cobaltstrike | 794937e4268a9f10430ec03897c339506f345d36e0b827985cc4075a61cc9650

Analysis

max time kernel
158s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

fc5b43eee9d930f342417df1c78c38b8
SHA1

44e7ed5d7b7d7187de1f9b3b1537a6ea1447cf96
SHA256

794937e4268a9f10430ec03897c339506f345d36e0b827985cc4075a61cc9650
SHA512

1971f7cf699635bc549aff646fe912d0168cf21c5c72eb5944ef4dede773298e2a78a6c40357dc121283b6406f1959203c76bb50047430347b28c308ac0c1acb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l6:RWWBibf56utgpPFotBER/mQ32lU2

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 33 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000232fd-4.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000232fd-6.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000232ff-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023302-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023302-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023302-18.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000232fa-30.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000232fa-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023304-36.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023305-40.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023305-43.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023306-46.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023306-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023307-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023308-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023309-64.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330b-73.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330e-92.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023310-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023310-100.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330f-96.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330d-84.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330c-78.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330b-74.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330a-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002330a-68.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023309-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023307-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023304-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023311-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023311-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023312-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023313-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 33 IoCs

resource	yara_rule
behavioral2/files/0x00070000000232fd-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000232fd-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00070000000232ff-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023302-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023302-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023302-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000232fa-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x00080000000232fa-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023304-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023305-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023305-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023306-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023306-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023307-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023308-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023309-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330b-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330e-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023310-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023310-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330f-96.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330d-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330c-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330b-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330a-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002330a-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023309-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023307-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023304-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023311-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023311-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023312-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023313-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4316-0-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	UPX
behavioral2/files/0x00070000000232fd-4.dat	UPX
behavioral2/files/0x00070000000232fd-6.dat	UPX
behavioral2/memory/2152-8-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	UPX
behavioral2/files/0x00070000000232ff-12.dat	UPX
behavioral2/files/0x0007000000023302-10.dat	UPX
behavioral2/memory/4860-14-0x00007FF631F00000-0x00007FF632251000-memory.dmp	UPX
behavioral2/files/0x0007000000023302-17.dat	UPX
behavioral2/files/0x0007000000023302-18.dat	UPX
behavioral2/memory/2688-20-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	UPX
behavioral2/memory/3716-26-0x00007FF742820000-0x00007FF742B71000-memory.dmp	UPX
behavioral2/files/0x00080000000232fa-30.dat	UPX
behavioral2/files/0x00080000000232fa-29.dat	UPX
behavioral2/memory/1272-32-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	UPX
behavioral2/files/0x0007000000023304-36.dat	UPX
behavioral2/files/0x0007000000023305-40.dat	UPX
behavioral2/memory/3256-42-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	UPX
behavioral2/files/0x0007000000023305-43.dat	UPX
behavioral2/files/0x0007000000023306-46.dat	UPX
behavioral2/memory/840-47-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	UPX
behavioral2/files/0x0007000000023306-48.dat	UPX
behavioral2/files/0x0007000000023307-54.dat	UPX
behavioral2/files/0x0007000000023308-59.dat	UPX
behavioral2/files/0x0007000000023309-64.dat	UPX
behavioral2/files/0x000700000002330b-73.dat	UPX
behavioral2/files/0x000700000002330e-92.dat	UPX
behavioral2/files/0x0007000000023310-99.dat	UPX
behavioral2/memory/2160-101-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp	UPX
behavioral2/memory/716-103-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp	UPX
behavioral2/memory/3080-105-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp	UPX
behavioral2/memory/3252-107-0x00007FF667460000-0x00007FF6677B1000-memory.dmp	UPX
behavioral2/memory/4316-110-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	UPX
behavioral2/memory/1672-111-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp	UPX
behavioral2/memory/996-109-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	UPX
behavioral2/memory/3068-108-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp	UPX
behavioral2/memory/1508-106-0x00007FF646740000-0x00007FF646A91000-memory.dmp	UPX
behavioral2/memory/4812-104-0x00007FF694310000-0x00007FF694661000-memory.dmp	UPX
behavioral2/files/0x0007000000023310-100.dat	UPX
behavioral2/memory/4456-97-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp	UPX
behavioral2/files/0x000700000002330f-96.dat	UPX
behavioral2/files/0x000700000002330d-84.dat	UPX
behavioral2/files/0x000700000002330c-78.dat	UPX
behavioral2/files/0x000700000002330b-74.dat	UPX
behavioral2/files/0x000700000002330a-69.dat	UPX
behavioral2/files/0x000700000002330a-68.dat	UPX
behavioral2/files/0x0007000000023309-63.dat	UPX
behavioral2/files/0x0007000000023307-52.dat	UPX
behavioral2/memory/3300-38-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	UPX
behavioral2/files/0x0007000000023304-35.dat	UPX
behavioral2/files/0x0007000000023311-115.dat	UPX
behavioral2/files/0x0007000000023311-114.dat	UPX
behavioral2/memory/2152-120-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	UPX
behavioral2/files/0x0007000000023312-122.dat	UPX
behavioral2/files/0x0007000000023313-126.dat	UPX
behavioral2/memory/2688-129-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	UPX
behavioral2/memory/4860-125-0x00007FF631F00000-0x00007FF632251000-memory.dmp	UPX
