cobaltstrike | 4f02cb8dc893619c18387387bdaca2ea4b66119fb6b6fdc5d44dd3c77fefc3f2

Analysis

max time kernel
141s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

c0c8395c28372c46ac0deffdf24c6e8a
SHA1

a32ccab9bef5abe403b9705c1d1306652a445755
SHA256

4f02cb8dc893619c18387387bdaca2ea4b66119fb6b6fdc5d44dd3c77fefc3f2
SHA512

90bea8b71a9e19fd2077b08b0fcc72e34a190441ea44e104227c5be189a3f4c3985e7c22ee2cc1ee73d6118cf51132f37cd8e9850b4f3ce858e4ac9e48b8670a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lk:RWWBibf56utgpPFotBER/mQ32lUw

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 14 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\TkKsLzE.exe	cobalt_reflective_dll
C:\Windows\System\BORaANe.exe	cobalt_reflective_dll
C:\Windows\System\sCYjzOj.exe	cobalt_reflective_dll
C:\Windows\System\mBQLGHn.exe	cobalt_reflective_dll
C:\Windows\System\ewuCVMk.exe	cobalt_reflective_dll
C:\Windows\System\qptbmWz.exe	cobalt_reflective_dll
C:\Windows\System\BzXWTAY.exe	cobalt_reflective_dll
C:\Windows\System\KVLGvfG.exe	cobalt_reflective_dll
C:\Windows\System\QQpbzDa.exe	cobalt_reflective_dll
C:\Windows\System\nCfKUUR.exe	cobalt_reflective_dll
C:\Windows\System\RAgqzQe.exe	cobalt_reflective_dll
C:\Windows\System\NABPmTf.exe	cobalt_reflective_dll
C:\Windows\System\SUhvVfw.exe	cobalt_reflective_dll
C:\Windows\System\PZhbmUR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 14 IoCs

Processes:

resource	yara_rule
C:\Windows\System\TkKsLzE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BORaANe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sCYjzOj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mBQLGHn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ewuCVMk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qptbmWz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BzXWTAY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KVLGvfG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QQpbzDa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nCfKUUR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RAgqzQe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NABPmTf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SUhvVfw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PZhbmUR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3056-7-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	UPX
C:\Windows\System\TkKsLzE.exe	UPX
C:\Windows\System\TkKsLzE.exe	UPX
C:\Windows\System\BORaANe.exe	UPX
C:\Windows\System\RAgqzQe.exe	UPX
C:\Windows\System\sCYjzOj.exe	UPX
C:\Windows\System\mBQLGHn.exe	UPX
behavioral2/memory/632-103-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	UPX
behavioral2/memory/4440-114-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	UPX
C:\Windows\System\qptbmWz.exe	UPX
behavioral2/memory/988-128-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	UPX
C:\Windows\System\ewuCVMk.exe	UPX
C:\Windows\System\qptbmWz.exe	UPX
behavioral2/memory/3996-113-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	UPX
C:\Windows\System\BzXWTAY.exe	UPX
behavioral2/memory/2532-110-0x00007FF725340000-0x00007FF725691000-memory.dmp	UPX
C:\Windows\System\KVLGvfG.exe	UPX
behavioral2/memory/5096-106-0x00007FF646210000-0x00007FF646561000-memory.dmp	UPX
C:\Windows\System\QQpbzDa.exe	UPX
C:\Windows\System\nCfKUUR.exe	UPX
behavioral2/memory/116-83-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	UPX
behavioral2/memory/1436-80-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	UPX
C:\Windows\System\RAgqzQe.exe	UPX
C:\Windows\System\NABPmTf.exe	UPX
behavioral2/memory/1452-65-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	UPX
behavioral2/memory/988-56-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	UPX
behavioral2/memory/3996-52-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	UPX
C:\Windows\System\SUhvVfw.exe	UPX
behavioral2/memory/2992-47-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp	UPX
C:\Windows\System\PZhbmUR.exe	UPX
C:\Windows\System\PZhbmUR.exe	UPX
behavioral2/memory/3812-40-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	UPX
behavioral2/memory/632-32-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	UPX
C:\Windows\System\rzMlVvE.exe	UPX
behavioral2/memory/4408-19-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	UPX
behavioral2/memory/116-14-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	UPX
C:\Windows\System\eLQesee.exe	UPX
behavioral2/memory/1452-136-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	UPX
behavioral2/memory/2068-138-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	UPX
behavioral2/memory/4880-139-0x00007FF653540000-0x00007FF653891000-memory.dmp	UPX
behavioral2/memory/4440-157-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	UPX
behavioral2/memory/2136-154-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	UPX
behavioral2/memory/2532-156-0x00007FF725340000-0x00007FF725691000-memory.dmp	UPX
behavioral2/memory/4880-161-0x00007FF653540000-0x00007FF653891000-memory.dmp	UPX
behavioral2/memory/3056-222-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	UPX
behavioral2/memory/116-224-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	UPX
behavioral2/memory/4408-226-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	UPX
behavioral2/memory/1256-228-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	UPX
behavioral2/memory/632-230-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	UPX
behavioral2/memory/3812-234-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	UPX
behavioral2/memory/2992-233-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp	UPX
behavioral2/memory/3996-236-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	UPX
behavioral2/memory/1452-238-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	UPX
behavioral2/memory/988-240-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	UPX
behavioral2/memory/2068-245-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	UPX
behavioral2/memory/4308-248-0x00007FF644020000-0x00007FF644371000-memory.dmp	UPX
behavioral2/memory/1436-246-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	UPX
behavioral2/memory/1572-243-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp	UPX
behavioral2/memory/4440-253-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	UPX
behavioral2/memory/2136-254-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	UPX
behavioral2/memory/2532-256-0x00007FF725340000-0x00007FF725691000-memory.dmp	UPX
behavioral2/memory/3552-258-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp	UPX
behavioral2/memory/3716-260-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp	UPX
behavioral2/memory/3272-262-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp	UPX

