cobaltstrike | 590fcf47be35f5255ea17ff08ea21a6f6e424b6d2412bea845c49190b66a8735

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25/05/2024, 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

7ba6a90d41de9e937268126745a60c8b
SHA1

2ebce7165446a3370070c83773d3559f10ef750f
SHA256

590fcf47be35f5255ea17ff08ea21a6f6e424b6d2412bea845c49190b66a8735
SHA512

7d299c3de12510af4c8524aac417cb3ff2e70c723d63de36107a54846134780b85ba0dca65c6f5a87800ff9cedc55deab965dbc510ed57d1a8eeb0faf0ba7125
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU+:Q+856utgpPF8u/7+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023408-5.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-17.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-54.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-48.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-102.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341c-106.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-112.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341e-121.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-104.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023408-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341c-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341e-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341f-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3136-0-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	UPX
behavioral2/files/0x0008000000023408-5.dat	UPX
behavioral2/memory/800-8-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	UPX
behavioral2/files/0x000700000002340c-11.dat	UPX
behavioral2/memory/5244-14-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	UPX
behavioral2/files/0x000700000002340d-17.dat	UPX
behavioral2/files/0x000700000002340e-21.dat	UPX
behavioral2/memory/5276-25-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	UPX
behavioral2/files/0x0007000000023412-54.dat	UPX
behavioral2/files/0x0007000000023414-62.dat	UPX
behavioral2/memory/5084-71-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	UPX
behavioral2/memory/2044-76-0x00007FF7B9100000-0x00007FF7B9454000-memory.dmp	UPX
behavioral2/files/0x0007000000023417-79.dat	UPX
behavioral2/memory/3684-77-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	UPX
behavioral2/files/0x0007000000023415-72.dat	UPX
behavioral2/memory/3188-70-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	UPX
behavioral2/memory/4600-67-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-66.dat	UPX
behavioral2/files/0x0007000000023413-59.dat	UPX
behavioral2/memory/6088-53-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023410-48.dat	UPX
behavioral2/memory/4852-44-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	UPX
behavioral2/files/0x0007000000023411-49.dat	UPX
behavioral2/memory/1852-39-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-42.dat	UPX
behavioral2/memory/3156-35-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	UPX
behavioral2/memory/1220-32-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023418-83.dat	UPX
behavioral2/files/0x0007000000023419-90.dat	UPX
behavioral2/memory/3136-92-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	UPX
behavioral2/files/0x000700000002341a-102.dat	UPX
behavioral2/files/0x000700000002341c-106.dat	UPX
behavioral2/files/0x000700000002341d-112.dat	UPX
behavioral2/memory/4192-113-0x00007FF621F30000-0x00007FF622284000-memory.dmp	UPX
behavioral2/memory/3880-114-0x00007FF6F74C0000-0x00007FF6F7814000-memory.dmp	UPX
behavioral2/memory/2724-115-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	UPX
behavioral2/memory/3468-111-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp	UPX
behavioral2/memory/4452-109-0x00007FF7DDA10000-0x00007FF7DDD64000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-121.dat	UPX
behavioral2/files/0x000700000002341f-125.dat	UPX
behavioral2/files/0x000700000002341b-104.dat	UPX
behavioral2/memory/4532-86-0x00007FF7D3240000-0x00007FF7D3594000-memory.dmp	UPX
behavioral2/memory/5244-127-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	UPX
behavioral2/memory/1844-129-0x00007FF666F60000-0x00007FF6672B4000-memory.dmp	UPX
behavioral2/memory/3472-130-0x00007FF649DD0000-0x00007FF64A124000-memory.dmp	UPX
behavioral2/memory/5276-128-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	UPX
behavioral2/memory/3156-132-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	UPX
behavioral2/memory/1220-131-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	UPX
behavioral2/memory/4852-133-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	UPX
behavioral2/memory/1852-134-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	UPX
behavioral2/memory/6088-135-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	UPX
behavioral2/memory/4600-136-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	UPX
behavioral2/memory/3188-137-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	UPX
behavioral2/memory/3684-138-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	UPX
behavioral2/memory/2724-139-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	UPX
behavioral2/memory/800-140-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	UPX
behavioral2/memory/5244-141-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	UPX
behavioral2/memory/5276-142-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	UPX
behavioral2/memory/1220-143-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	UPX
behavioral2/memory/3156-144-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	UPX
behavioral2/memory/1852-145-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	UPX
