cobaltstrike | b076c05d25501ff0f9f2c9baafe641d8b38df163666a8bad3966f728dd89e0b4

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 17:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

2789ebac14a266434c13709f2f8bf0c1
SHA1

798d4b52bfa502a9143480fde28d78be09103acd
SHA256

b076c05d25501ff0f9f2c9baafe641d8b38df163666a8bad3966f728dd89e0b4
SHA512

46ad2e2db675ae963cf2d73580cbe3c5294b5ffda5a4d7766043f8dc5b6dcaba11c9856442f2f60653a7f53ed805fe49cca634d23f68b4e0f4a9239c8e832a54
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\PaTcuxu.exe	cobalt_reflective_dll
C:\Windows\System\uQaXeHR.exe	cobalt_reflective_dll
C:\Windows\System\tAXBEoo.exe	cobalt_reflective_dll
C:\Windows\System\UlOgGLg.exe	cobalt_reflective_dll
C:\Windows\System\cqzSEEG.exe	cobalt_reflective_dll
C:\Windows\System\YyETxZV.exe	cobalt_reflective_dll
C:\Windows\System\XthFEIG.exe	cobalt_reflective_dll
C:\Windows\System\aHjyxvJ.exe	cobalt_reflective_dll
C:\Windows\System\uXXSFhx.exe	cobalt_reflective_dll
C:\Windows\System\nPLvxQC.exe	cobalt_reflective_dll
C:\Windows\System\NyrqLeS.exe	cobalt_reflective_dll
C:\Windows\System\hUPhQTI.exe	cobalt_reflective_dll
C:\Windows\System\RjVrfvT.exe	cobalt_reflective_dll
C:\Windows\System\jBAKPAi.exe	cobalt_reflective_dll
C:\Windows\System\uGiGiSg.exe	cobalt_reflective_dll
C:\Windows\System\TtwaSnW.exe	cobalt_reflective_dll
C:\Windows\System\hubwVDO.exe	cobalt_reflective_dll
C:\Windows\System\ehXpbVj.exe	cobalt_reflective_dll
C:\Windows\System\HUXRCKQ.exe	cobalt_reflective_dll
C:\Windows\System\kkiImsV.exe	cobalt_reflective_dll
C:\Windows\System\KjViGpm.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\PaTcuxu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uQaXeHR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tAXBEoo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UlOgGLg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cqzSEEG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YyETxZV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XthFEIG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aHjyxvJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uXXSFhx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nPLvxQC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NyrqLeS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hUPhQTI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RjVrfvT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jBAKPAi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uGiGiSg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TtwaSnW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hubwVDO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ehXpbVj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HUXRCKQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kkiImsV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KjViGpm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1092-0-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	UPX
C:\Windows\System\PaTcuxu.exe	UPX
C:\Windows\System\uQaXeHR.exe	UPX
C:\Windows\System\tAXBEoo.exe	UPX
C:\Windows\System\UlOgGLg.exe	UPX
C:\Windows\System\cqzSEEG.exe	UPX
behavioral2/memory/3448-44-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	UPX
C:\Windows\System\YyETxZV.exe	UPX
C:\Windows\System\XthFEIG.exe	UPX
C:\Windows\System\aHjyxvJ.exe	UPX
C:\Windows\System\uXXSFhx.exe	UPX
behavioral2/memory/3328-105-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp	UPX
behavioral2/memory/1324-109-0x00007FF73F500000-0x00007FF73F851000-memory.dmp	UPX
C:\Windows\System\nPLvxQC.exe	UPX
C:\Windows\System\NyrqLeS.exe	UPX
behavioral2/memory/1012-110-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	UPX
behavioral2/memory/5092-108-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	UPX
behavioral2/memory/2568-107-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	UPX
behavioral2/memory/1620-106-0x00007FF609060000-0x00007FF6093B1000-memory.dmp	UPX
behavioral2/memory/4568-104-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp	UPX
behavioral2/memory/4848-103-0x00007FF792CB0000-0x00007FF793001000-memory.dmp	UPX
behavioral2/memory/4496-102-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp	UPX
behavioral2/memory/2884-98-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	UPX
C:\Windows\System\hUPhQTI.exe	UPX
C:\Windows\System\RjVrfvT.exe	UPX
C:\Windows\System\jBAKPAi.exe	UPX
C:\Windows\System\uGiGiSg.exe	UPX
C:\Windows\System\TtwaSnW.exe	UPX
C:\Windows\System\hubwVDO.exe	UPX
behavioral2/memory/4960-57-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	UPX
behavioral2/memory/1340-56-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	UPX
behavioral2/memory/516-52-0x00007FF701030000-0x00007FF701381000-memory.dmp	UPX
C:\Windows\System\ehXpbVj.exe	UPX
C:\Windows\System\HUXRCKQ.exe	UPX
behavioral2/memory/2232-33-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	UPX
behavioral2/memory/640-39-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	UPX
behavioral2/memory/3556-24-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	UPX
behavioral2/memory/2740-21-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	UPX
behavioral2/memory/2044-12-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	UPX
C:\Windows\System\kkiImsV.exe	UPX
behavioral2/memory/3448-130-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	UPX
behavioral2/memory/516-131-0x00007FF701030000-0x00007FF701381000-memory.dmp	UPX
behavioral2/memory/2568-144-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	UPX
behavioral2/memory/4220-147-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	UPX
