cobaltstrike | 85dc2f1e35c840bc162930a536fceac663fc32e34b8cdd9d8e2988c4afadf582

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

8debbc89129ab46d1191d4c7097e2e6b
SHA1

2acafa019f1268ce02a21738742aca44f6d6287c
SHA256

85dc2f1e35c840bc162930a536fceac663fc32e34b8cdd9d8e2988c4afadf582
SHA512

bf8cf25f56702fc79f0ed65b7e72e5fda2f4d75680ac9c3bc6e0d8b71a62c1eb66fca714f18ee9873d736d1929892d90b235b6d295cb849516fccaa8b071aabe
SSDEEP

98304:MemTLkNdfE0pZba56utgpPFotBER/mQ32lUa:v+D56utgpPF8u/7a

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ZIuPXPe.exe	cobalt_reflective_dll
C:\Windows\System\sIvnddP.exe	cobalt_reflective_dll
C:\Windows\System\WzSsxRa.exe	cobalt_reflective_dll
C:\Windows\System\yswoneK.exe	cobalt_reflective_dll
C:\Windows\System\MocyMgF.exe	cobalt_reflective_dll
C:\Windows\System\HogmUvm.exe	cobalt_reflective_dll
C:\Windows\System\ylFGFcz.exe	cobalt_reflective_dll
C:\Windows\System\XssjjKP.exe	cobalt_reflective_dll
C:\Windows\System\frAURZJ.exe	cobalt_reflective_dll
C:\Windows\System\cmuzJJK.exe	cobalt_reflective_dll
C:\Windows\System\QwCHwlC.exe	cobalt_reflective_dll
C:\Windows\System\eyqmlar.exe	cobalt_reflective_dll
C:\Windows\System\ibkYCLq.exe	cobalt_reflective_dll
C:\Windows\System\isvdQeJ.exe	cobalt_reflective_dll
C:\Windows\System\ObfJsWl.exe	cobalt_reflective_dll
C:\Windows\System\hPrOYQA.exe	cobalt_reflective_dll
C:\Windows\System\uWHnqUY.exe	cobalt_reflective_dll
C:\Windows\System\HUWRGnF.exe	cobalt_reflective_dll
C:\Windows\System\qQiajIb.exe	cobalt_reflective_dll
C:\Windows\System\rZeBpyr.exe	cobalt_reflective_dll
C:\Windows\System\QuAHKbx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\ZIuPXPe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sIvnddP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WzSsxRa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yswoneK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MocyMgF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HogmUvm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ylFGFcz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XssjjKP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\frAURZJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cmuzJJK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QwCHwlC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eyqmlar.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ibkYCLq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\isvdQeJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ObfJsWl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hPrOYQA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uWHnqUY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HUWRGnF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qQiajIb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rZeBpyr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QuAHKbx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3488-0-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	UPX
C:\Windows\System\ZIuPXPe.exe	UPX
behavioral2/memory/2896-8-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	UPX
C:\Windows\System\sIvnddP.exe	UPX
behavioral2/memory/2892-14-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	UPX
C:\Windows\System\WzSsxRa.exe	UPX
C:\Windows\System\yswoneK.exe	UPX
behavioral2/memory/1520-20-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	UPX
behavioral2/memory/944-24-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	UPX
C:\Windows\System\MocyMgF.exe	UPX
behavioral2/memory/2196-32-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	UPX
C:\Windows\System\HogmUvm.exe	UPX
behavioral2/memory/2900-38-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	UPX
C:\Windows\System\ylFGFcz.exe	UPX
behavioral2/memory/1860-44-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	UPX
C:\Windows\System\XssjjKP.exe	UPX
behavioral2/memory/2240-50-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	UPX
C:\Windows\System\frAURZJ.exe	UPX
behavioral2/memory/3372-55-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	UPX
behavioral2/memory/3488-60-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	UPX
C:\Windows\System\cmuzJJK.exe	UPX
behavioral2/memory/5116-61-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	UPX
C:\Windows\System\QwCHwlC.exe	UPX
C:\Windows\System\eyqmlar.exe	UPX
behavioral2/memory/5096-69-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	UPX
behavioral2/memory/2896-68-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	UPX
C:\Windows\System\ibkYCLq.exe	UPX
behavioral2/memory/3124-83-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	UPX
C:\Windows\System\isvdQeJ.exe	UPX
behavioral2/memory/968-77-0x00007FF6325A0000-0x00007FF6328F2000-memory.dmp	UPX
behavioral2/memory/2892-76-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	UPX
behavioral2/memory/2544-90-0x00007FF7DB890000-0x00007FF7DBBE2000-memory.dmp	UPX
behavioral2/memory/944-89-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	UPX
C:\Windows\System\ObfJsWl.exe	UPX
C:\Windows\System\hPrOYQA.exe	UPX
behavioral2/memory/3848-103-0x00007FF73D3D0000-0x00007FF73D722000-memory.dmp	UPX
C:\Windows\System\uWHnqUY.exe	UPX
behavioral2/memory/2312-107-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	UPX
behavioral2/memory/1104-96-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	UPX
behavioral2/memory/2196-95-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	UPX
C:\Windows\System\HUWRGnF.exe	UPX
C:\Windows\System\qQiajIb.exe	UPX
behavioral2/memory/2880-113-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	UPX
behavioral2/memory/3372-121-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	UPX
behavioral2/memory/1736-122-0x00007FF7A5460000-0x00007FF7A57B2000-memory.dmp	UPX
C:\Windows\System\rZeBpyr.exe	UPX
behavioral2/memory/1200-127-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	UPX
behavioral2/memory/5116-126-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	UPX
C:\Windows\System\QuAHKbx.exe	UPX
