cobaltstrike | b663f4049653c0d99250404911288f9b4ed42c13ea3c26b61efde8e38d5deb04

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

091b914ccdf9cefeb659f95d68404b2f
SHA1

fa6564684573dd962d1f47344e6ac108ee48e417
SHA256

b663f4049653c0d99250404911288f9b4ed42c13ea3c26b61efde8e38d5deb04
SHA512

5035f7ea350ddd547725342a3edb21c83c3f05c2a7801c32e9e6b5438041e53faad68161517756e5000b4aa313a2e82a829573233c8d71aec4e0ade313692613
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUy:v+D56utgpPF8u/7y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\eXNAdre.exe	cobalt_reflective_dll
C:\Windows\System\zLLGRip.exe	cobalt_reflective_dll
C:\Windows\System\Zlbpsyb.exe	cobalt_reflective_dll
C:\Windows\System\qdCOoLr.exe	cobalt_reflective_dll
C:\Windows\System\uNABOGA.exe	cobalt_reflective_dll
C:\Windows\System\QCaQufx.exe	cobalt_reflective_dll
C:\Windows\System\yaEQSaC.exe	cobalt_reflective_dll
C:\Windows\System\LapOmGA.exe	cobalt_reflective_dll
C:\Windows\System\OlzCsHk.exe	cobalt_reflective_dll
C:\Windows\System\CUIgTlA.exe	cobalt_reflective_dll
C:\Windows\System\dLcfJpQ.exe	cobalt_reflective_dll
C:\Windows\System\TqyIzgg.exe	cobalt_reflective_dll
C:\Windows\System\RHqTlVO.exe	cobalt_reflective_dll
C:\Windows\System\sCUIuvP.exe	cobalt_reflective_dll
C:\Windows\System\GUgczEf.exe	cobalt_reflective_dll
C:\Windows\System\qUemRfj.exe	cobalt_reflective_dll
C:\Windows\System\dpPJkWo.exe	cobalt_reflective_dll
C:\Windows\System\mhiFdzm.exe	cobalt_reflective_dll
C:\Windows\System\zgdYSLt.exe	cobalt_reflective_dll
C:\Windows\System\OUclamA.exe	cobalt_reflective_dll
C:\Windows\System\SKisAwP.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\eXNAdre.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zLLGRip.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Zlbpsyb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qdCOoLr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uNABOGA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QCaQufx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yaEQSaC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LapOmGA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OlzCsHk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CUIgTlA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dLcfJpQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TqyIzgg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RHqTlVO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sCUIuvP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GUgczEf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qUemRfj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dpPJkWo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mhiFdzm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zgdYSLt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OUclamA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SKisAwP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4444-0-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	UPX
C:\Windows\System\eXNAdre.exe	UPX
behavioral2/memory/4772-8-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	UPX
C:\Windows\System\zLLGRip.exe	UPX
C:\Windows\System\Zlbpsyb.exe	UPX
behavioral2/memory/3980-12-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	UPX
behavioral2/memory/1004-18-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	UPX
C:\Windows\System\qdCOoLr.exe	UPX
behavioral2/memory/1284-26-0x00007FF749140000-0x00007FF749492000-memory.dmp	UPX
C:\Windows\System\uNABOGA.exe	UPX
behavioral2/memory/4592-32-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	UPX
C:\Windows\System\QCaQufx.exe	UPX
behavioral2/memory/3020-37-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	UPX
C:\Windows\System\yaEQSaC.exe	UPX
behavioral2/memory/4472-42-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	UPX
C:\Windows\System\LapOmGA.exe	UPX
C:\Windows\System\OlzCsHk.exe	UPX
C:\Windows\System\CUIgTlA.exe	UPX
behavioral2/memory/2968-65-0x00007FF704C20000-0x00007FF704F72000-memory.dmp	UPX
C:\Windows\System\dLcfJpQ.exe	UPX
behavioral2/memory/4772-71-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	UPX
behavioral2/memory/3980-82-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	UPX
C:\Windows\System\TqyIzgg.exe	UPX
C:\Windows\System\RHqTlVO.exe	UPX
C:\Windows\System\sCUIuvP.exe	UPX
C:\Windows\System\GUgczEf.exe	UPX
behavioral2/memory/312-128-0x00007FF759970000-0x00007FF759CC2000-memory.dmp	UPX
behavioral2/memory/1844-131-0x00007FF7E59E0000-0x00007FF7E5D32000-memory.dmp	UPX
behavioral2/memory/5000-130-0x00007FF608090000-0x00007FF6083E2000-memory.dmp	UPX
behavioral2/memory/1004-129-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	UPX
behavioral2/memory/3724-123-0x00007FF6E2950000-0x00007FF6E2CA2000-memory.dmp	UPX
behavioral2/memory/1884-122-0x00007FF716FB0000-0x00007FF717302000-memory.dmp	UPX
behavioral2/memory/2324-119-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	UPX
C:\Windows\System\qUemRfj.exe	UPX
C:\Windows\System\dpPJkWo.exe	UPX
behavioral2/memory/3088-109-0x00007FF7DFCD0000-0x00007FF7E0022000-memory.dmp	UPX
behavioral2/memory/2832-108-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	UPX
C:\Windows\System\mhiFdzm.exe	UPX
C:\Windows\System\zgdYSLt.exe	UPX
behavioral2/memory/2780-88-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	UPX
C:\Windows\System\OUclamA.exe	UPX
behavioral2/memory/2508-77-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	UPX
behavioral2/memory/3416-66-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	UPX
C:\Windows\System\SKisAwP.exe	UPX
behavioral2/memory/4444-63-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	UPX
behavioral2/memory/5012-55-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	UPX
behavioral2/memory/1312-48-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	UPX
behavioral2/memory/1284-132-0x00007FF749140000-0x00007FF749492000-memory.dmp	UPX