behavioral2/memory/2168-146-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp	UPX
behavioral2/memory/5092-145-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	UPX
behavioral2/memory/1012-143-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	UPX
behavioral2/memory/1340-132-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	UPX
behavioral2/memory/640-128-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	UPX
C:\Windows\System\KjViGpm.exe	UPX
behavioral2/memory/4960-135-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	UPX
behavioral2/memory/2232-127-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	UPX
behavioral2/memory/3556-125-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	UPX
behavioral2/memory/1092-121-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	UPX
behavioral2/memory/1092-148-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	UPX
behavioral2/memory/1092-149-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	UPX
behavioral2/memory/2044-202-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	UPX
behavioral2/memory/2740-204-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	UPX
behavioral2/memory/3556-206-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	UPX
behavioral2/memory/2232-208-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	UPX
behavioral2/memory/640-210-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	UPX
behavioral2/memory/516-212-0x00007FF701030000-0x00007FF701381000-memory.dmp	UPX
behavioral2/memory/3448-214-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	UPX
behavioral2/memory/2884-220-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3328-105-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp	xmrig
behavioral2/memory/1324-109-0x00007FF73F500000-0x00007FF73F851000-memory.dmp	xmrig
behavioral2/memory/1620-106-0x00007FF609060000-0x00007FF6093B1000-memory.dmp	xmrig
behavioral2/memory/4568-104-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp	xmrig
behavioral2/memory/4848-103-0x00007FF792CB0000-0x00007FF793001000-memory.dmp	xmrig
behavioral2/memory/4496-102-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp	xmrig
behavioral2/memory/2884-98-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	xmrig
behavioral2/memory/2740-21-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	xmrig
behavioral2/memory/2044-12-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	xmrig
behavioral2/memory/3448-130-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	xmrig
behavioral2/memory/516-131-0x00007FF701030000-0x00007FF701381000-memory.dmp	xmrig
behavioral2/memory/2568-144-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	xmrig
behavioral2/memory/4220-147-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	xmrig
behavioral2/memory/2168-146-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp	xmrig
behavioral2/memory/5092-145-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	xmrig
behavioral2/memory/1012-143-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	xmrig
behavioral2/memory/1340-132-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	xmrig
behavioral2/memory/640-128-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	xmrig
behavioral2/memory/4960-135-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	xmrig
behavioral2/memory/2232-127-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	xmrig
behavioral2/memory/3556-125-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	xmrig
behavioral2/memory/1092-121-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	xmrig
behavioral2/memory/1092-148-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	xmrig
behavioral2/memory/1092-149-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	xmrig
behavioral2/memory/2044-202-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	xmrig
behavioral2/memory/2740-204-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	xmrig
behavioral2/memory/3556-206-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	xmrig
behavioral2/memory/2232-208-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	xmrig
behavioral2/memory/640-210-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	xmrig
behavioral2/memory/516-212-0x00007FF701030000-0x00007FF701381000-memory.dmp	xmrig
behavioral2/memory/3448-214-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	xmrig
behavioral2/memory/2884-220-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	xmrig
behavioral2/memory/4496-219-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp	xmrig
behavioral2/memory/1340-217-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	xmrig
behavioral2/memory/1324-223-0x00007FF73F500000-0x00007FF73F851000-memory.dmp	xmrig
behavioral2/memory/4960-230-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	xmrig
behavioral2/memory/4848-228-0x00007FF792CB0000-0x00007FF793001000-memory.dmp	xmrig
behavioral2/memory/4568-227-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp	xmrig
behavioral2/memory/3328-225-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp	xmrig
behavioral2/memory/1620-232-0x00007FF609060000-0x00007FF6093B1000-memory.dmp	xmrig
behavioral2/memory/2568-234-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	xmrig
behavioral2/memory/5092-238-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	xmrig
behavioral2/memory/1012-237-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	xmrig
behavioral2/memory/4220-243-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	xmrig
behavioral2/memory/2168-245-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

