cobaltstrike | 0cb56a1cb8cbcfb68b9ee1e3d1206a4b27a003fc53b9ca491c8f5c771a9a073b

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

677d3799314d1ae3d2386cc280303166
SHA1

5ba8cb1a9df42f5e938ae07aa6fe8249d3d7b703
SHA256

0cb56a1cb8cbcfb68b9ee1e3d1206a4b27a003fc53b9ca491c8f5c771a9a073b
SHA512

1232867a33ae13f7b80149c77858999a35da15b6aad6e75ce03d4dc999de1d4580cb6b738b06204646adab0584ec7a8da7a67702172b7c0a213fadbf604500ff
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lA:RWWBibf56utgpPFotBER/mQ32lU0

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\tTStfsa.exe	cobalt_reflective_dll
C:\Windows\System\auYTFoY.exe	cobalt_reflective_dll
C:\Windows\System\qJRgwmZ.exe	cobalt_reflective_dll
C:\Windows\System\DqwJEpl.exe	cobalt_reflective_dll
C:\Windows\System\eaVjAaz.exe	cobalt_reflective_dll
C:\Windows\System\EonlyzO.exe	cobalt_reflective_dll
C:\Windows\System\zdnTIzL.exe	cobalt_reflective_dll
C:\Windows\System\THVzxpI.exe	cobalt_reflective_dll
C:\Windows\System\XHwVAir.exe	cobalt_reflective_dll
C:\Windows\System\pLqSphx.exe	cobalt_reflective_dll
C:\Windows\System\HhwdqyF.exe	cobalt_reflective_dll
C:\Windows\System\kyPFFXr.exe	cobalt_reflective_dll
C:\Windows\System\LOQNgTv.exe	cobalt_reflective_dll
C:\Windows\System\xhepkNm.exe	cobalt_reflective_dll
C:\Windows\System\RqXBrgW.exe	cobalt_reflective_dll
C:\Windows\System\ZaYTBbY.exe	cobalt_reflective_dll
C:\Windows\System\Jfonnaf.exe	cobalt_reflective_dll
C:\Windows\System\bdqpCGB.exe	cobalt_reflective_dll
C:\Windows\System\FHbuQcb.exe	cobalt_reflective_dll
C:\Windows\System\rhnzazo.exe	cobalt_reflective_dll
C:\Windows\System\nSxmeQg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\tTStfsa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\auYTFoY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qJRgwmZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DqwJEpl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eaVjAaz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EonlyzO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zdnTIzL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\THVzxpI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XHwVAir.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pLqSphx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HhwdqyF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kyPFFXr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LOQNgTv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xhepkNm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RqXBrgW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZaYTBbY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Jfonnaf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bdqpCGB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FHbuQcb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rhnzazo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nSxmeQg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x00007FF728F30000-0x00007FF729281000-memory.dmp	UPX
C:\Windows\System\tTStfsa.exe	UPX
C:\Windows\System\auYTFoY.exe	UPX
C:\Windows\System\qJRgwmZ.exe	UPX
C:\Windows\System\DqwJEpl.exe	UPX
C:\Windows\System\eaVjAaz.exe	UPX
C:\Windows\System\EonlyzO.exe	UPX
C:\Windows\System\zdnTIzL.exe	UPX
behavioral2/memory/4956-104-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	UPX
C:\Windows\System\THVzxpI.exe	UPX
C:\Windows\System\XHwVAir.exe	UPX
behavioral2/memory/540-120-0x00007FF7752E0000-0x00007FF775631000-memory.dmp	UPX
behavioral2/memory/3524-123-0x00007FF771730000-0x00007FF771A81000-memory.dmp	UPX
behavioral2/memory/1180-126-0x00007FF62E430000-0x00007FF62E781000-memory.dmp	UPX
behavioral2/memory/2180-127-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp	UPX
behavioral2/memory/452-124-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp	UPX
behavioral2/memory/4792-122-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp	UPX
behavioral2/memory/2476-121-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	UPX
behavioral2/memory/432-119-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp	UPX
C:\Windows\System\pLqSphx.exe	UPX
behavioral2/memory/3924-115-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	UPX
C:\Windows\System\HhwdqyF.exe	UPX
behavioral2/memory/3496-110-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	UPX
C:\Windows\System\kyPFFXr.exe	UPX
C:\Windows\System\LOQNgTv.exe	UPX
behavioral2/memory/1972-93-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	UPX
C:\Windows\System\xhepkNm.exe	UPX
behavioral2/memory/2120-83-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	UPX
C:\Windows\System\RqXBrgW.exe	UPX
C:\Windows\System\ZaYTBbY.exe	UPX
behavioral2/memory/3484-73-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	UPX
behavioral2/memory/1188-66-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	UPX
behavioral2/memory/4200-63-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	UPX
C:\Windows\System\Jfonnaf.exe	UPX
behavioral2/memory/2684-54-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	UPX
C:\Windows\System\bdqpCGB.exe	UPX
behavioral2/memory/5100-42-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	UPX
C:\Windows\System\FHbuQcb.exe	UPX
behavioral2/memory/3916-36-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	UPX
C:\Windows\System\rhnzazo.exe	UPX
behavioral2/memory/1604-24-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	UPX
C:\Windows\System\nSxmeQg.exe	UPX
behavioral2/memory/4292-13-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	UPX
behavioral2/memory/3708-128-0x00007FF728F30000-0x00007FF729281000-memory.dmp	UPX
behavioral2/memory/4292-129-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	UPX
