT.exe
2⤵
- Executes dropped EXE
PID:2692

C:\Windows\System\VscFDCx.exe
C:\Windows\System\VscFDCx.exe
2⤵
- Executes dropped EXE
PID:2920

C:\Windows\System\otgGGqS.exe
C:\Windows\System\otgGGqS.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\System\FpldlTF.exe
C:\Windows\System\FpldlTF.exe
2⤵
- Executes dropped EXE
PID:4740

C:\Windows\System\fNpjUKC.exe
C:\Windows\System\fNpjUKC.exe
2⤵
- Executes dropped EXE
PID:2428

C:\Windows\System\nyyhNKW.exe
C:\Windows\System\nyyhNKW.exe
2⤵
- Executes dropped EXE
PID:896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DTnnxHs.exe
Filesize
5.9MB

MD5
da0c3854edd879edbcd7df917078fdc0

SHA1
4f95bf3b9cf6ce18cf116de0b79da033af948f6f

SHA256
87b39f0a383aba62cec3d7a89aca21a4887c28059ac071f90eb1fd1e2ec96240

SHA512
e327a1b74702a01dc55140a8a0aba3bd3a4b28f6f7c3dd180880fbc6bbb2db6fb42cb38d56841f5f5fc737381f8625b438a35c84801e07c041d3fb1f8310ddd5

Download Submit
C:\Windows\System\EWwgIGT.exe
Filesize
5.9MB

MD5
12157465e1191ed355098311cd1437f4

SHA1
2de4e5e2e8d3e3084371a9f79472612573206d95

SHA256
b89942aab932012d61b58ef25b1e45dc7f6bb320b0ecac5b49b18c94338b6054

SHA512
caf34671f0530f53034ae8ce0328813ca91fbf6de020e133fb8d9c4cbaf1e5d68cc1bee28b8669a9329206d7756b3910c6cb87481089a188b0ee43baa0695a7a

Download Submit
C:\Windows\System\FpldlTF.exe
Filesize
5.9MB

MD5
da5b1fc872c41710047ae810c5612e9d

SHA1
9c1deff9717aaf7ba1aba6b363406bb4caa2e26c

SHA256
62dfe5848d36a24b145eed4ba10937f70e25e2f8004e1914b678ff792238ee41

SHA512
e133144246c33ec01be65a5293f15abe6eb4ae9acbf2de079657bc217ab50f08864347bd2516a104efad6d87b59e418343c3a9db5f48097efde5f6b1eff65539

Download Submit
C:\Windows\System\HSQJUqP.exe
Filesize
5.9MB

MD5
3a1ad934433ff98b3774cbc2b15bca68

SHA1
69992675a2f8211a436350fc62350228433b5e1c

SHA256
3c38e8c1fb09e206ad127a5e0d082c13427adff0b547955697e54c4f49831a57

SHA512
338c24534df19f446a52da0a8546067bacb79c6d1534b266b7788d0ef959580e46309c3a3acd8add621f2673f5791e01f75d271de918987c39d8040db594e0bd

Download Submit
C:\Windows\System\MJrtNxg.exe
Filesize
5.9MB

MD5
08c2fb9400746cd9f0db3aa55e9e67a9

SHA1
16736572328c5efe1b7f8ebb2833f3d89fa6e4ae

SHA256
d44f0c810c85742dfd65c66128c72192f7867400cc04cd7cc55c415ab54aaf05

SHA512
b1519849add659c6f0b19e7a472cad47a1a759e6854db13ec639270443e370050b9450fa296895bdb0b8c10c70755ecec2f168f783ad44e7bb2aa6b81d57a606

Download Submit
C:\Windows\System\MiaqAvs.exe
Filesize
5.9MB

MD5
bd0bb4a48c0fd644dfdb1592c208bdfb

SHA1
ae1d4694fc97f04823600865d8ba5afd41842dbc

SHA256
52506c7b54bbb3bb52dd35fa84ff9ec3430bbf3fec11c104b795a12d837df5b8

SHA512
be7144d78e9f512ba1cb30d9a2d323460679b9d61eed2fa425f5606450f5a3710c18d3a13ddfa507c590e9a8cc8a3eddb3537bdfe36e50603be2bd9eb15c03c0