behavioral2/memory/4592-133-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	UPX
behavioral2/memory/4472-134-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	UPX
behavioral2/memory/1312-135-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	UPX
behavioral2/memory/5012-136-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	UPX
behavioral2/memory/3416-137-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	UPX
behavioral2/memory/2508-138-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	UPX
behavioral2/memory/2832-139-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	UPX
behavioral2/memory/2780-140-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	UPX
behavioral2/memory/2324-141-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	UPX
behavioral2/memory/4772-142-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	UPX
behavioral2/memory/3980-143-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	UPX
behavioral2/memory/1004-144-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	UPX
behavioral2/memory/1284-145-0x00007FF749140000-0x00007FF749492000-memory.dmp	UPX
behavioral2/memory/4592-146-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	UPX
behavioral2/memory/3020-147-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	UPX
behavioral2/memory/4472-148-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4444-0-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	xmrig
C:\Windows\System\eXNAdre.exe	xmrig
behavioral2/memory/4772-8-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	xmrig
C:\Windows\System\zLLGRip.exe	xmrig
C:\Windows\System\Zlbpsyb.exe	xmrig
behavioral2/memory/3980-12-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	xmrig
behavioral2/memory/1004-18-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	xmrig
C:\Windows\System\qdCOoLr.exe	xmrig
behavioral2/memory/1284-26-0x00007FF749140000-0x00007FF749492000-memory.dmp	xmrig
C:\Windows\System\uNABOGA.exe	xmrig
behavioral2/memory/4592-32-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	xmrig
C:\Windows\System\QCaQufx.exe	xmrig
behavioral2/memory/3020-37-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	xmrig
C:\Windows\System\yaEQSaC.exe	xmrig
behavioral2/memory/4472-42-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	xmrig
C:\Windows\System\LapOmGA.exe	xmrig
C:\Windows\System\OlzCsHk.exe	xmrig
C:\Windows\System\CUIgTlA.exe	xmrig
behavioral2/memory/2968-65-0x00007FF704C20000-0x00007FF704F72000-memory.dmp	xmrig
C:\Windows\System\dLcfJpQ.exe	xmrig
behavioral2/memory/4772-71-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	xmrig
behavioral2/memory/3980-82-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	xmrig
C:\Windows\System\TqyIzgg.exe	xmrig
C:\Windows\System\RHqTlVO.exe	xmrig
C:\Windows\System\sCUIuvP.exe	xmrig
C:\Windows\System\GUgczEf.exe	xmrig
behavioral2/memory/312-128-0x00007FF759970000-0x00007FF759CC2000-memory.dmp	xmrig
behavioral2/memory/1844-131-0x00007FF7E59E0000-0x00007FF7E5D32000-memory.dmp	xmrig
behavioral2/memory/5000-130-0x00007FF608090000-0x00007FF6083E2000-memory.dmp	xmrig
behavioral2/memory/1004-129-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	xmrig
behavioral2/memory/3724-123-0x00007FF6E2950000-0x00007FF6E2CA2000-memory.dmp	xmrig
behavioral2/memory/1884-122-0x00007FF716FB0000-0x00007FF717302000-memory.dmp	xmrig
behavioral2/memory/2324-119-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	xmrig
C:\Windows\System\qUemRfj.exe	xmrig
C:\Windows\System\dpPJkWo.exe	xmrig
behavioral2/memory/3088-109-0x00007FF7DFCD0000-0x00007FF7E0022000-memory.dmp	xmrig
behavioral2/memory/2832-108-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	xmrig
C:\Windows\System\mhiFdzm.exe	xmrig
C:\Windows\System\zgdYSLt.exe	xmrig
behavioral2/memory/2780-88-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	xmrig
C:\Windows\System\OUclamA.exe	xmrig
behavioral2/memory/2508-77-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	xmrig
behavioral2/memory/3416-66-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	xmrig
C:\Windows\System\SKisAwP.exe	xmrig
behavioral2/memory/4444-63-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	xmrig
behavioral2/memory/5012-55-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	xmrig
behavioral2/memory/1312-48-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	xmrig
behavioral2/memory/1284-132-0x00007FF749140000-0x00007FF749492000-memory.dmp	xmrig
behavioral2/memory/4592-133-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	xmrig
behavioral2/memory/4472-134-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	xmrig
behavioral2/memory/1312-135-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	xmrig
behavioral2/memory/5012-136-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	xmrig
behavioral2/memory/3416-137-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	xmrig
behavioral2/memory/2508-138-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	xmrig
behavioral2/memory/2832-139-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	xmrig
behavioral2/memory/2780-140-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	xmrig
behavioral2/memory/2324-141-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	xmrig
behavioral2/memory/4772-142-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	xmrig
behavioral2/memory/3980-143-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	xmrig
behavioral2/memory/1004-144-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	xmrig
behavioral2/memory/1284-145-0x00007FF749140000-0x00007FF749492000-memory.dmp	xmrig
behavioral2/memory/4592-146-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	xmrig
behavioral2/memory/3020-147-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	xmrig
behavioral2/memory/4472-148-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