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4408-89-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	xmrig
behavioral2/memory/1572-90-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp	xmrig
behavioral2/memory/1256-91-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	xmrig
behavioral2/memory/632-103-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	xmrig
behavioral2/memory/988-128-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	xmrig
behavioral2/memory/3996-113-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	xmrig
behavioral2/memory/5096-106-0x00007FF646210000-0x00007FF646561000-memory.dmp	xmrig
behavioral2/memory/2136-97-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	xmrig
behavioral2/memory/4308-86-0x00007FF644020000-0x00007FF644371000-memory.dmp	xmrig
behavioral2/memory/3552-134-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp	xmrig
behavioral2/memory/3716-133-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp	xmrig
behavioral2/memory/116-83-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	xmrig
behavioral2/memory/3056-71-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	xmrig
behavioral2/memory/4880-60-0x00007FF653540000-0x00007FF653891000-memory.dmp	xmrig
behavioral2/memory/2992-47-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp	xmrig
behavioral2/memory/3812-40-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	xmrig
behavioral2/memory/3272-135-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp	xmrig
behavioral2/memory/1436-137-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	xmrig
behavioral2/memory/1452-136-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	xmrig
behavioral2/memory/2068-138-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	xmrig
behavioral2/memory/4880-139-0x00007FF653540000-0x00007FF653891000-memory.dmp	xmrig
behavioral2/memory/4440-157-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	xmrig
behavioral2/memory/2136-154-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	xmrig
behavioral2/memory/2532-156-0x00007FF725340000-0x00007FF725691000-memory.dmp	xmrig
behavioral2/memory/4880-161-0x00007FF653540000-0x00007FF653891000-memory.dmp	xmrig
behavioral2/memory/3056-222-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	xmrig
behavioral2/memory/116-224-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	xmrig
behavioral2/memory/4408-226-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	xmrig
behavioral2/memory/1256-228-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	xmrig
behavioral2/memory/632-230-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	xmrig
behavioral2/memory/3812-234-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	xmrig
behavioral2/memory/2992-233-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp	xmrig
behavioral2/memory/3996-236-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	xmrig
behavioral2/memory/1452-238-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	xmrig
behavioral2/memory/988-240-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	xmrig
behavioral2/memory/2068-245-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	xmrig
behavioral2/memory/4308-248-0x00007FF644020000-0x00007FF644371000-memory.dmp	xmrig
behavioral2/memory/1436-246-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	xmrig
behavioral2/memory/1572-243-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp	xmrig
behavioral2/memory/4440-253-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	xmrig
behavioral2/memory/2136-254-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	xmrig
behavioral2/memory/2532-256-0x00007FF725340000-0x00007FF725691000-memory.dmp	xmrig
behavioral2/memory/3552-258-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp	xmrig
behavioral2/memory/3716-260-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp	xmrig
behavioral2/memory/3272-262-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp	xmrig
behavioral2/memory/5096-251-0x00007FF646210000-0x00007FF646561000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