behavioral2/memory/5096-134-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	UPX
behavioral2/memory/4228-135-0x00007FF6A1B10000-0x00007FF6A1E62000-memory.dmp	UPX
behavioral2/memory/3124-136-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	UPX
behavioral2/memory/1104-137-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	UPX
behavioral2/memory/2312-138-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	UPX
behavioral2/memory/2880-139-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	UPX
behavioral2/memory/1200-140-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	UPX
behavioral2/memory/2896-141-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	UPX
behavioral2/memory/2892-142-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	UPX
behavioral2/memory/1520-143-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	UPX
behavioral2/memory/944-144-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	UPX
behavioral2/memory/2196-145-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	UPX
behavioral2/memory/2900-146-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	UPX
behavioral2/memory/1860-147-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	UPX
behavioral2/memory/2240-148-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3488-0-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	xmrig
C:\Windows\System\ZIuPXPe.exe	xmrig
behavioral2/memory/2896-8-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	xmrig
C:\Windows\System\sIvnddP.exe	xmrig
behavioral2/memory/2892-14-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	xmrig
C:\Windows\System\WzSsxRa.exe	xmrig
C:\Windows\System\yswoneK.exe	xmrig
behavioral2/memory/1520-20-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	xmrig
behavioral2/memory/944-24-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	xmrig
C:\Windows\System\MocyMgF.exe	xmrig
behavioral2/memory/2196-32-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	xmrig
C:\Windows\System\HogmUvm.exe	xmrig
behavioral2/memory/2900-38-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	xmrig
C:\Windows\System\ylFGFcz.exe	xmrig
behavioral2/memory/1860-44-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	xmrig
C:\Windows\System\XssjjKP.exe	xmrig
behavioral2/memory/2240-50-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	xmrig
C:\Windows\System\frAURZJ.exe	xmrig
behavioral2/memory/3372-55-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	xmrig
behavioral2/memory/3488-60-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	xmrig
C:\Windows\System\cmuzJJK.exe	xmrig
behavioral2/memory/5116-61-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	xmrig
C:\Windows\System\QwCHwlC.exe	xmrig
C:\Windows\System\eyqmlar.exe	xmrig
behavioral2/memory/5096-69-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	xmrig
behavioral2/memory/2896-68-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	xmrig
C:\Windows\System\ibkYCLq.exe	xmrig
behavioral2/memory/3124-83-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	xmrig
C:\Windows\System\isvdQeJ.exe	xmrig
behavioral2/memory/968-77-0x00007FF6325A0000-0x00007FF6328F2000-memory.dmp	xmrig
behavioral2/memory/2892-76-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	xmrig
behavioral2/memory/2544-90-0x00007FF7DB890000-0x00007FF7DBBE2000-memory.dmp	xmrig
behavioral2/memory/944-89-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	xmrig
C:\Windows\System\ObfJsWl.exe	xmrig
C:\Windows\System\hPrOYQA.exe	xmrig
behavioral2/memory/3848-103-0x00007FF73D3D0000-0x00007FF73D722000-memory.dmp	xmrig
C:\Windows\System\uWHnqUY.exe	xmrig
behavioral2/memory/2312-107-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	xmrig
behavioral2/memory/1104-96-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	xmrig
behavioral2/memory/2196-95-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	xmrig
C:\Windows\System\HUWRGnF.exe	xmrig
C:\Windows\System\qQiajIb.exe	xmrig
behavioral2/memory/2880-113-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	xmrig
behavioral2/memory/3372-121-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	xmrig
behavioral2/memory/1736-122-0x00007FF7A5460000-0x00007FF7A57B2000-memory.dmp	xmrig
C:\Windows\System\rZeBpyr.exe	xmrig
behavioral2/memory/1200-127-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	xmrig
behavioral2/memory/5116-126-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	xmrig
C:\Windows\System\QuAHKbx.exe	xmrig
behavioral2/memory/5096-134-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	xmrig
behavioral2/memory/4228-135-0x00007FF6A1B10000-0x00007FF6A1E62000-memory.dmp	xmrig
behavioral2/memory/3124-136-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	xmrig
behavioral2/memory/1104-137-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	xmrig
behavioral2/memory/2312-138-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	xmrig
behavioral2/memory/2880-139-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	xmrig
behavioral2/memory/1200-140-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	xmrig
behavioral2/memory/2896-141-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	xmrig
behavioral2/memory/2892-142-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	xmrig
behavioral2/memory/1520-143-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	xmrig
behavioral2/memory/944-144-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	xmrig
behavioral2/memory/2196-145-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	xmrig
behavioral2/memory/2900-146-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	xmrig
behavioral2/memory/1860-147-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	xmrig
behavioral2/memory/2240-148-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZIuPXPe.exesIvnddP.exeWzSsxRa.exeyswoneK.exeMocyMgF.exeHogmUvm.exeylFGFcz.exeXssjjKP.exefrAURZJ.execmuzJJK.exeQwCHwlC.exeeyqmlar.exeibkYCLq.exeisvdQeJ.exeObfJsWl.exehPrOYQA.exeuWHnqUY.exeHUWRGnF.exeqQiajIb.exerZeBpyr.exeQuAHKbx.exe