behavioral2/memory/1604-131-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	UPX
behavioral2/memory/3916-134-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	UPX
behavioral2/memory/5100-133-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	UPX
behavioral2/memory/4200-139-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	UPX
behavioral2/memory/1188-140-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	UPX
behavioral2/memory/3708-150-0x00007FF728F30000-0x00007FF729281000-memory.dmp	UPX
behavioral2/memory/3708-172-0x00007FF728F30000-0x00007FF729281000-memory.dmp	UPX
behavioral2/memory/4292-196-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	UPX
behavioral2/memory/3484-198-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	UPX
behavioral2/memory/1604-200-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	UPX
behavioral2/memory/2120-204-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	UPX
behavioral2/memory/2684-203-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	UPX
behavioral2/memory/1972-208-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	UPX
behavioral2/memory/5100-207-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	UPX
behavioral2/memory/3916-211-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	UPX
behavioral2/memory/4956-212-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	UPX
behavioral2/memory/3496-215-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	UPX
behavioral2/memory/4200-217-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	UPX
behavioral2/memory/1188-218-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4956-104-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	xmrig
behavioral2/memory/540-120-0x00007FF7752E0000-0x00007FF775631000-memory.dmp	xmrig
behavioral2/memory/3524-123-0x00007FF771730000-0x00007FF771A81000-memory.dmp	xmrig
behavioral2/memory/1180-126-0x00007FF62E430000-0x00007FF62E781000-memory.dmp	xmrig
behavioral2/memory/2180-127-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp	xmrig
behavioral2/memory/452-124-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp	xmrig
behavioral2/memory/4792-122-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp	xmrig
behavioral2/memory/2476-121-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	xmrig
behavioral2/memory/432-119-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp	xmrig
behavioral2/memory/3924-115-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	xmrig
behavioral2/memory/3496-110-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	xmrig
behavioral2/memory/1972-93-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	xmrig
behavioral2/memory/2120-83-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	xmrig
behavioral2/memory/3484-73-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	xmrig
behavioral2/memory/2684-54-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	xmrig
behavioral2/memory/4292-13-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	xmrig
behavioral2/memory/3708-128-0x00007FF728F30000-0x00007FF729281000-memory.dmp	xmrig
behavioral2/memory/4292-129-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	xmrig
behavioral2/memory/1604-131-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	xmrig
behavioral2/memory/3916-134-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	xmrig
behavioral2/memory/5100-133-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	xmrig
behavioral2/memory/4200-139-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	xmrig
behavioral2/memory/1188-140-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	xmrig
behavioral2/memory/3708-150-0x00007FF728F30000-0x00007FF729281000-memory.dmp	xmrig
behavioral2/memory/3708-172-0x00007FF728F30000-0x00007FF729281000-memory.dmp	xmrig
behavioral2/memory/4292-196-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	xmrig
behavioral2/memory/3484-198-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	xmrig
behavioral2/memory/1604-200-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	xmrig
behavioral2/memory/2120-204-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	xmrig
behavioral2/memory/2684-203-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	xmrig
behavioral2/memory/1972-208-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	xmrig
behavioral2/memory/5100-207-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	xmrig
behavioral2/memory/3916-211-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	xmrig
behavioral2/memory/4956-212-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	xmrig
behavioral2/memory/3496-215-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	xmrig
behavioral2/memory/4200-217-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	xmrig
behavioral2/memory/1188-218-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	xmrig
behavioral2/memory/3924-220-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	xmrig
behavioral2/memory/432-222-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp	xmrig
behavioral2/memory/452-224-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp	xmrig
behavioral2/memory/3524-227-0x00007FF771730000-0x00007FF771A81000-memory.dmp	xmrig
behavioral2/memory/1180-229-0x00007FF62E430000-0x00007FF62E781000-memory.dmp	xmrig
behavioral2/memory/2476-233-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	xmrig
behavioral2/memory/540-234-0x00007FF7752E0000-0x00007FF775631000-memory.dmp	xmrig
behavioral2/memory/4792-232-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp	xmrig
behavioral2/memory/2180-238-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