TkKsLzE.exeeLQesee.exeBORaANe.exerzMlVvE.execgYMxIr.exehwgnORy.exePZhbmUR.exeSUhvVfw.exeAerVpoj.exeGZpPkyb.exeNABPmTf.exeRAgqzQe.exesCYjzOj.exenCfKUUR.exemBQLGHn.exeQQpbzDa.exeKVLGvfG.exeBzXWTAY.exeqptbmWz.exeewuCVMk.exequbLxoO.exe

pid	process
3056	TkKsLzE.exe
116	eLQesee.exe
4408	BORaANe.exe
1256	rzMlVvE.exe
632	cgYMxIr.exe
3812	hwgnORy.exe
2992	PZhbmUR.exe
3996	SUhvVfw.exe
988	AerVpoj.exe
1452	GZpPkyb.exe
2068	NABPmTf.exe
1436	RAgqzQe.exe
4308	sCYjzOj.exe
1572	nCfKUUR.exe
2136	mBQLGHn.exe
5096	QQpbzDa.exe
2532	KVLGvfG.exe
4440	BzXWTAY.exe
3716	qptbmWz.exe
3552	ewuCVMk.exe
3272	qubLxoO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4880-0-0x00007FF653540000-0x00007FF653891000-memory.dmp	upx
behavioral2/memory/3056-7-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	upx
C:\Windows\System\TkKsLzE.exe	upx
C:\Windows\System\TkKsLzE.exe	upx
C:\Windows\System\BORaANe.exe	upx
behavioral2/memory/1256-26-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	upx
C:\Windows\System\RAgqzQe.exe	upx
C:\Windows\System\sCYjzOj.exe	upx
behavioral2/memory/4408-89-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	upx
behavioral2/memory/1572-90-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp	upx
behavioral2/memory/1256-91-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	upx
C:\Windows\System\mBQLGHn.exe	upx
behavioral2/memory/632-103-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	upx
behavioral2/memory/4440-114-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	upx
C:\Windows\System\qptbmWz.exe	upx
behavioral2/memory/988-128-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	upx
C:\Windows\System\ewuCVMk.exe	upx
C:\Windows\System\qptbmWz.exe	upx
behavioral2/memory/3996-113-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	upx
C:\Windows\System\BzXWTAY.exe	upx
behavioral2/memory/2532-110-0x00007FF725340000-0x00007FF725691000-memory.dmp	upx
C:\Windows\System\KVLGvfG.exe	upx
behavioral2/memory/5096-106-0x00007FF646210000-0x00007FF646561000-memory.dmp	upx
C:\Windows\System\QQpbzDa.exe	upx
behavioral2/memory/2136-97-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	upx
behavioral2/memory/4308-86-0x00007FF644020000-0x00007FF644371000-memory.dmp	upx
behavioral2/memory/3552-134-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp	upx
behavioral2/memory/3716-133-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp	upx
C:\Windows\System\nCfKUUR.exe	upx
behavioral2/memory/116-83-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	upx
behavioral2/memory/1436-80-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	upx
behavioral2/memory/2068-72-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	upx
behavioral2/memory/3056-71-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	upx
C:\Windows\System\RAgqzQe.exe	upx
C:\Windows\System\NABPmTf.exe	upx
behavioral2/memory/1452-65-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	upx
behavioral2/memory/4880-60-0x00007FF653540000-0x00007FF653891000-memory.dmp	upx
behavioral2/memory/988-56-0x00007FF666780000-0x00007FF666AD1000-memory.dmp	upx
behavioral2/memory/3996-52-0x00007FF698790000-0x00007FF698AE1000-memory.dmp	upx
C:\Windows\System\SUhvVfw.exe	upx
behavioral2/memory/2992-47-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp	upx
C:\Windows\System\PZhbmUR.exe	upx
C:\Windows\System\PZhbmUR.exe	upx
behavioral2/memory/3812-40-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	upx
behavioral2/memory/3272-135-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp	upx
behavioral2/memory/632-32-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	upx
C:\Windows\System\rzMlVvE.exe	upx
behavioral2/memory/4408-19-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	upx
behavioral2/memory/116-14-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	upx
C:\Windows\System\eLQesee.exe	upx
behavioral2/memory/1436-137-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp	upx
behavioral2/memory/1452-136-0x00007FF695380000-0x00007FF6956D1000-memory.dmp	upx
behavioral2/memory/2068-138-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp	upx
behavioral2/memory/4880-139-0x00007FF653540000-0x00007FF653891000-memory.dmp	upx
behavioral2/memory/4440-157-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp	upx
behavioral2/memory/2136-154-0x00007FF664560000-0x00007FF6648B1000-memory.dmp	upx
behavioral2/memory/2532-156-0x00007FF725340000-0x00007FF725691000-memory.dmp	upx
behavioral2/memory/4880-161-0x00007FF653540000-0x00007FF653891000-memory.dmp	upx
behavioral2/memory/3056-222-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp	upx
behavioral2/memory/116-224-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp	upx
behavioral2/memory/4408-226-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp	upx
behavioral2/memory/1256-228-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp	upx
behavioral2/memory/632-230-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp	upx
behavioral2/memory/3812-234-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\AerVpoj.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TkKsLzE.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eLQesee.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rzMlVvE.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SUhvVfw.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QQpbzDa.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ewuCVMk.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BORaANe.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PZhbmUR.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NABPmTf.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nCfKUUR.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RAgqzQe.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KVLGvfG.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BzXWTAY.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qubLxoO.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mBQLGHn.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qptbmWz.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cgYMxIr.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hwgnORy.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GZpPkyb.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sCYjzOj.exe	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4880 wrote to memory of 3056	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	TkKsLzE.exe