behavioral2/memory/4600-146-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	UPX
behavioral2/memory/6088-147-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	UPX
behavioral2/memory/5084-148-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3136-0-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	xmrig
behavioral2/files/0x0008000000023408-5.dat	xmrig
behavioral2/memory/800-8-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	xmrig
behavioral2/files/0x000700000002340c-11.dat	xmrig
behavioral2/memory/5244-14-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-17.dat	xmrig
behavioral2/files/0x000700000002340e-21.dat	xmrig
behavioral2/memory/5276-25-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	xmrig
behavioral2/files/0x0007000000023412-54.dat	xmrig
behavioral2/files/0x0007000000023414-62.dat	xmrig
behavioral2/memory/5084-71-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	xmrig
behavioral2/memory/2044-76-0x00007FF7B9100000-0x00007FF7B9454000-memory.dmp	xmrig
behavioral2/files/0x0007000000023417-79.dat	xmrig
behavioral2/memory/3684-77-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-72.dat	xmrig
behavioral2/memory/3188-70-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	xmrig
behavioral2/memory/4600-67-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-66.dat	xmrig
behavioral2/files/0x0007000000023413-59.dat	xmrig
behavioral2/memory/6088-53-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023410-48.dat	xmrig
behavioral2/memory/4852-44-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-49.dat	xmrig
behavioral2/memory/1852-39-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-42.dat	xmrig
behavioral2/memory/3156-35-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	xmrig
behavioral2/memory/1220-32-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-83.dat	xmrig
behavioral2/files/0x0007000000023419-90.dat	xmrig
behavioral2/memory/3136-92-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-102.dat	xmrig
behavioral2/files/0x000700000002341c-106.dat	xmrig
behavioral2/files/0x000700000002341d-112.dat	xmrig
behavioral2/memory/4192-113-0x00007FF621F30000-0x00007FF622284000-memory.dmp	xmrig
behavioral2/memory/3880-114-0x00007FF6F74C0000-0x00007FF6F7814000-memory.dmp	xmrig
behavioral2/memory/2724-115-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	xmrig
behavioral2/memory/3468-111-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp	xmrig
behavioral2/memory/4452-109-0x00007FF7DDA10000-0x00007FF7DDD64000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-121.dat	xmrig
behavioral2/files/0x000700000002341f-125.dat	xmrig
behavioral2/files/0x000700000002341b-104.dat	xmrig
behavioral2/memory/4532-86-0x00007FF7D3240000-0x00007FF7D3594000-memory.dmp	xmrig
behavioral2/memory/5244-127-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	xmrig
behavioral2/memory/1844-129-0x00007FF666F60000-0x00007FF6672B4000-memory.dmp	xmrig
behavioral2/memory/3472-130-0x00007FF649DD0000-0x00007FF64A124000-memory.dmp	xmrig
behavioral2/memory/5276-128-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	xmrig
behavioral2/memory/3156-132-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	xmrig
behavioral2/memory/1220-131-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	xmrig
behavioral2/memory/4852-133-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	xmrig
behavioral2/memory/1852-134-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	xmrig
behavioral2/memory/6088-135-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	xmrig
behavioral2/memory/4600-136-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	xmrig
behavioral2/memory/3188-137-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	xmrig
behavioral2/memory/3684-138-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	xmrig
behavioral2/memory/2724-139-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	xmrig
behavioral2/memory/800-140-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	xmrig
behavioral2/memory/5244-141-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	xmrig
behavioral2/memory/5276-142-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	xmrig
behavioral2/memory/1220-143-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	xmrig
behavioral2/memory/3156-144-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	xmrig
behavioral2/memory/1852-145-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	xmrig
behavioral2/memory/4600-146-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	xmrig
behavioral2/memory/6088-147-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	xmrig
behavioral2/memory/5084-148-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
800	qTjsapv.exe
5244	XCZPCqN.exe
5276	MKlmzZL.exe
1220	hzNASGa.exe
1852	deidxrF.exe
3156	fWfwgjd.exe
4852	kdXpPnw.exe
6088	FrOpbJO.exe
4600	sheeBpi.exe
2044	dZqryPN.exe
3188	CNkTcZP.exe
5084	UefWiUX.exe
3684	CnlPCjd.exe
4532	TppEBCc.exe
4452	aecfLJv.exe
3880	yGovsMg.exe
3468	IMqEcOL.exe
4192	HYtxXbQ.exe
2724	yvLlOZR.exe
1844	PWCYBJn.exe
3472	qFUiMDf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3136-0-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	upx
behavioral2/files/0x0008000000023408-5.dat	upx
behavioral2/memory/800-8-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	upx
behavioral2/files/0x000700000002340c-11.dat	upx
behavioral2/memory/5244-14-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	upx
behavioral2/files/0x000700000002340d-17.dat	upx
behavioral2/files/0x000700000002340e-21.dat	upx
behavioral2/memory/5276-25-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	upx
behavioral2/files/0x0007000000023412-54.dat	upx
