cobaltstrike | 12c0ac6bdb93eeb72f99fb6422728326bf1aaef955c141e88018dd50fd7f70c6

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

0ce520b34f80bab5324dc0f4cee84f9c
SHA1

9b5a7e11774483f355615ace756c5929f445bba1
SHA256

12c0ac6bdb93eeb72f99fb6422728326bf1aaef955c141e88018dd50fd7f70c6
SHA512

939153b1ff08bb76b9e38d1418c906bdcbce9dfe910ea6277f6aebdfed741adea46e99c6776a1a662d483c61f3bd248283d572e59a4f59e7dac861782c836885
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUw:Q+856utgpPF8u/7w

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vcIFFpV.exe	cobalt_reflective_dll
C:\Windows\System\pEcfLds.exe	cobalt_reflective_dll
C:\Windows\System\ImUDTsY.exe	cobalt_reflective_dll
C:\Windows\System\yWvnMRB.exe	cobalt_reflective_dll
C:\Windows\System\zXHHIsO.exe	cobalt_reflective_dll
C:\Windows\System\KDKrVIm.exe	cobalt_reflective_dll
C:\Windows\System\aFfhoGU.exe	cobalt_reflective_dll
C:\Windows\System\fNeDOvN.exe	cobalt_reflective_dll
C:\Windows\System\olNSvxY.exe	cobalt_reflective_dll
C:\Windows\System\nqyezdf.exe	cobalt_reflective_dll
C:\Windows\System\aSmYrgL.exe	cobalt_reflective_dll
C:\Windows\System\SJFofyn.exe	cobalt_reflective_dll
C:\Windows\System\qXAYasL.exe	cobalt_reflective_dll
C:\Windows\System\gDPLRmx.exe	cobalt_reflective_dll
C:\Windows\System\CSgOMRN.exe	cobalt_reflective_dll
C:\Windows\System\mnyUEaI.exe	cobalt_reflective_dll
C:\Windows\System\mpkfSBW.exe	cobalt_reflective_dll
C:\Windows\System\XvXMOVE.exe	cobalt_reflective_dll
C:\Windows\System\NXKvCeB.exe	cobalt_reflective_dll
C:\Windows\System\PZQAoQJ.exe	cobalt_reflective_dll
C:\Windows\System\iRUaRyn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\vcIFFpV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pEcfLds.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ImUDTsY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yWvnMRB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zXHHIsO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KDKrVIm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aFfhoGU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fNeDOvN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\olNSvxY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nqyezdf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aSmYrgL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SJFofyn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qXAYasL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gDPLRmx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CSgOMRN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mnyUEaI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mpkfSBW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XvXMOVE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NXKvCeB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PZQAoQJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iRUaRyn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	UPX
C:\Windows\System\vcIFFpV.exe	UPX
C:\Windows\System\pEcfLds.exe	UPX
C:\Windows\System\ImUDTsY.exe	UPX
behavioral2/memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	UPX
C:\Windows\System\yWvnMRB.exe	UPX
C:\Windows\System\zXHHIsO.exe	UPX
C:\Windows\System\KDKrVIm.exe	UPX
C:\Windows\System\aFfhoGU.exe	UPX
behavioral2/memory/436-58-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	UPX
behavioral2/memory/2724-64-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	UPX
C:\Windows\System\fNeDOvN.exe	UPX
behavioral2/memory/3668-65-0x00007FF765140000-0x00007FF765494000-memory.dmp	UPX
C:\Windows\System\olNSvxY.exe	UPX
behavioral2/memory/3016-54-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	UPX
C:\Windows\System\nqyezdf.exe	UPX
behavioral2/memory/3228-42-0x00007FF700500000-0x00007FF700854000-memory.dmp	UPX
behavioral2/memory/3524-39-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	UPX
behavioral2/memory/744-32-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	UPX
behavioral2/memory/1124-30-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	UPX
C:\Windows\System\aSmYrgL.exe	UPX
behavioral2/memory/1420-20-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	UPX
behavioral2/memory/3648-13-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	UPX
C:\Windows\System\SJFofyn.exe	UPX
behavioral2/memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	UPX
C:\Windows\System\qXAYasL.exe	UPX
behavioral2/memory/4584-76-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	UPX
C:\Windows\System\gDPLRmx.exe	UPX
C:\Windows\System\CSgOMRN.exe	UPX
behavioral2/memory/3764-93-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp	UPX
behavioral2/memory/1012-90-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	UPX
behavioral2/memory/2940-99-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp	UPX
behavioral2/memory/3524-105-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	UPX
C:\Windows\System\mnyUEaI.exe	UPX
behavioral2/memory/2052-106-0x00007FF619640000-0x00007FF619994000-memory.dmp	UPX
behavioral2/memory/2432-104-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp	UPX
C:\Windows\System\mpkfSBW.exe	UPX
behavioral2/memory/744-100-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	UPX
behavioral2/memory/1964-81-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp	UPX
C:\Windows\System\XvXMOVE.exe	UPX
behavioral2/memory/3228-114-0x00007FF700500000-0x00007FF700854000-memory.dmp	UPX
C:\Windows\System\NXKvCeB.exe	UPX
C:\Windows\System\PZQAoQJ.exe	UPX
C:\Windows\System\iRUaRyn.exe	UPX
behavioral2/memory/4620-121-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	UPX
behavioral2/memory/436-118-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	UPX
behavioral2/memory/4132-119-0x00007FF633220000-0x00007FF633574000-memory.dmp	UPX
behavioral2/memory/3636-133-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp	UPX
behavioral2/memory/3180-134-0x00007FF692FB0000-0x00007FF693304000-memory.dmp	UPX