PaTcuxu.exeuQaXeHR.exetAXBEoo.exeUlOgGLg.exeHUXRCKQ.exeehXpbVj.execqzSEEG.exeYyETxZV.exehubwVDO.exeTtwaSnW.exeuGiGiSg.exejBAKPAi.exeXthFEIG.exeRjVrfvT.exehUPhQTI.exeaHjyxvJ.exeNyrqLeS.exeuXXSFhx.exenPLvxQC.exekkiImsV.exeKjViGpm.exe

pid	process
2044	PaTcuxu.exe
2740	uQaXeHR.exe
3556	tAXBEoo.exe
2232	UlOgGLg.exe
640	HUXRCKQ.exe
3448	ehXpbVj.exe
516	cqzSEEG.exe
2884	YyETxZV.exe
1340	hubwVDO.exe
4496	TtwaSnW.exe
4960	uGiGiSg.exe
1324	jBAKPAi.exe
4848	XthFEIG.exe
4568	RjVrfvT.exe
3328	hUPhQTI.exe
1620	aHjyxvJ.exe
1012	NyrqLeS.exe
2568	uXXSFhx.exe
5092	nPLvxQC.exe
2168	kkiImsV.exe
4220	KjViGpm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1092-0-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
C:\Windows\System\PaTcuxu.exe	upx
C:\Windows\System\uQaXeHR.exe	upx
C:\Windows\System\tAXBEoo.exe	upx
C:\Windows\System\UlOgGLg.exe	upx
C:\Windows\System\cqzSEEG.exe	upx
behavioral2/memory/3448-44-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	upx
C:\Windows\System\YyETxZV.exe	upx
C:\Windows\System\XthFEIG.exe	upx
C:\Windows\System\aHjyxvJ.exe	upx
C:\Windows\System\uXXSFhx.exe	upx
behavioral2/memory/3328-105-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp	upx
behavioral2/memory/1324-109-0x00007FF73F500000-0x00007FF73F851000-memory.dmp	upx
C:\Windows\System\nPLvxQC.exe	upx
C:\Windows\System\NyrqLeS.exe	upx
behavioral2/memory/1012-110-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	upx
behavioral2/memory/5092-108-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	upx
behavioral2/memory/2568-107-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	upx
behavioral2/memory/1620-106-0x00007FF609060000-0x00007FF6093B1000-memory.dmp	upx
behavioral2/memory/4568-104-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp	upx
behavioral2/memory/4848-103-0x00007FF792CB0000-0x00007FF793001000-memory.dmp	upx
behavioral2/memory/4496-102-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp	upx
behavioral2/memory/2884-98-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	upx
C:\Windows\System\hUPhQTI.exe	upx
C:\Windows\System\RjVrfvT.exe	upx
C:\Windows\System\jBAKPAi.exe	upx
C:\Windows\System\uGiGiSg.exe	upx
C:\Windows\System\TtwaSnW.exe	upx
C:\Windows\System\hubwVDO.exe	upx
behavioral2/memory/4960-57-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	upx
behavioral2/memory/1340-56-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	upx
behavioral2/memory/516-52-0x00007FF701030000-0x00007FF701381000-memory.dmp	upx
C:\Windows\System\ehXpbVj.exe	upx
C:\Windows\System\HUXRCKQ.exe	upx
behavioral2/memory/2232-33-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	upx
behavioral2/memory/640-39-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	upx
behavioral2/memory/3556-24-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	upx
behavioral2/memory/2740-21-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	upx
behavioral2/memory/2044-12-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	upx
C:\Windows\System\kkiImsV.exe	upx
behavioral2/memory/3448-130-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	upx
behavioral2/memory/516-131-0x00007FF701030000-0x00007FF701381000-memory.dmp	upx
behavioral2/memory/2568-144-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp	upx
behavioral2/memory/4220-147-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp	upx
behavioral2/memory/2168-146-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp	upx
behavioral2/memory/5092-145-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp	upx
behavioral2/memory/1012-143-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp	upx
behavioral2/memory/1340-132-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp	upx
behavioral2/memory/640-128-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	upx
C:\Windows\System\KjViGpm.exe	upx
behavioral2/memory/4960-135-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp	upx
behavioral2/memory/2232-127-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	upx
behavioral2/memory/3556-125-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	upx
behavioral2/memory/1092-121-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/memory/1092-148-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/memory/1092-149-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp	upx
behavioral2/memory/2044-202-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp	upx
behavioral2/memory/2740-204-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp	upx
behavioral2/memory/3556-206-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp	upx
behavioral2/memory/2232-208-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp	upx
behavioral2/memory/640-210-0x00007FF750760000-0x00007FF750AB1000-memory.dmp	upx
behavioral2/memory/516-212-0x00007FF701030000-0x00007FF701381000-memory.dmp	upx
behavioral2/memory/3448-214-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp	upx