eXNAdre.exezLLGRip.exeZlbpsyb.exeqdCOoLr.exeuNABOGA.exeQCaQufx.exeyaEQSaC.exeLapOmGA.exeSKisAwP.exeCUIgTlA.exeOlzCsHk.exedLcfJpQ.exeOUclamA.exezgdYSLt.exemhiFdzm.exeTqyIzgg.exedpPJkWo.exeqUemRfj.exeRHqTlVO.exeGUgczEf.exesCUIuvP.exe

pid	process
4772	eXNAdre.exe
3980	zLLGRip.exe
1004	Zlbpsyb.exe
1284	qdCOoLr.exe
4592	uNABOGA.exe
3020	QCaQufx.exe
4472	yaEQSaC.exe
1312	LapOmGA.exe
5012	SKisAwP.exe
2968	CUIgTlA.exe
3416	OlzCsHk.exe
2508	dLcfJpQ.exe
2780	OUclamA.exe
2832	zgdYSLt.exe
5000	mhiFdzm.exe
3088	TqyIzgg.exe
2324	dpPJkWo.exe
1884	qUemRfj.exe
3724	RHqTlVO.exe
1844	GUgczEf.exe
312	sCUIuvP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4444-0-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	upx
C:\Windows\System\eXNAdre.exe	upx
behavioral2/memory/4772-8-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	upx
C:\Windows\System\zLLGRip.exe	upx
C:\Windows\System\Zlbpsyb.exe	upx
behavioral2/memory/3980-12-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	upx
behavioral2/memory/1004-18-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	upx
C:\Windows\System\qdCOoLr.exe	upx
behavioral2/memory/1284-26-0x00007FF749140000-0x00007FF749492000-memory.dmp	upx
C:\Windows\System\uNABOGA.exe	upx
behavioral2/memory/4592-32-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	upx
C:\Windows\System\QCaQufx.exe	upx
behavioral2/memory/3020-37-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	upx
C:\Windows\System\yaEQSaC.exe	upx
behavioral2/memory/4472-42-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	upx
C:\Windows\System\LapOmGA.exe	upx
C:\Windows\System\OlzCsHk.exe	upx
C:\Windows\System\CUIgTlA.exe	upx
behavioral2/memory/2968-65-0x00007FF704C20000-0x00007FF704F72000-memory.dmp	upx
C:\Windows\System\dLcfJpQ.exe	upx
behavioral2/memory/4772-71-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	upx
behavioral2/memory/3980-82-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	upx
C:\Windows\System\TqyIzgg.exe	upx
C:\Windows\System\RHqTlVO.exe	upx
C:\Windows\System\sCUIuvP.exe	upx
C:\Windows\System\GUgczEf.exe	upx
behavioral2/memory/312-128-0x00007FF759970000-0x00007FF759CC2000-memory.dmp	upx
behavioral2/memory/1844-131-0x00007FF7E59E0000-0x00007FF7E5D32000-memory.dmp	upx
behavioral2/memory/5000-130-0x00007FF608090000-0x00007FF6083E2000-memory.dmp	upx
behavioral2/memory/1004-129-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	upx
behavioral2/memory/3724-123-0x00007FF6E2950000-0x00007FF6E2CA2000-memory.dmp	upx
behavioral2/memory/1884-122-0x00007FF716FB0000-0x00007FF717302000-memory.dmp	upx
behavioral2/memory/2324-119-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	upx
C:\Windows\System\qUemRfj.exe	upx
C:\Windows\System\dpPJkWo.exe	upx
behavioral2/memory/3088-109-0x00007FF7DFCD0000-0x00007FF7E0022000-memory.dmp	upx
behavioral2/memory/2832-108-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	upx
C:\Windows\System\mhiFdzm.exe	upx
C:\Windows\System\zgdYSLt.exe	upx
behavioral2/memory/2780-88-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	upx
C:\Windows\System\OUclamA.exe	upx
behavioral2/memory/2508-77-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	upx
behavioral2/memory/3416-66-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	upx
C:\Windows\System\SKisAwP.exe	upx
behavioral2/memory/4444-63-0x00007FF652390000-0x00007FF6526E2000-memory.dmp	upx
behavioral2/memory/5012-55-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	upx
behavioral2/memory/1312-48-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	upx
behavioral2/memory/1284-132-0x00007FF749140000-0x00007FF749492000-memory.dmp	upx
behavioral2/memory/4592-133-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	upx
behavioral2/memory/4472-134-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	upx
behavioral2/memory/1312-135-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp	upx
behavioral2/memory/5012-136-0x00007FF604B40000-0x00007FF604E92000-memory.dmp	upx
behavioral2/memory/3416-137-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp	upx
behavioral2/memory/2508-138-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp	upx
behavioral2/memory/2832-139-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp	upx
behavioral2/memory/2780-140-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp	upx
behavioral2/memory/2324-141-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp	upx
behavioral2/memory/4772-142-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp	upx
behavioral2/memory/3980-143-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp	upx
behavioral2/memory/1004-144-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp	upx
behavioral2/memory/1284-145-0x00007FF749140000-0x00007FF749492000-memory.dmp	upx
behavioral2/memory/4592-146-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp	upx
behavioral2/memory/3020-147-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp	upx