behavioral2/memory/3716-130-0x00007FF742820000-0x00007FF742B71000-memory.dmp	UPX
behavioral2/memory/1272-131-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	UPX
behavioral2/memory/3300-132-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	UPX
behavioral2/memory/3256-133-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	UPX
behavioral2/memory/840-134-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	UPX
behavioral2/memory/1836-145-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	UPX
behavioral2/memory/4116-146-0x00007FF649030000-0x00007FF649381000-memory.dmp	UPX
behavioral2/memory/3588-147-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/3716-26-0x00007FF742820000-0x00007FF742B71000-memory.dmp	xmrig
behavioral2/memory/1272-32-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	xmrig
behavioral2/memory/2160-101-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp	xmrig
behavioral2/memory/716-103-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp	xmrig
behavioral2/memory/3080-105-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp	xmrig
behavioral2/memory/3252-107-0x00007FF667460000-0x00007FF6677B1000-memory.dmp	xmrig
behavioral2/memory/4316-110-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	xmrig
behavioral2/memory/1672-111-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp	xmrig
behavioral2/memory/996-109-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig
behavioral2/memory/3068-108-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp	xmrig
behavioral2/memory/1508-106-0x00007FF646740000-0x00007FF646A91000-memory.dmp	xmrig
behavioral2/memory/4812-104-0x00007FF694310000-0x00007FF694661000-memory.dmp	xmrig
behavioral2/memory/4456-97-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp	xmrig
behavioral2/memory/2152-120-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	xmrig
behavioral2/memory/2688-129-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	xmrig
behavioral2/memory/4860-125-0x00007FF631F00000-0x00007FF632251000-memory.dmp	xmrig
behavioral2/memory/3716-130-0x00007FF742820000-0x00007FF742B71000-memory.dmp	xmrig
behavioral2/memory/1272-131-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	xmrig
behavioral2/memory/3300-132-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	xmrig
behavioral2/memory/3256-133-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	xmrig
behavioral2/memory/840-134-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	xmrig
behavioral2/memory/1836-145-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	xmrig
behavioral2/memory/4116-146-0x00007FF649030000-0x00007FF649381000-memory.dmp	xmrig
behavioral2/memory/3588-147-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp	xmrig
behavioral2/memory/4316-148-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	xmrig
behavioral2/memory/2152-195-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	xmrig
behavioral2/memory/4860-197-0x00007FF631F00000-0x00007FF632251000-memory.dmp	xmrig
behavioral2/memory/2688-199-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	xmrig
behavioral2/memory/3716-202-0x00007FF742820000-0x00007FF742B71000-memory.dmp	xmrig
behavioral2/memory/1272-203-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	xmrig
behavioral2/memory/3300-206-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	xmrig
behavioral2/memory/3256-208-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	xmrig
behavioral2/memory/840-210-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	xmrig
behavioral2/memory/4456-214-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp	xmrig
behavioral2/memory/2160-213-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp	xmrig
behavioral2/memory/716-216-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp	xmrig
behavioral2/memory/1508-220-0x00007FF646740000-0x00007FF646A91000-memory.dmp	xmrig
behavioral2/memory/4812-222-0x00007FF694310000-0x00007FF694661000-memory.dmp	xmrig
behavioral2/memory/3080-221-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp	xmrig
behavioral2/memory/3252-224-0x00007FF667460000-0x00007FF6677B1000-memory.dmp	xmrig
behavioral2/memory/1672-228-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp	xmrig
behavioral2/memory/996-229-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	xmrig
behavioral2/memory/3068-230-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp	xmrig
behavioral2/memory/1836-236-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	xmrig
behavioral2/memory/4116-240-0x00007FF649030000-0x00007FF649381000-memory.dmp	xmrig
behavioral2/memory/3588-242-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2152	eFSzIAJ.exe
4860	JFxXorq.exe
2688	ynGTlEI.exe
3716	YIJZTpI.exe
1272	eAmCZLd.exe
3300	bVLeNKM.exe
3256	kQFjlFE.exe
840	QNKojBy.exe
4456	MiWdHaP.exe
2160	aEVlBOa.exe
716	PunjSLf.exe
4812	qZGxbkN.exe
3080	xFEFjSu.exe
1508	coqXJTM.exe
3252	cHBrSpq.exe
3068	uAmAzrG.exe
996	eZnKInR.exe
1672	uRTlfyp.exe
1836	KZedRte.exe
4116	kXyCYrP.exe
3588	gWwXsxP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4316-0-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	upx
behavioral2/files/0x00070000000232fd-4.dat	upx
behavioral2/files/0x00070000000232fd-6.dat	upx
behavioral2/memory/2152-8-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	upx
behavioral2/files/0x00070000000232ff-12.dat	upx
behavioral2/files/0x0007000000023302-10.dat	upx
behavioral2/memory/4860-14-0x00007FF631F00000-0x00007FF632251000-memory.dmp	upx
behavioral2/files/0x0007000000023302-17.dat	upx
behavioral2/files/0x0007000000023302-18.dat	upx
behavioral2/memory/2688-20-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	upx
behavioral2/memory/3716-26-0x00007FF742820000-0x00007FF742B71000-memory.dmp	upx
behavioral2/files/0x00080000000232fa-30.dat	upx
behavioral2/files/0x00080000000232fa-29.dat	upx
behavioral2/memory/1272-32-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	upx
behavioral2/files/0x0007000000023304-36.dat	upx
behavioral2/files/0x0007000000023305-40.dat	upx
behavioral2/memory/3256-42-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	upx
behavioral2/files/0x0007000000023305-43.dat	upx
behavioral2/files/0x0007000000023306-46.dat	upx
behavioral2/memory/840-47-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	upx
behavioral2/files/0x0007000000023306-48.dat	upx
behavioral2/files/0x0007000000023307-54.dat	upx
behavioral2/files/0x0007000000023308-59.dat	upx
behavioral2/files/0x0007000000023309-64.dat	upx
behavioral2/files/0x000700000002330b-73.dat	upx
behavioral2/files/0x000700000002330e-92.dat	upx
behavioral2/files/0x0007000000023310-99.dat	upx
behavioral2/memory/2160-101-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp	upx
behavioral2/memory/716-103-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp	upx
behavioral2/memory/3080-105-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp	upx
behavioral2/memory/3252-107-0x00007FF667460000-0x00007FF6677B1000-memory.dmp	upx
behavioral2/memory/4316-110-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp	upx
behavioral2/memory/1672-111-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp	upx
behavioral2/memory/996-109-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp	upx
behavioral2/memory/3068-108-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp	upx
behavioral2/memory/1508-106-0x00007FF646740000-0x00007FF646A91000-memory.dmp	upx
behavioral2/memory/4812-104-0x00007FF694310000-0x00007FF694661000-memory.dmp	upx
behavioral2/files/0x0007000000023310-100.dat	upx
behavioral2/memory/4456-97-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp	upx
behavioral2/files/0x000700000002330f-96.dat	upx
behavioral2/files/0x000700000002330d-84.dat	upx
behavioral2/files/0x000700000002330c-78.dat	upx
behavioral2/files/0x000700000002330b-74.dat	upx
behavioral2/files/0x000700000002330a-69.dat	upx
behavioral2/files/0x000700000002330a-68.dat	upx
behavioral2/files/0x0007000000023309-63.dat	upx
behavioral2/files/0x0007000000023307-52.dat	upx
behavioral2/memory/3300-38-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	upx
behavioral2/files/0x0007000000023304-35.dat	upx
behavioral2/files/0x0007000000023311-115.dat	upx
behavioral2/files/0x0007000000023311-114.dat	upx