pid	process
2896	ZIuPXPe.exe
2892	sIvnddP.exe
1520	WzSsxRa.exe
944	yswoneK.exe
2196	MocyMgF.exe
2900	HogmUvm.exe
1860	ylFGFcz.exe
2240	XssjjKP.exe
3372	frAURZJ.exe
5116	cmuzJJK.exe
5096	QwCHwlC.exe
968	eyqmlar.exe
3124	ibkYCLq.exe
2544	isvdQeJ.exe
1104	ObfJsWl.exe
3848	hPrOYQA.exe
2312	uWHnqUY.exe
2880	HUWRGnF.exe
1736	qQiajIb.exe
1200	rZeBpyr.exe
4228	QuAHKbx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3488-0-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	upx
C:\Windows\System\ZIuPXPe.exe	upx
behavioral2/memory/2896-8-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	upx
C:\Windows\System\sIvnddP.exe	upx
behavioral2/memory/2892-14-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	upx
C:\Windows\System\WzSsxRa.exe	upx
C:\Windows\System\yswoneK.exe	upx
behavioral2/memory/1520-20-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	upx
behavioral2/memory/944-24-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	upx
C:\Windows\System\MocyMgF.exe	upx
behavioral2/memory/2196-32-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	upx
C:\Windows\System\HogmUvm.exe	upx
behavioral2/memory/2900-38-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	upx
C:\Windows\System\ylFGFcz.exe	upx
behavioral2/memory/1860-44-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	upx
C:\Windows\System\XssjjKP.exe	upx
behavioral2/memory/2240-50-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	upx
C:\Windows\System\frAURZJ.exe	upx
behavioral2/memory/3372-55-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	upx
behavioral2/memory/3488-60-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp	upx
C:\Windows\System\cmuzJJK.exe	upx
behavioral2/memory/5116-61-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	upx
C:\Windows\System\QwCHwlC.exe	upx
C:\Windows\System\eyqmlar.exe	upx
behavioral2/memory/5096-69-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	upx
behavioral2/memory/2896-68-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	upx
C:\Windows\System\ibkYCLq.exe	upx
behavioral2/memory/3124-83-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	upx
C:\Windows\System\isvdQeJ.exe	upx
behavioral2/memory/968-77-0x00007FF6325A0000-0x00007FF6328F2000-memory.dmp	upx
behavioral2/memory/2892-76-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	upx
behavioral2/memory/2544-90-0x00007FF7DB890000-0x00007FF7DBBE2000-memory.dmp	upx
behavioral2/memory/944-89-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	upx
C:\Windows\System\ObfJsWl.exe	upx
C:\Windows\System\hPrOYQA.exe	upx
behavioral2/memory/3848-103-0x00007FF73D3D0000-0x00007FF73D722000-memory.dmp	upx
C:\Windows\System\uWHnqUY.exe	upx
behavioral2/memory/2312-107-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	upx
behavioral2/memory/1104-96-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	upx
behavioral2/memory/2196-95-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	upx
C:\Windows\System\HUWRGnF.exe	upx
C:\Windows\System\qQiajIb.exe	upx
behavioral2/memory/2880-113-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	upx
behavioral2/memory/3372-121-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp	upx
behavioral2/memory/1736-122-0x00007FF7A5460000-0x00007FF7A57B2000-memory.dmp	upx
C:\Windows\System\rZeBpyr.exe	upx
behavioral2/memory/1200-127-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	upx
behavioral2/memory/5116-126-0x00007FF742CC0000-0x00007FF743012000-memory.dmp	upx
C:\Windows\System\QuAHKbx.exe	upx
behavioral2/memory/5096-134-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp	upx
behavioral2/memory/4228-135-0x00007FF6A1B10000-0x00007FF6A1E62000-memory.dmp	upx
behavioral2/memory/3124-136-0x00007FF721160000-0x00007FF7214B2000-memory.dmp	upx
behavioral2/memory/1104-137-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp	upx
behavioral2/memory/2312-138-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp	upx
behavioral2/memory/2880-139-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp	upx
behavioral2/memory/1200-140-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp	upx
behavioral2/memory/2896-141-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp	upx
behavioral2/memory/2892-142-0x00007FF650850000-0x00007FF650BA2000-memory.dmp	upx
behavioral2/memory/1520-143-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp	upx
behavioral2/memory/944-144-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp	upx
behavioral2/memory/2196-145-0x00007FF7121C0000-0x00007FF712512000-memory.dmp	upx
behavioral2/memory/2900-146-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp	upx
behavioral2/memory/1860-147-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp	upx