behavioral2/memory/4472-148-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\zLLGRip.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qdCOoLr.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LapOmGA.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SKisAwP.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OUclamA.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eXNAdre.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Zlbpsyb.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CUIgTlA.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OlzCsHk.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zgdYSLt.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RHqTlVO.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uNABOGA.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QCaQufx.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yaEQSaC.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mhiFdzm.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dpPJkWo.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qUemRfj.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dLcfJpQ.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TqyIzgg.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GUgczEf.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sCUIuvP.exe	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4444 wrote to memory of 4772	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	eXNAdre.exe
PID 4444 wrote to memory of 4772	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	eXNAdre.exe
PID 4444 wrote to memory of 3980	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	zLLGRip.exe
PID 4444 wrote to memory of 3980	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	zLLGRip.exe
PID 4444 wrote to memory of 1004	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	Zlbpsyb.exe
PID 4444 wrote to memory of 1004	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	Zlbpsyb.exe
PID 4444 wrote to memory of 1284	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	qdCOoLr.exe
PID 4444 wrote to memory of 1284	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	qdCOoLr.exe
PID 4444 wrote to memory of 4592	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	uNABOGA.exe
PID 4444 wrote to memory of 4592	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	uNABOGA.exe
PID 4444 wrote to memory of 3020	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QCaQufx.exe
PID 4444 wrote to memory of 3020	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	QCaQufx.exe
PID 4444 wrote to memory of 4472	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	yaEQSaC.exe
PID 4444 wrote to memory of 4472	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	yaEQSaC.exe
PID 4444 wrote to memory of 1312	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	LapOmGA.exe
PID 4444 wrote to memory of 1312	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	LapOmGA.exe
PID 4444 wrote to memory of 5012	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	SKisAwP.exe
PID 4444 wrote to memory of 5012	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	SKisAwP.exe
PID 4444 wrote to memory of 2968	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	CUIgTlA.exe
PID 4444 wrote to memory of 2968	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	CUIgTlA.exe
PID 4444 wrote to memory of 3416	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OlzCsHk.exe
PID 4444 wrote to memory of 3416	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OlzCsHk.exe
PID 4444 wrote to memory of 2508	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dLcfJpQ.exe
PID 4444 wrote to memory of 2508	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dLcfJpQ.exe
PID 4444 wrote to memory of 2780	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OUclamA.exe
PID 4444 wrote to memory of 2780	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	OUclamA.exe
PID 4444 wrote to memory of 2832	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	zgdYSLt.exe
PID 4444 wrote to memory of 2832	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	zgdYSLt.exe
PID 4444 wrote to memory of 5000	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	mhiFdzm.exe
PID 4444 wrote to memory of 5000	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	mhiFdzm.exe
PID 4444 wrote to memory of 3088	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	TqyIzgg.exe
PID 4444 wrote to memory of 3088	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	TqyIzgg.exe
PID 4444 wrote to memory of 2324	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dpPJkWo.exe
PID 4444 wrote to memory of 2324	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	dpPJkWo.exe
PID 4444 wrote to memory of 1884	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	qUemRfj.exe
PID 4444 wrote to memory of 1884	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	qUemRfj.exe
PID 4444 wrote to memory of 3724	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	RHqTlVO.exe
PID 4444 wrote to memory of 3724	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	RHqTlVO.exe
PID 4444 wrote to memory of 1844	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	GUgczEf.exe
PID 4444 wrote to memory of 1844	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	GUgczEf.exe
PID 4444 wrote to memory of 312	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sCUIuvP.exe
PID 4444 wrote to memory of 312	4444	2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe	sCUIuvP.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_091b914ccdf9cefeb659f95d68404b2f_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System\eXNAdre.exe
C:\Windows\System\eXNAdre.exe
2⤵
- Executes dropped EXE
PID:4772

C:\Windows\System\zLLGRip.exe
C:\Windows\System\zLLGRip.exe
2⤵
- Executes dropped EXE
PID:3980