behavioral2/memory/2724-132-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	UPX
behavioral2/memory/3668-135-0x00007FF765140000-0x00007FF765494000-memory.dmp	UPX
behavioral2/memory/4584-136-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	UPX
behavioral2/memory/2052-137-0x00007FF619640000-0x00007FF619994000-memory.dmp	UPX
behavioral2/memory/4620-138-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	UPX
behavioral2/memory/3648-139-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	UPX
behavioral2/memory/1420-140-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	UPX
behavioral2/memory/1124-141-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	UPX
behavioral2/memory/1012-142-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	UPX
behavioral2/memory/744-143-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	UPX
behavioral2/memory/3016-144-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	UPX
behavioral2/memory/3228-145-0x00007FF700500000-0x00007FF700854000-memory.dmp	UPX
behavioral2/memory/3524-146-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	UPX
behavioral2/memory/436-147-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	UPX
behavioral2/memory/2724-148-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	xmrig
C:\Windows\System\vcIFFpV.exe	xmrig
C:\Windows\System\pEcfLds.exe	xmrig
C:\Windows\System\ImUDTsY.exe	xmrig
behavioral2/memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	xmrig
C:\Windows\System\yWvnMRB.exe	xmrig
C:\Windows\System\zXHHIsO.exe	xmrig
C:\Windows\System\KDKrVIm.exe	xmrig
C:\Windows\System\aFfhoGU.exe	xmrig
behavioral2/memory/436-58-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	xmrig
behavioral2/memory/2724-64-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	xmrig
C:\Windows\System\fNeDOvN.exe	xmrig
behavioral2/memory/3668-65-0x00007FF765140000-0x00007FF765494000-memory.dmp	xmrig
C:\Windows\System\olNSvxY.exe	xmrig
behavioral2/memory/3016-54-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	xmrig
C:\Windows\System\nqyezdf.exe	xmrig
behavioral2/memory/3228-42-0x00007FF700500000-0x00007FF700854000-memory.dmp	xmrig
behavioral2/memory/3524-39-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	xmrig
behavioral2/memory/744-32-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	xmrig
behavioral2/memory/1124-30-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	xmrig
C:\Windows\System\aSmYrgL.exe	xmrig
behavioral2/memory/1420-20-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	xmrig
behavioral2/memory/3648-13-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	xmrig
C:\Windows\System\SJFofyn.exe	xmrig
behavioral2/memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	xmrig
C:\Windows\System\qXAYasL.exe	xmrig
behavioral2/memory/4584-76-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	xmrig
C:\Windows\System\gDPLRmx.exe	xmrig
C:\Windows\System\CSgOMRN.exe	xmrig
behavioral2/memory/3764-93-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp	xmrig
behavioral2/memory/1012-90-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	xmrig
behavioral2/memory/2940-99-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp	xmrig
behavioral2/memory/3524-105-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	xmrig
C:\Windows\System\mnyUEaI.exe	xmrig
behavioral2/memory/2052-106-0x00007FF619640000-0x00007FF619994000-memory.dmp	xmrig
behavioral2/memory/2432-104-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp	xmrig
C:\Windows\System\mpkfSBW.exe	xmrig
behavioral2/memory/744-100-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	xmrig
behavioral2/memory/1964-81-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp	xmrig
C:\Windows\System\XvXMOVE.exe	xmrig
behavioral2/memory/3228-114-0x00007FF700500000-0x00007FF700854000-memory.dmp	xmrig
C:\Windows\System\NXKvCeB.exe	xmrig
C:\Windows\System\PZQAoQJ.exe	xmrig
C:\Windows\System\iRUaRyn.exe	xmrig
behavioral2/memory/4620-121-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	xmrig
behavioral2/memory/436-118-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	xmrig
behavioral2/memory/4132-119-0x00007FF633220000-0x00007FF633574000-memory.dmp	xmrig
behavioral2/memory/3636-133-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp	xmrig
behavioral2/memory/3180-134-0x00007FF692FB0000-0x00007FF693304000-memory.dmp	xmrig
behavioral2/memory/2724-132-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	xmrig
behavioral2/memory/3668-135-0x00007FF765140000-0x00007FF765494000-memory.dmp	xmrig
behavioral2/memory/4584-136-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	xmrig
behavioral2/memory/2052-137-0x00007FF619640000-0x00007FF619994000-memory.dmp	xmrig
behavioral2/memory/4620-138-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	xmrig
behavioral2/memory/3648-139-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	xmrig
behavioral2/memory/1420-140-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	xmrig
behavioral2/memory/1124-141-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	xmrig
behavioral2/memory/1012-142-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	xmrig
behavioral2/memory/744-143-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	xmrig
behavioral2/memory/3016-144-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	xmrig
behavioral2/memory/3228-145-0x00007FF700500000-0x00007FF700854000-memory.dmp	xmrig
behavioral2/memory/3524-146-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	xmrig
behavioral2/memory/436-147-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	xmrig
behavioral2/memory/2724-148-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vcIFFpV.exepEcfLds.exeaSmYrgL.exeImUDTsY.exeyWvnMRB.exezXHHIsO.exeaFfhoGU.exenqyezdf.exeKDKrVIm.exeolNSvxY.exefNeDOvN.exeSJFofyn.exeqXAYasL.exegDPLRmx.exeCSgOMRN.exempkfSBW.exemnyUEaI.exeXvXMOVE.exeNXKvCeB.exeiRUaRyn.exePZQAoQJ.exe