behavioral2/memory/2240-148-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\frAURZJ.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ibkYCLq.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uWHnqUY.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HogmUvm.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XssjjKP.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ObfJsWl.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hPrOYQA.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HUWRGnF.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuAHKbx.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WzSsxRa.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eyqmlar.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QwCHwlC.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qQiajIb.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sIvnddP.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cmuzJJK.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MocyMgF.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ylFGFcz.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\isvdQeJ.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rZeBpyr.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZIuPXPe.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yswoneK.exe	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3488 wrote to memory of 2896	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ZIuPXPe.exe
PID 3488 wrote to memory of 2896	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ZIuPXPe.exe
PID 3488 wrote to memory of 2892	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	sIvnddP.exe
PID 3488 wrote to memory of 2892	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	sIvnddP.exe
PID 3488 wrote to memory of 1520	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	WzSsxRa.exe
PID 3488 wrote to memory of 1520	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	WzSsxRa.exe
PID 3488 wrote to memory of 944	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	yswoneK.exe
PID 3488 wrote to memory of 944	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	yswoneK.exe
PID 3488 wrote to memory of 2196	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	MocyMgF.exe
PID 3488 wrote to memory of 2196	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	MocyMgF.exe
PID 3488 wrote to memory of 2900	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	HogmUvm.exe
PID 3488 wrote to memory of 2900	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	HogmUvm.exe
PID 3488 wrote to memory of 1860	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ylFGFcz.exe
PID 3488 wrote to memory of 1860	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ylFGFcz.exe
PID 3488 wrote to memory of 2240	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	XssjjKP.exe
PID 3488 wrote to memory of 2240	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	XssjjKP.exe
PID 3488 wrote to memory of 3372	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	frAURZJ.exe
PID 3488 wrote to memory of 3372	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	frAURZJ.exe
PID 3488 wrote to memory of 5116	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	cmuzJJK.exe
PID 3488 wrote to memory of 5116	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	cmuzJJK.exe
PID 3488 wrote to memory of 5096	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	QwCHwlC.exe
PID 3488 wrote to memory of 5096	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	QwCHwlC.exe
PID 3488 wrote to memory of 968	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	eyqmlar.exe
PID 3488 wrote to memory of 968	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	eyqmlar.exe
PID 3488 wrote to memory of 3124	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ibkYCLq.exe
PID 3488 wrote to memory of 3124	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ibkYCLq.exe
PID 3488 wrote to memory of 2544	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	isvdQeJ.exe
PID 3488 wrote to memory of 2544	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	isvdQeJ.exe
PID 3488 wrote to memory of 1104	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ObfJsWl.exe
PID 3488 wrote to memory of 1104	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	ObfJsWl.exe
PID 3488 wrote to memory of 3848	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	hPrOYQA.exe
PID 3488 wrote to memory of 3848	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	hPrOYQA.exe
PID 3488 wrote to memory of 2312	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	uWHnqUY.exe
PID 3488 wrote to memory of 2312	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	uWHnqUY.exe
PID 3488 wrote to memory of 2880	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	HUWRGnF.exe
PID 3488 wrote to memory of 2880	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	HUWRGnF.exe
PID 3488 wrote to memory of 1736	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	qQiajIb.exe
PID 3488 wrote to memory of 1736	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	qQiajIb.exe
PID 3488 wrote to memory of 1200	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	rZeBpyr.exe
PID 3488 wrote to memory of 1200	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	rZeBpyr.exe
PID 3488 wrote to memory of 4228	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	QuAHKbx.exe
PID 3488 wrote to memory of 4228	3488	2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe	QuAHKbx.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_8debbc89129ab46d1191d4c7097e2e6b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\System\ZIuPXPe.exe
C:\Windows\System\ZIuPXPe.exe
2⤵
- Executes dropped EXE
PID:2896