Download Submit
C:\Windows\System\UFXEtEP.exe
Filesize
5.9MB

MD5
ae99c37a3dab579b5440571216d4b201

SHA1
9fa096bbbb95002fe5d6bfe9defad4ad00e4e6b7

SHA256
db0b977f105ffd1bcc7025c44d69f117dedb5e2db08aaa03696b691d68824ce7

SHA512
c3900200563aece188cc8b61cf3ce9097449130f363240453bbe377657b28cf260fb0b8bbe645300c63eb4259f5ec7e6aeb02e0784a06369dc1c02522b51c111

Download Submit
C:\Windows\System\VscFDCx.exe
Filesize
5.9MB

MD5
e19db02ba0e2fea57df003d6a8693b04

SHA1
6263cf2d9b6986bf2fe1964ebc4497f643467c15

SHA256
60a9f6b4204e58c5c071def9013927aa08815b4371dc78ee3437207108d5767c

SHA512
99efbf0ff32ebe69b168899ce5d5e232b4de319e2af33e36696d65feb62e22f9dda20426d1ff7d3f5e8efd3c42da48e5e1f25d10d2aeeffed9f86fba63cbce21

Download Submit
C:\Windows\System\WMOQseW.exe
Filesize
5.9MB

MD5
42f5e9a43222fc81fc7d826e31ee5a3a

SHA1
5c944b1a96c702b9cce81311b297e80a66ef0dea

SHA256
0ada4136bd1bd8d73fb564ad73dfa5411741ab76e1c94d85690c02592f72661a

SHA512
6ae7c568d521e5af81fc06be4e2cca57cc4e2c106a896ae7b2f8bb326d9fd15cac9fbfa99c92967c5ce087a6895a20721020fceef0c5c586ff70a65ba6433502

Download Submit
C:\Windows\System\fNpjUKC.exe
Filesize
5.9MB

MD5
8fa96088e44ff34f26678e71215b854f

SHA1
5bde4e041ff467683c1691ec4b4864d977007b56

SHA256
7f1476de0d2e59c40d708f4ad673fe65d4e11e0cd1d82f33ffbf38cceff69e19

SHA512
baa4d0cf43f3fd810f1826a944e53e1baa056a7d5a3cd1555d886b83d29be82639ff22e240ba45f1d5afd0f36cc95df404c6b5455ecb4c48c2bb75e78ba6f838

Download Submit
C:\Windows\System\gCZBlMM.exe
Filesize
5.9MB

MD5
4be11b422107747f8c4fe2a6c984c58e

SHA1
70400cfbf1c97957d491b616784d70dcf0150cf0

SHA256
e322f848fc0e0ba64aeffb7188675abc455619f39f9636627040ad56b284344e

SHA512
89064e56996c5f2fb51a23d18db38907ccf17ff0f5ad2deb942b8b69068f95a9c197bb1397c66dd639039d3181e9110e0e94a4e3af17c0d56d9b58bec87c7300

Download Submit
C:\Windows\System\gXcxEWb.exe
Filesize
5.9MB

MD5
c44ea4f97f217ab5b3f9a894ba1b9c95

SHA1
8eb57eda27aa017661cceec0088fad0081100597

SHA256
a8e6cf18f2b7b817bed2cde462262cf7f0030aad8fd586e6b68a41b7465edba4

SHA512
c14f765ba34ed923d84563e97f564fc7defe7ee7f3de59e68fabeca64611110f816ac8d93c5ccfbb14a03d2f70ca404a697f2fc1dd7a0c32ef62746efeafa2c0

Download Submit
C:\Windows\System\iAWovvm.exe
Filesize
5.9MB

MD5
ddb18809fe091ddeac3a93b61d7081f9

SHA1
d9767cd34967a84dadb6f423b0beb06e3c8477c0

SHA256
fb2f42be05c10040e76a2d75c06be091e60abb54a102ddd983f97126b1d7190e

SHA512
57ac7e508398e81e3fb5352cf707d3bb370fdcc0cdcf83a644c664b195b6b776f09aa6187f3467046f6a26b626f8f09dbf8d3fd93ce75d9ee7a0a00f0d2deabd

Download Submit
C:\Windows\System\iNpFgxG.exe
Filesize
5.9MB

MD5
0db2339d2102072afb3b59ad59358841

SHA1
edb350ac97dc0d20a7de97fd0c764d3b2b14ee87

SHA256
28cb46d69799f3789cae96a3bd7bdf96bc1f57661e9c63e3b025cf24c404a0c4

SHA512
7fa833363b39c52234a34d1d5f6cdddfaeeb242b7f25283d33823c66b96ab4e9ef9e35e568d1606481e0092bb98e6422e25ce728bf6d29aa5f1552188bfc8cfb