pid	process
3648	vcIFFpV.exe
1420	pEcfLds.exe
1124	aSmYrgL.exe
1012	ImUDTsY.exe
744	yWvnMRB.exe
3228	zXHHIsO.exe
3524	aFfhoGU.exe
3016	nqyezdf.exe
436	KDKrVIm.exe
2724	olNSvxY.exe
3668	fNeDOvN.exe
4584	SJFofyn.exe
1964	qXAYasL.exe
3764	gDPLRmx.exe
2940	CSgOMRN.exe
2432	mpkfSBW.exe
2052	mnyUEaI.exe
4132	XvXMOVE.exe
4620	NXKvCeB.exe
3636	iRUaRyn.exe
3180	PZQAoQJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	upx
C:\Windows\System\vcIFFpV.exe	upx
C:\Windows\System\pEcfLds.exe	upx
C:\Windows\System\ImUDTsY.exe	upx
behavioral2/memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	upx
C:\Windows\System\yWvnMRB.exe	upx
C:\Windows\System\zXHHIsO.exe	upx
C:\Windows\System\KDKrVIm.exe	upx
C:\Windows\System\aFfhoGU.exe	upx
behavioral2/memory/436-58-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	upx
behavioral2/memory/2724-64-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	upx
C:\Windows\System\fNeDOvN.exe	upx
behavioral2/memory/3668-65-0x00007FF765140000-0x00007FF765494000-memory.dmp	upx
C:\Windows\System\olNSvxY.exe	upx
behavioral2/memory/3016-54-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	upx
C:\Windows\System\nqyezdf.exe	upx
behavioral2/memory/3228-42-0x00007FF700500000-0x00007FF700854000-memory.dmp	upx
behavioral2/memory/3524-39-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	upx
behavioral2/memory/744-32-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	upx
behavioral2/memory/1124-30-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	upx
C:\Windows\System\aSmYrgL.exe	upx
behavioral2/memory/1420-20-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	upx
behavioral2/memory/3648-13-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	upx
C:\Windows\System\SJFofyn.exe	upx
behavioral2/memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp	upx
C:\Windows\System\qXAYasL.exe	upx
behavioral2/memory/4584-76-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	upx
C:\Windows\System\gDPLRmx.exe	upx
C:\Windows\System\CSgOMRN.exe	upx
behavioral2/memory/3764-93-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp	upx
behavioral2/memory/1012-90-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	upx
behavioral2/memory/2940-99-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp	upx
behavioral2/memory/3524-105-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	upx
C:\Windows\System\mnyUEaI.exe	upx
behavioral2/memory/2052-106-0x00007FF619640000-0x00007FF619994000-memory.dmp	upx
behavioral2/memory/2432-104-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp	upx
C:\Windows\System\mpkfSBW.exe	upx
behavioral2/memory/744-100-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	upx
behavioral2/memory/1964-81-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp	upx
C:\Windows\System\XvXMOVE.exe	upx
behavioral2/memory/3228-114-0x00007FF700500000-0x00007FF700854000-memory.dmp	upx
C:\Windows\System\NXKvCeB.exe	upx
C:\Windows\System\PZQAoQJ.exe	upx
C:\Windows\System\iRUaRyn.exe	upx
behavioral2/memory/4620-121-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	upx
behavioral2/memory/436-118-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	upx
behavioral2/memory/4132-119-0x00007FF633220000-0x00007FF633574000-memory.dmp	upx
behavioral2/memory/3636-133-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp	upx
behavioral2/memory/3180-134-0x00007FF692FB0000-0x00007FF693304000-memory.dmp	upx
behavioral2/memory/2724-132-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	upx
behavioral2/memory/3668-135-0x00007FF765140000-0x00007FF765494000-memory.dmp	upx
behavioral2/memory/4584-136-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp	upx
behavioral2/memory/2052-137-0x00007FF619640000-0x00007FF619994000-memory.dmp	upx
behavioral2/memory/4620-138-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp	upx
behavioral2/memory/3648-139-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp	upx
behavioral2/memory/1420-140-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp	upx
behavioral2/memory/1124-141-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp	upx
behavioral2/memory/1012-142-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp	upx
behavioral2/memory/744-143-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp	upx
behavioral2/memory/3016-144-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp	upx
behavioral2/memory/3228-145-0x00007FF700500000-0x00007FF700854000-memory.dmp	upx
behavioral2/memory/3524-146-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp	upx
behavioral2/memory/436-147-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp	upx