behavioral2/memory/2884-220-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\kkiImsV.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PaTcuxu.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UlOgGLg.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hubwVDO.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YyETxZV.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUPhQTI.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NyrqLeS.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nPLvxQC.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HUXRCKQ.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cqzSEEG.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jBAKPAi.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XthFEIG.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RjVrfvT.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TtwaSnW.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uGiGiSg.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aHjyxvJ.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uXXSFhx.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tAXBEoo.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uQaXeHR.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ehXpbVj.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KjViGpm.exe	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1092 wrote to memory of 2044	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	PaTcuxu.exe
PID 1092 wrote to memory of 2044	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	PaTcuxu.exe
PID 1092 wrote to memory of 3556	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	tAXBEoo.exe
PID 1092 wrote to memory of 3556	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	tAXBEoo.exe
PID 1092 wrote to memory of 2740	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uQaXeHR.exe
PID 1092 wrote to memory of 2740	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uQaXeHR.exe
PID 1092 wrote to memory of 2232	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	UlOgGLg.exe
PID 1092 wrote to memory of 2232	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	UlOgGLg.exe
PID 1092 wrote to memory of 640	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	HUXRCKQ.exe
PID 1092 wrote to memory of 640	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	HUXRCKQ.exe
PID 1092 wrote to memory of 3448	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	ehXpbVj.exe
PID 1092 wrote to memory of 3448	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	ehXpbVj.exe
PID 1092 wrote to memory of 516	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	cqzSEEG.exe
PID 1092 wrote to memory of 516	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	cqzSEEG.exe
PID 1092 wrote to memory of 1340	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	hubwVDO.exe
PID 1092 wrote to memory of 1340	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	hubwVDO.exe
PID 1092 wrote to memory of 2884	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	YyETxZV.exe
PID 1092 wrote to memory of 2884	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	YyETxZV.exe
PID 1092 wrote to memory of 4496	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	TtwaSnW.exe
PID 1092 wrote to memory of 4496	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	TtwaSnW.exe
PID 1092 wrote to memory of 4960	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uGiGiSg.exe
PID 1092 wrote to memory of 4960	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uGiGiSg.exe
PID 1092 wrote to memory of 1324	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	jBAKPAi.exe
PID 1092 wrote to memory of 1324	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	jBAKPAi.exe
PID 1092 wrote to memory of 4848	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	XthFEIG.exe
PID 1092 wrote to memory of 4848	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	XthFEIG.exe
PID 1092 wrote to memory of 4568	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	RjVrfvT.exe
PID 1092 wrote to memory of 4568	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	RjVrfvT.exe
PID 1092 wrote to memory of 3328	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	hUPhQTI.exe
PID 1092 wrote to memory of 3328	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	hUPhQTI.exe
PID 1092 wrote to memory of 1620	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	aHjyxvJ.exe
PID 1092 wrote to memory of 1620	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	aHjyxvJ.exe
PID 1092 wrote to memory of 1012	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	NyrqLeS.exe
PID 1092 wrote to memory of 1012	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	NyrqLeS.exe
PID 1092 wrote to memory of 2568	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uXXSFhx.exe
PID 1092 wrote to memory of 2568	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	uXXSFhx.exe
PID 1092 wrote to memory of 5092	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	nPLvxQC.exe
PID 1092 wrote to memory of 5092	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	nPLvxQC.exe
PID 1092 wrote to memory of 2168	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	kkiImsV.exe
PID 1092 wrote to memory of 2168	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	kkiImsV.exe
PID 1092 wrote to memory of 4220	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	KjViGpm.exe
PID 1092 wrote to memory of 4220	1092	2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe	KjViGpm.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_2789ebac14a266434c13709f2f8bf0c1_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System\PaTcuxu.exe
C:\Windows\System\PaTcuxu.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\tAXBEoo.exe
C:\Windows\System\tAXBEoo.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\System\uQaXeHR.exe
C:\Windows\System\uQaXeHR.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\UlOgGLg.exe
C:\Windows\System\UlOgGLg.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\HUXRCKQ.exe
C:\Windows\System\HUXRCKQ.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\ehXpbVj.exe
C:\Windows\System\ehXpbVj.exe
2⤵
- Executes dropped EXE
PID:3448