tTStfsa.exenSxmeQg.exeauYTFoY.exeFHbuQcb.exeqJRgwmZ.exeDqwJEpl.exerhnzazo.exebdqpCGB.exeJfonnaf.exeeaVjAaz.exeZaYTBbY.exeEonlyzO.exeRqXBrgW.exeLOQNgTv.exezdnTIzL.exexhepkNm.exekyPFFXr.exeTHVzxpI.exeHhwdqyF.exepLqSphx.exeXHwVAir.exe

pid	process
4292	tTStfsa.exe
3484	nSxmeQg.exe
1604	auYTFoY.exe
2120	FHbuQcb.exe
3916	qJRgwmZ.exe
5100	DqwJEpl.exe
2684	rhnzazo.exe
1972	bdqpCGB.exe
4956	Jfonnaf.exe
3496	eaVjAaz.exe
4200	ZaYTBbY.exe
3924	EonlyzO.exe
1188	RqXBrgW.exe
3524	LOQNgTv.exe
432	zdnTIzL.exe
452	xhepkNm.exe
1180	kyPFFXr.exe
540	THVzxpI.exe
2476	HhwdqyF.exe
2180	pLqSphx.exe
4792	XHwVAir.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x00007FF728F30000-0x00007FF729281000-memory.dmp	upx
C:\Windows\System\tTStfsa.exe	upx
C:\Windows\System\auYTFoY.exe	upx
C:\Windows\System\qJRgwmZ.exe	upx
C:\Windows\System\DqwJEpl.exe	upx
C:\Windows\System\eaVjAaz.exe	upx
C:\Windows\System\EonlyzO.exe	upx
C:\Windows\System\zdnTIzL.exe	upx
behavioral2/memory/4956-104-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	upx
C:\Windows\System\THVzxpI.exe	upx
C:\Windows\System\XHwVAir.exe	upx
behavioral2/memory/540-120-0x00007FF7752E0000-0x00007FF775631000-memory.dmp	upx
behavioral2/memory/3524-123-0x00007FF771730000-0x00007FF771A81000-memory.dmp	upx
behavioral2/memory/1180-126-0x00007FF62E430000-0x00007FF62E781000-memory.dmp	upx
behavioral2/memory/2180-127-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp	upx
behavioral2/memory/452-124-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp	upx
behavioral2/memory/4792-122-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp	upx
behavioral2/memory/2476-121-0x00007FF617460000-0x00007FF6177B1000-memory.dmp	upx
behavioral2/memory/432-119-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp	upx
C:\Windows\System\pLqSphx.exe	upx
behavioral2/memory/3924-115-0x00007FF69E400000-0x00007FF69E751000-memory.dmp	upx
C:\Windows\System\HhwdqyF.exe	upx
behavioral2/memory/3496-110-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	upx
C:\Windows\System\kyPFFXr.exe	upx
C:\Windows\System\LOQNgTv.exe	upx
behavioral2/memory/1972-93-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	upx
C:\Windows\System\xhepkNm.exe	upx
behavioral2/memory/2120-83-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	upx
C:\Windows\System\RqXBrgW.exe	upx
C:\Windows\System\ZaYTBbY.exe	upx
behavioral2/memory/3484-73-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	upx
behavioral2/memory/1188-66-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	upx
behavioral2/memory/4200-63-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	upx
C:\Windows\System\Jfonnaf.exe	upx
behavioral2/memory/2684-54-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	upx
C:\Windows\System\bdqpCGB.exe	upx
behavioral2/memory/5100-42-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	upx
C:\Windows\System\FHbuQcb.exe	upx
behavioral2/memory/3916-36-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	upx
C:\Windows\System\rhnzazo.exe	upx
behavioral2/memory/1604-24-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	upx
C:\Windows\System\nSxmeQg.exe	upx
behavioral2/memory/4292-13-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	upx
behavioral2/memory/3708-128-0x00007FF728F30000-0x00007FF729281000-memory.dmp	upx
behavioral2/memory/4292-129-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	upx
behavioral2/memory/1604-131-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	upx
behavioral2/memory/3916-134-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	upx
behavioral2/memory/5100-133-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	upx
behavioral2/memory/4200-139-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	upx
behavioral2/memory/1188-140-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	upx
behavioral2/memory/3708-150-0x00007FF728F30000-0x00007FF729281000-memory.dmp	upx
behavioral2/memory/3708-172-0x00007FF728F30000-0x00007FF729281000-memory.dmp	upx
behavioral2/memory/4292-196-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp	upx
behavioral2/memory/3484-198-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp	upx
behavioral2/memory/1604-200-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp	upx
behavioral2/memory/2120-204-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp	upx
behavioral2/memory/2684-203-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp	upx
behavioral2/memory/1972-208-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp	upx
behavioral2/memory/5100-207-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp	upx
behavioral2/memory/3916-211-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp	upx
behavioral2/memory/4956-212-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp	upx
behavioral2/memory/3496-215-0x00007FF630B10000-0x00007FF630E61000-memory.dmp	upx
behavioral2/memory/4200-217-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp	upx