C:\Windows\System\Zlbpsyb.exe
C:\Windows\System\Zlbpsyb.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Windows\System\qdCOoLr.exe
C:\Windows\System\qdCOoLr.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\System\uNABOGA.exe
C:\Windows\System\uNABOGA.exe
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\System\QCaQufx.exe
C:\Windows\System\QCaQufx.exe
2⤵
- Executes dropped EXE
PID:3020

C:\Windows\System\yaEQSaC.exe
C:\Windows\System\yaEQSaC.exe
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\System\LapOmGA.exe
C:\Windows\System\LapOmGA.exe
2⤵
- Executes dropped EXE
PID:1312

C:\Windows\System\SKisAwP.exe
C:\Windows\System\SKisAwP.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\CUIgTlA.exe
C:\Windows\System\CUIgTlA.exe
2⤵
- Executes dropped EXE
PID:2968

C:\Windows\System\OlzCsHk.exe
C:\Windows\System\OlzCsHk.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System\dLcfJpQ.exe
C:\Windows\System\dLcfJpQ.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\OUclamA.exe
C:\Windows\System\OUclamA.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\zgdYSLt.exe
C:\Windows\System\zgdYSLt.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\mhiFdzm.exe
C:\Windows\System\mhiFdzm.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\System\TqyIzgg.exe
C:\Windows\System\TqyIzgg.exe
2⤵
- Executes dropped EXE
PID:3088

C:\Windows\System\dpPJkWo.exe
C:\Windows\System\dpPJkWo.exe
2⤵
- Executes dropped EXE
PID:2324

C:\Windows\System\qUemRfj.exe
C:\Windows\System\qUemRfj.exe
2⤵
- Executes dropped EXE
PID:1884

C:\Windows\System\RHqTlVO.exe
C:\Windows\System\RHqTlVO.exe
2⤵
- Executes dropped EXE
PID:3724

C:\Windows\System\GUgczEf.exe
C:\Windows\System\GUgczEf.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\System\sCUIuvP.exe
C:\Windows\System\sCUIuvP.exe
2⤵
- Executes dropped EXE
PID:312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CUIgTlA.exe

Filesize
8.3MB

MD5
53179c422d55e05b527f06f369c3767c

SHA1
ccb9149096f73cf2f9bd0c2bec1c049bd01b7107

SHA256
5edb7d10e7af07fe529ea6a5c4eb85e86d5ee2626318b5fe957989b8aba55d03

SHA512
0a2ad34977fe0f845cdf88216d43037d4b084f17466bfdfd92ac37e6aeafba9808c5af99f8af9b1348912477534510f9499ad0c3b94bceb69824b191e6112cee

Download Submit
C:\Windows\System\GUgczEf.exe

Filesize
8.3MB

MD5
99463cae6c58bb43b1cc63486f07d206

SHA1
57b800329e1a30002c8142c816e9021bb437704b

SHA256
27e84837a93102bfae8557d74e654bdc841087326f642d0acda8e7a8ddfa0fc5

SHA512
3f9c300a613443329252463f2a648656b04275a1dd0a7d49e6bca28edf6a9db0185e1cc1a59286ccd4f7f1d2e754988f8be85c411241a975307fa10b0e867dcb

Download Submit
C:\Windows\System\LapOmGA.exe

Filesize
8.3MB

MD5
9b8dc50960fed23c674d46e10ce2db9f

SHA1
597a589d2c6bc31ab8fdf693eaf0af589343512d

SHA256
82d445a532c2be09056134486ad84249747e6bbb01868642310e24f465c84db4

SHA512
ed01e8b64d9151ec5d40d033dc2ddb879877f34742bfdcb7ea2c0b47465bb195b16355a41406eb60800350871903f14958369f730a88d9b9c79cb0b3d2eb8ac5

Download Submit
C:\Windows\System\OUclamA.exe

Filesize
8.3MB

MD5
355586f22a11e3947442704165496cd4

SHA1
24399e57aabddd2cd47af8297e488a227bc9d1a6

SHA256
6631ac307b02114eecab726e4dc9c989f54d355c551cac42bc47d517db3c678f

SHA512
e5b1eb5b82de5527f8c2f1b473a9249225a74c4cc98c309a401a17b12386e9ef09ee2b676642711e7eff25eee0f319b2ec2c91b33d5169d17cdec11b2963fe8d

Download Submit
C:\Windows\System\OlzCsHk.exe

Filesize
8.3MB

MD5
c317cb2346f757bdaa2ad6888e1f7f33

SHA1
722ad91c69523707ee4b10fd9240455117deed37

SHA256
c1d6b0f2b7dc444be78ecc4f4d857b63370139640372fd729c85c65a592a9aa8

SHA512
36a7175a455585461e9881594b2dd4f92bf0adf44db326a6ed222bf5488aef6bc1dc7b9e53aba2024098836517594ce96da7fcba8291be0bce878d64f6dc3795

Download Submit
C:\Windows\System\QCaQufx.exe

Filesize
8.3MB

MD5
bd36adf674779e6802e7792291035261

SHA1
25260f51128239c5144bd5db4740e1c622f08612

SHA256
6cd5940034273e9981aecfbcba1b4f517df82f46a0911d8b08e9b095367a7bdc

SHA512
0f6cd2c700d39599561ce6cf8851cce5c21722820d6a03f47b0a77b2c81fb7034bd9bcda1f6681c00169e060a50426b8ccb6bc1f97f7dad9364d2430800d8882