behavioral2/memory/2152-120-0x00007FF726550000-0x00007FF7268A1000-memory.dmp	upx
behavioral2/files/0x0007000000023312-122.dat	upx
behavioral2/files/0x0007000000023313-126.dat	upx
behavioral2/memory/2688-129-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp	upx
behavioral2/memory/4860-125-0x00007FF631F00000-0x00007FF632251000-memory.dmp	upx
behavioral2/memory/3716-130-0x00007FF742820000-0x00007FF742B71000-memory.dmp	upx
behavioral2/memory/1272-131-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp	upx
behavioral2/memory/3300-132-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp	upx
behavioral2/memory/3256-133-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp	upx
behavioral2/memory/840-134-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp	upx
behavioral2/memory/1836-145-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp	upx
behavioral2/memory/4116-146-0x00007FF649030000-0x00007FF649381000-memory.dmp	upx
behavioral2/memory/3588-147-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eAmCZLd.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aEVlBOa.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qZGxbkN.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\coqXJTM.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cHBrSpq.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eZnKInR.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eFSzIAJ.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ynGTlEI.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kXyCYrP.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uRTlfyp.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KZedRte.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uAmAzrG.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bVLeNKM.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kQFjlFE.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JFxXorq.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PunjSLf.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MiWdHaP.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xFEFjSu.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gWwXsxP.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YIJZTpI.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QNKojBy.exe	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 2152	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	87
PID 4316 wrote to memory of 2152	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	87
PID 4316 wrote to memory of 4860	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	88
PID 4316 wrote to memory of 4860	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	88
PID 4316 wrote to memory of 2688	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	90
PID 4316 wrote to memory of 2688	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	90
PID 4316 wrote to memory of 3716	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	91
PID 4316 wrote to memory of 3716	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	91
PID 4316 wrote to memory of 1272	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	92
PID 4316 wrote to memory of 1272	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	92
PID 4316 wrote to memory of 3300	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	93
PID 4316 wrote to memory of 3300	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	93
PID 4316 wrote to memory of 3256	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	95
PID 4316 wrote to memory of 3256	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	95
PID 4316 wrote to memory of 840	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	96
PID 4316 wrote to memory of 840	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	96
PID 4316 wrote to memory of 4456	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	97
PID 4316 wrote to memory of 4456	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	97
PID 4316 wrote to memory of 2160	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	98
PID 4316 wrote to memory of 2160	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	98
PID 4316 wrote to memory of 716	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	99
PID 4316 wrote to memory of 716	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	99
PID 4316 wrote to memory of 4812	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	100
PID 4316 wrote to memory of 4812	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	100
PID 4316 wrote to memory of 3080	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	101
PID 4316 wrote to memory of 3080	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	101
PID 4316 wrote to memory of 1508	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	102
PID 4316 wrote to memory of 1508	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	102
PID 4316 wrote to memory of 3252	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	103
PID 4316 wrote to memory of 3252	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	103
PID 4316 wrote to memory of 3068	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	105
PID 4316 wrote to memory of 3068	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	105
PID 4316 wrote to memory of 996	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	106
PID 4316 wrote to memory of 996	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	106
PID 4316 wrote to memory of 1672	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	107
PID 4316 wrote to memory of 1672	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	107
PID 4316 wrote to memory of 1836	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	108
PID 4316 wrote to memory of 1836	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	108
PID 4316 wrote to memory of 4116	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	109
PID 4316 wrote to memory of 4116	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	109
PID 4316 wrote to memory of 3588	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	110
PID 4316 wrote to memory of 3588	4316	2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-10_fc5b43eee9d930f342417df1c78c38b8_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\System\eFSzIAJ.exe
  C:\Windows\System\eFSzIAJ.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\JFxXorq.exe
  C:\Windows\System\JFxXorq.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\ynGTlEI.exe
  C:\Windows\System\ynGTlEI.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\YIJZTpI.exe
  C:\Windows\System\YIJZTpI.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\eAmCZLd.exe
  C:\Windows\System\eAmCZLd.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\bVLeNKM.exe
  C:\Windows\System\bVLeNKM.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\kQFjlFE.exe
  C:\Windows\System\kQFjlFE.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\QNKojBy.exe
  C:\Windows\System\QNKojBy.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\MiWdHaP.exe
  C:\Windows\System\MiWdHaP.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\aEVlBOa.exe
  C:\Windows\System\aEVlBOa.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\PunjSLf.exe
  C:\Windows\System\PunjSLf.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\qZGxbkN.exe
  C:\Windows\System\qZGxbkN.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\xFEFjSu.exe
  C:\Windows\System\xFEFjSu.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\coqXJTM.exe
  C:\Windows\System\coqXJTM.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\cHBrSpq.exe
  C:\Windows\System\cHBrSpq.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\uAmAzrG.exe
  C:\Windows\System\uAmAzrG.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\eZnKInR.exe
  C:\Windows\System\eZnKInR.exe
  2⤵
  - Executes dropped EXE
  PID:996
- C:\Windows\System\uRTlfyp.exe
  C:\Windows\System\uRTlfyp.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\KZedRte.exe
  C:\Windows\System\KZedRte.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\kXyCYrP.exe
  C:\Windows\System\kXyCYrP.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\gWwXsxP.exe
  C:\Windows\System\gWwXsxP.exe
  2⤵
  - Executes dropped EXE
  PID:3588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\JFxXorq.exe