behavioral2/memory/1188-218-0x00007FF727380000-0x00007FF7276D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\tTStfsa.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\auYTFoY.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qJRgwmZ.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Jfonnaf.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eaVjAaz.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZaYTBbY.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EonlyzO.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pLqSphx.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nSxmeQg.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xhepkNm.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kyPFFXr.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FHbuQcb.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DqwJEpl.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RqXBrgW.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LOQNgTv.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HhwdqyF.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rhnzazo.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bdqpCGB.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zdnTIzL.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\THVzxpI.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XHwVAir.exe	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3708 wrote to memory of 4292	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	tTStfsa.exe
PID 3708 wrote to memory of 4292	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	tTStfsa.exe
PID 3708 wrote to memory of 3484	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	nSxmeQg.exe
PID 3708 wrote to memory of 3484	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	nSxmeQg.exe
PID 3708 wrote to memory of 1604	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	auYTFoY.exe
PID 3708 wrote to memory of 1604	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	auYTFoY.exe
PID 3708 wrote to memory of 2120	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	FHbuQcb.exe
PID 3708 wrote to memory of 2120	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	FHbuQcb.exe
PID 3708 wrote to memory of 5100	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	DqwJEpl.exe
PID 3708 wrote to memory of 5100	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	DqwJEpl.exe
PID 3708 wrote to memory of 3916	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	qJRgwmZ.exe
PID 3708 wrote to memory of 3916	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	qJRgwmZ.exe
PID 3708 wrote to memory of 2684	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	rhnzazo.exe
PID 3708 wrote to memory of 2684	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	rhnzazo.exe
PID 3708 wrote to memory of 1972	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	bdqpCGB.exe
PID 3708 wrote to memory of 1972	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	bdqpCGB.exe
PID 3708 wrote to memory of 4956	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	Jfonnaf.exe
PID 3708 wrote to memory of 4956	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	Jfonnaf.exe
PID 3708 wrote to memory of 3496	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	eaVjAaz.exe
PID 3708 wrote to memory of 3496	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	eaVjAaz.exe
PID 3708 wrote to memory of 4200	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	ZaYTBbY.exe
PID 3708 wrote to memory of 4200	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	ZaYTBbY.exe
PID 3708 wrote to memory of 1188	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	RqXBrgW.exe
PID 3708 wrote to memory of 1188	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	RqXBrgW.exe
PID 3708 wrote to memory of 3924	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	EonlyzO.exe
PID 3708 wrote to memory of 3924	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	EonlyzO.exe
PID 3708 wrote to memory of 3524	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	LOQNgTv.exe
PID 3708 wrote to memory of 3524	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	LOQNgTv.exe
PID 3708 wrote to memory of 432	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	zdnTIzL.exe
PID 3708 wrote to memory of 432	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	zdnTIzL.exe
PID 3708 wrote to memory of 452	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	xhepkNm.exe
PID 3708 wrote to memory of 452	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	xhepkNm.exe
PID 3708 wrote to memory of 1180	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	kyPFFXr.exe
PID 3708 wrote to memory of 1180	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	kyPFFXr.exe
PID 3708 wrote to memory of 540	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	THVzxpI.exe
PID 3708 wrote to memory of 540	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	THVzxpI.exe
PID 3708 wrote to memory of 2476	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	HhwdqyF.exe
PID 3708 wrote to memory of 2476	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	HhwdqyF.exe
PID 3708 wrote to memory of 2180	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	pLqSphx.exe
PID 3708 wrote to memory of 2180	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	pLqSphx.exe
PID 3708 wrote to memory of 4792	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	XHwVAir.exe
PID 3708 wrote to memory of 4792	3708	2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe	XHwVAir.exe