Download Submit
C:\Windows\System\RHqTlVO.exe

Filesize
8.3MB

MD5
c1ab556b592aa07aec27f4c3d0a7bf04

SHA1
cae8b1a9f8dc1025d38e4e87bd126dbc30c0b424

SHA256
a3b1e47652a6c7b37e34c3ad8f52680484e9400676a9c908110430332eec520b

SHA512
026a61715bd2ada3750a775db7360cee9b626470a019a39c80ae0b91ef3aee7976483d32f343cd5a5b9c70e2434241bc1368e81d89403f773e982818e8399e15

Download Submit
C:\Windows\System\SKisAwP.exe

Filesize
8.3MB

MD5
182f14d1514571e118bed959b1ff56ff

SHA1
c8fc1cbd00ff72d46f659903f41c1d2d9882d5ce

SHA256
c0e84448adc3765edec4b75315c3e4d88546bd1921715f7b287c6583b0078223

SHA512
9af96c021e7f119ba8e811becb06f0831d3c0e3a46c5cd3b840a41b2d5f4923ff5e85eeaa512652dc45ea04b3bede763d069e278594bc9324912149194a20641

Download Submit
C:\Windows\System\TqyIzgg.exe

Filesize
8.3MB

MD5
5a97b2d76cdd464349f42ffd116aad02

SHA1
5e32a1b35483942f8fccae77fea38ef1d8bb6c5b

SHA256
74955a4bcd1746f4b8fea6f1162ed33cd1fc9327a7bd7478a9e8551fd00a3b25

SHA512
30af07013825e22bf6f03eebb824a5e9a4dbc46d2bdef96219037214f09ac168d30cce9e1b15a806ba43ada1a131104639a4468936563502b0d8e77839912a18

Download Submit
C:\Windows\System\Zlbpsyb.exe

Filesize
8.3MB

MD5
8877b2105b42c4f37b85644bb867a9e6

SHA1
c3803fe30c0df5a4c36471bd20bb94fa7ab6b7ba

SHA256
c0644cea74a6610ffbd3a7246344d15ef62a6fbe9e8dbe70a33aafdfcb62ad10

SHA512
6259a0965bf9ae70318efea7a42e9c068ada997f576ffc82e0c0726d3f37987fa5f2cd10dc65c1c989940074405e674e2b88a68c023dd6928db7e39b8d461764

Download Submit
C:\Windows\System\dLcfJpQ.exe

Filesize
8.3MB

MD5
e1560dcc5ca2ac4a42c2009cd86ac3c2

SHA1
776254b8a70cdcb7d1f6146d705fe99979d300e5

SHA256
2eb91be52dc0abff64de431cf92ef4bd438d41711559e7c132fee8f00282185c

SHA512
2155d1cb351b53e725667f9d5f33309979de35026a15842eddd73854c2ac49329ffe30c70a1b30d4f1a6a0ec6fd2dec862397e16fac21ad6f40fc34b809a7826

Download Submit
C:\Windows\System\dpPJkWo.exe

Filesize
8.3MB

MD5
3c19e8146415e66dac1b73825f096ef1

SHA1
1152a3b8b766b7b52f1e0c966f16fd82d3e96ada

SHA256
752adc2fdadfd8d27bd325756dfcaef75e72726d1e680bfa826c215078d697f0

SHA512
d79267bcabe023ea4ccb2320a2e6fdf01154ea26fd9024d3956e7a6e5e63b398132e7d6779db28d91e6bf96207d1cd1ee7647879a465b214112b15c303564a2a

Download Submit
C:\Windows\System\eXNAdre.exe

Filesize
8.3MB

MD5
26d8bdda7d14dd1649c859b8eff2e36a

SHA1
58fd3aa33cdccae564068a961c78a1923f67d905

SHA256
59a7b9154f9a73da11642f3f3b3ed8744eb5460cd5f9183829cf7b93ec3a86ae

SHA512
c988e11e1086987763cfdccb701f1365fc81f0afdd5bcb9c82bd019af0d5c33dd873bd901fd6a72f61d4ba94566b728feb6340133497da913cb29bdec62aed43

Download Submit
C:\Windows\System\mhiFdzm.exe

Filesize
8.3MB

MD5
b1066ab891e2682b1c92addc0a4826d7

SHA1
11de5a64f334af2cf3bed17cfa5d9789f26c0a72

SHA256
736ab4aab12b17dcef050b1974d7419af41c3e89adc73e125f4cb1a6044ccf35

SHA512
c18f4e188598ca2fd6d5be85a457b9eca2248de93ad8959f7331e5b1585986f9fb6fdf6195bc8ffa1e07e4b7c352606abd5245ce645c4cfb420a687e3a4cc734