behavioral2/memory/2724-148-0x00007FF770350000-0x00007FF7706A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\gDPLRmx.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pEcfLds.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\olNSvxY.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zXHHIsO.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nqyezdf.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KDKrVIm.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fNeDOvN.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SJFofyn.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qXAYasL.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vcIFFpV.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ImUDTsY.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CSgOMRN.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mnyUEaI.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NXKvCeB.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iRUaRyn.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yWvnMRB.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mpkfSBW.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XvXMOVE.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PZQAoQJ.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aSmYrgL.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aFfhoGU.exe	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3664 wrote to memory of 3648	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	vcIFFpV.exe
PID 3664 wrote to memory of 3648	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	vcIFFpV.exe
PID 3664 wrote to memory of 1420	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	pEcfLds.exe
PID 3664 wrote to memory of 1420	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	pEcfLds.exe
PID 3664 wrote to memory of 1124	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aSmYrgL.exe
PID 3664 wrote to memory of 1124	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aSmYrgL.exe
PID 3664 wrote to memory of 1012	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ImUDTsY.exe
PID 3664 wrote to memory of 1012	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	ImUDTsY.exe
PID 3664 wrote to memory of 744	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	yWvnMRB.exe
PID 3664 wrote to memory of 744	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	yWvnMRB.exe
PID 3664 wrote to memory of 3228	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	zXHHIsO.exe
PID 3664 wrote to memory of 3228	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	zXHHIsO.exe
PID 3664 wrote to memory of 3524	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aFfhoGU.exe
PID 3664 wrote to memory of 3524	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	aFfhoGU.exe
PID 3664 wrote to memory of 3016	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	nqyezdf.exe
PID 3664 wrote to memory of 3016	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	nqyezdf.exe
PID 3664 wrote to memory of 436	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	KDKrVIm.exe
PID 3664 wrote to memory of 436	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	KDKrVIm.exe
PID 3664 wrote to memory of 2724	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	olNSvxY.exe
PID 3664 wrote to memory of 2724	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	olNSvxY.exe
PID 3664 wrote to memory of 3668	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	fNeDOvN.exe
PID 3664 wrote to memory of 3668	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	fNeDOvN.exe
PID 3664 wrote to memory of 4584	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	SJFofyn.exe
PID 3664 wrote to memory of 4584	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	SJFofyn.exe
PID 3664 wrote to memory of 1964	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	qXAYasL.exe
PID 3664 wrote to memory of 1964	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	qXAYasL.exe
PID 3664 wrote to memory of 3764	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	gDPLRmx.exe
PID 3664 wrote to memory of 3764	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	gDPLRmx.exe
PID 3664 wrote to memory of 2940	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	CSgOMRN.exe
PID 3664 wrote to memory of 2940	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	CSgOMRN.exe
PID 3664 wrote to memory of 2432	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	mpkfSBW.exe
PID 3664 wrote to memory of 2432	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	mpkfSBW.exe
PID 3664 wrote to memory of 2052	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	mnyUEaI.exe
PID 3664 wrote to memory of 2052	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	mnyUEaI.exe
PID 3664 wrote to memory of 4132	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	XvXMOVE.exe
PID 3664 wrote to memory of 4132	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	XvXMOVE.exe
PID 3664 wrote to memory of 4620	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	NXKvCeB.exe
PID 3664 wrote to memory of 4620	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	NXKvCeB.exe
PID 3664 wrote to memory of 3636	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	iRUaRyn.exe
PID 3664 wrote to memory of 3636	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	iRUaRyn.exe
PID 3664 wrote to memory of 3180	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	PZQAoQJ.exe
PID 3664 wrote to memory of 3180	3664	2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe	PZQAoQJ.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0ce520b34f80bab5324dc0f4cee84f9c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\System\vcIFFpV.exe
C:\Windows\System\vcIFFpV.exe
2⤵
- Executes dropped EXE
PID:3648