Filesize
3.2MB

MD5
a5d491b9e9589273fb2a6d160131f596

SHA1
1c5471c8ba200b75109697621be99f7784a5915f

SHA256
21a3297b3906afb0ca6d180b5bfae65c1b3f6652fb62f4e02be82c04ff5311a0

SHA512
dbabb40db66b055c5d97b3ec8a42424bc78b07c3ade60caab19eda20d90cc1f6d6b68dcf2254b7e5b1d125687266463b23b49b3b3bbf9ed0ee139f49e3aa6ce9

Download Submit
C:\Windows\System\KZedRte.exe

Filesize
5.2MB

MD5
5fe2af8c6e208394d388139db9b3b606

SHA1
4c8bf85a5921d96404370435bd343d424158a904

SHA256
f0ec115d607cd51c729980a688d2ffac5b58813629c4422357e605302d2b4a02

SHA512
c5f8e648601749899dc250a09b0e41709e565025ae63439c849a8b5f18fabeb2dfb3087f8fb6296f86a42805cd5e33cf2746e60ebd8bb534b51d576a1320a9db

Download Submit
C:\Windows\System\KZedRte.exe

Filesize
4.4MB

MD5
1c188e3890a2ded791333607b5010836

SHA1
7b52404de9bf774b4f432d86b3575632d47c9a0f

SHA256
aef175299d0c90533ca1294fe1b0e92edf86a2de157d9ed565e8727b85f50871

SHA512
626124dcb1c97710dd180d69527a447a3d850562cf797dabf54846386e6d01562b875cf5b533a891e28256f3a333d8ec5a52039e5265f3e511d0d06d58222f5b

Download Submit
C:\Windows\System\MiWdHaP.exe

Filesize
3.9MB

MD5
76093197b5e6143e58c39836be52ad4b

SHA1
d48079fc429c271b2637ace5e1ba30bbc5df4a6b

SHA256
7d9e8131fd87333d8f8340d055323063ff4d4f53a23c9dff846a4746e8bf4c47

SHA512
85d0ca2942e9674b2991c11975d2fb019d10b45412ecc5f5f2384f0bbec80da3aae1fb1d4acb20833b6357505a77dc072bbeba541e64c607d85871fa48748c4e