C:\Windows\System\cqzSEEG.exe
C:\Windows\System\cqzSEEG.exe
2⤵
- Executes dropped EXE
PID:516

C:\Windows\System\hubwVDO.exe
C:\Windows\System\hubwVDO.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\YyETxZV.exe
C:\Windows\System\YyETxZV.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\TtwaSnW.exe
C:\Windows\System\TtwaSnW.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\uGiGiSg.exe
C:\Windows\System\uGiGiSg.exe
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\System\jBAKPAi.exe
C:\Windows\System\jBAKPAi.exe
2⤵
- Executes dropped EXE
PID:1324

C:\Windows\System\XthFEIG.exe
C:\Windows\System\XthFEIG.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\RjVrfvT.exe
C:\Windows\System\RjVrfvT.exe
2⤵
- Executes dropped EXE
PID:4568

C:\Windows\System\hUPhQTI.exe
C:\Windows\System\hUPhQTI.exe
2⤵
- Executes dropped EXE
PID:3328

C:\Windows\System\aHjyxvJ.exe
C:\Windows\System\aHjyxvJ.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\NyrqLeS.exe
C:\Windows\System\NyrqLeS.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Windows\System\uXXSFhx.exe
C:\Windows\System\uXXSFhx.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\nPLvxQC.exe
C:\Windows\System\nPLvxQC.exe
2⤵
- Executes dropped EXE
PID:5092

C:\Windows\System\kkiImsV.exe
C:\Windows\System\kkiImsV.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\KjViGpm.exe
C:\Windows\System\KjViGpm.exe
2⤵
- Executes dropped EXE
PID:4220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HUXRCKQ.exe

Filesize
5.2MB

MD5
3ee763766378a763dd3f1559c5708b17

SHA1
0d8a411cc4f8750ad21f381f9a479b1b3eb76c7e

SHA256
3c6062232c442cae495fdb3c39f661ccde6ba2243c5d2a854457f2f4a6bf7c04

SHA512
cfa203374b9c163d819259ad2490869be66887fcecdc1b8e4e43855b5669d385645ef334c07d6cf0a82160232a445f896821c1ad375ce7a805b50bc49d3308c2

Download Submit
C:\Windows\System\KjViGpm.exe

Filesize
5.2MB

MD5
db8dc5004d6606e2909e13469f110151

SHA1
8e5bcf7914fedb19e4044b4037e4d7e831da6ec5

SHA256
2d6c437eca5651978a579a2621bdf5b548173cc79546f1bb8f8c9bbaa744c559

SHA512
cd75487437a8e855514dbd7cd11031a9cf9527009727b1efb899e22f5b5fc9d146ba2fbe508024c43bb4385dee9670b2bedcf3960d4294181202f109b4031962

Download Submit
C:\Windows\System\NyrqLeS.exe

Filesize
5.2MB

MD5
c7a38762711e8ddfe006c98891d93882

SHA1
2bf11eea104f7ce73d52793e33714af21be1a28a

SHA256
bffceb97dd932584954c15039aaf1e87ee8fa45d3a85982554e9345cc34b8c5a

SHA512
019917d5f20fde067cee2278222b8a7d5a897e6112622f5dd02c91bd2a5f50964f592952265a740094ba759626d91d5f4276592ed323397625b9e9a1429903ea

Download Submit
C:\Windows\System\PaTcuxu.exe

Filesize
5.2MB

MD5
6a6efd5975fee62c6a4a004f59c55755

SHA1
c8b121a0b8cb4488c45ccb8b2422151a9c090b8f

SHA256
8f0f862abe02e6249a558fbd8950bdfa7636c8cd9192ba906459444af3548474

SHA512
441ee5107941a8582aee1a7c40f34ea609119fb0199200f13125aa0d1265b06545c1dfdc0e97cff6ef34082642d3827d56fcd69fd2dd2cba106199fb2897dc08

Download Submit
C:\Windows\System\RjVrfvT.exe

Filesize
5.2MB

MD5
3a8b9b3ebee3df6869bf59bfefb31d98

SHA1
fc7ed713633182b9ad2b17755732442d46ca5bba

SHA256
b4c9082e3b01177e28643efa1115629dfb7d9358fb70f2226a4d78c95c14cb62

SHA512
e86a34407fa0553c87a998987a2941701f448f90484e66d03bed8e0c0034bb2a5e87e0092232f1e83bbe7e7686b84106cf71702f7c150c7861b3875f86c0e1d9

