cobaltstrike | 0c5543b8a8fd22c8005e5982a4fa3fcf2fc7d20b39ed5969519237aa2f1c86cd

Analysis

max time kernel
137s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

de3e57b7602d1c9aaf1271535a75d97c
SHA1

b527ac3ec27d91044aa6d760d274a1cad27d2a4d
SHA256

0c5543b8a8fd22c8005e5982a4fa3fcf2fc7d20b39ed5969519237aa2f1c86cd
SHA512

c613fb8959983e97e96ad15350b8999436e57eb2ab0aacc06523d2eae1d1160f172dfe132ba7c20bb2121df3273a66318fe4d1955d007e7e6b7ced0cfa9a7058
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 17 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000600000002327c-6.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-18.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341f-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023424-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023427-113.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023429-119.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023428-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023426-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023425-100.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023414-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023422-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023421-71.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341d-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341b-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002341a-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-12.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 17 IoCs

resource	yara_rule
behavioral2/files/0x000600000002327c-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341f-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023424-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023427-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023429-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023428-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023426-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023425-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023414-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023422-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023421-71.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341d-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341b-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002341a-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1792-0-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	UPX
behavioral2/files/0x000600000002327c-6.dat	UPX
behavioral2/files/0x0007000000023418-11.dat	UPX
behavioral2/files/0x0007000000023418-18.dat	UPX
behavioral2/memory/4848-24-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	UPX
behavioral2/memory/2944-32-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp	UPX
behavioral2/memory/4412-38-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp	UPX
behavioral2/files/0x000700000002341d-50.dat	UPX
behavioral2/files/0x000700000002341e-57.dat	UPX
behavioral2/files/0x000700000002341f-66.dat	UPX
behavioral2/memory/3312-69-0x00007FF6DD370000-0x00007FF6DD6C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023423-88.dat	UPX
behavioral2/files/0x0007000000023424-94.dat	UPX
behavioral2/memory/1656-97-0x00007FF6FDDA0000-0x00007FF6FE0F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023427-113.dat	UPX
behavioral2/files/0x0007000000023429-119.dat	UPX
behavioral2/files/0x0007000000023428-117.dat	UPX
behavioral2/files/0x0007000000023428-112.dat	UPX
behavioral2/files/0x0007000000023427-109.dat	UPX
behavioral2/files/0x0007000000023426-107.dat	UPX
behavioral2/files/0x0007000000023426-104.dat	UPX
behavioral2/files/0x0007000000023425-100.dat	UPX
behavioral2/files/0x0008000000023414-84.dat	UPX
behavioral2/files/0x0008000000023414-83.dat	UPX
behavioral2/files/0x0007000000023422-79.dat	UPX
behavioral2/files/0x0007000000023422-78.dat	UPX
behavioral2/files/0x0007000000023421-74.dat	UPX
behavioral2/memory/5040-72-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023421-71.dat	UPX
behavioral2/memory/2060-68-0x00007FF629830000-0x00007FF629B84000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-63.dat	UPX
behavioral2/memory/1792-62-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-61.dat	UPX
behavioral2/memory/1208-121-0x00007FF678BD0000-0x00007FF678F24000-memory.dmp	UPX
behavioral2/memory/4440-123-0x00007FF78CE20000-0x00007FF78D174000-memory.dmp	UPX
behavioral2/memory/4500-124-0x00007FF667C10000-0x00007FF667F64000-memory.dmp	UPX
behavioral2/memory/3044-122-0x00007FF7425E0000-0x00007FF742934000-memory.dmp	UPX
behavioral2/memory/4052-126-0x00007FF730220000-0x00007FF730574000-memory.dmp	UPX