C:\Users\Admin\AppData\Local\Temp\2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-31_677d3799314d1ae3d2386cc280303166_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System\tTStfsa.exe
C:\Windows\System\tTStfsa.exe
2⤵
- Executes dropped EXE
PID:4292

C:\Windows\System\nSxmeQg.exe
C:\Windows\System\nSxmeQg.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\System\auYTFoY.exe
C:\Windows\System\auYTFoY.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\System\FHbuQcb.exe
C:\Windows\System\FHbuQcb.exe
2⤵
- Executes dropped EXE
PID:2120

C:\Windows\System\DqwJEpl.exe
C:\Windows\System\DqwJEpl.exe
2⤵
- Executes dropped EXE
PID:5100

C:\Windows\System\qJRgwmZ.exe
C:\Windows\System\qJRgwmZ.exe
2⤵
- Executes dropped EXE
PID:3916

C:\Windows\System\rhnzazo.exe
C:\Windows\System\rhnzazo.exe
2⤵
- Executes dropped EXE
PID:2684

C:\Windows\System\bdqpCGB.exe
C:\Windows\System\bdqpCGB.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\Jfonnaf.exe
C:\Windows\System\Jfonnaf.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\System\eaVjAaz.exe
C:\Windows\System\eaVjAaz.exe
2⤵
- Executes dropped EXE
PID:3496

C:\Windows\System\ZaYTBbY.exe
C:\Windows\System\ZaYTBbY.exe
2⤵
- Executes dropped EXE
PID:4200

C:\Windows\System\RqXBrgW.exe
C:\Windows\System\RqXBrgW.exe
2⤵
- Executes dropped EXE
PID:1188

C:\Windows\System\EonlyzO.exe
C:\Windows\System\EonlyzO.exe
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\System\LOQNgTv.exe
C:\Windows\System\LOQNgTv.exe
2⤵
- Executes dropped EXE
PID:3524

C:\Windows\System\zdnTIzL.exe
C:\Windows\System\zdnTIzL.exe
2⤵
- Executes dropped EXE
PID:432

C:\Windows\System\xhepkNm.exe
C:\Windows\System\xhepkNm.exe
2⤵
- Executes dropped EXE
PID:452

C:\Windows\System\kyPFFXr.exe
C:\Windows\System\kyPFFXr.exe
2⤵
- Executes dropped EXE
PID:1180

C:\Windows\System\THVzxpI.exe
C:\Windows\System\THVzxpI.exe
2⤵
- Executes dropped EXE
PID:540

C:\Windows\System\HhwdqyF.exe
C:\Windows\System\HhwdqyF.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\System\pLqSphx.exe
C:\Windows\System\pLqSphx.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\XHwVAir.exe
C:\Windows\System\XHwVAir.exe
2⤵
- Executes dropped EXE
PID:4792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DqwJEpl.exe
Filesize
5.2MB

MD5
59d6eb8e725d240bb3967b5f7180627a

SHA1
6ce3f41b11437b69fc5c5a426ce72af86c0f3a12

SHA256
bda804b62e17a6bb11dc0116218798ffe7e12076ac87824c29f5eeb540190b6e

SHA512
a2846bdd92ca03a2b1d58a6df61d90d13854a59c434d66736426eddeebb229353d235ebc4239ce073bcf298399eb7ffdbc007b9e1b29973724808704d2b5b9df

Download Submit
C:\Windows\System\EonlyzO.exe
Filesize
5.2MB

MD5
a2f591d047a312738cb3416dd1689ebd

SHA1
39796d1eb81350600597181030cf383e6d8abf53

SHA256
88b9726b6e19bfe9ad7a5d0e98640f01c0a1ea5542cf179bbc8059c1ad1c9e78

SHA512
387c7d2bfec173dd4f8ff3659c2e0fc9d9b72805974b9bda81ece0dffc3a5487db4084e08381bb8f441c78b793c58ef98ac530619e57d1d51654e20c88c57b17

Download Submit
C:\Windows\System\FHbuQcb.exe
Filesize
5.2MB

MD5
4df48e3fccc2b1732dd133944258701a

SHA1
026e4d25b8fb817599c416a353e86577346fae22

SHA256
f497a163bb88af56411da0e6125a6a68ade021529138494682a1ab7104bf1adc

SHA512
7f39966935efc3df0e938e8d3b9f3573edcaa68aad6dcf97aafae5fa9591c633b1a19f3e175f4b3eb722251abb46ac0bb3f397ea1ea76c3153b0fd2959de6068

Download Submit
C:\Windows\System\HhwdqyF.exe
Filesize
5.2MB

MD5
56521877a3dab2b4ee924916173e5383

SHA1
58d327dd1b8013663f535f4e4783a4646036131f

SHA256
a60e0404812b9d4651bb0f862a0f3c18f4b36cb9cc01a82ea61d0f0ba1324d15

SHA512
123d89fd20f77332e36fa694b881851e969be5e61dd3b3b30ae175d244a418191ee1854d540544170da7f965823fa09798b464fc92db3ff4d88e6b5abc206df1

Download Submit
C:\Windows\System\Jfonnaf.exe
Filesize
5.2MB

MD5
fab2b4067175abf443da35702bebfa1c

SHA1
91c7ea84fed9ace7734d5786a0d429420855b856

SHA256
1ce06f6d9114d86ee6c77099e45a762f189eef291ce2e54a9a821b99654345a4

SHA512
871a8507bf056814e7b9b4b335882da0a9b27f1d0bca97d196a989ea95723c69eaa4e6d9bd4dc48805a43725b47d799b8f8963eff090285071b6b212a2d6b800