Download Submit
C:\Windows\System\kseZHNn.exe
Filesize
5.9MB

MD5
b63243134836b8742019b2b677501d90

SHA1
1fc45dc8b9e1bdaf01e8fa1a6d6922320698fea3

SHA256
50255be8e7eee73a5201c5b77d33dc6cf1d1668de66c3202558909e4c846034a

SHA512
67733d416c9df5e4da22d9200ddf711e59b23914539e792192b6a6976c453a59eaefceb2e48be9712549e2a5abb76164af91210c6d8c62710b7dd08fc27fb254

Download Submit
C:\Windows\System\nyyhNKW.exe
Filesize
5.9MB

MD5
601d261e1b55f54d85bc6015c5e0a0b2

SHA1
a119caf0ba7140170757af666df87c682cf4f889

SHA256
db0f5ddd4762382482bdea6c5032e48ce9a4b53651ee5e4ec7e393b4fdf3ff99

SHA512
1a63648076d5766495ed8033d27c7a040d4c4a71c6df93554b15917ebe5cf14247fccdcb08656051cdad9e5a32f5645c2be3557267d9116498d20e0670a71e88

Download Submit
C:\Windows\System\otgGGqS.exe
Filesize
5.9MB

MD5
adb47b93ed3de20b9a820a42c0d4e25d

SHA1
192132eb58211431897d9a2f51f58d357935ab2d

SHA256
53b31e481a5cfb3dc9b6407f08586a169dce3bd29b71d64d0f22f392a3e76081

SHA512
947f3683d51b904cc83a89f0a24386f0e650193b2f1109ab86e73d2a56f418f20e51829332e927b77ae391384ace0796dcd47ad1f3396ec346fac592f0e2cc32

Download Submit
C:\Windows\System\pzTFwta.exe
Filesize
5.9MB

MD5
d7d3323badba4657766eb374aa88d352

SHA1
d3ee9ab8871ed32e981a219f3f7df9dbd94db025

SHA256
01a3db23226235fe6a14df081c5700e74d8d88721330b949078c882a4898f1cc

SHA512
d5f10b993a7905831dc73a71ce2a58b38c7463c3541678cc4ee2937ed1de638f3b96518f91c7aaa2e16bf1fc0c0eff2d3690b526d17e51e4cfeee3ebaee0469b

Download Submit
C:\Windows\System\vAHpBez.exe
Filesize
5.9MB

MD5
8ca3ce559fc71f2bbf22623aaa71fec4

SHA1
a50bf611a7716d7ca0dbfabd625e4d3a2731b955

SHA256
299f50ae42ef576f551cd83b6cce6b58198fe0ace29d14441873dccddc091f1f

SHA512
3ac46a75ee7caabd49f81482b19d75ab16ea8d3b91bbf92bfa81419f646cbaff7864aca88c9d3b2ab5a14e08bae19300816ac01c100584288b105159c6177b4c

Download Submit
C:\Windows\System\ymtsEbL.exe
Filesize
5.9MB

MD5
1e4f3d22e6aafad119d1bbcf929ce469

SHA1
e48cc7c3e30961ce6f340f6ee6984c2e1a7a9a1e

SHA256
f7ac2c64198eb4ed51f0b0abcac15f4c830e82109f4a3d0a4ff02305f9bd0595

SHA512
d8ab2364b2c87d5928304e487766d7c47387615ebb761b649c1e0e2c870f27122cafe590df5a2a50d3ffeccb38b8863a87588fbcbaceba34551551419c81af4b

Download Submit
C:\Windows\System\zliyROq.exe
Filesize
5.9MB

MD5
9b8f0349223c94f905079d1924800bc4

SHA1
bbdfebe3c07749eff7d727fb1b6bd90a7689057b

SHA256
94839ae1b8f594bbc9b6af16b127f8eba2e45295b70c3dd228691a9106f89fd5

SHA512
9740a732cc6a26e9c7f9dd3ed893a92868928299f03573737b5f150c7a40294e41a5482144d03e9f7deb2c8140335692fb00f895ce70ff9b79b0805e24f513d3

Download Submit
memory/600-146-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp

Filesize
3.3MB

Download
memory/600-68-0x00007FF7DA2F0000-0x00007FF7DA644000-memory.dmp

Filesize
3.3MB

Download
memory/896-133-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp

Filesize
3.3MB

Download
memory/896-158-0x00007FF6EC870000-0x00007FF6ECBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1132-40-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp

Filesize
3.3MB

Download
memory/1132-144-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp

Filesize
3.3MB

Download
memory/1132-109-0x00007FF6ECCE0000-0x00007FF6ED034000-memory.dmp

Filesize
3.3MB

Download
memory/1620-70-0x00007FF668980000-0x00007FF668CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1620-147-0x00007FF668980000-0x00007FF668CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1836-155-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp

Filesize
3.3MB

Download
memory/1836-117-0x00007FF71D990000-0x00007FF71DCE4000-memory.dmp

Filesize
3.3MB

Download
memory/2392-152-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp

Filesize
3.3MB

Download
memory/2392-100-0x00007FF65D8E0000-0x00007FF65DC34000-memory.dmp

Filesize
3.3MB

Download
memory/2428-156-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp

Filesize
3.3MB

Download
memory/2428-127-0x00007FF7FC4D0000-0x00007FF7FC824000-memory.dmp

Filesize
3.3MB

Download
memory/2624-16-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2624-139-0x00007FF6CC660000-0x00007FF6CC9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-101-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

Filesize
3.3MB

Download
memory/2692-151-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

Filesize
3.3MB

Download
memory/2920-113-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp

Filesize
3.3MB

Download
memory/2920-154-0x00007FF71BEC0000-0x00007FF71C214000-memory.dmp

Filesize
3.3MB

Download
memory/3100-27-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-142-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-87-0x00007FF6009A0000-0x00007FF600CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3284-143-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp

Filesize
3.3MB

Download
memory/3284-126-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp

Filesize
3.3MB

Download
memory/3284-45-0x00007FF7A0800000-0x00007FF7A0B54000-memory.dmp

Filesize
3.3MB

Download
memory/3336-75-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp

Filesize
3.3MB

Download
memory/3336-149-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp

Filesize
3.3MB

Download
memory/3336-134-0x00007FF7F44A0000-0x00007FF7F47F4000-memory.dmp

Filesize
3.3MB

Download
memory/3588-54-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/3588-132-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/3588-148-0x00007FF6AC9C0000-0x00007FF6ACD14000-memory.dmp

Filesize
3.3MB

Download
memory/3600-136-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp

Filesize
3.3MB

Download
memory/3600-88-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp

Filesize
3.3MB

Download
memory/3600-153-0x00007FF7E9BC0000-0x00007FF7E9F14000-memory.dmp

Filesize
3.3MB

Download
memory/3640-32-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3640-141-0x00007FF7B6A70000-0x00007FF7B6DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-26-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp

Filesize
3.3MB

Download
memory/3656-140-0x00007FF7CE640000-0x00007FF7CE994000-memory.dmp

Filesize
3.3MB

Download
memory/3896-37-0x00007FF660C40000-0x00007FF660F94000-memory.dmp

Filesize
3.3MB

Download
memory/3896-145-0x00007FF660C40000-0x00007FF660F94000-memory.dmp

Filesize
3.3MB

Download
memory/3896-99-0x00007FF660C40000-0x00007FF660F94000-memory.dmp

Filesize
3.3MB

Download
memory/4080-86-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp

Filesize
3.3MB

Download
memory/4080-135-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp

Filesize
3.3MB

Download
memory/4080-150-0x00007FF638BF0000-0x00007FF638F44000-memory.dmp

Filesize
3.3MB

Download
memory/4204-138-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp

Filesize
3.3MB

Download
memory/4204-10-0x00007FF7C33F0000-0x00007FF7C3744000-memory.dmp

Filesize
3.3MB

Download
memory/4276-69-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp

Filesize
3.3MB

Download
memory/4276-0-0x00007FF67D6D0000-0x00007FF67DA24000-memory.dmp

Filesize
3.3MB

Download
memory/4276-1-0x000001E194580000-0x000001E194590000-memory.dmp

Filesize
64KB

Download
memory/4740-118-0x00007FF798790000-0x00007FF798AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-137-0x00007FF798790000-0x00007FF798AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4740-157-0x00007FF798790000-0x00007FF798AE4000-memory.dmp

Filesize
3.3MB

Download