PID 4880 wrote to memory of 3056	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	TkKsLzE.exe
PID 4880 wrote to memory of 116	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	eLQesee.exe
PID 4880 wrote to memory of 116	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	eLQesee.exe
PID 4880 wrote to memory of 4408	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	BORaANe.exe
PID 4880 wrote to memory of 4408	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	BORaANe.exe
PID 4880 wrote to memory of 1256	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	rzMlVvE.exe
PID 4880 wrote to memory of 1256	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	rzMlVvE.exe
PID 4880 wrote to memory of 632	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	cgYMxIr.exe
PID 4880 wrote to memory of 632	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	cgYMxIr.exe
PID 4880 wrote to memory of 3812	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	hwgnORy.exe
PID 4880 wrote to memory of 3812	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	hwgnORy.exe
PID 4880 wrote to memory of 2992	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	PZhbmUR.exe
PID 4880 wrote to memory of 2992	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	PZhbmUR.exe
PID 4880 wrote to memory of 3996	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	SUhvVfw.exe
PID 4880 wrote to memory of 3996	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	SUhvVfw.exe
PID 4880 wrote to memory of 988	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	AerVpoj.exe
PID 4880 wrote to memory of 988	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	AerVpoj.exe
PID 4880 wrote to memory of 1452	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	GZpPkyb.exe
PID 4880 wrote to memory of 1452	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	GZpPkyb.exe
PID 4880 wrote to memory of 2068	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	NABPmTf.exe
PID 4880 wrote to memory of 2068	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	NABPmTf.exe
PID 4880 wrote to memory of 1436	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	RAgqzQe.exe
PID 4880 wrote to memory of 1436	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	RAgqzQe.exe
PID 4880 wrote to memory of 4308	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	sCYjzOj.exe
PID 4880 wrote to memory of 4308	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	sCYjzOj.exe
PID 4880 wrote to memory of 1572	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	nCfKUUR.exe
PID 4880 wrote to memory of 1572	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	nCfKUUR.exe
PID 4880 wrote to memory of 2136	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	mBQLGHn.exe
PID 4880 wrote to memory of 2136	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	mBQLGHn.exe
PID 4880 wrote to memory of 5096	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	QQpbzDa.exe
PID 4880 wrote to memory of 5096	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	QQpbzDa.exe
PID 4880 wrote to memory of 2532	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	KVLGvfG.exe
PID 4880 wrote to memory of 2532	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	KVLGvfG.exe
PID 4880 wrote to memory of 4440	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	BzXWTAY.exe
PID 4880 wrote to memory of 4440	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	BzXWTAY.exe
PID 4880 wrote to memory of 3552	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	ewuCVMk.exe
PID 4880 wrote to memory of 3552	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	ewuCVMk.exe
PID 4880 wrote to memory of 3716	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	qptbmWz.exe
PID 4880 wrote to memory of 3716	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	qptbmWz.exe
PID 4880 wrote to memory of 3272	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	qubLxoO.exe
PID 4880 wrote to memory of 3272	4880	2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe	qubLxoO.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c0c8395c28372c46ac0deffdf24c6e8a_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System\TkKsLzE.exe
  C:\Windows\System\TkKsLzE.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\eLQesee.exe
  C:\Windows\System\eLQesee.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\BORaANe.exe
  C:\Windows\System\BORaANe.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\rzMlVvE.exe
  C:\Windows\System\rzMlVvE.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\cgYMxIr.exe
  C:\Windows\System\cgYMxIr.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\hwgnORy.exe
  C:\Windows\System\hwgnORy.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\PZhbmUR.exe
  C:\Windows\System\PZhbmUR.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\SUhvVfw.exe
  C:\Windows\System\SUhvVfw.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\AerVpoj.exe
  C:\Windows\System\AerVpoj.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\GZpPkyb.exe
  C:\Windows\System\GZpPkyb.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\NABPmTf.exe
  C:\Windows\System\NABPmTf.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\RAgqzQe.exe
  C:\Windows\System\RAgqzQe.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\sCYjzOj.exe
  C:\Windows\System\sCYjzOj.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\nCfKUUR.exe
  C:\Windows\System\nCfKUUR.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\mBQLGHn.exe
  C:\Windows\System\mBQLGHn.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\QQpbzDa.exe
  C:\Windows\System\QQpbzDa.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\KVLGvfG.exe
  C:\Windows\System\KVLGvfG.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\BzXWTAY.exe
  C:\Windows\System\BzXWTAY.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\ewuCVMk.exe
  C:\Windows\System\ewuCVMk.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\qptbmWz.exe
  C:\Windows\System\qptbmWz.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\qubLxoO.exe
  C:\Windows\System\qubLxoO.exe
  2⤵
  - Executes dropped EXE
  PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BORaANe.exe