Download Submit
C:\Windows\System\TtwaSnW.exe

Filesize
5.2MB

MD5
c396f7552610174f2ccd10297731702d

SHA1
6a1bad0f5d641f909bd84659381dd30cce270efd

SHA256
ea6ab54dfc35df9b9b5265d8137c2594891b47902474e037733496bd3c78a1b0

SHA512
462a8831de963616fad09da9b710817d6ee2f92ab5f07ff73548c5c983f128a8d40ea59e60b255e0459dd514594cedf2e4d067f1d62559a0eabd5caabc0b2b9a

Download Submit
C:\Windows\System\UlOgGLg.exe

Filesize
5.2MB

MD5
e52903e67d27670a954e4d3032e175dd

SHA1
39c6b53c331de5d66b55365621aacbc8dbe00bb5

SHA256
faa92d2a552cae9e49e037736891ebc7f8eb0c3538c1f91de1217096dcef6371

SHA512
0b549ac12e4d55209ec06837a22229d8c5e06261aca5f9b9cff5b2d2961e35615bc5856030b38d62e352ab718295c28bcca05e46b0d6ae0de423e4f6e4d6975e

Download Submit
C:\Windows\System\XthFEIG.exe

Filesize
5.2MB

MD5
148c2acd7f59458b0c003e83dd9106e2

SHA1
45af587001ca3f3d956f95a117b82c1cedaa2c3d

SHA256
3ef0833c3377af0101dd69c557be059c0c54ea5e2dc722813d59b498153d944a

SHA512
2b64ce090d4fc12463e896d195cdc53ee9929e99132f4d6c1b3cc3173ea66f59e4f1c59eeb7506cbd45e83c9296302a77e58da345a5dcd278cc7d560df5742b8

Download Submit
C:\Windows\System\YyETxZV.exe

Filesize
5.2MB

MD5
49c03b97a4f71ac026e19cb5a7cfe82e

SHA1
5308eca3559826dade2672d8f01561c8d910d685

SHA256
0a9bb2cf43cb954f52082218a6b2de13132e8c8d6bb84056a7f6b41107e901a3

SHA512
cfc4cb0bf5fe2806a17a58d18d4229a69ef96967849b78a5672bdd89b82bd8feb1fd3469c8a3d049f87cda946af7855e19407f42707fae501719db562ca65e43

Download Submit
C:\Windows\System\aHjyxvJ.exe

Filesize
5.2MB

MD5
aca20077f7adfb79639d3485d892a589

SHA1
c957f0611a7b3a10ad2f2e5e1413dc5e304b79c3

SHA256
998b3c5e65e3319c4500744cf761900b15c9b1f42f56589caf54ad93eed7229a

SHA512
1513dfefea61a55aa2e1b3a9d31772321cff908c84bd9a62baac1d261958bc83c2445722036e7f0398887e8f3c6963596797be4f6936e17405c9c327362ebf11

Download Submit
C:\Windows\System\cqzSEEG.exe

Filesize
5.2MB

MD5
bd33b178dd71b52b7c89c89e1c81d524

SHA1
d7f6b56774ca5a5b27b4674efbd371a3c3078402

SHA256
7f9819dd7527d42e9ef498aca527a0a0436121b6b439016de46b4785c7f98343

SHA512
055d902c09377f2883f619418d8dc80fefb131e1a3622bf92da606802f1a031e9208c812710c16e8fb96d92b6f203d776385a8f5f0b8962d7734368815589985

Download Submit
C:\Windows\System\ehXpbVj.exe

Filesize
5.2MB

MD5
8e9cc4f71364f18055e3142f1f8ef934

SHA1
30852d0cc92810c90187b309b250f50b3fd72511

SHA256
d0872dd08389f8d9ed6c7a9660ac2cdb05a6c982a5a50dc25e83bcbcf94181d2

SHA512
1b6006430195b0937fa4390ccfc5f8163935ba3976d9a64859181728dfa63312a29f0a4939ab53ec2c060d7b9b14abd7aea369a01edb647babba685bc1adfcff

Download Submit
C:\Windows\System\hUPhQTI.exe

Filesize
5.2MB

MD5
5076939079828584cbabfb81b9d31e1c

SHA1
623dfae24162888ad0ed50bd1f3e6efe36fba40e

SHA256
fb8b04115f9dbf403f3a3197a4718147a6601a16981e95d83874cdd3fd57f9d3

SHA512
7b00bcc8de6fd40f2c0c2d72e55f1287bafca5300e42cfb92b8a56ad16b2fdc3dafea335711878c7b5060d39e3f9f764c3b1c9e62d35de3e3e20200580c188b2