Download Submit
C:\Windows\System\LOQNgTv.exe
Filesize
5.2MB

MD5
fdcb4864c11df21a6db0d2b2d0271d08

SHA1
53cceb3aa797792a5491badea574166cb88d5127

SHA256
d83b6fa4e74795bae2ed38225f223298bba8435435dcb299b859fceaa4e44ac3

SHA512
34a747743e2b6a8f5dbb6a13442b0daead083003d9f6f0c3e0d199caa15b2d2d1a070f9ef6b9fe98b6025c22b497483f7ab775fc0719a7d7663f244acab68876

Download Submit
C:\Windows\System\RqXBrgW.exe
Filesize
5.2MB

MD5
ed1b1a195695403b9b9348b6cb5fdc69

SHA1
094b2155ff32fc91263a594d49b5ace39ab601b4

SHA256
96e2e1f9cb3f1c56db0b3f8148ff66a5a645a676a072fa0581bf8a0247d68c37

SHA512
0eb98c1722598cd0dac0ac3d3328741805a26f08cf385326add4d33c5b3b4287100e90883cf41662ea5c4f3adaf759175a2c1408f5c3822250c3d002429db463

Download Submit
C:\Windows\System\THVzxpI.exe
Filesize
5.2MB

MD5
42146c6b2d31ff5a0d703dda9a1407e7

SHA1
7b21b5e2bb6f9ac65f4589338fd089d8b2baa945

SHA256
a28a2f03fd36b75e20d94fa4e21c83c08a3b8272b6af82a3e9f98a0d2dba6c70

SHA512
c662d49a93d5db7c8dd91e5c216b73642002dcb5ff01449e4ee2c639f186eb06d0008e26062daec7866cf0b9be3e38e241c7c7d6e60afc9198c55de221062a10

Download Submit
C:\Windows\System\XHwVAir.exe
Filesize
5.2MB

MD5
d02a564116111f28e88ab7c92a633a71

SHA1
75067fa789d6a61380e7ab9066c97538639707c5

SHA256
f5f35709af8acc378c82a49d8e7ad6cf5190b7734e14f0aeb06db113b0df3fad

SHA512
d8f3e1d5b812c604185325a00d33bb2820c344062ce3e43053d0da93d549c408ae34e2781a7aee74275950e65255b04e2bf4b1a04373a3da8eaaef79cd878355

Download Submit
C:\Windows\System\ZaYTBbY.exe
Filesize
5.2MB

MD5
00c6e07952574f118ac7bf4031713a1d

SHA1
6f6fa3393aec1033bc01312a51c005fa9b9e1030

SHA256
981a861b157d4794069954bad1f15245a0207792e296a99b0ac49f562cd9abd5

SHA512
00e066ab9af968b3a68b2bb2dd56e3df8f407ad9c1cd0c8c70b5e4c34f78af7ec9b2a33be35906ee89719057ecfe30a49dc7c4f1c72a7ad911802245bf8a11f0

Download Submit
C:\Windows\System\auYTFoY.exe
Filesize
5.2MB

MD5
e48a7155a036725d204b066a0cb53f73

SHA1
a38dd56e9374c1b54f290fe31d064fd8e0d4d752

SHA256
7054a2a93ec0750f89e5d019c59e24c27fb13507386ec33d775a6c1327c3ba36

SHA512
77b96006683c4659d72d919afce8b5f448869ed4b013866f294ab173f27cc31e8323960ef2394d3be6203ef05630fb670bf4df0aab85be3cf987bab545df8676

Download Submit
C:\Windows\System\bdqpCGB.exe
Filesize
5.2MB

MD5
b83a9414c67d3535e54cc8e3099570f8

SHA1
e2940e8eaa121f2caee21f8ac7e7ca22ad66a1c4

SHA256
7be2e6dce1324f4142f87f62a719abb6a931b5e49b3cb1340d4a4a429b7a040e

SHA512
dc8ecd81a6ed95a5fc856cd45191847b5c6046d2eafc3522f3608f443cfbcd9881917a7ee2a3841d22fcfc240c1e34d2f8acce83e21b93ed5ae60c4f52f5efe7

Download Submit
C:\Windows\System\eaVjAaz.exe
Filesize
5.2MB

MD5
09cb4a07dc45c718daa46c1808a4c97a

SHA1
f33c510727e1685ccdaff1d0eb0740ac29c0c0c4

SHA256
00378d967f02a650e49145771202dc6931046cb29707bd09becbaa0ec9ae446e

SHA512
8fff37b032f3b649b063ab4fa1985fc301e229840d89169146c40657e4c7a0cf7e7321263e6f1e29d8e382a86dcbf838fdb14bf5d75acc7704f140bd2ddaed13