Filesize
5.2MB

MD5
1a0047601d8611e61e69350f657e6f28

SHA1
85c60cf532c6d8a6d9651473eef5786a92160c79

SHA256
83756167eea91d2b94a1a0688e6b3b90fbd6feae350616d445a0c2c33ba9e0a5

SHA512
4540f5f9149a34062d278c1e2a6080c1f5b027b63dd728fd68430e33a531cfc7be6e97aa9e365025c48fac9896d6d17d9d69917e7e72838d0a558ce473b23220

Download Submit
C:\Windows\System\BzXWTAY.exe

Filesize
5.2MB

MD5
6ae8e3926593e737a07cd2ea77e0fe54

SHA1
d5517add33a51384215192f89524b867e6c48a50

SHA256
8ba39d161a5a1842a06809bc59fa0773d59566ac6535ac922a2ff17ae7370c46

SHA512
3ea1d4524aaba87b16261177be91aa6e73f8f3550d4b5f559a1239ff6386016d72050f518faa00db54bb02096a93eee23356dcb600757fc98ef0a68f537c8f3d

Download Submit
C:\Windows\System\KVLGvfG.exe

Filesize
5.2MB

MD5
07cac703e110d9fb4c0579751373869b

SHA1
ad3ba740dad76cd577c59b523a4dab0dca4eeb20

SHA256
d6ec3bb8176e0535544e5780b7b02c3efa96ee294328acd8233e3d6b5b9e497a

SHA512
4cc50e2514ff78785bd1e515c427a26ed165a75d6b13b06fa80ea6306aee83558a9dac5448113070f201b1cc41b922bcb2c94066b8bc88abd74e72953e69f7b9

Download Submit
C:\Windows\System\NABPmTf.exe

Filesize
5.2MB

MD5
fc7ccf2b7c19c61956cc015595ea3675

SHA1
e3e64b85797348024de32719a9e8f4b2da6422ef

SHA256
1eff488aeb6ba567013583520736b5e074abf50eb288fd915a49533594170272

SHA512
bcdec8c878c69d131730a0fae1a51b0e643359cad0f0e05c6963e5d731d81190eb74c635d9961b0e230da3d064266380e9708cb4e7801ba89f389ad8a82843fb

Download Submit
C:\Windows\System\PZhbmUR.exe

Filesize
5.2MB

MD5
88e8f420e88d62211c2c582fd715ed73

SHA1
175d4a9e8867d5a4b6ec28fb3bd2cf004d873989

SHA256
22d0e00279243745f5b2fee098f4fd069dc14529fa705d39b43ccff7fb8caa9e

SHA512
cb0a3be81f31f4bf019d7a2e14a9a6b7b4ebb554467e0263a45cab191071560d560eb544a963c4981fa518d1ad465358fe490e9ba1e73aa28beed4b6fcc7408a