C:\Windows\System\sIvnddP.exe
C:\Windows\System\sIvnddP.exe
2⤵
- Executes dropped EXE
PID:2892

C:\Windows\System\WzSsxRa.exe
C:\Windows\System\WzSsxRa.exe
2⤵
- Executes dropped EXE
PID:1520

C:\Windows\System\yswoneK.exe
C:\Windows\System\yswoneK.exe
2⤵
- Executes dropped EXE
PID:944

C:\Windows\System\MocyMgF.exe
C:\Windows\System\MocyMgF.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\HogmUvm.exe
C:\Windows\System\HogmUvm.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\ylFGFcz.exe
C:\Windows\System\ylFGFcz.exe
2⤵
- Executes dropped EXE
PID:1860

C:\Windows\System\XssjjKP.exe
C:\Windows\System\XssjjKP.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Windows\System\frAURZJ.exe
C:\Windows\System\frAURZJ.exe
2⤵
- Executes dropped EXE
PID:3372

C:\Windows\System\cmuzJJK.exe
C:\Windows\System\cmuzJJK.exe
2⤵
- Executes dropped EXE
PID:5116

C:\Windows\System\QwCHwlC.exe
C:\Windows\System\QwCHwlC.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\eyqmlar.exe
C:\Windows\System\eyqmlar.exe
2⤵
- Executes dropped EXE
PID:968

C:\Windows\System\ibkYCLq.exe
C:\Windows\System\ibkYCLq.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Windows\System\isvdQeJ.exe
C:\Windows\System\isvdQeJ.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\ObfJsWl.exe
C:\Windows\System\ObfJsWl.exe
2⤵
- Executes dropped EXE
PID:1104

C:\Windows\System\hPrOYQA.exe
C:\Windows\System\hPrOYQA.exe
2⤵
- Executes dropped EXE
PID:3848

C:\Windows\System\uWHnqUY.exe
C:\Windows\System\uWHnqUY.exe
2⤵
- Executes dropped EXE
PID:2312

C:\Windows\System\HUWRGnF.exe
C:\Windows\System\HUWRGnF.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\qQiajIb.exe
C:\Windows\System\qQiajIb.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\rZeBpyr.exe
C:\Windows\System\rZeBpyr.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System\QuAHKbx.exe
C:\Windows\System\QuAHKbx.exe
2⤵
- Executes dropped EXE
PID:4228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HUWRGnF.exe
Filesize
8.3MB

MD5
f89a45a44a6c0f4f93ba95ec6b15911b

SHA1
c7652b77714a3fb8972643adf3be9d7f697bc577

SHA256
66f682de085d78173236180bfe12b99caadc3ac9f3da41deaf94a7337108b5e1

SHA512
13b48f0157f2a87d75cba35019b632ba9a759f411ba38370928306fb85f3b3047c06e04e1391e352d6fe0aea1a484f5c1e040ad697e5bf0358990dbb98be24f9

Download Submit
C:\Windows\System\HogmUvm.exe
Filesize
8.3MB

MD5
d808b1ccb269f2e86f7e2f339fda078a

SHA1
a50ca4e747f38ac46c81445557dac9ac85c61826

SHA256
2aabbed61ed49dd44247523ba56c6e4afa5e0ecebb8a27d6732c58a6b230fc42

SHA512
3c1a9379d1ddd0f6563521f1bacb7eca2313448df249e89c6185b2915b039ab355504e893a204efef54f4a3fd139f641d7edca34be755727bda074c4a2a4813f

Download Submit
C:\Windows\System\MocyMgF.exe
Filesize
8.3MB

MD5
41abecfc8692e369ba3a55429cf48859

SHA1
e73d0e178a6dfc1ecc90ac334e93342f16551535

SHA256
6a5ac5e2a4cda97fc471d0ff36b44c41c674c679ae88173d84fd4fd206f4154d

SHA512
e64e7fd19e3db202193642e7bceccff693a793541c5c528860e3cac838ceb5e1936ecd3403006afff2185177f4783d733ea323688f2e7f8c4f7090ac350e27af

Download Submit
C:\Windows\System\ObfJsWl.exe
Filesize
8.3MB

MD5
181a82b829a870af8e3e44bef187d959

SHA1
fbe4e907c946f3e88a1294156cff945d579f5d44

SHA256
ba2b336a86f6f09bca126965038afa2a3e141e6aad44934387c6f7634773b97d

SHA512
b90a5036f2369d7680a7fd8d10480c5fe020f26edd302f8f3f57aa9495be2070657439beb82b02d0ab8e10a28e4d8f3dcc037d40d28fd28e68441b141a267780

Download Submit
C:\Windows\System\QuAHKbx.exe
Filesize
8.3MB

MD5
47c0180b5c289fd34172899c774ba340

SHA1
b2a17e71b538bcbafea63a5759fbfa589ba1fc6c

SHA256
6c1df743fb459ebe3e9bb17b86bfcf59470c8970a093511c43b5797095d8f07d

SHA512
dc7994ae65f90a66b1c190678c66cb20045d0022d95b6bc2aba061d3f73091b67a55bcf7ec6d1920b610da07e0daab14e0e8f445125140e5070dc97aa7f00c7a

Download Submit
C:\Windows\System\QwCHwlC.exe
Filesize
8.3MB

MD5
cddb10020a8c3af7d1a6e71179ed29bf

SHA1
775e074c2769cedbff8acb58d393b92be9aad66b

SHA256
c0d4c6726cf9173bdbd0028b5682ae554b33b61558aa766f7bf7831caa1a5806

SHA512
da7cd6116d9798d087242537268b6b61a6563d52bf71e3c335b9ea8f1e37c0ab296fe780bc43ae0052ad5b7d0d6784d042d8c8381c5798723f42bcbdb873d994