Download Submit
C:\Windows\System\MiWdHaP.exe

Filesize
384KB

MD5
501ace9801b109a6c22e9eec177f5910

SHA1
0e8cff928c9ff2fb0a5edf29bff36fcca0083129

SHA256
77506142a649913afe4fa0ad337356389f2604142893f670c7581afd61f5d3cc

SHA512
135e0b61ee3198bd34dde0fa18406205909d0f557aa90c9e91c94971a7959a4e6cddd9062d057a5e162476dc1ddba41dadd53947108a4c85257f4f5a6b50f13d

Download Submit
C:\Windows\System\PunjSLf.exe

Filesize
3.2MB

MD5
b7cbdd2d211debb4c459827b2b21aa0e

SHA1
9f65927d64d5e8f9dc2c368576abe671a123cdff

SHA256
f2e60f622c8e9f3002d7784fdfc770244cc602e9acf1c2845d2bd02eacf2a03f

SHA512
8c6a45b1408c698286f86218a9b7cd0b910a6f65b106916643e8c2dda8a922e89ebd3854cb319ab87e683da6e452967b0e00ee67789baf91fe2aaf5a474187f4

Download Submit
C:\Windows\System\PunjSLf.exe

Filesize
192KB

MD5
942c2bee5bfc55732f09aad92fc3e996

SHA1
4be5a1927c876dcf888c45defde22b1998b026cd

SHA256
81a669d983102395713d283f96448aacd6fc91460e0501091720864223352d59

SHA512
fe7fd8138f9cd79fd64af96675cbdb2f884745ce45dc82e45780326483d77e89006c686eef31855c1266e0b5721d8579d251e5cea0860cc61feb1008c02f6508

Download Submit
C:\Windows\System\QNKojBy.exe

Filesize
512KB

MD5
70b8aef07c2832574bfe5c0a738efcb6

SHA1
dfe34f75fc10632b4fd550dccf88c8e2c9a98e88

SHA256
1c206df2bd904961bcf4ca5be45fee9cb0558bd88267d02b75ffc4e3a52629d8

SHA512
8409ecb6a7ffa3bed639fee43eb18008d1af7a019600c6c45f6903ab9181c5c3e7f93c7c6214739c361b389a430fc7f4371c5bc8f9f60ef067a68fe4b6acab99

Download Submit
C:\Windows\System\QNKojBy.exe

Filesize
448KB

MD5
17d1f1447d515d3e3282ae8f7862a216

SHA1
b8ef65706d9c4683e302951967606d624643bbc2

SHA256
746637dbbb571e3df58303fbce9a4793f848aa42aff8db29e91ae1070cfa6d12

SHA512
b9e0ba54d1a2e83b6e77ea2c1db8b27f849655e83b9648a44e8fd76d7bb465d3210ac46b31194039dc46759afc80d3d0680b0f9f1c2dd81766428acbebd53b26

Download Submit
C:\Windows\System\aEVlBOa.exe

Filesize
256KB

MD5
ae54bedd5413475f8a071aadeaf53c42

SHA1
5d1d5c5dfd349cf4a67a0443d07da15dcfa5110e

SHA256
9b43e4ac9c0450145f48a9f37c29de0118ae008c4c9b6713c8a323db1cdacc82

SHA512
89b52fa8e2f0f385b5944a49eb9d207dab258fcc1f853e5cfeae440f5c106575bb4e32561b646e98307fc2bc890785ad2d5d0819e8b232e4d227950dd6703cfc

Download Submit
C:\Windows\System\bVLeNKM.exe

Filesize
4.6MB

MD5
d8c6c0fc51ffce98e09bda0e111f2f11

SHA1
568f559c0ae68c0b6a1910b897f588fcebb26fbd

SHA256
3b2ee953c8a34a25ff2667169388d3bba29d301ef9e4761826aae34ae2dc19d3

SHA512
177e74be4b03b3fe628c971acf42070c59d8919fcdbb4b71644048546f985bd7a293fb7c65ee83d9e8d67520b6beb89432f941e624cda26b564bdd7fd20034f9

Download Submit
C:\Windows\System\bVLeNKM.exe

Filesize
896KB

MD5
2a401cc77e7c35eef3fb7ef4e9b683eb

SHA1
02ce6c7567cc36757e5a81595bcce31ec8248f29

SHA256
5a8ac2f9c374fc6a68ae4aef6b1d234888fc524211043ce629db055794d454c9

SHA512
ecc1106101616918447b367d8edd5237382cff66d2337a2c142741c222354fabe5974b80f5533a95da7ab736f91deda4ad9c845b3700515ac0efaf8299d5f450

Download Submit
C:\Windows\System\cHBrSpq.exe

Filesize
1.4MB

MD5
e54abc4bb4a619d0b59c102af28ad855

SHA1
a686c2a1ea36f14e152869153fa8e67afdf87d77

SHA256
fb0acc81330626d6fbac29e4b559ffeaf44c8dd43745051f8f38c404941fb2c9

SHA512
cbb8424a57b505cd9caf314303b8d7dbf2347dc6135f6d7dcf5ba65c2a90aba4a51b64e83505f4c0659e7af6aa7a1ff2e232a11002d4103ecde048bbb0c78f25