Download Submit
C:\Windows\System\PZhbmUR.exe

Filesize
2.1MB

MD5
8bcb05d9bcfba893b0c9a24fb80f6614

SHA1
5787929aa9a028156eff17f3dc6b3534a614751f

SHA256
c2b85fec940454260304826248a9c8767c8fd8661f4d8f9df2d49d53f354b177

SHA512
cd49e4319053da319c5e4d9adfd75fa0a3fa018ac7044e6437f9e748d51fcc424c57ff6b17d63db1f771e2d6057cb98e8c453c049529195658cea1958c0e6804

Download Submit
C:\Windows\System\QQpbzDa.exe

Filesize
5.2MB

MD5
f638c33e4339434eb6ea0009e4ee2063

SHA1
98b52b647ac0147d10cabccc180fc479e9fc5bca

SHA256
8e2e1c9dafaead55a526e3cd38b9260d5052f289072a7fae394f84db8a5acbdd

SHA512
6da1102f76a5778bff074dd5d2f1435bbe9da8dbb018c7e30ea5e63415fa0c37c536c9ea95e159303026d825ee6a852dd08e6c1daa61c8f757620d2f8ce8ff2a

Download Submit
C:\Windows\System\RAgqzQe.exe

Filesize
5.2MB

MD5
34ee7b80d480e878cdd0752548e1e5e4

SHA1
bd71e3bbf5c579dbdc698668a32a08c10af210a3

SHA256
dd7cc67c0b3317c94bfb0eb96de5d4280b6882f859f50dcf9cb8eda6b748117a

SHA512
05fb107cf12ddfd6b2abd14ffb89d860f20c768c96348de27bcf73e382d271373666fc1b96846447de1737fdf368615930778b20432f0a6f13208010e1169046

Download Submit
C:\Windows\System\RAgqzQe.exe

Filesize
1.2MB

MD5
dfd2c67e54cfdf354e8bbb29e332ac4c

SHA1
f24c275731b407476a6020a51b76ab1e2e179598

SHA256
c0be5d6112649ab730dd260148056a01227d051b9d17131042f6515fe6c2f010

SHA512
deec41c10fe0e2347f5445324da636126b3be5f85c230d035d5b6983b80abdc078e082d7a6098e2344c9a31a02e70ce3299e88c86063ee89cb6f4bc8de2697ce

Download Submit
C:\Windows\System\SUhvVfw.exe

Filesize
5.2MB

MD5
c896aff36ae15189bd151386dbcc0d2a

SHA1
1fef15239b2c6965a9aba85b3ffed2975b913e06

SHA256
13490b20bcf7a9c29b3d924906c2830e06c5ea416db703813532cc8665f83a5a

SHA512
1ae382bd76d96b6cc2afc52ebf9a7bed10b4ca9b6da7182342d35e08a12506deb52279991ea536265400a636b57cd67de8dd479d28ce5b0f296bf6bf5e2c3570

Download Submit
C:\Windows\System\TkKsLzE.exe

Filesize
3.6MB

MD5
d84891106dad0d7b4c34af85835ec4a8

SHA1
9665f97e962cdc4144cc100086ef9767ced5a5b4

SHA256
e8a5f91c8c2782a6bcd21f33eab10bf4224beef644a32d7ad28b3f57f788882d

SHA512
99ae93fd510de7cfcef873c985249199410b4395cf47a95aa3cb62c05fffe82e1b6c91a6f0f0d5f663e3d94c1f85eb70bf420495bec4261acf83c98b566255fe

Download Submit
C:\Windows\System\TkKsLzE.exe

Filesize
5.2MB

MD5
195ce6910a886350ecbe6a58daa3517d

SHA1
fb547c21c122d0a2f30ebab6f5f016bb3e51fc6d

SHA256
bb01b8d292cd3715a103bdb23a35220a5da22230ffc73f39f26bed321da1ec97

SHA512
23765276ea6b1a2621ced69d382db6669973e7092e8e8d6d49b5e475bbaaea8cf7aaebb913a275db5252dce7a5e86076dd00a01f11504722bc723d50725475b1

Download Submit
C:\Windows\System\eLQesee.exe

Filesize
4.3MB

MD5
a13a8d0815d860885bfa9dffc2cf3f43

SHA1
ba8ed394c789c67da35f142462ffcb146ba23145

SHA256
37801cac559eef09a2eafcac36911ee601c76d10a22a1e9fbdc475bb69ec2fef

SHA512
3e6ab34661d36946a5104f7f4a8797aed42473fba76921631e0d5bcc8950086db5f33a7e5f5d3fd5d0a18aeaa339c59a05dd30cc8cea91201cf5cf9f392095c2