Download Submit
C:\Windows\System\qUemRfj.exe

Filesize
8.3MB

MD5
caac07720c2daf8a6227329f90a98fa6

SHA1
8a5ed2b94fb2af1826a6bc5b008fbd6ab5b7d332

SHA256
01498bcec5336545b1626d402ff9a327cf6c57016abb73a6fa6b1d8916b2be58

SHA512
2a31383615969ba25ff80214585b2a6dd6e0d70da4a00cb63ac59de23cee1d31aa790bda427af07d1bf78f3177df5a4ff138323efdc96c8071519623e4e64f21

Download Submit
C:\Windows\System\qdCOoLr.exe

Filesize
8.3MB

MD5
3a311764e79e1403e6e3652e2a063893

SHA1
060b251a8bc506b18c52925a8f62927d9e3bedd0

SHA256
f1178b22c75b30344729c759f41f83e407d87bf46118b663014fe8c5b3ec8eba

SHA512
e88a92ede3cca2414ec05cca4f02b8812b0f63621db16936bddac7eb92dd7906b34b62d0736241bf8b150b038e1906e9beba90628e860374f873142a758032d0

Download Submit
C:\Windows\System\sCUIuvP.exe

Filesize
8.3MB

MD5
f190c29137388994a3d709690b2f727a

SHA1
ddc90ab2da36668bb5fca2cf2970cdb222377807

SHA256
1c136f7f7d717cc6f5a1e4119276d6669ef0a4af42ad5f3e6f3d72ce2ae22a70

SHA512
66ac50f7115b78b04b7edb794a376bd7ab143a35dc1ddf3e0bcf9155782cb47dd67278c6863d9c727096fa6b22b755b68385cb74f98b33eadc0ca87b29c6857b

Download Submit
C:\Windows\System\uNABOGA.exe

Filesize
8.3MB

MD5
e2dfb6ac948cb3d9a3990054616045f6

SHA1
1f58b4fb4f25641cf22dc03dcb6aa196a11145d3

SHA256
e56a7c4f06cb1c4abe3ad01bbd266d2dc7a9d7df2eedc7360cfa932206dcbb63

SHA512
bc62ebbf84fa9b1363ae7102f339ae0f3badf9799016e5a4cafea34a322236facbe2e3fd473cbb77548892ecc32d015bbf53351423e470e59210b84a9a681d06

Download Submit
C:\Windows\System\yaEQSaC.exe

Filesize
8.3MB

MD5
1e429ac6e8f6d956dd445d179f23e176

SHA1
0a41391898e6c81a7bf3d685f8998f5f50ef081d

SHA256
2c0fa67f5911bf1da9e8ecbf47a61a83fa07a5d071b76ab68b2ddd5b2995c6d3

SHA512
8fbec91bca817398f27570a066b9ddd73bd6d9ba9bbe0df7d338422c9e40bc96ada5ba07e7d1e6e105f5ecbcda7075cf233b41bac0dcd845b7f8e9c13f23c4eb

Download Submit
C:\Windows\System\zLLGRip.exe

Filesize
8.3MB

MD5
76dcc2ff67c9ec013db67094acb5ecc8

SHA1
728cc456987a227522322fa94b09c0421a78eafa

SHA256
9f27dbfc0529bdd8efa340c2ffc644c3428813a199471e9c9dac48c49716f70c

SHA512
06fa1aae1c9108e241cb49ea1765f7e0a21220e33fd7b35840a7ee68bc3fdc3d79386e54739861e8981e914223f818d3ffecbc0ccb25c0e5e1e397c43d1f7251

Download Submit
C:\Windows\System\zgdYSLt.exe

Filesize
8.3MB

MD5
862d67561a507e93beeb359df69f9cb4

SHA1
c8b86151bed6f9666fe0fe889e2aa20208e1adc0

SHA256
c31f4636811b474a386b63866be1e8e259e9b4d86ec2d5eb6aa738c8ec316305

SHA512
79c0234e6ef6a5a8cb3748bdf2ff1efbb926986601f45dcd5457284fd7aa547b300730d70bb9d37dbb542949a859c190011448887be82d71bb9b755f1b1c34d7