behavioral2/files/0x0007000000023414-62.dat	upx
behavioral2/memory/5084-71-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	upx
behavioral2/memory/2044-76-0x00007FF7B9100000-0x00007FF7B9454000-memory.dmp	upx
behavioral2/files/0x0007000000023417-79.dat	upx
behavioral2/memory/3684-77-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	upx
behavioral2/files/0x0007000000023415-72.dat	upx
behavioral2/memory/3188-70-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	upx
behavioral2/memory/4600-67-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	upx
behavioral2/files/0x0007000000023416-66.dat	upx
behavioral2/files/0x0007000000023413-59.dat	upx
behavioral2/memory/6088-53-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	upx
behavioral2/files/0x0007000000023410-48.dat	upx
behavioral2/memory/4852-44-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	upx
behavioral2/files/0x0007000000023411-49.dat	upx
behavioral2/memory/1852-39-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	upx
behavioral2/files/0x000700000002340f-42.dat	upx
behavioral2/memory/3156-35-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	upx
behavioral2/memory/1220-32-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-83.dat	upx
behavioral2/files/0x0007000000023419-90.dat	upx
behavioral2/memory/3136-92-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp	upx
behavioral2/files/0x000700000002341a-102.dat	upx
behavioral2/files/0x000700000002341c-106.dat	upx
behavioral2/files/0x000700000002341d-112.dat	upx
behavioral2/memory/4192-113-0x00007FF621F30000-0x00007FF622284000-memory.dmp	upx
behavioral2/memory/3880-114-0x00007FF6F74C0000-0x00007FF6F7814000-memory.dmp	upx
behavioral2/memory/2724-115-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	upx
behavioral2/memory/3468-111-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp	upx
behavioral2/memory/4452-109-0x00007FF7DDA10000-0x00007FF7DDD64000-memory.dmp	upx
behavioral2/files/0x000700000002341e-121.dat	upx
behavioral2/files/0x000700000002341f-125.dat	upx
behavioral2/files/0x000700000002341b-104.dat	upx
behavioral2/memory/4532-86-0x00007FF7D3240000-0x00007FF7D3594000-memory.dmp	upx
behavioral2/memory/5244-127-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	upx
behavioral2/memory/1844-129-0x00007FF666F60000-0x00007FF6672B4000-memory.dmp	upx
behavioral2/memory/3472-130-0x00007FF649DD0000-0x00007FF64A124000-memory.dmp	upx
behavioral2/memory/5276-128-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	upx
behavioral2/memory/3156-132-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	upx
behavioral2/memory/1220-131-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	upx
behavioral2/memory/4852-133-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp	upx
behavioral2/memory/1852-134-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	upx
behavioral2/memory/6088-135-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	upx
behavioral2/memory/4600-136-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	upx
behavioral2/memory/3188-137-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp	upx
behavioral2/memory/3684-138-0x00007FF702C10000-0x00007FF702F64000-memory.dmp	upx
behavioral2/memory/2724-139-0x00007FF667160000-0x00007FF6674B4000-memory.dmp	upx
behavioral2/memory/800-140-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp	upx
behavioral2/memory/5244-141-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp	upx
behavioral2/memory/5276-142-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp	upx
behavioral2/memory/1220-143-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp	upx
behavioral2/memory/3156-144-0x00007FF69C140000-0x00007FF69C494000-memory.dmp	upx
behavioral2/memory/1852-145-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp	upx
behavioral2/memory/4600-146-0x00007FF67B040000-0x00007FF67B394000-memory.dmp	upx
behavioral2/memory/6088-147-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp	upx
behavioral2/memory/5084-148-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\qTjsapv.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fWfwgjd.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FrOpbJO.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CNkTcZP.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dZqryPN.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aecfLJv.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MKlmzZL.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\deidxrF.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sheeBpi.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CnlPCjd.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IMqEcOL.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HYtxXbQ.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yvLlOZR.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PWCYBJn.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XCZPCqN.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UefWiUX.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yGovsMg.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qFUiMDf.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hzNASGa.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kdXpPnw.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TppEBCc.exe	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 800	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	83
PID 3136 wrote to memory of 800	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	83
PID 3136 wrote to memory of 5244	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	84
PID 3136 wrote to memory of 5244	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	84