Download Submit
C:\Windows\System\hubwVDO.exe

Filesize
5.2MB

MD5
029bc51cdc1dd191d3be495b868e41bf

SHA1
55145214c6141dae0a3d02ca9255a30acda99176

SHA256
076ca7edb58e6e7f0a2356eb72e661cfe731be2da8d853bd03996d4b359357db

SHA512
f2ec48c0d87f2f813092f97488b41b1184a3cf340a1760ad751483952370f2b623d2a5decebd5e2d0acdad3127e296af1a712fec7fc6490bee00213181824ac8

Download Submit
C:\Windows\System\jBAKPAi.exe

Filesize
5.2MB

MD5
c52d0226833530adb51e0204116535d6

SHA1
c21b49b676ede4d95ba3c2e8237a28a08967374c

SHA256
49f14fffa3e4ceb0ac8b928096dee6e7a0aca6c8ecc60f3fab570aca10bb4b9b

SHA512
55abbe091773ffa3bd1b429d26d46b5871fa55221ecc86cbed30612820545e8e60e8081c85b0fe101a4e4acfa0587aab81ff9841fae475e1785852054e1b26ae

Download Submit
C:\Windows\System\kkiImsV.exe

Filesize
5.2MB

MD5
74c086487df396c7aa8756131ab3bc73

SHA1
8675dec1cd6b41df1ded7d93dd4b05ce43be9978

SHA256
fce489489f7379f7b355031da6f4347a0b3703fb8e947c6dc77eb26f063abf42

SHA512
2911be2e3d43d9b7f300d0ca7cbd3d13a7195754285e25584e27810a909e909b431fa6b1bdd9f22c1cfc03a68730998ce559421bced44c6632fe7fed373ae9ba

Download Submit
C:\Windows\System\nPLvxQC.exe

Filesize
5.2MB

MD5
85e3e6945c702a52003af151d0522586

SHA1
a1899ba7540186a4deba9842a5d02316c62ad7e8

SHA256
bd5a5cac1d85fede2029e3da20983beee59ca5e6c969e61caa3891586fa59d3d

SHA512
4196bd53a55afa2bb781e74878269505c9d1f5e3916e945004b7c0b51515924796d19d36df6af3801838801708d95f2c51f7cd0e44068975129e3ecbf5ba5e10

Download Submit
C:\Windows\System\tAXBEoo.exe

Filesize
5.2MB

MD5
c18b057f962d6eedd3698d6056303824

SHA1
4892c2724cf341b0d049bb242e149636a0fd148c

SHA256
0ec39ab8283cd535c517cfc6cd98c7992d31b3fea3e61f599f1ef4853fc5714e

SHA512
3f42b838acd23b958906f1a1603e576975432e3655694ff51229e912cbe67012b408b6f9d030e787f8284a61332a4618c7a346865e2cc379a5cc085a15084079

Download Submit
C:\Windows\System\uGiGiSg.exe

Filesize
5.2MB

MD5
7311e758dc802792c34f9480f01a658a

SHA1
4c1cfc4554902725526132266b69eb6a4e542d65

SHA256
6e57a63bdf73b062f2fb2f85323a2fa0f4cc0ba93c4ec76c7bd8e1e97e87ab45

SHA512
27c0ffdc300e652a13302b63ade5e49c43c6f6a47b9368df13545477681fab6e4fab277464889b6e726e1e9fd264d925b7a3bc98485f27f47a69818322dedbdd

Download Submit
C:\Windows\System\uQaXeHR.exe

Filesize
5.2MB

MD5
e89f5159c71d31c06249ea08ec1d7df6

SHA1
8bc9ea18d80b132d753f6cc57a9647bdf7446bec

SHA256
0e4805d2ae129c526b3d879abb6e2c15499871e0648dba3a530447854a9831bc

SHA512
d2a8ae20f4ba83ca0e5eecc7e708f5894e6d314fcbd35abed61f23208ffd30698d5002d0a9a8c06a6902db72e4108a02c3f2131168d3201228c7a1e111e67d4f

Download Submit
C:\Windows\System\uXXSFhx.exe

Filesize
5.2MB

MD5
a667800a73789dc03167b16a160e54d6

SHA1
9d6bff3f550c9f1714b6631c75fba00dbc104cee

SHA256
b06b53834780d995a216293322b7963bdc8d003d9bda7678fc28151fbc6cfaad

SHA512
060c938ab457486d9923f4d746032fd15078f4eab8d36ad3cc50e9d95927e56ac1a3007acdf3c97971740d41263e27363894788b2347fb85d53294ff5b4bfd6e