C:\Windows\System\pEcfLds.exe
C:\Windows\System\pEcfLds.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\System\aSmYrgL.exe
C:\Windows\System\aSmYrgL.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\System\ImUDTsY.exe
C:\Windows\System\ImUDTsY.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Windows\System\yWvnMRB.exe
C:\Windows\System\yWvnMRB.exe
2⤵
- Executes dropped EXE
PID:744

C:\Windows\System\zXHHIsO.exe
C:\Windows\System\zXHHIsO.exe
2⤵
- Executes dropped EXE
PID:3228

C:\Windows\System\aFfhoGU.exe
C:\Windows\System\aFfhoGU.exe
2⤵
- Executes dropped EXE
PID:3524

C:\Windows\System\nqyezdf.exe
C:\Windows\System\nqyezdf.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\KDKrVIm.exe
C:\Windows\System\KDKrVIm.exe
2⤵
- Executes dropped EXE
PID:436

C:\Windows\System\olNSvxY.exe
C:\Windows\System\olNSvxY.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\fNeDOvN.exe
C:\Windows\System\fNeDOvN.exe
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\System\SJFofyn.exe
C:\Windows\System\SJFofyn.exe
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\System\qXAYasL.exe
C:\Windows\System\qXAYasL.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\gDPLRmx.exe
C:\Windows\System\gDPLRmx.exe
2⤵
- Executes dropped EXE
PID:3764

C:\Windows\System\CSgOMRN.exe
C:\Windows\System\CSgOMRN.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\mpkfSBW.exe
C:\Windows\System\mpkfSBW.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\mnyUEaI.exe
C:\Windows\System\mnyUEaI.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System\XvXMOVE.exe
C:\Windows\System\XvXMOVE.exe
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\System\NXKvCeB.exe
C:\Windows\System\NXKvCeB.exe
2⤵
- Executes dropped EXE
PID:4620

C:\Windows\System\iRUaRyn.exe
C:\Windows\System\iRUaRyn.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\PZQAoQJ.exe
C:\Windows\System\PZQAoQJ.exe
2⤵
- Executes dropped EXE
PID:3180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CSgOMRN.exe
Filesize
5.9MB

MD5
090e71160130a24963516da1e8cceb65

SHA1
32ff7be73b58c0dec1d00bcb4fa9396180845f89

SHA256
c577c83ca599d10020fcc8ab0e57c735f438d7dcf3052c834aabe45681c0526d

SHA512
83cfc9a6e02d2032dca05df20695582468f7770950fe61b5b6e16d22a5d4c2ccceec8b939b6581e30f4f32771d8a788fde1492283ced1572b12deb5982784583

Download Submit
C:\Windows\System\ImUDTsY.exe
Filesize
5.9MB

MD5
8da72d7ce1959bec520771766a3fc681

SHA1
4aeb88019d6aaecf02cb5c39a35623e80d49143a

SHA256
90838bd58ab6a1e9e5ed70580574c06e3531c69fd489a81187a8af99dfbe8e67

SHA512
69f519c5debe2bb72c74aff3ddbc1a0c4f667864dc7387e6427ac5df682e3bb01ea43bc8369117ec5a15405d8f4b1af4d9fcb7d32d070d8bbc6b376051b6d78f

Download Submit
C:\Windows\System\KDKrVIm.exe
Filesize
5.9MB

MD5
43e05b9e6df3016c65fb67f98a07b4b4

SHA1
87cd7381121d81ca3ae64bc1221c16c4675e5e21

SHA256
4e5971169f2f52bb7d07c75ff30fc9c2636bebb5f478d7aa042cfd03a6b81bc9

SHA512
ae174aae41e46936b50081a95c5bc7b04df0e8a6a08f23435b16d9d636897f30bfc5d062d3df863737d888914495261183ae685be025cea58eebcf3c95b795dc

Download Submit
C:\Windows\System\NXKvCeB.exe
Filesize
5.9MB

MD5
f00ec59fd42859124739e0a99b02019e

SHA1
fe8abd1c103d15de7232b7fa762fa079b4ecf064

SHA256
6707fae2f5a188509cc0c4bb46b752da8eb0be15f3b73f9539b0d7b1d2d75ba3

SHA512
dc1dbcaeb5dc2821390b40c8e93d975fe7e3c7b84ad1e77a3810cfb90a51398ae218565bdf7defd8133f2129033abf1790329de1184669bd884915d41472229e