PID 3136 wrote to memory of 5276	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	85
PID 3136 wrote to memory of 5276	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	85
PID 3136 wrote to memory of 1220	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	86
PID 3136 wrote to memory of 1220	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	86
PID 3136 wrote to memory of 3156	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	87
PID 3136 wrote to memory of 3156	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	87
PID 3136 wrote to memory of 1852	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	88
PID 3136 wrote to memory of 1852	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	88
PID 3136 wrote to memory of 4852	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	89
PID 3136 wrote to memory of 4852	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	89
PID 3136 wrote to memory of 4600	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	90
PID 3136 wrote to memory of 4600	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	90
PID 3136 wrote to memory of 6088	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	91
PID 3136 wrote to memory of 6088	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	91
PID 3136 wrote to memory of 3188	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	92
PID 3136 wrote to memory of 3188	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	92
PID 3136 wrote to memory of 2044	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	93
PID 3136 wrote to memory of 2044	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	93
PID 3136 wrote to memory of 5084	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	94
PID 3136 wrote to memory of 5084	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	94
PID 3136 wrote to memory of 3684	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	95
PID 3136 wrote to memory of 3684	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	95
PID 3136 wrote to memory of 4532	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	96
PID 3136 wrote to memory of 4532	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	96
PID 3136 wrote to memory of 4452	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	98
PID 3136 wrote to memory of 4452	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	98
PID 3136 wrote to memory of 3880	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	99
PID 3136 wrote to memory of 3880	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	99
PID 3136 wrote to memory of 3468	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	100
PID 3136 wrote to memory of 3468	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	100
PID 3136 wrote to memory of 4192	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	101
PID 3136 wrote to memory of 4192	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	101
PID 3136 wrote to memory of 2724	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	102
PID 3136 wrote to memory of 2724	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	102
PID 3136 wrote to memory of 1844	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	103
PID 3136 wrote to memory of 1844	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	103
PID 3136 wrote to memory of 3472	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	104
PID 3136 wrote to memory of 3472	3136	2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_7ba6a90d41de9e937268126745a60c8b_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\System\qTjsapv.exe
  C:\Windows\System\qTjsapv.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\XCZPCqN.exe
  C:\Windows\System\XCZPCqN.exe
  2⤵
  - Executes dropped EXE
  PID:5244
- C:\Windows\System\MKlmzZL.exe
  C:\Windows\System\MKlmzZL.exe
  2⤵
  - Executes dropped EXE
  PID:5276
- C:\Windows\System\hzNASGa.exe
  C:\Windows\System\hzNASGa.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\fWfwgjd.exe
  C:\Windows\System\fWfwgjd.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\deidxrF.exe
  C:\Windows\System\deidxrF.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\kdXpPnw.exe
  C:\Windows\System\kdXpPnw.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\sheeBpi.exe
  C:\Windows\System\sheeBpi.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\FrOpbJO.exe
  C:\Windows\System\FrOpbJO.exe
  2⤵
  - Executes dropped EXE
  PID:6088
- C:\Windows\System\CNkTcZP.exe
  C:\Windows\System\CNkTcZP.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\dZqryPN.exe
  C:\Windows\System\dZqryPN.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\UefWiUX.exe
  C:\Windows\System\UefWiUX.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\CnlPCjd.exe
  C:\Windows\System\CnlPCjd.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\TppEBCc.exe
  C:\Windows\System\TppEBCc.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\aecfLJv.exe
  C:\Windows\System\aecfLJv.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\yGovsMg.exe
  C:\Windows\System\yGovsMg.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\IMqEcOL.exe
  C:\Windows\System\IMqEcOL.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\HYtxXbQ.exe
  C:\Windows\System\HYtxXbQ.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\yvLlOZR.exe
  C:\Windows\System\yvLlOZR.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\PWCYBJn.exe
  C:\Windows\System\PWCYBJn.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\qFUiMDf.exe
  C:\Windows\System\qFUiMDf.exe
  2⤵
  - Executes dropped EXE
  PID:3472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CNkTcZP.exe