Download Submit
C:\Windows\System\kyPFFXr.exe
Filesize
5.2MB

MD5
0f1131c72e16e9996a6e02f52df7258b

SHA1
b83e4d2ededc4d68ef20c9bab35fbe9cce5e0f34

SHA256
cd7db04a3cf686958111553d3f2754245e85592b04f8e26e5a532a0194487bdb

SHA512
9883c4be472aa73a0b35995d8990a99797d9135703a7ef61fd684317b00155f6165e3e2c16da7fc251e341dcf9a2cf99610e8ebb5fd7aa5e1a322c45c09893e5

Download Submit
C:\Windows\System\nSxmeQg.exe
Filesize
5.2MB

MD5
a7f215cd1ca0b26e2cae0e6fd987a59a

SHA1
1ae13bd5d97527eb66799528dae7eec247f11145

SHA256
378c7d0c006e261197ce25e1f838baf7e91acde692aa1adee978f2145b8f3295

SHA512
3030a006d35ff3931394e248b849654ede8a846daa565e5ab21924b43a4af2687757f2a158ca55339ee8ef6df49493d9de16aad7ff93cac17d5d32edb24d06bd

Download Submit
C:\Windows\System\pLqSphx.exe
Filesize
5.2MB

MD5
7aa9379e22c468f00eb67d6f684e2e2c

SHA1
4400c44a31832b1f20f7e06abe45039d76fcdbcf

SHA256
a3ec6497a893e64cf89fa3c734200531e4e92b7a5af7c89f19d6c986ed2eadb5

SHA512
17f38eb5b53b3fe5e7a99dd82463c1e15926d88a02418dc2445d5347a0166ecac6952c7a310f5bfeef2dbaba82d412003ba0c4e69fb0d104946c19fdcc7ec1bf

Download Submit
C:\Windows\System\qJRgwmZ.exe
Filesize
5.2MB

MD5
375ba7af2469387d13350ed3e0e95c23

SHA1
9497fc0eb7d76b3abd069b9c7fae85ba7eacaa5c

SHA256
9a11fc036d905360bea696da73b13363f4ead6e6afa50fb44feb362885eb16f4

SHA512
b11490bbc33cbf1e4c049c7c133eae190c00908ce91a89a8ca02c7edf053a4f5dd3eb3b7db4a0647a418029f9cfcaf00d5144440c56f5d3ed8222fa7b4d6c801

Download Submit
C:\Windows\System\rhnzazo.exe
Filesize
5.2MB

MD5
fe77cd3a88513c918310f5d86ccffcdb

SHA1
747677ce2ae584fd4a407b9875e0901eaf026f15

SHA256
ed3f344f557b360f689935a9dcf81f5b2297f381c8587f56b68b50b380822438

SHA512
0034d96a9e91ca5d9301e69868851266469bd6445b06dc12d5f3c437f278ebb2521b011a1b1bde0bb297e3cb8af852a91c45fe03f5b7ef7c7996e54f82cd7fbb

Download Submit
C:\Windows\System\tTStfsa.exe
Filesize
5.2MB

MD5
d996e04c22c5bdbeda4f13dc367dc384

SHA1
c392001fff304754236bab6078a019965722e159

SHA256
fbd8c09c205720c30ca823ed9568330122bcd3e74998923c722ae3fb7617e37f

SHA512
1d80a815920d5d1a86a1c1c3c27203051a22cdd419fe1b7e99a0cd5f453c3079d40d146f8400953ce181e5bb861abf547f097497aabfd7a520edce7914928bdc

Download Submit
C:\Windows\System\xhepkNm.exe
Filesize
5.2MB

MD5
ba79b8d0dc65cade54c4d9ea73e5f84a

SHA1
6a35b9bb58f497f5b2ff51e0fc40aa2e216685ed

SHA256
169d08c65f92c1c6ae0c65d6206b2da4cda258efbb583c4d63d1876d48d41ffb

SHA512
8bb9f0223174446ff8ea05ff42405922c028af87469b28b99a7271a7952159d086d8bb4c837f8eb270d079573b788a130fefb1465c60bb93c5ba1033360ea9c6

Download Submit
C:\Windows\System\zdnTIzL.exe
Filesize
5.2MB

MD5
9b347767b123e789a9036baaa21c79c5

SHA1
6f380a3bc28377f4fd38be0a58793ea9e439430c

SHA256
6ac473106c197a604b0573225aaf9ab27d6c2f0000f7b38ab336abc3b0e6d271

SHA512
db7da3c4ee41ea6d63696778ff3b0061c4ea4e9db53efc4d32c90890747fe01a883e4b054d2446b5bd2c41255197d9e81e1b4f5f02b21fdb1c072894f0015006

Download Submit
memory/432-222-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp

Filesize
3.3MB

Download
memory/432-119-0x00007FF7E28E0000-0x00007FF7E2C31000-memory.dmp

Filesize
3.3MB

Download
memory/452-124-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp

Filesize
3.3MB

Download
memory/452-224-0x00007FF72C850000-0x00007FF72CBA1000-memory.dmp

Filesize
3.3MB

Download
memory/540-234-0x00007FF7752E0000-0x00007FF775631000-memory.dmp

Filesize
3.3MB

Download
memory/540-120-0x00007FF7752E0000-0x00007FF775631000-memory.dmp

Filesize
3.3MB

Download
memory/1180-229-0x00007FF62E430000-0x00007FF62E781000-memory.dmp

Filesize
3.3MB

Download
memory/1180-126-0x00007FF62E430000-0x00007FF62E781000-memory.dmp

Filesize
3.3MB

Download
memory/1188-140-0x00007FF727380000-0x00007FF7276D1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-218-0x00007FF727380000-0x00007FF7276D1000-memory.dmp

Filesize
3.3MB

Download
memory/1188-66-0x00007FF727380000-0x00007FF7276D1000-memory.dmp

Filesize
3.3MB

Download
memory/1604-24-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp

Filesize
3.3MB

Download
memory/1604-131-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp

Filesize
3.3MB

Download
memory/1604-200-0x00007FF7DE3B0000-0x00007FF7DE701000-memory.dmp

Filesize
3.3MB

Download
memory/1972-93-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp

Filesize
3.3MB

Download
memory/1972-208-0x00007FF6A99B0000-0x00007FF6A9D01000-memory.dmp

Filesize
3.3MB

Download
memory/2120-204-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2120-83-0x00007FF62D390000-0x00007FF62D6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-238-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp

Filesize
3.3MB

Download
memory/2180-127-0x00007FF6769D0000-0x00007FF676D21000-memory.dmp

Filesize
3.3MB

Download
memory/2476-121-0x00007FF617460000-0x00007FF6177B1000-memory.dmp

Filesize
3.3MB

Download
memory/2476-233-0x00007FF617460000-0x00007FF6177B1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-54-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-203-0x00007FF6D6680000-0x00007FF6D69D1000-memory.dmp

Filesize
3.3MB

Download
memory/3484-198-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp

Filesize
3.3MB

Download
memory/3484-73-0x00007FF6C3020000-0x00007FF6C3371000-memory.dmp

Filesize
3.3MB

Download
memory/3496-215-0x00007FF630B10000-0x00007FF630E61000-memory.dmp

Filesize
3.3MB

Download
memory/3496-110-0x00007FF630B10000-0x00007FF630E61000-memory.dmp

Filesize
3.3MB

Download
memory/3524-123-0x00007FF771730000-0x00007FF771A81000-memory.dmp

Filesize
3.3MB

Download
memory/3524-227-0x00007FF771730000-0x00007FF771A81000-memory.dmp

Filesize
3.3MB

Download
memory/3708-0-0x00007FF728F30000-0x00007FF729281000-memory.dmp

Filesize
3.3MB

Download
memory/3708-1-0x0000019AC3B90000-0x0000019AC3BA0000-memory.dmp

Filesize
64KB

Download
memory/3708-150-0x00007FF728F30000-0x00007FF729281000-memory.dmp

Filesize
3.3MB

Download
memory/3708-172-0x00007FF728F30000-0x00007FF729281000-memory.dmp

Filesize
3.3MB

Download
memory/3708-128-0x00007FF728F30000-0x00007FF729281000-memory.dmp

Filesize
3.3MB

Download
memory/3916-134-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-36-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-211-0x00007FF6409A0000-0x00007FF640CF1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-220-0x00007FF69E400000-0x00007FF69E751000-memory.dmp

Filesize
3.3MB

Download
memory/3924-115-0x00007FF69E400000-0x00007FF69E751000-memory.dmp

Filesize
3.3MB

Download
memory/4200-139-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp

Filesize
3.3MB

Download
memory/4200-63-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp

Filesize
3.3MB

Download
memory/4200-217-0x00007FF6E0630000-0x00007FF6E0981000-memory.dmp

Filesize
3.3MB

Download
memory/4292-196-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-13-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-129-0x00007FF6BC880000-0x00007FF6BCBD1000-memory.dmp

Filesize
3.3MB

Download
memory/4792-122-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp

Filesize
3.3MB

Download
memory/4792-232-0x00007FF6E1F00000-0x00007FF6E2251000-memory.dmp

Filesize
3.3MB

Download
memory/4956-212-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp

Filesize
3.3MB

Download
memory/4956-104-0x00007FF72B8B0000-0x00007FF72BC01000-memory.dmp

Filesize
3.3MB

Download
memory/5100-42-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp

Filesize
3.3MB

Download
memory/5100-207-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp

Filesize
3.3MB

Download
memory/5100-133-0x00007FF63E710000-0x00007FF63EA61000-memory.dmp

Filesize
3.3MB

Download