Download Submit
C:\Windows\System\coqXJTM.exe

Filesize
1.5MB

MD5
9cc3b8c96655ff70e0bab32927095145

SHA1
d44bc1271168e8cd48fd0247350522ff19ba10d0

SHA256
74c79613da11d512073bb65225893b278d9bbcf417b1b76e01905a61f9de45b8

SHA512
3756c7f8b567842b22282115ffeb29b7b5301154331afcc7c93aa3748cf12a4eed1e40a794dc937299e81a9b4917e38dcff4fdc3d6936bb4c744cf7d417c4d15

Download Submit
C:\Windows\System\eAmCZLd.exe

Filesize
4.2MB

MD5
cc1ec9496992a830935dd35a595603a6

SHA1
65e96d197e64ef95d6b790a7224265e07194266a

SHA256
edffdb1765376561341e649880fa669229b8f0d97efbf8dc7cc3f3a62390c10a

SHA512
b3c4b6b1282c3c912c4131e49a7921ceec87147edfb0fcfda09aa65926bffe856cccc5562e99fdcd78dfbeafe08e8eb91f5110de148243534157dfbec722bdc3

Download Submit
C:\Windows\System\eAmCZLd.exe

Filesize
3.9MB

MD5
0a453f08fcbb44ad0b23010e2281b872

SHA1
af8b6be2abf7f8b787967474d623f1b6e60c30fc

SHA256
c430c4167fb82e73081de1d87fad204df4da757304f96404c3ab03a7ab01162d

SHA512
d3305facb3d581b93c3676ea9db991c75f3cbe8209bde1465667f2156b7a81c54e38a9fbd3ff38a1fb5762a4d7d14806c40d9a69672415a0794fabb619bde295

Download Submit
C:\Windows\System\eFSzIAJ.exe

Filesize
4.5MB

MD5
9b41427706e96efeda7de2ec9bb18f90

SHA1
009118a48ca559216866b1a699644d7a0f65b1c3

SHA256
cc10cd2eb4a2395addabfdf60255108c5a8529f0cc19f63bc245150231d1b3dc

SHA512
7dbfb42348c96e613d2268e253e837783e764e29f1da1373252bae0b4bd64031cb280772642d59554d77b4779b9b66de06ea6e07abff49183e7262e6366feadf

Download Submit
C:\Windows\System\eFSzIAJ.exe

Filesize
5.2MB

MD5
79c824b3575cf3bc005016c5de23125c

SHA1
fe3b27017c2bc70806206b164bc8bf93fed92597

SHA256
099951f367dda1885ab047eb31221aeb952bfdee3bc813a10fcb956511da2376

SHA512
8c7e9fac8c5b44f5280bea5b347f4271587f02bbe3edf4fc6282d2afe37d43e4a9bd164a96d9a06418e05c6b1766cce735964428cd475fb47cfa0b6d9c6999a3

Download Submit
C:\Windows\System\eZnKInR.exe

Filesize
1.0MB

MD5
51a5aab3db13d7c7b0556545525fe5c9

SHA1
83b433edd079eb23f72dc19927707a0ec3213c84

SHA256
958d831cdb09762b695161e47936040fd0df30758e341bd46e84bdc528f42a69

SHA512
d1175d7d9a663fcc0d561530858504e6734e88af9da228fbddb3f71a5798f585bbe8b87a7178019d9b235f9930b25187ca28e2831b61837b0ee4ad5f34e3b8bd

Download Submit
C:\Windows\System\gWwXsxP.exe

Filesize
5.2MB

MD5
76dc027203b2f20c162f35607b2b9e35

SHA1
0dc7d1f806e7f3dac5acedaf70d248d51e7f9381

SHA256
b4b7c08b1b54e0a2d1c84f412fd018cd59b6538553d6c63ee4d6b27eca19cd49

SHA512
dda8e32b70251a390fe76d742ea1f71dca8b3ad6232ba8e4d2bc0db87b385e693fc3dbc32610f5ab21b7fc585085913edb7ec9b70670da5612cb881f8633cabc

Download Submit
C:\Windows\System\kQFjlFE.exe

Filesize
832KB

MD5
968ca35417cb5024876e16ccf418a31b

SHA1
cb8f3160b87cd7b1f775d93d99418980f7faaea3

SHA256
904e275c8b11d946a814a92aae748be2dfeb780881335771b9ed0dd2b9f85d48

SHA512
8db09590c97c88fded5ef17f071f06ed316556a3f8d53ce2605dbecf2e73dda34eff7dcba1229426e0acf6a21207def4a3a509cc9e52b821a48c180574447fc3

Download Submit
C:\Windows\System\kQFjlFE.exe

Filesize
640KB

MD5
d2eff30caba4c307e913b9b5cc48a4a7

SHA1
245827bc73264cae3ac3ed600062646fad6e2a8c

SHA256
cbef0228a7c67eee5fdb69a33ecc6188a501e44ebc636397bc2be62ed7c3f5d2

SHA512
ae4b369be8a4ec305f59f5fde463172ef83574c282f0f372144f42a8dc71d2aafac271db269ddf17d37792b0126ce603b672de23aeba8f59638ac2da98e357bd