Filesize
5.9MB

MD5
429e60d59f1daf7e92fbe29ea0b2ac1b

SHA1
ef68f626df9e8c447d08d03faa254e752f066ba2

SHA256
c3042036ece14c214f11ab3e879ec0cc75a581fb5cf3794b6d506183f9323c0c

SHA512
7db801d67ff55275c4bce7960df73a44b7ab6e14059ecc7ea7bbbc3a95b31d1cb7d1d77005cce65e5bc2777dd91f18730a4a250ae6cdd42ea9225b5c19bc3fb7

Download Submit
C:\Windows\System\CnlPCjd.exe

Filesize
5.9MB

MD5
58afadd14c8f61816fc653dfe3a41742

SHA1
77f1bbada6d1211bfe621c9802a998df8d8bdc81

SHA256
2b042521036c6a065e2114ae216c377fc421726c88c5715d097aa677ef4e1b8a

SHA512
d65ab5be7c92767b882f914122dc4bb63bc032472dd5d2d392b15614af3a3319000548a3dfac5a00fec9f43e4ed8e44d244e1d58971c90b0bcfed83d84d58bf5

Download Submit
C:\Windows\System\FrOpbJO.exe

Filesize
5.9MB

MD5
1f9bccf845300afe8d1ed4ce71c6cfe5

SHA1
55c8500bbf47a1b7e53149716e79fb9d641307aa

SHA256
896b1fd724caabe840d80d70d8eb409738139b4825690f813c03258ab43b4d99

SHA512
9d65ea400c9d9bd22d5260941cfdef20ad67bab145bc99c902c258cc32edf490c23462e189eee68d10dc99f26a100c094652ab54917dc44aa9b3cada79c471bb

Download Submit
C:\Windows\System\HYtxXbQ.exe

Filesize
5.9MB

MD5
8fa85ac2ba381ec6647b4c88c5318373

SHA1
c5d5a6dd828fb457ff39c08f200935e47e108415

SHA256
224d48b1cea8bec361da4571e6559fcc9f193db19730ba822220caa05b7b8cd8

SHA512
24a76b27e1cef7016c2b86c04c0999c34bacb90f4e3b121d8989a506927dfb941bc045bf4a1966e9d88987a55eba752bfe9565d8716553de42740a14b0103899

Download Submit
C:\Windows\System\IMqEcOL.exe

Filesize
5.9MB

MD5
9e84f66965fd6ae9b3b487f88f4ee8b3

SHA1
3c30c012c412e4c461fd96f0c28292c971914628

SHA256
129ee6c5892d0933503604a472477e8493d218e0f59b953e860362cb16fb856e

SHA512
f08ccb1580c080e752a4b7e3eb3a63844f4bbcb1ec86fc1d64f0128d234efc6da2a8bb38de5ec80d40ef25e8fdde161233728e43448d2a93b55062de99e471f7

Download Submit
C:\Windows\System\MKlmzZL.exe

Filesize
5.9MB

MD5
e4433daebbb1433038d4a458615bd7b6

SHA1
c1eef5a28e8b8a00a6353920b1b137816a6e04b5

SHA256
1058185b30b2cac998ce9f7e26331dbc214bc3e622a9a6e3299ccdb6e4d8c172

SHA512
9645fc9f4068333f864d54d9808b294ff2175c76e7c318aa031f88cd35b97344f72b9aa9283d8b634fe4e4d9fc5823040f915b0b366f58d66a43fb32eaaf84f5

Download Submit
C:\Windows\System\PWCYBJn.exe

Filesize
5.9MB

MD5
17276145414e81e93540e5cf6af59bfc

SHA1
f4aeec03b42084f136e5813c8f10351ac5f4a715

SHA256
f6f962b32479af75211008495923c80f72650ce85c94e0c94d1e7b857b0a4197

SHA512
c12ee835ee540a2190c2e9c28a06d11036009871a4d3a1dfc8e89c20034c563abf8faa1e107f6099d23db5ec0329bd8b46e32aed88ada09b4fd621295a18b55d

Download Submit
C:\Windows\System\TppEBCc.exe

Filesize
5.9MB

MD5
604b5ffae85d253866d72bd0ec8e525f

SHA1
1454db24504f04f2690b94fb4dab279931591a3c

SHA256
0aab11b91d989796b85a59c5900a78b790adc8cbf3cfebd4202b29b558307933

SHA512
bcb742e588d49c2a2eec6845b6d07d34e8bb1b1c6b9c95b31606cb326bc4a3ce80ed5a28a75b2ce7fde55c0936f101a3f55a8ce549f83c0879c6419d8217fb0a