Download Submit
C:\Windows\System\WzSsxRa.exe
Filesize
8.3MB

MD5
c313357525bf21914df6ea3a54e0431a

SHA1
d046ad847056274d9a235b0a16978d4481eeb7b8

SHA256
7cd3c73723e47ea28aa463cde9f521c2e1efc1c1c64d753567ef6e4a0effdd51

SHA512
d5da76c64d8ece2ff8773baf248d14785e750ddbe9575b0f95e394ec1fbd712ce6c383a851ba952c52395f0ba3b2fb9aadf3db5113bd4ff4aa8d67ed89e1f748

Download Submit
C:\Windows\System\XssjjKP.exe
Filesize
8.3MB

MD5
d63ed6b03d12e3e24da8b6e50f70b9da

SHA1
27d9bb6710514884cbf728a390cde7ba6b50d98c

SHA256
a183354377e9a5c1d5d64290763dab87555a1716be4b6529b3e2fb4d03944764

SHA512
5b2752559c4678bca67ed89e55b3786b9fb842af4252edd51781362d162f126a8f3713e7b595efd29b62174576b27e8e5134129060af9b24a90d36284d0dddfb

Download Submit
C:\Windows\System\ZIuPXPe.exe
Filesize
8.3MB

MD5
15585cdb6a0d5e03c506691575280328

SHA1
d63b8cf118924fd2b39f55ce79b327401500d56b

SHA256
69b1e66406aac8f7a1d4ecece3e3a848513766ce3dae9c09970a8dc58f34dc8c

SHA512
df9306fb7019aa0adf3c3c31bbdbca236dfb3b5af068d43e6063d8415499909d521e724ab2d2bf2bb20e1138b61b8a96f46906faeeaac4fd46f38b0b391872ae

Download Submit
C:\Windows\System\cmuzJJK.exe
Filesize
8.3MB

MD5
944835f5a7da916a9b0af1b40b85b494

SHA1
50179d00113627395b71b7bdc4a38af558d6d952

SHA256
24e6ca433a04948a970ca66c5f6305fb710e82787dade9aa3d283d381c9c6e12

SHA512
3fedca03215384270b8e6e1cdb98f1bec293a130fc05d89eacf2e056f072a07c650deeb8088d39c2b9fd092df40aba8d9e72246e223bd5d68604e591f8777bfe

Download Submit
C:\Windows\System\eyqmlar.exe
Filesize
8.3MB

MD5
85a594089c4eca2a0c68bd4c99eb5597

SHA1
06d3cf23de47d436480805faf46820cb0b2da794

SHA256
e7d69e6d9180cf5287becf8d0f3ed1c0bf4981486234fe5763025baa064fd969

SHA512
87a9f6e3128cf0c70d52f6729f36334abeb69565c285a7961b18140e0384c6addbf995665ab161c5655bd6dc1568f6fa351c6d7cc17c44446731d665ae12695a

Download Submit
C:\Windows\System\frAURZJ.exe
Filesize
8.3MB

MD5
8042499f7d2f348a5431b5bbcfe51700

SHA1
336afcb6367e2aaed48a8d9bcee9cc7a52280a4f

SHA256
47020d338a62820775b73e62e9dd0fc88fdb47e62676dfbbe76ff9c47ad1a29d

SHA512
4a22fe7e4ec3599b17ad777bdccc8a2b432febc5cec1b65fef1d4b305e744e99cb21a032d95ba4ef05bbbcbc20114e33fbbc1ce12a1ed2a8f076b0bb71acd3ea

Download Submit
C:\Windows\System\hPrOYQA.exe
Filesize
8.3MB

MD5
eb1ba09af98d90aa5746a3fe06b70064

SHA1
28d12645e456ddd001415b980ad0921bd38aa629

SHA256
595e7f1f74246778aebb7d092f6f32d2b0485ee0332e903809871553180d6832

SHA512
8ebb898ca1e703080ef67aae5e19fba12525b061e1da9b738826172394a37b0f286dc7d6dd2c942273272381b3b0ef9ab39b2fa0d1587f04dd808b0200dd51d2

Download Submit
C:\Windows\System\ibkYCLq.exe
Filesize
8.3MB

MD5
dcf27500344f262556576126cb973f4f

SHA1
a36f4f880acadc3ce19bea26c1ce5df5ff47ae8e

SHA256
7732163810d51afae42fb816242b97c2aa3bcb4f3519f10ded01adb44caf9b54

SHA512
2842ece0cf2fa62ecb4f22edeb89e62da15988bcda68ab8f54b5b52f8857123f6a27a5e214518b5abfd8dd9f3dd1510c13a2fb4ff474889087200d25d24bb9f3