Download Submit
C:\Windows\System\kXyCYrP.exe

Filesize
5.2MB

MD5
cb849073ef0666399c454a1e21f084e6

SHA1
3f09b7d1f296538ac9c4a1c3acd45a0956d85595

SHA256
c6586406b8790186845d1fa6a5c42f0c9d9b313566c3c0fb7212941f52b8c550

SHA512
d514ebbc3533c608b7de6b995feaaf7a2aadaa9064984437570e3cc6f91bd1371b3eecef9a063785c75abeb7737c3568546e37b5e2f757483c9abc8829a5afa8

Download Submit
C:\Windows\System\qZGxbkN.exe

Filesize
2.7MB

MD5
e079a532debf2aa09ed43399f7482a78

SHA1
d64d769e3852c50693e4939ff3c40188d985ada3

SHA256
f0e2e71cee385e456cf0a137190ff1c1a4b29ed7cc4b5c514e44a5a394624d11

SHA512
8aba5fe4a36db99c5343691e54a7723b5626c7b4bf43886827b3df3f80c7dcb9e6bc850e27458fb5b242f7a701bccc0b53ebc5b21d12d38ba652c2283e9e3d7e

Download Submit
C:\Windows\System\qZGxbkN.exe

Filesize
1.8MB

MD5
f08a7f7c09ba326a7d2f8c4bca518f78

SHA1
a0055a447e0c8d1d784ca349ada8ff7abc94b13b

SHA256
5706ed08ce1701335eee7ef4a3ec062ef461d13b0ace9057026bf01db8478ccd

SHA512
e2e929f4596db5a87c5e1668e613f5b84e6c97359c40bfc64957117901e8a70a14627c2575fe7c5b3a631f6dfef2e372d1d00b033d7b5220bed5ce0bae3ca5db

Download Submit
C:\Windows\System\uAmAzrG.exe

Filesize
115KB

MD5
db6cf5db9ac47a2e51eb8160e498aa6d

SHA1
1e953435172613f64cdc3c713ca944d7e3cb5aad

SHA256
7dbac99cfebf7673ecba0ecbc7ab6a4b073cdd7009f7b0b642ffb5243f07e1fc

SHA512
ea33109f464b1728d6484c1e4748dc15864253c19ea667589f6f01319462341c79edf2f62241df8794aa982d2bb190dc35b5fb3a493fb8fcae103b24585e064f

Download Submit
C:\Windows\System\uRTlfyp.exe

Filesize
960KB

MD5
854649bc9b7eb30a0b4a12773987ce71

SHA1
3d52198c9b521cb3d98021ee6a37c505e5662162

SHA256
9e58730207c69f823eb7db7429a119c01a546b71f409a15c973b1c8179969035

SHA512
d8081254680347589302b02eecdca4ce2342786ab2a825dec914eaaada528dbe2058b9ec642d54a4f3dc8ced6b8487f2ec34d61110a344a088e1e727f1b253b1

Download Submit
C:\Windows\System\xFEFjSu.exe

Filesize
42KB

MD5
5d87adead288ac65e81464b7803da173

SHA1
d8ba9f5cb599c7a7d7ec35a4390b4af0fbbbb2de

SHA256
6942c1a6c24bd5bf3e7b7b3922e237f4d78cb852f3454b059d64e7f9cbb83eef

SHA512
b83890be722985bfda3a1fb63b9d9ec641ca7e4d9c4d2f11c4f7032e73e9886992fdb45e2b6ad66220945f7af929c85862b3a9f0df6b82e367abf5a4bfca8458

Download Submit
C:\Windows\System\xFEFjSu.exe

Filesize
1.7MB

MD5
2bd727cd06f5e3d710a4fe2a92360836

SHA1
9c67ec63191bcc8a334e8eb631a616627196d2e5

SHA256
46d6cda639b5d412036894faa55bf17f50bb19741b4e34547473e7738cb66e97

SHA512
55330c8d8895aacd4484f61335b82518f94a5810db941086fc49f44721daadf811eb88e552bc62b31fbe51edb660c7d038e536be5f7ba2cb8d01d74ceaf303bc

Download Submit
C:\Windows\System\ynGTlEI.exe

Filesize
5.2MB

MD5
eaa0a05934581590c0ef065649b36a6b

SHA1
3a3abfae494c6be4a81b506854aae948725d8945

SHA256
9ec17aad7ad5b87890ce6ee0da1db563db49f77de9a13b0163128414f1b052f6

SHA512
d5fdd2b8b444d7606bbbbaa03e119af741eec1f44e5b28674d25088b49eeeae1d6b2c2b481bd48733192fe9efa8d7b262f1362807f3b27d592aa4e39b01125a1