Download Submit
C:\Windows\System\UefWiUX.exe

Filesize
5.9MB

MD5
043ac2ed4cc3d66a88fa8014c8656fe0

SHA1
b65de4c9cc4a4ad1b8862b23e0ac6d2b4487b20c

SHA256
c5c319ae3d0be4404e01ef85d84092225bdc1afbfa03df54e8bc84c68f61c6eb

SHA512
ef5ee5fc72ea35fd2cb1f8d8ac5857c6a4a53d011686d0a7b88992482f2f54c34ab2b2fbcdbd03b8fa99fbf70e07cdb1ca42d11af718be9a660dc0caa7ba6783

Download Submit
C:\Windows\System\XCZPCqN.exe

Filesize
5.9MB

MD5
e4479a2a37824ba97eb0a77969344d86

SHA1
1981b518a401142d14d8ff29cc629a3c720c694a

SHA256
04e706ff8eec193e865468734db507d962c4a412cfbd3dc3fa77f0d655b55092

SHA512
fd2297fa8ea3b87746fe916e201799bce5714d4224a73646db666b79efb04c757e90b6661d3ef881ce49d3f44c85e596b990f3fe873033a661afe56e671d23b6

Download Submit
C:\Windows\System\aecfLJv.exe

Filesize
5.9MB

MD5
2a6ee1ab419f5b8eb0077f58fc1699c2

SHA1
484a62446129f41e582e544267ce11893d5146a8

SHA256
1d7a80c9f01517cd79b182e767a65a1c4252e8abf3fc4c22a172079045c22905

SHA512
8a8f37375faf5337387d155044b079a5fbf164d837730d592322fd303082d8313ae35684ba5eec75ce0479f07a41c9ee6a6f50e6ba050d397848ad4698de3205

Download Submit
C:\Windows\System\dZqryPN.exe

Filesize
5.9MB

MD5
4d71e4034412f7515fdf19f6dcd9cbf0

SHA1
223bedced92191f1e6e4f6e62c86c9f4b1750738

SHA256
2cfa75454314e5be64250c36a911ec55993bceb36b414fe5f818c5955fb0bb61

SHA512
1892461c677cd2c2630f1a14e7aa6150bf570aedb2d7f54789c014cc9f9d4ead846902726e82790b3fcd43ca7b38aedb9e846c52cd8a37a75507f2879765d9ff

Download Submit
C:\Windows\System\deidxrF.exe

Filesize
5.9MB

MD5
1c9644f16506f4681d439473b16be746

SHA1
4291f20fec239570a4a1e130851e51ffb8ba454a

SHA256
0912aec9d0b2bda94f10818ab878c694ad1c73228fb2e7eba39ad559cbacb54f

SHA512
db5e65965421c87b517d3e1ee2e1f43b575f8c16351c93ccabb00e7e6ac7298314674c2a45eb7e26b1cd878204dd07f70fa31c245e89c0b94d41d77db0c33139

Download Submit
C:\Windows\System\fWfwgjd.exe

Filesize
5.9MB

MD5
390817f9f048d71eb436e1f9887347b0

SHA1
45f600342958589c829d7193b1f69bf41b13d1f0

SHA256
2a88bdf9236b65c4c5ecc8bb051332a3364274e88bd537a2c7da3412272f2556

SHA512
3519ef20ef41591b111d6717768fdbe92fc1549ffff11a62d098a51403f0f6fa49d341983affb626a8386d849f127ac3f7df4dd79aa2f0c3fb8feb91cf953a94

Download Submit
C:\Windows\System\hzNASGa.exe

Filesize
5.9MB

MD5
dbb6ac0d645938614b4c2cc82b207671

SHA1
215feb972c0aed2cd0b233b349dbcdceb76d8e52

SHA256
63907ab517a50e45961a24c13030a9340d3c9d9c25595a5a8b35b7c786a91c30

SHA512
c4ead9cad5fc32d87b573d14846e2b2f40a4256202df7ec720c5d4af490bd67e3bff711437e79d18f8ee9d25fcb52e2f4ac24d3566a1fefb52a9acb424af3bef