Download Submit
C:\Windows\System\ewuCVMk.exe

Filesize
5.2MB

MD5
887c4db9c0e731c51c424f25723ca01e

SHA1
ebd4d0fec45790285506992b629378dbdf685bed

SHA256
8bdb3ec24c554b9ccb52964f39def71f5534abceb5aec814c918cc861abcac4a

SHA512
4a80f3d26dcd27c06e3614db59a15e70eda0ed392fc46dcf36320375a85a950d986e150e3f8fe8e6a084ee6d8c9d3a0a1c85df0e3bf8dc0563096df42e12868e

Download Submit
C:\Windows\System\mBQLGHn.exe

Filesize
5.2MB

MD5
c75c795d510b861f9f9b558cb79b1fbc

SHA1
d5add5618e5c3a7108967d8d5b9c9510ebec09aa

SHA256
5bec47309a6327ce4ba19196bf252a4b51e899e3d727c2dc2a100e252a0eee08

SHA512
c50063c1c71134f748e573d171811d1f33c168aa105479f20b41f27a816d5fb101e3298bf4d46910a258d07a1655cf0eabe4dc22c77b55d3371cd2a75f6a17b4

Download Submit
C:\Windows\System\nCfKUUR.exe

Filesize
5.2MB

MD5
61766f9cc12cf5573a414cdbe6b61b16

SHA1
28729773373596d9f584514c8f67e595dadfb7e1

SHA256
ea519d1ac115be7d6b82e6719d9e683f74ece818f62f43c303e9387ec35a764a

SHA512
8d298316114fb9954fb0bbef0775301287c93ff0e7dce1c95a94e62f06cdab3043b842cdff9f347f3064fe87bebb71640c309ee589364844d0eddbfa04acf432

Download Submit
C:\Windows\System\qptbmWz.exe

Filesize
5.2MB

MD5
6eb84780ec578014fd161168296e315f

SHA1
0f588f5efd7eba784fa3acfd7eb9bee8effcf279

SHA256
1df596e4eaf10d43f9dccf220096764379b5ce8c420de814644ae91c64482a2d

SHA512
7197619ddebc22e6fbbf209701e46c0bac88b967f72e604babbaaffe6e5aa0d17b0d6bdc5da7079d142de6e8ed7a5dfa85e9faa917239010d3e1592882be9149

Download Submit
C:\Windows\System\qptbmWz.exe

Filesize
1.8MB

MD5
127fc12f6faae6241480d3135e552500

SHA1
801e5edf3a087a26f7d10e6bccde102f07d029e4

SHA256
825915c16780b599c32204b48d20a1fbcb4baf2eb57960853aa1679574121fb8

SHA512
c859058e54b6a916c73c8cfc81b0347195ddc770d4112c2189cb2dc9a6aa8574b3ee3ca67deb659ca1901ed5c0c543ddc2ed6de390260167651487d0bed263fe

Download Submit
C:\Windows\System\rzMlVvE.exe

Filesize
2.5MB

MD5
4302e29560732a68d4ff81b99a9a6728

SHA1
867d3426704c9287d13c44a18f34eb929d02e60f

SHA256
eed7eb266aa3940308760212ce5afbae4e7c432894c30852d3d1775f4c7eed6c

SHA512
2ee8a738ad84db753abd103ff3d354485aa1cf9e249c2ea0fcf0e26edd26120d75a4c9186760b250295587218a1b2d94c1e8013658858f6ad83769cb8dd4057d

Download Submit
C:\Windows\System\sCYjzOj.exe

Filesize
5.2MB

MD5
3b1eb838a01fe1e43ca67be9e0326b86

SHA1
413824f1385e11fcaeef554eda4421930a30fe99

SHA256
c16538f5b7602b3a7801026403f451d5591c91bac592090cd517ad0412b71b87

SHA512
db1f24b7aef29bd9a61a5ff8e0815d33e2d1d85f87c5666ac0ef1bd01949c0c43a2cf24fdfa9a91e787ea234de34a490ea76c280c4f477fdb150f06fd0240d9e

Download Submit
memory/116-83-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/116-224-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/116-14-0x00007FF76C890000-0x00007FF76CBE1000-memory.dmp