Download Submit
memory/312-128-0x00007FF759970000-0x00007FF759CC2000-memory.dmp

Filesize
3.3MB

Download
memory/312-162-0x00007FF759970000-0x00007FF759CC2000-memory.dmp

Filesize
3.3MB

Download
memory/1004-144-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp

Filesize
3.3MB

Download
memory/1004-18-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp

Filesize
3.3MB

Download
memory/1004-129-0x00007FF6DB210000-0x00007FF6DB562000-memory.dmp

Filesize
3.3MB

Download
memory/1284-132-0x00007FF749140000-0x00007FF749492000-memory.dmp

Filesize
3.3MB

Download
memory/1284-26-0x00007FF749140000-0x00007FF749492000-memory.dmp

Filesize
3.3MB

Download
memory/1284-145-0x00007FF749140000-0x00007FF749492000-memory.dmp

Filesize
3.3MB

Download
memory/1312-135-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp

Filesize
3.3MB

Download
memory/1312-149-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp

Filesize
3.3MB

Download
memory/1312-48-0x00007FF67AE60000-0x00007FF67B1B2000-memory.dmp

Filesize
3.3MB

Download
memory/1844-131-0x00007FF7E59E0000-0x00007FF7E5D32000-memory.dmp

Filesize
3.3MB

Download
memory/1844-161-0x00007FF7E59E0000-0x00007FF7E5D32000-memory.dmp

Filesize
3.3MB

Download
memory/1884-122-0x00007FF716FB0000-0x00007FF717302000-memory.dmp

Filesize
3.3MB

Download
memory/1884-158-0x00007FF716FB0000-0x00007FF717302000-memory.dmp

Filesize
3.3MB

Download
memory/2324-141-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp

Filesize
3.3MB

Download
memory/2324-119-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp

Filesize
3.3MB

Download
memory/2324-159-0x00007FF7B1770000-0x00007FF7B1AC2000-memory.dmp

Filesize
3.3MB

Download
memory/2508-138-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp

Filesize
3.3MB

Download
memory/2508-77-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp

Filesize
3.3MB

Download
memory/2508-152-0x00007FF6A94C0000-0x00007FF6A9812000-memory.dmp

Filesize
3.3MB

Download
memory/2780-154-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp

Filesize
3.3MB

Download
memory/2780-88-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp

Filesize
3.3MB

Download
memory/2780-140-0x00007FF7BD570000-0x00007FF7BD8C2000-memory.dmp

Filesize
3.3MB

Download
memory/2832-108-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp

Filesize
3.3MB

Download
memory/2832-155-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp

Filesize
3.3MB

Download
memory/2832-139-0x00007FF7C26F0000-0x00007FF7C2A42000-memory.dmp

Filesize
3.3MB

Download
memory/2968-150-0x00007FF704C20000-0x00007FF704F72000-memory.dmp

Filesize
3.3MB

Download
memory/2968-65-0x00007FF704C20000-0x00007FF704F72000-memory.dmp

Filesize
3.3MB

Download
memory/3020-147-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp

Filesize
3.3MB

Download
memory/3020-37-0x00007FF67E4F0000-0x00007FF67E842000-memory.dmp

Filesize
3.3MB

Download
memory/3088-109-0x00007FF7DFCD0000-0x00007FF7E0022000-memory.dmp

Filesize
3.3MB

Download
memory/3088-156-0x00007FF7DFCD0000-0x00007FF7E0022000-memory.dmp

Filesize
3.3MB

Download
memory/3416-66-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp

Filesize
3.3MB

Download
memory/3416-151-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp

Filesize
3.3MB

Download
memory/3416-137-0x00007FF68C9E0000-0x00007FF68CD32000-memory.dmp

Filesize
3.3MB

Download
memory/3724-123-0x00007FF6E2950000-0x00007FF6E2CA2000-memory.dmp

Filesize
3.3MB

Download
memory/3724-160-0x00007FF6E2950000-0x00007FF6E2CA2000-memory.dmp

Filesize
3.3MB

Download
memory/3980-143-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp

Filesize
3.3MB

Download
memory/3980-12-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp

Filesize
3.3MB

Download
memory/3980-82-0x00007FF75FE80000-0x00007FF7601D2000-memory.dmp

Filesize
3.3MB

Download
memory/4444-1-0x000001FA29DC0000-0x000001FA29DD0000-memory.dmp

Filesize
64KB

Download
memory/4444-0-0x00007FF652390000-0x00007FF6526E2000-memory.dmp

Filesize
3.3MB

Download
memory/4444-63-0x00007FF652390000-0x00007FF6526E2000-memory.dmp

Filesize
3.3MB

Download
memory/4472-134-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp

Filesize
3.3MB

Download
memory/4472-42-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp

Filesize
3.3MB

Download
memory/4472-148-0x00007FF6BF4F0000-0x00007FF6BF842000-memory.dmp

Filesize
3.3MB

Download
memory/4592-133-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp

Filesize
3.3MB

Download
memory/4592-146-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp

Filesize
3.3MB

Download
memory/4592-32-0x00007FF7D3A70000-0x00007FF7D3DC2000-memory.dmp

Filesize
3.3MB

Download
memory/4772-8-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp

Filesize
3.3MB

Download
memory/4772-71-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp

Filesize
3.3MB

Download
memory/4772-142-0x00007FF7DFA80000-0x00007FF7DFDD2000-memory.dmp

Filesize
3.3MB

Download
memory/5000-157-0x00007FF608090000-0x00007FF6083E2000-memory.dmp

Filesize
3.3MB

Download
memory/5000-130-0x00007FF608090000-0x00007FF6083E2000-memory.dmp

Filesize
3.3MB

Download
memory/5012-55-0x00007FF604B40000-0x00007FF604E92000-memory.dmp

Filesize
3.3MB

Download
memory/5012-136-0x00007FF604B40000-0x00007FF604E92000-memory.dmp

Filesize
3.3MB

Download
memory/5012-153-0x00007FF604B40000-0x00007FF604E92000-memory.dmp

Filesize
3.3MB

Download