Download Submit
C:\Windows\System\kdXpPnw.exe

Filesize
5.9MB

MD5
53455229055e495e28154bf88ae1211a

SHA1
006faeeec37fa5abaa57ca5a502061597ebec079

SHA256
6599ed84099fbef51dfe19283d6bf325a12cb8d4b0205ddae3e8328178b4e4db

SHA512
f5e2760b6893e64198022f4fdac2d8baf2a151bba206773dcab742f985992056fb083d73121b853b212683c733d696b693e65609a450e1367c80038df7dc493b

Download Submit
C:\Windows\System\qFUiMDf.exe

Filesize
5.9MB

MD5
557ff2ac8dd1669d6e7969470b1a6f63

SHA1
fe49ffe2e7532d8932b33fb0b2d8cb7fd39db91a

SHA256
3f42b27b452de6bc0b427c6221231729a08171c6f25b4fdc5fb0aba41001e9a8

SHA512
7902b7ace479f70747e8e50967ae52dab3e2bf6396a1f73ae70f87f3748619923101741e2c90af617328cefd6c6b75cb02b08798a7b0ab881e0c3cb74566bd0f

Download Submit
C:\Windows\System\qTjsapv.exe

Filesize
5.9MB

MD5
2e252c837678d8019f755a290f28062c

SHA1
1e82d85382b09a192dcb610fc12c96920d2207b7

SHA256
357378e36394f7b34a0077768e48c30b276dc9733993c3f62a0e76ffa6542fec

SHA512
549e1e0b3edd0732c5d3c8857040a8169bf0e56469598309ba624db95ea62ad13f5bdd199c8437b2a3186945c401d70729c18019ad19d0b15a8483c2167e30a2

Download Submit
C:\Windows\System\sheeBpi.exe

Filesize
5.9MB

MD5
cec010c0e7b4f3ba3d2b2f03b58c27f5

SHA1
93522bdd8edc8eb4522d9f7d6a287d677804cadd

SHA256
34320018febcf2f724072f185cfcdcd2a42560d7d045f118d5d03d32cc814789

SHA512
36a9f8bfeb6c9619f763d4fec5b2ee074010599bdc78843cf4c29b65b5c48483340d3918a2501403399fb84dee92fc75c35bd194aaa00de2129dd9f90d543759

Download Submit
C:\Windows\System\yGovsMg.exe

Filesize
5.9MB

MD5
dd946da32a0c0b1fca2423232a7c74f4

SHA1
aeaed93b0aa4c6535e2e4fd7b16d4ae37a943b5c

SHA256
a36233889e62052e9bde7442a473f530970667f17047e17c8f510aa39516950f

SHA512
15d57b08df4a5a0ba83d020f7ab81b2f2b56fb09c5ad9afd32a629a050367c573fac1e011ab7516e0ab4d57b889f73cd1375dc1e4aa0ae8531853a6554407a58

Download Submit
C:\Windows\System\yvLlOZR.exe

Filesize
5.9MB

MD5
b2bedd1ee47fecca3262c49cd069abdd

SHA1
017953a55458e91879c758df0f84b2d186fd95ba

SHA256
994beb1c2d8993412b86549aa7b018976921a2c614dc952116f66fa3283dec05

SHA512
d2d40c0c1a8b4ab51456966e95b5aa4b19391ab00aae19bbf4b0226f2d87ec76ba6770fe9a4064e702997590a6b8767746e53a9a122147aa7ae5c2f8ec79215f

Download Submit
memory/800-140-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp

Filesize
3.3MB

Download
memory/800-8-0x00007FF6FB8D0000-0x00007FF6FBC24000-memory.dmp

Filesize
3.3MB

Download
memory/1220-143-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-131-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp

Filesize
3.3MB

Download
memory/1220-32-0x00007FF62BF60000-0x00007FF62C2B4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-129-0x00007FF666F60000-0x00007FF6672B4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-159-0x00007FF666F60000-0x00007FF6672B4000-memory.dmp

Filesize
3.3MB

Download
memory/1852-134-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp

Filesize
3.3MB

Download
memory/1852-145-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp

Filesize
3.3MB

Download
memory/1852-39-0x00007FF72ABC0000-0x00007FF72AF14000-memory.dmp

Filesize
3.3MB

Download
memory/2044-76-0x00007FF7B9100000-0x00007FF7B9454000-memory.dmp

Filesize
3.3MB

Download
memory/2044-149-0x00007FF7B9100000-0x00007FF7B9454000-memory.dmp

Filesize
3.3MB

Download
memory/2724-158-0x00007FF667160000-0x00007FF6674B4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-139-0x00007FF667160000-0x00007FF6674B4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-115-0x00007FF667160000-0x00007FF6674B4000-memory.dmp