behavioral2/memory/2588-128-0x00007FF643BD0000-0x00007FF643F24000-memory.dmp	UPX
behavioral2/memory/2212-129-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp	UPX
behavioral2/memory/4616-56-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	UPX
behavioral2/memory/4688-55-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-52.dat	UPX
behavioral2/files/0x000700000002341d-45.dat	UPX
behavioral2/memory/824-42-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	UPX
behavioral2/files/0x000700000002341b-35.dat	UPX
behavioral2/files/0x000700000002341a-29.dat	UPX
behavioral2/memory/4124-28-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	UPX
behavioral2/files/0x0007000000023419-23.dat	UPX
behavioral2/files/0x0007000000023419-22.dat	UPX
behavioral2/memory/1492-16-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	UPX
behavioral2/files/0x0007000000023417-12.dat	UPX
behavioral2/memory/3288-8-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	UPX
behavioral2/memory/4688-131-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	UPX
behavioral2/memory/824-130-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	UPX
behavioral2/memory/4616-132-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	UPX
behavioral2/memory/2060-133-0x00007FF629830000-0x00007FF629B84000-memory.dmp	UPX
behavioral2/memory/5040-134-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	UPX
behavioral2/memory/3288-135-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	UPX
behavioral2/memory/1492-136-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	UPX
behavioral2/memory/4848-137-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	UPX
behavioral2/memory/4124-138-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	UPX
behavioral2/memory/2944-139-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp	UPX
behavioral2/memory/4412-140-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1792-0-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	xmrig
behavioral2/files/0x000600000002327c-6.dat	xmrig
behavioral2/files/0x0007000000023418-11.dat	xmrig
behavioral2/files/0x0007000000023418-18.dat	xmrig
behavioral2/memory/4848-24-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	xmrig
behavioral2/memory/2944-32-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp	xmrig
behavioral2/memory/4412-38-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp	xmrig
behavioral2/files/0x000700000002341d-50.dat	xmrig
behavioral2/files/0x000700000002341e-57.dat	xmrig
behavioral2/files/0x000700000002341f-66.dat	xmrig
behavioral2/memory/3312-69-0x00007FF6DD370000-0x00007FF6DD6C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023423-88.dat	xmrig
behavioral2/files/0x0007000000023424-94.dat	xmrig
behavioral2/memory/1656-97-0x00007FF6FDDA0000-0x00007FF6FE0F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-113.dat	xmrig
behavioral2/files/0x0007000000023429-119.dat	xmrig
behavioral2/files/0x0007000000023428-117.dat	xmrig
behavioral2/files/0x0007000000023428-112.dat	xmrig
behavioral2/files/0x0007000000023427-109.dat	xmrig
behavioral2/files/0x0007000000023426-107.dat	xmrig
behavioral2/files/0x0007000000023426-104.dat	xmrig
behavioral2/files/0x0007000000023425-100.dat	xmrig
behavioral2/files/0x0008000000023414-84.dat	xmrig
behavioral2/files/0x0008000000023414-83.dat	xmrig
behavioral2/files/0x0007000000023422-79.dat	xmrig
behavioral2/files/0x0007000000023422-78.dat	xmrig
behavioral2/files/0x0007000000023421-74.dat	xmrig
behavioral2/memory/5040-72-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023421-71.dat	xmrig
behavioral2/memory/2060-68-0x00007FF629830000-0x00007FF629B84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-63.dat	xmrig
behavioral2/memory/1792-62-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-61.dat	xmrig
behavioral2/memory/1208-121-0x00007FF678BD0000-0x00007FF678F24000-memory.dmp	xmrig
behavioral2/memory/4440-123-0x00007FF78CE20000-0x00007FF78D174000-memory.dmp	xmrig
behavioral2/memory/4500-124-0x00007FF667C10000-0x00007FF667F64000-memory.dmp	xmrig
behavioral2/memory/2380-125-0x00007FF7B05F0000-0x00007FF7B0944000-memory.dmp	xmrig
behavioral2/memory/3044-122-0x00007FF7425E0000-0x00007FF742934000-memory.dmp	xmrig
behavioral2/memory/4052-126-0x00007FF730220000-0x00007FF730574000-memory.dmp	xmrig
behavioral2/memory/2588-128-0x00007FF643BD0000-0x00007FF643F24000-memory.dmp	xmrig
behavioral2/memory/2212-129-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp	xmrig
behavioral2/memory/4124-127-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	xmrig
behavioral2/memory/4616-56-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	xmrig
behavioral2/memory/4688-55-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-52.dat	xmrig