Download Submit
C:\Windows\System\isvdQeJ.exe
Filesize
8.3MB

MD5
717fc539f2f583afee22c0904c787e2f

SHA1
e53c442e77061ac38c2b45c297b3d6e4a580fe5a

SHA256
6765f2d2aed4dc6355edb6d37211fe56cbfd8fa2e4fc363f45ec3e4e0078a879

SHA512
baca01b63d96ff4e8c649ed65f316bf4c3feb3fe640fda4d9fadbf1308622a748e34472b5825c32dc6f3dee5830e3b0dc20b752527594e4d84760b7a70337a12

Download Submit
C:\Windows\System\qQiajIb.exe
Filesize
8.3MB

MD5
6c5a46aa89cb5f8ca20d3f39a753cb37

SHA1
acb1ac76f9f477418c522d76ad9409234ee1f164

SHA256
05867b2362419420b6f254409d13100385ff8ba9f4d8e851098b04483aa304ff

SHA512
065b3fb52c067b761dba08f841de1be8cc15af115275bd035dab04f562bf6b10518c25c4cc213f74e01524435912abdf1a931abb6aaa83a0e318cf11883de517

Download Submit
C:\Windows\System\rZeBpyr.exe
Filesize
8.3MB

MD5
5e213a6d7f99910efda5e2391400f444

SHA1
06a22cb1096a1a1927dcc3cdb24333eed9ea7961

SHA256
625e4139570c8c264f2598dc4dd10edeae077796cc32f8c6eca0009320206ee0

SHA512
2501ee10ece8aef7970fdd868e95acf56758b304f6e26bda2af501b28c906058fa4ce7df6b3bce6e688dce0fbf10f4e01417c67a224b7521fafa5877a4db378f

Download Submit
C:\Windows\System\sIvnddP.exe
Filesize
8.3MB

MD5
f7771dc0f23901523075163a353298ed

SHA1
2b4ca98b3f456a347ff3a19435a13cd2b66512b2

SHA256
912f5e4da10a13c25bf9469edbd50ac227141870f2a6387e2a4e6810c93c25fd

SHA512
ad282249f3b269081b5552e6b99df4b82e04555146185bbbf43e42ed3e5bbaf5fe2f87e0b34924e8d1045f16bdf75c8fadd5024b70c596ee99d4cd5ddf1c3e4e

Download Submit
C:\Windows\System\uWHnqUY.exe
Filesize
8.3MB

MD5
f1fab7e5c8dd6734786bfd9e0d2d8446

SHA1
253f358d1f1759ae5e3d8ec32145f9a7c581aefc

SHA256
3405c386a24433256a9c3dbd25bfef7e883d5d89836631bf5d7b4e1ff36fd30e

SHA512
a9ad428f6d1daf15e835e1b72563751c22450fd299d2d929b107b6856b77b4592ce86c2ca0fbe4a4fd119df3844fb992137a553e683e8addba65fb17cc0f7d9c

Download Submit
C:\Windows\System\ylFGFcz.exe
Filesize
8.3MB

MD5
18a9e6dcb971c30c31dcf5a85d5a30dc

SHA1
5249fa1b3f7f0322fc6b7c56df43b404bd3b5d5b

SHA256
1455363882fe164a1d491e6cefd999394c6e177da370c0062b29e8da8acf41e2

SHA512
27fd7afd881f4611be74740e9fde79755b966b8edae6fba1ee0c87f26d557dd580f445c7a9e3eb9551d659e6c57522612ca8af3348ae4c47df473be887205e71

Download Submit
C:\Windows\System\yswoneK.exe
Filesize
8.3MB

MD5
fa049e572d5a994996e0867765da15e8

SHA1
db6e64bbbf450e6eef6bf3b390c7b662702d37ee

SHA256
eaa892aed11bc016e1154c3e443c16cec9ef9260c4454f9e16cc268a539ed7ef

SHA512
a909dd9012cbc39abbbdf5dfb7b9d2f9060e1afc61327b5c11d269f3330908bc367abbf669b68497074ac8b5d29c5fce6f56e36d45cdd078510d1c4563f3f734

Download Submit
memory/944-24-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp

Filesize
3.3MB

Download
memory/944-89-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp

Filesize
3.3MB

Download
memory/944-144-0x00007FF6B8C90000-0x00007FF6B8FE2000-memory.dmp

Filesize
3.3MB

Download
memory/968-77-0x00007FF6325A0000-0x00007FF6328F2000-memory.dmp

Filesize
3.3MB

Download
memory/968-152-0x00007FF6325A0000-0x00007FF6328F2000-memory.dmp

Filesize
3.3MB

Download
memory/1104-137-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp

Filesize
3.3MB

Download
memory/1104-96-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp

Filesize
3.3MB

Download
memory/1104-155-0x00007FF649CF0000-0x00007FF64A042000-memory.dmp

Filesize
3.3MB

Download
memory/1200-127-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp

Filesize
3.3MB

Download
memory/1200-160-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp

Filesize
3.3MB

Download
memory/1200-140-0x00007FF6941A0000-0x00007FF6944F2000-memory.dmp

Filesize
3.3MB

Download
memory/1520-20-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp

Filesize
3.3MB

Download
memory/1520-143-0x00007FF7177B0000-0x00007FF717B02000-memory.dmp

Filesize
3.3MB

Download
memory/1736-159-0x00007FF7A5460000-0x00007FF7A57B2000-memory.dmp

Filesize
3.3MB

Download
memory/1736-122-0x00007FF7A5460000-0x00007FF7A57B2000-memory.dmp

Filesize
3.3MB

Download
memory/1860-44-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp

Filesize
3.3MB

Download
memory/1860-147-0x00007FF7E0B40000-0x00007FF7E0E92000-memory.dmp

Filesize
3.3MB

Download
memory/2196-32-0x00007FF7121C0000-0x00007FF712512000-memory.dmp

Filesize
3.3MB

Download
memory/2196-95-0x00007FF7121C0000-0x00007FF712512000-memory.dmp

Filesize
3.3MB

Download
memory/2196-145-0x00007FF7121C0000-0x00007FF712512000-memory.dmp

Filesize
3.3MB

Download
memory/2240-50-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp

Filesize
3.3MB

Download
memory/2240-148-0x00007FF7BB790000-0x00007FF7BBAE2000-memory.dmp

Filesize
3.3MB

Download
memory/2312-157-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp

Filesize
3.3MB

Download
memory/2312-107-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp

Filesize
3.3MB

Download
memory/2312-138-0x00007FF6A17A0000-0x00007FF6A1AF2000-memory.dmp

Filesize
3.3MB

Download
memory/2544-90-0x00007FF7DB890000-0x00007FF7DBBE2000-memory.dmp

Filesize
3.3MB

Download
memory/2544-154-0x00007FF7DB890000-0x00007FF7DBBE2000-memory.dmp

Filesize
3.3MB

Download
memory/2880-113-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp

Filesize
3.3MB

Download
memory/2880-158-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp

Filesize
3.3MB

Download
memory/2880-139-0x00007FF7C18C0000-0x00007FF7C1C12000-memory.dmp

Filesize
3.3MB

Download
memory/2892-142-0x00007FF650850000-0x00007FF650BA2000-memory.dmp

Filesize
3.3MB

Download
memory/2892-76-0x00007FF650850000-0x00007FF650BA2000-memory.dmp

Filesize
3.3MB

Download
memory/2892-14-0x00007FF650850000-0x00007FF650BA2000-memory.dmp

Filesize
3.3MB

Download
memory/2896-8-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp

Filesize
3.3MB

Download
memory/2896-68-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp

Filesize
3.3MB

Download
memory/2896-141-0x00007FF7D4410000-0x00007FF7D4762000-memory.dmp

Filesize
3.3MB

Download
memory/2900-38-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp

Filesize
3.3MB

Download
memory/2900-146-0x00007FF68D760000-0x00007FF68DAB2000-memory.dmp

Filesize
3.3MB

Download
memory/3124-83-0x00007FF721160000-0x00007FF7214B2000-memory.dmp

Filesize
3.3MB

Download
memory/3124-136-0x00007FF721160000-0x00007FF7214B2000-memory.dmp

Filesize
3.3MB

Download
memory/3124-153-0x00007FF721160000-0x00007FF7214B2000-memory.dmp

Filesize
3.3MB

Download
memory/3372-149-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp

Filesize
3.3MB

Download
memory/3372-55-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp

Filesize
3.3MB

Download
memory/3372-121-0x00007FF75DC70000-0x00007FF75DFC2000-memory.dmp

Filesize
3.3MB

Download
memory/3488-60-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp

Filesize
3.3MB

Download
memory/3488-0-0x00007FF6A6860000-0x00007FF6A6BB2000-memory.dmp

Filesize
3.3MB

Download
memory/3488-1-0x000001AC32570000-0x000001AC32580000-memory.dmp

Filesize
64KB

Download
memory/3848-103-0x00007FF73D3D0000-0x00007FF73D722000-memory.dmp

Filesize
3.3MB

Download
memory/3848-156-0x00007FF73D3D0000-0x00007FF73D722000-memory.dmp

Filesize
3.3MB

Download
memory/4228-135-0x00007FF6A1B10000-0x00007FF6A1E62000-memory.dmp

Filesize
3.3MB

Download
memory/4228-161-0x00007FF6A1B10000-0x00007FF6A1E62000-memory.dmp

Filesize
3.3MB

Download
memory/5096-151-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp

Filesize
3.3MB

Download
memory/5096-69-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp

Filesize
3.3MB

Download
memory/5096-134-0x00007FF63F190000-0x00007FF63F4E2000-memory.dmp

Filesize
3.3MB

Download
memory/5116-150-0x00007FF742CC0000-0x00007FF743012000-memory.dmp

Filesize
3.3MB

Download
memory/5116-61-0x00007FF742CC0000-0x00007FF743012000-memory.dmp

Filesize
3.3MB

Download
memory/5116-126-0x00007FF742CC0000-0x00007FF743012000-memory.dmp

Filesize
3.3MB

Download