Download Submit
C:\Windows\System\PZQAoQJ.exe
Filesize
5.9MB

MD5
608c7868c9d946be6a4fa3ad12aa94f5

SHA1
929c9cd520e87adc774bcd3ee9ee551ee44f3ad1

SHA256
f42a7985c4ff852912fe78ef5cea5d2a99072f72912606802b58ac115300d8a5

SHA512
da2a80b2c01442535bcd705a69397cdafa8797ae9607a72cf94b20f5cdc0e531903d4c6eb2e50018ba4f676a9ad1a7bcb570d0d882d6a5df3071e4eadc091505

Download Submit
C:\Windows\System\SJFofyn.exe
Filesize
5.9MB

MD5
c1aba502875b21583f3ed901aa490c64

SHA1
7af0140bb4a2b671a2a9f899ffdc9a1456a164a8

SHA256
6b66bcb735071a7c6558e6d2e88a0f5087a94ffb3e36d3ab3d4ae8105a037c76

SHA512
574baabf91e2c1004a566cc93f513e2ddfbaa451d7930210a872f1b2d9566aeef9a6b7b445fb647723ba31a0f7d0ad06da55aa4e1841ec6f39de8ad5b8ecaf8d

Download Submit
C:\Windows\System\XvXMOVE.exe
Filesize
5.9MB

MD5
f13952d53a5265f4eadc52422240f31b

SHA1
6e340532d28787ad336b68db3844b673ce733c36

SHA256
3f9aeed6e8ee52f954cee72990a7130b12aa8314da92877ff9c612e9491197d1

SHA512
47d174d716a083f2b5532bdf3fa38e40653718a241ec171fb8aff7d82bbb619e4f6135933867efec60f66fa2694d3ff1c52651a4bad20d439197d944d6a4aa1f

Download Submit
C:\Windows\System\aFfhoGU.exe
Filesize
5.9MB

MD5
bb20639688c5e62bded9d941fd05ff90

SHA1
237715522bb71b0f02a60b83a82025c7bdacf127

SHA256
8b1d4ab87806ec95447b6a5645a47b4aebab27647a27575803f61268ff8352b8

SHA512
f038f66361a1552110c29155e6b86a630e4cf860d2bf53caeb7f13aca76694b63b9730bd12a82788c7e4a6e0afb225267697df8b537e527e62b275d3af879808

Download Submit
C:\Windows\System\aSmYrgL.exe
Filesize
5.9MB

MD5
9cb54538a9c33e5c587d79830182e724

SHA1
69da5dbff0e773c935422c8588386f20bc523c48

SHA256
734ee854e5cd7c6a9185c62b4f57784b84303b7492f9022783d277193069969b

SHA512
02934b16e6d442450c927c225423fdd08fd7e2976aebcfd2356c2e846f51e18b4d5cf05c8565e1df8fcd2e5c0fc647083bf55865bc67a0ce415a5ac8b5d9a207

Download Submit
C:\Windows\System\fNeDOvN.exe
Filesize
5.9MB

MD5
432840a64e8b6895a88a34b2e4864b4b

SHA1
5e4ac773cfdb3bc12c5b2583f900d8a873c73bdf

SHA256
61e3b13aa58a2b2ba5c732408508aa210b58c33235aacfae13c19946c7342d4e

SHA512
f3a736a9cb6a923cbdda3c301a791a148ee0fe7b6f527682147450c491f39c151cea510a5d040c4c3910260a2a7c31de108183b5999d6eb1254ce800060464b0

Download Submit
C:\Windows\System\gDPLRmx.exe
Filesize
5.9MB

MD5
ba72b20c65ac48e8066868935e0523c6

SHA1
781111dd4a1f28bcdea43ed4b804ee221d5b8714

SHA256
45675789f19a00865304c244b30436b8573a34f11a11af3721f2ec216c4073c2

SHA512
86c737add84dc200003dfc85ce1be8fd4d727842430289d8d999e731900aa0d7db14c6ef290d49762e110789c6fb15d3654efdfa24da14fc3562afa4e7e11f1b

Download Submit
C:\Windows\System\iRUaRyn.exe
Filesize
5.9MB

MD5
070f3c0bc4b719d188b739ca3fd5e9ff

SHA1
6d6890cc0412beeff2121666c0bb7919373c013f

SHA256
c449a6e604d6351b392c87be765ed75d6d39b41747db294384517c27b8cd3f9d

SHA512
c26af03c51d7ef896aef9ccacbe1a0c012f70780da512250fba5fc99bfba5c586fd00348a14854d6ac4628c598edb677aeae8af0c55dd8f0620dfe9c2aaeb7b7

Download Submit
C:\Windows\System\mnyUEaI.exe
Filesize
5.9MB

MD5
a18090e220ff5cd34ed274ede9f49548

SHA1
9c6667b4523be2092a7941ff5aa2608bcde39d99

SHA256
be63d9a6e7e04c2ceef384983550f6ef605e7e4796449ac66f2b807262793b3f

SHA512
79f5613194b704f56803ffdace78420cb32dcafc8b002b51d319f3a48c3c8d08c69c975fb41e899fdd273d1bcf976dffa6879774b3c6868797115ee6cceb9bd3