Download Submit
memory/516-52-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/516-131-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/516-212-0x00007FF701030000-0x00007FF701381000-memory.dmp

Filesize
3.3MB

Download
memory/640-39-0x00007FF750760000-0x00007FF750AB1000-memory.dmp

Filesize
3.3MB

Download
memory/640-210-0x00007FF750760000-0x00007FF750AB1000-memory.dmp

Filesize
3.3MB

Download
memory/640-128-0x00007FF750760000-0x00007FF750AB1000-memory.dmp

Filesize
3.3MB

Download
memory/1012-143-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1012-110-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1012-237-0x00007FF6B1780000-0x00007FF6B1AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1092-149-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/1092-1-0x000001E3E9CA0000-0x000001E3E9CB0000-memory.dmp

Filesize
64KB

Download
memory/1092-0-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/1092-121-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/1092-148-0x00007FF6EDB10000-0x00007FF6EDE61000-memory.dmp

Filesize
3.3MB

Download
memory/1324-223-0x00007FF73F500000-0x00007FF73F851000-memory.dmp

Filesize
3.3MB

Download
memory/1324-109-0x00007FF73F500000-0x00007FF73F851000-memory.dmp

Filesize
3.3MB

Download
memory/1340-56-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp

Filesize
3.3MB

Download
memory/1340-217-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp

Filesize
3.3MB

Download
memory/1340-132-0x00007FF66D1D0000-0x00007FF66D521000-memory.dmp

Filesize
3.3MB

Download
memory/1620-232-0x00007FF609060000-0x00007FF6093B1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-106-0x00007FF609060000-0x00007FF6093B1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-202-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-12-0x00007FF665D90000-0x00007FF6660E1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-245-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-146-0x00007FF75F680000-0x00007FF75F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2232-33-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp

Filesize
3.3MB

Download
memory/2232-208-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp

Filesize
3.3MB

Download
memory/2232-127-0x00007FF6A42D0000-0x00007FF6A4621000-memory.dmp

Filesize
3.3MB

Download
memory/2568-107-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-234-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-144-0x00007FF6499A0000-0x00007FF649CF1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-21-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-204-0x00007FF62EC90000-0x00007FF62EFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-220-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp

Filesize
3.3MB

Download
memory/2884-98-0x00007FF6C9DB0000-0x00007FF6CA101000-memory.dmp

Filesize
3.3MB

Download
memory/3328-225-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp

Filesize
3.3MB

Download
memory/3328-105-0x00007FF744AE0000-0x00007FF744E31000-memory.dmp

Filesize
3.3MB

Download
memory/3448-130-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp

Filesize
3.3MB

Download
memory/3448-44-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp

Filesize
3.3MB

Download
memory/3448-214-0x00007FF79EEE0000-0x00007FF79F231000-memory.dmp

Filesize
3.3MB

Download
memory/3556-206-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp

Filesize
3.3MB

Download
memory/3556-125-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp

Filesize
3.3MB

Download
memory/3556-24-0x00007FF600AF0000-0x00007FF600E41000-memory.dmp

Filesize
3.3MB

Download
memory/4220-147-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp

Filesize
3.3MB

Download
memory/4220-243-0x00007FF6AFDB0000-0x00007FF6B0101000-memory.dmp

Filesize
3.3MB

Download
memory/4496-102-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp

Filesize
3.3MB

Download
memory/4496-219-0x00007FF67AA40000-0x00007FF67AD91000-memory.dmp

Filesize
3.3MB

Download
memory/4568-104-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp

Filesize
3.3MB

Download
memory/4568-227-0x00007FF68D740000-0x00007FF68DA91000-memory.dmp

Filesize
3.3MB

Download
memory/4848-228-0x00007FF792CB0000-0x00007FF793001000-memory.dmp

Filesize
3.3MB

Download
memory/4848-103-0x00007FF792CB0000-0x00007FF793001000-memory.dmp

Filesize
3.3MB

Download
memory/4960-135-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp

Filesize
3.3MB

Download
memory/4960-230-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp

Filesize
3.3MB

Download
memory/4960-57-0x00007FF70F810000-0x00007FF70FB61000-memory.dmp

Filesize
3.3MB

Download
memory/5092-145-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp

Filesize
3.3MB

Download
memory/5092-108-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp

Filesize
3.3MB

Download
memory/5092-238-0x00007FF7DD610000-0x00007FF7DD961000-memory.dmp

Filesize
3.3MB

Download