Download Submit
C:\Windows\System\ynGTlEI.exe

Filesize
3.8MB

MD5
19820d42c87aba4b3b0e3f462b52d923

SHA1
b8e0fcd04db0dabf0e7ce79111300f5bfc94b9fc

SHA256
12324395466704029c0770bea29890be55a2ecd5105ed9a99310878ce8a44ce2

SHA512
a330f067a0ab8a8f35d1038d80da660bc23c1c3394dc3e3f7f8160c71caf1cb97595eade3679bc1afd3ca6ef8a43af69cd18a91be5df5d814fb47374d694bf62

Download Submit
C:\Windows\System\ynGTlEI.exe

Filesize
4.1MB

MD5
639b50b1f933cb7c9080a2138ead71de

SHA1
6a7ab2b4eb740c106f8b7da1e22e5078ec72759f

SHA256
7640a570498fadb5748b6340912f0f99a74c682891dfd8cbda79b1f804c175b8

SHA512
908a79bbbad43bd685de4cec25101fd551593fd603a0293446ca9bc2c43aa56b5e68b158e310af4542c0fdd0f38cff75dac0de47e849bcd7a4fe961210d926aa

Download Submit
memory/716-216-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/716-103-0x00007FF76A060000-0x00007FF76A3B1000-memory.dmp

Filesize
3.3MB

Download
memory/840-134-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp

Filesize
3.3MB

Download
memory/840-210-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp

Filesize
3.3MB

Download
memory/840-47-0x00007FF6898B0000-0x00007FF689C01000-memory.dmp

Filesize
3.3MB

Download
memory/996-109-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/996-229-0x00007FF62C460000-0x00007FF62C7B1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-203-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-131-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1272-32-0x00007FF68B270000-0x00007FF68B5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-106-0x00007FF646740000-0x00007FF646A91000-memory.dmp

Filesize
3.3MB

Download
memory/1508-220-0x00007FF646740000-0x00007FF646A91000-memory.dmp

Filesize
3.3MB

Download
memory/1672-228-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp

Filesize
3.3MB

Download
memory/1672-111-0x00007FF65BB30000-0x00007FF65BE81000-memory.dmp

Filesize
3.3MB

Download
memory/1836-145-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp

Filesize
3.3MB

Download
memory/1836-236-0x00007FF65CAA0000-0x00007FF65CDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-120-0x00007FF726550000-0x00007FF7268A1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-8-0x00007FF726550000-0x00007FF7268A1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-195-0x00007FF726550000-0x00007FF7268A1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-213-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp

Filesize
3.3MB

Download
memory/2160-101-0x00007FF7ADA00000-0x00007FF7ADD51000-memory.dmp

Filesize
3.3MB

Download
memory/2688-20-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-129-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-199-0x00007FF7DCF60000-0x00007FF7DD2B1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-230-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp

Filesize
3.3MB

Download
memory/3068-108-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp

Filesize
3.3MB

Download
memory/3080-105-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3080-221-0x00007FF77C160000-0x00007FF77C4B1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-107-0x00007FF667460000-0x00007FF6677B1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-224-0x00007FF667460000-0x00007FF6677B1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-42-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-133-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp

Filesize
3.3MB

Download
memory/3256-208-0x00007FF7FFB80000-0x00007FF7FFED1000-memory.dmp

Filesize
3.3MB

Download
memory/3300-206-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3300-132-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3300-38-0x00007FF6B5C00000-0x00007FF6B5F51000-memory.dmp

Filesize
3.3MB

Download
memory/3588-242-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp

Filesize
3.3MB

Download
memory/3588-147-0x00007FF74E7B0000-0x00007FF74EB01000-memory.dmp

Filesize
3.3MB

Download
memory/3716-130-0x00007FF742820000-0x00007FF742B71000-memory.dmp

Filesize
3.3MB

Download
memory/3716-202-0x00007FF742820000-0x00007FF742B71000-memory.dmp

Filesize
3.3MB

Download
memory/3716-26-0x00007FF742820000-0x00007FF742B71000-memory.dmp

Filesize
3.3MB

Download
memory/4116-146-0x00007FF649030000-0x00007FF649381000-memory.dmp

Filesize
3.3MB

Download
memory/4116-240-0x00007FF649030000-0x00007FF649381000-memory.dmp

Filesize
3.3MB

Download
memory/4316-110-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/4316-1-0x00000259E5D00000-0x00000259E5D10000-memory.dmp

Filesize
64KB

Download
memory/4316-0-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/4316-148-0x00007FF7BA700000-0x00007FF7BAA51000-memory.dmp

Filesize
3.3MB

Download
memory/4456-214-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4456-97-0x00007FF70A970000-0x00007FF70ACC1000-memory.dmp

Filesize
3.3MB

Download
memory/4812-222-0x00007FF694310000-0x00007FF694661000-memory.dmp

Filesize
3.3MB

Download
memory/4812-104-0x00007FF694310000-0x00007FF694661000-memory.dmp

Filesize
3.3MB

Download
memory/4860-197-0x00007FF631F00000-0x00007FF632251000-memory.dmp

Filesize
3.3MB

Download
memory/4860-125-0x00007FF631F00000-0x00007FF632251000-memory.dmp

Filesize
3.3MB

Download
memory/4860-14-0x00007FF631F00000-0x00007FF632251000-memory.dmp

Filesize
3.3MB

Download