Filesize
3.3MB

Download
memory/632-230-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp

Filesize
3.3MB

Download
memory/632-103-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp

Filesize
3.3MB

Download
memory/632-32-0x00007FF623B70000-0x00007FF623EC1000-memory.dmp

Filesize
3.3MB

Download
memory/988-240-0x00007FF666780000-0x00007FF666AD1000-memory.dmp

Filesize
3.3MB

Download
memory/988-56-0x00007FF666780000-0x00007FF666AD1000-memory.dmp

Filesize
3.3MB

Download
memory/988-128-0x00007FF666780000-0x00007FF666AD1000-memory.dmp

Filesize
3.3MB

Download
memory/1256-91-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp

Filesize
3.3MB

Download
memory/1256-26-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp

Filesize
3.3MB

Download
memory/1256-228-0x00007FF7EF6E0000-0x00007FF7EFA31000-memory.dmp

Filesize
3.3MB

Download
memory/1436-80-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-246-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp

Filesize
3.3MB

Download
memory/1436-137-0x00007FF632E60000-0x00007FF6331B1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-136-0x00007FF695380000-0x00007FF6956D1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-65-0x00007FF695380000-0x00007FF6956D1000-memory.dmp

Filesize
3.3MB

Download
memory/1452-238-0x00007FF695380000-0x00007FF6956D1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-90-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-243-0x00007FF7A5F90000-0x00007FF7A62E1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-138-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-72-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-245-0x00007FF62D150000-0x00007FF62D4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-254-0x00007FF664560000-0x00007FF6648B1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-97-0x00007FF664560000-0x00007FF6648B1000-memory.dmp

Filesize
3.3MB

Download
memory/2136-154-0x00007FF664560000-0x00007FF6648B1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-110-0x00007FF725340000-0x00007FF725691000-memory.dmp

Filesize
3.3MB

Download
memory/2532-156-0x00007FF725340000-0x00007FF725691000-memory.dmp

Filesize
3.3MB

Download
memory/2532-256-0x00007FF725340000-0x00007FF725691000-memory.dmp

Filesize
3.3MB

Download
memory/2992-47-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-233-0x00007FF7CC280000-0x00007FF7CC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-71-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-222-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-7-0x00007FF620F70000-0x00007FF6212C1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-135-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3272-262-0x00007FF7DE270000-0x00007FF7DE5C1000-memory.dmp

Filesize
3.3MB

Download
memory/3552-134-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp

Filesize
3.3MB

Download
memory/3552-258-0x00007FF7FA540000-0x00007FF7FA891000-memory.dmp

Filesize
3.3MB

Download
memory/3716-260-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp

Filesize
3.3MB

Download
memory/3716-133-0x00007FF7E7430000-0x00007FF7E7781000-memory.dmp

Filesize
3.3MB

Download
memory/3812-40-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp

Filesize
3.3MB

Download
memory/3812-234-0x00007FF7F6E70000-0x00007FF7F71C1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-52-0x00007FF698790000-0x00007FF698AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-113-0x00007FF698790000-0x00007FF698AE1000-memory.dmp

Filesize
3.3MB

Download
memory/3996-236-0x00007FF698790000-0x00007FF698AE1000-memory.dmp

Filesize
3.3MB

Download
memory/4308-86-0x00007FF644020000-0x00007FF644371000-memory.dmp

Filesize
3.3MB

Download
memory/4308-248-0x00007FF644020000-0x00007FF644371000-memory.dmp

Filesize
3.3MB

Download
memory/4408-226-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4408-89-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4408-19-0x00007FF76F730000-0x00007FF76FA81000-memory.dmp

Filesize
3.3MB

Download
memory/4440-114-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-253-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4440-157-0x00007FF6F8880000-0x00007FF6F8BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-161-0x00007FF653540000-0x00007FF653891000-memory.dmp

Filesize
3.3MB

Download
memory/4880-60-0x00007FF653540000-0x00007FF653891000-memory.dmp

Filesize
3.3MB

Download
memory/4880-1-0x000001E089070000-0x000001E089080000-memory.dmp

Filesize
64KB

Download
memory/4880-139-0x00007FF653540000-0x00007FF653891000-memory.dmp

Filesize
3.3MB

Download
memory/4880-0-0x00007FF653540000-0x00007FF653891000-memory.dmp

Filesize
3.3MB

Download
memory/5096-106-0x00007FF646210000-0x00007FF646561000-memory.dmp

Filesize
3.3MB

Download
memory/5096-251-0x00007FF646210000-0x00007FF646561000-memory.dmp

Filesize
3.3MB

Download