Download Submit
C:\Windows\System\mpkfSBW.exe
Filesize
5.9MB

MD5
3a4218d8d196658788cc577d9c04c497

SHA1
d7d114e8c07da28e46f2e2202ab8c7b09eb51f8d

SHA256
0e12b0861b43e3007f44d5be867758dbb5deea0617d3df43ce3cb96dabfef10f

SHA512
a59785ca9ed9cb78df1353863474b79bd649c56022217342b125d81657820daa0aa6c292c728f4d72ececf4812af985f213ceb8ffb19457477306bb7aea708e9

Download Submit
C:\Windows\System\nqyezdf.exe
Filesize
5.9MB

MD5
3881e5062beb8caa0b24f6d382d18f34

SHA1
ba263c6041f517fbc7e597aecd19f8e5aec081d6

SHA256
8798d87739983e3e24b7eb4965f819c01b7262c2a6288048f29dda78c76b43fe

SHA512
46283020c8aca9951a4ee3e10cc73f1e50df903265401165dc1b0e57d0bcc91107dfc3572c6a2307a6dbe33f83c6a51dc346194a879d49c0887d29df50da2ecb

Download Submit
C:\Windows\System\olNSvxY.exe
Filesize
5.9MB

MD5
29b9dce3ede3d3238aad5e2975c89b20

SHA1
cf00b4f18073a118172a9075598c7b51044c0781

SHA256
097dd6056232e9bd03076a68db164af390d5e72dfbcf82fe2a72bd817cc61b80

SHA512
bbe394c3d2da35ab55e14033a2b5eb03e4deb039cea06b904762d35b9bfd736b61ad6e86dfb541403146c2163b22dedfa18bca0acc176cf2dd747c9374e20ee7

Download Submit
C:\Windows\System\pEcfLds.exe
Filesize
5.9MB

MD5
50d69650b5688989ac9fd2457d3a0bca

SHA1
d4d18c8d93392caa423c9bca633a6fb13b631169

SHA256
ae0c5655978d36af69651695f1b306432a32b796a781dd4b48d577192659c2bf

SHA512
c45a1238bfd22088c5e027860d8a4114e2b01130770247e0f9d975137a25577ad8543a8f957c09a28468fd4ccecbfb4e26305a93e511ade3955e53f44bcddcff

Download Submit
C:\Windows\System\qXAYasL.exe
Filesize
5.9MB

MD5
753b8900edaf15a9e0952de1b76d6261

SHA1
8097f9bc6557181e31f0f4eb1a1be7f25461c4d1

SHA256
ee5e40131b53f5196ba1ac7b92b045fef8e08c517b912741d3377e3abf1da399

SHA512
929a1b5f58df781f4ae52d026977f8d9d027c905c8d52b330f0e5054ff73aa4b8ca5d60557307509e6e7d3af1fb857f2152ba27eca932910bfd0698040854a49

Download Submit
C:\Windows\System\vcIFFpV.exe
Filesize
5.9MB

MD5
02cb1d80691f528c9f2a8fc9b9395575

SHA1
586ccb37f97a757dba2f38014adae50904f15528

SHA256
59a244156863bd687c83b3238e4c243cdecaa83757d7be957558bf311d6ddc88

SHA512
9e15a5486d9fbc920304b9d34f4788b51509f87bd60dbfccce01514aac40b34179e3737d9609826755785f4306399c1647d4bcdc0d119c325fb9da3378f8131b

Download Submit
C:\Windows\System\yWvnMRB.exe
Filesize
5.9MB

MD5
52813bcfeacfef3ad71f3ff8d8422758

SHA1
7cc05b8b4c75a9801c5ae334e64cc5e28baf15a7

SHA256
d0352dd5c6f707c926f259a5a958305f6274f5e9699bf5bdd675ed188a2de58b

SHA512
d5dcadfe71dde49413cadc5881afdc33399854c15f56733320e399c0591c2d25b713b1ccf6884835b9a9f1b1ca2db5ef4204ef893145ed9db21c75fd07716d2d

Download Submit
C:\Windows\System\zXHHIsO.exe
Filesize
5.9MB

MD5
762c2f62c078b646869b5a9250792e48

SHA1
a85cd28d0d5b7bf408b01fbd19b94b5e316d8c41

SHA256
d4abd9ec373779f52485518ea6869067a515d3c671567733026f6713fdcf3989

SHA512
ffb99fe7e1491fb69b49880df9c70f70d8e43ccddcebbe81b6bb8e50f84bb226f70549de3873ff8d54544233e92a54ed724089b9d4d4b6f21590fa314dcd6358

Download Submit
memory/436-147-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp

Filesize
3.3MB

Download
memory/436-118-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp

Filesize
3.3MB

Download
memory/436-58-0x00007FF6BA500000-0x00007FF6BA854000-memory.dmp

Filesize
3.3MB

Download
memory/744-32-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp

Filesize
3.3MB

Download
memory/744-100-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp

Filesize
3.3MB

Download
memory/744-143-0x00007FF6CC2D0000-0x00007FF6CC624000-memory.dmp

Filesize
3.3MB

Download
memory/1012-26-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp

Filesize
3.3MB

Download
memory/1012-142-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp

Filesize
3.3MB

Download
memory/1012-90-0x00007FF7E7F30000-0x00007FF7E8284000-memory.dmp

Filesize
3.3MB

Download
memory/1124-30-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp

Filesize
3.3MB

Download
memory/1124-141-0x00007FF6D7FC0000-0x00007FF6D8314000-memory.dmp

Filesize
3.3MB

Download
memory/1420-140-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-20-0x00007FF7FBA70000-0x00007FF7FBDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-151-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-81-0x00007FF7FCDA0000-0x00007FF7FD0F4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-137-0x00007FF619640000-0x00007FF619994000-memory.dmp

Filesize
3.3MB

Download
memory/2052-155-0x00007FF619640000-0x00007FF619994000-memory.dmp

Filesize
3.3MB

Download
memory/2052-106-0x00007FF619640000-0x00007FF619994000-memory.dmp

Filesize
3.3MB

Download
memory/2432-154-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp

Filesize
3.3MB

Download
memory/2432-104-0x00007FF7FBED0000-0x00007FF7FC224000-memory.dmp

Filesize
3.3MB

Download
memory/2724-148-0x00007FF770350000-0x00007FF7706A4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-64-0x00007FF770350000-0x00007FF7706A4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-132-0x00007FF770350000-0x00007FF7706A4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-99-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-153-0x00007FF6385A0000-0x00007FF6388F4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-144-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp

Filesize
3.3MB

Download
memory/3016-54-0x00007FF6B8A20000-0x00007FF6B8D74000-memory.dmp

Filesize
3.3MB

Download
memory/3180-158-0x00007FF692FB0000-0x00007FF693304000-memory.dmp

Filesize
3.3MB

Download
memory/3180-134-0x00007FF692FB0000-0x00007FF693304000-memory.dmp

Filesize
3.3MB

Download
memory/3228-114-0x00007FF700500000-0x00007FF700854000-memory.dmp

Filesize
3.3MB

Download
memory/3228-145-0x00007FF700500000-0x00007FF700854000-memory.dmp

Filesize
3.3MB

Download
memory/3228-42-0x00007FF700500000-0x00007FF700854000-memory.dmp

Filesize
3.3MB

Download
memory/3524-105-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp

Filesize
3.3MB

Download
memory/3524-39-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp

Filesize
3.3MB

Download
memory/3524-146-0x00007FF7E11F0000-0x00007FF7E1544000-memory.dmp

Filesize
3.3MB

Download
memory/3636-133-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp

Filesize
3.3MB

Download
memory/3636-159-0x00007FF76D710000-0x00007FF76DA64000-memory.dmp

Filesize
3.3MB

Download
memory/3648-139-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp

Filesize
3.3MB

Download
memory/3648-13-0x00007FF7C1CF0000-0x00007FF7C2044000-memory.dmp

Filesize
3.3MB

Download
memory/3664-1-0x0000023B727B0000-0x0000023B727C0000-memory.dmp

Filesize
64KB

Download
memory/3664-72-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp

Filesize
3.3MB

Download
memory/3664-0-0x00007FF7D1480000-0x00007FF7D17D4000-memory.dmp

Filesize
3.3MB

Download
memory/3668-65-0x00007FF765140000-0x00007FF765494000-memory.dmp

Filesize
3.3MB

Download
memory/3668-149-0x00007FF765140000-0x00007FF765494000-memory.dmp

Filesize
3.3MB

Download
memory/3668-135-0x00007FF765140000-0x00007FF765494000-memory.dmp

Filesize
3.3MB

Download
memory/3764-93-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp

Filesize
3.3MB

Download
memory/3764-152-0x00007FF67BFB0000-0x00007FF67C304000-memory.dmp

Filesize
3.3MB

Download
memory/4132-156-0x00007FF633220000-0x00007FF633574000-memory.dmp

Filesize
3.3MB

Download
memory/4132-119-0x00007FF633220000-0x00007FF633574000-memory.dmp

Filesize
3.3MB

Download
memory/4584-150-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp

Filesize
3.3MB

Download
memory/4584-76-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp

Filesize
3.3MB

Download
memory/4584-136-0x00007FF7D27E0000-0x00007FF7D2B34000-memory.dmp

Filesize
3.3MB

Download
memory/4620-138-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-157-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-121-0x00007FF675E50000-0x00007FF6761A4000-memory.dmp

Filesize
3.3MB

Download