Filesize
3.3MB

Download
memory/3136-0-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp

Filesize
3.3MB

Download
memory/3136-92-0x00007FF6D2DB0000-0x00007FF6D3104000-memory.dmp

Filesize
3.3MB

Download
memory/3136-1-0x000002074D650000-0x000002074D660000-memory.dmp

Filesize
64KB

Download
memory/3156-144-0x00007FF69C140000-0x00007FF69C494000-memory.dmp

Filesize
3.3MB

Download
memory/3156-35-0x00007FF69C140000-0x00007FF69C494000-memory.dmp

Filesize
3.3MB

Download
memory/3156-132-0x00007FF69C140000-0x00007FF69C494000-memory.dmp

Filesize
3.3MB

Download
memory/3188-150-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3188-137-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3188-70-0x00007FF6568A0000-0x00007FF656BF4000-memory.dmp

Filesize
3.3MB

Download
memory/3468-111-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp

Filesize
3.3MB

Download
memory/3468-156-0x00007FF7B9E50000-0x00007FF7BA1A4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-130-0x00007FF649DD0000-0x00007FF64A124000-memory.dmp

Filesize
3.3MB

Download
memory/3472-160-0x00007FF649DD0000-0x00007FF64A124000-memory.dmp

Filesize
3.3MB

Download
memory/3684-151-0x00007FF702C10000-0x00007FF702F64000-memory.dmp

Filesize
3.3MB

Download
memory/3684-77-0x00007FF702C10000-0x00007FF702F64000-memory.dmp

Filesize
3.3MB

Download
memory/3684-138-0x00007FF702C10000-0x00007FF702F64000-memory.dmp

Filesize
3.3MB

Download
memory/3880-155-0x00007FF6F74C0000-0x00007FF6F7814000-memory.dmp

Filesize
3.3MB

Download
memory/3880-114-0x00007FF6F74C0000-0x00007FF6F7814000-memory.dmp

Filesize
3.3MB

Download
memory/4192-113-0x00007FF621F30000-0x00007FF622284000-memory.dmp

Filesize
3.3MB

Download
memory/4192-157-0x00007FF621F30000-0x00007FF622284000-memory.dmp

Filesize
3.3MB

Download
memory/4452-154-0x00007FF7DDA10000-0x00007FF7DDD64000-memory.dmp

Filesize
3.3MB

Download
memory/4452-109-0x00007FF7DDA10000-0x00007FF7DDD64000-memory.dmp

Filesize
3.3MB

Download
memory/4532-153-0x00007FF7D3240000-0x00007FF7D3594000-memory.dmp

Filesize
3.3MB

Download
memory/4532-86-0x00007FF7D3240000-0x00007FF7D3594000-memory.dmp

Filesize
3.3MB

Download
memory/4600-136-0x00007FF67B040000-0x00007FF67B394000-memory.dmp

Filesize
3.3MB

Download
memory/4600-67-0x00007FF67B040000-0x00007FF67B394000-memory.dmp

Filesize
3.3MB

Download
memory/4600-146-0x00007FF67B040000-0x00007FF67B394000-memory.dmp

Filesize
3.3MB

Download
memory/4852-152-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp

Filesize
3.3MB

Download
memory/4852-44-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp

Filesize
3.3MB

Download
memory/4852-133-0x00007FF6A68F0000-0x00007FF6A6C44000-memory.dmp

Filesize
3.3MB

Download
memory/5084-71-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp

Filesize
3.3MB

Download
memory/5084-148-0x00007FF7C61D0000-0x00007FF7C6524000-memory.dmp

Filesize
3.3MB

Download
memory/5244-141-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp

Filesize
3.3MB

Download
memory/5244-127-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp

Filesize
3.3MB

Download
memory/5244-14-0x00007FF62FEC0000-0x00007FF630214000-memory.dmp

Filesize
3.3MB

Download
memory/5276-128-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp

Filesize
3.3MB

Download
memory/5276-142-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp

Filesize
3.3MB

Download
memory/5276-25-0x00007FF7F2640000-0x00007FF7F2994000-memory.dmp

Filesize
3.3MB

Download
memory/6088-135-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp

Filesize
3.3MB

Download
memory/6088-53-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp

Filesize
3.3MB

Download
memory/6088-147-0x00007FF66A880000-0x00007FF66ABD4000-memory.dmp

Filesize
3.3MB

Download