behavioral2/files/0x000700000002341d-45.dat	xmrig
behavioral2/memory/824-42-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	xmrig
behavioral2/files/0x000700000002341b-35.dat	xmrig
behavioral2/files/0x000700000002341a-29.dat	xmrig
behavioral2/memory/4124-28-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-23.dat	xmrig
behavioral2/files/0x0007000000023419-22.dat	xmrig
behavioral2/memory/1492-16-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023417-12.dat	xmrig
behavioral2/memory/3288-8-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	xmrig
behavioral2/memory/4688-131-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	xmrig
behavioral2/memory/824-130-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	xmrig
behavioral2/memory/4616-132-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	xmrig
behavioral2/memory/2060-133-0x00007FF629830000-0x00007FF629B84000-memory.dmp	xmrig
behavioral2/memory/5040-134-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	xmrig
behavioral2/memory/3288-135-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	xmrig
behavioral2/memory/1492-136-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	xmrig
behavioral2/memory/4848-137-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	xmrig
behavioral2/memory/4124-138-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3288	QLydkXb.exe
1492	zKLhgNZ.exe
4848	fHpVnDv.exe
4124	hTuYLvT.exe
2944	sprneBt.exe
4412	jePVjSK.exe
824	rpEhzSE.exe
4688	TUnXKhw.exe
4616	eOXxtWU.exe
2060	OKsxjks.exe
3312	SzRvxXn.exe
5040	zNtVDQK.exe
1656	ubaGzQP.exe
1208	FIjZRsB.exe
3044	wIcdPRa.exe
2588	RtGrbts.exe
2212	JPExCGl.exe
4440	QuSeYmo.exe
4500	pSkuJql.exe
2380	gUWRwGv.exe
4052	JifCCQW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1792-0-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	upx
behavioral2/files/0x000600000002327c-6.dat	upx
behavioral2/files/0x0007000000023418-11.dat	upx
behavioral2/files/0x0007000000023418-18.dat	upx
behavioral2/memory/4848-24-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	upx
behavioral2/memory/2944-32-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp	upx
behavioral2/memory/4412-38-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp	upx
behavioral2/files/0x000700000002341d-50.dat	upx
behavioral2/files/0x000700000002341e-57.dat	upx
behavioral2/files/0x000700000002341f-66.dat	upx
behavioral2/memory/3312-69-0x00007FF6DD370000-0x00007FF6DD6C4000-memory.dmp	upx
behavioral2/files/0x0007000000023423-88.dat	upx
behavioral2/files/0x0007000000023424-94.dat	upx
behavioral2/memory/1656-97-0x00007FF6FDDA0000-0x00007FF6FE0F4000-memory.dmp	upx
behavioral2/files/0x0007000000023427-113.dat	upx
behavioral2/files/0x0007000000023429-119.dat	upx
behavioral2/files/0x0007000000023428-117.dat	upx
behavioral2/files/0x0007000000023428-112.dat	upx
behavioral2/files/0x0007000000023427-109.dat	upx
behavioral2/files/0x0007000000023426-107.dat	upx
behavioral2/files/0x0007000000023426-104.dat	upx
behavioral2/files/0x0007000000023425-100.dat	upx
behavioral2/files/0x0008000000023414-84.dat	upx
behavioral2/files/0x0008000000023414-83.dat	upx
behavioral2/files/0x0007000000023422-79.dat	upx
behavioral2/files/0x0007000000023422-78.dat	upx
behavioral2/files/0x0007000000023421-74.dat	upx
behavioral2/memory/5040-72-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	upx
behavioral2/files/0x0007000000023421-71.dat	upx
behavioral2/memory/2060-68-0x00007FF629830000-0x00007FF629B84000-memory.dmp	upx
behavioral2/files/0x0007000000023420-63.dat	upx
behavioral2/memory/1792-62-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp	upx
behavioral2/files/0x0007000000023420-61.dat	upx
behavioral2/memory/1208-121-0x00007FF678BD0000-0x00007FF678F24000-memory.dmp	upx
behavioral2/memory/4440-123-0x00007FF78CE20000-0x00007FF78D174000-memory.dmp	upx
behavioral2/memory/4500-124-0x00007FF667C10000-0x00007FF667F64000-memory.dmp	upx
behavioral2/memory/2380-125-0x00007FF7B05F0000-0x00007FF7B0944000-memory.dmp	upx
behavioral2/memory/3044-122-0x00007FF7425E0000-0x00007FF742934000-memory.dmp	upx
behavioral2/memory/4052-126-0x00007FF730220000-0x00007FF730574000-memory.dmp	upx
behavioral2/memory/2588-128-0x00007FF643BD0000-0x00007FF643F24000-memory.dmp	upx
behavioral2/memory/2212-129-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp	upx
behavioral2/memory/4124-127-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	upx
behavioral2/memory/4616-56-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	upx
behavioral2/memory/4688-55-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	upx
behavioral2/files/0x000700000002341e-52.dat	upx
behavioral2/files/0x000700000002341d-45.dat	upx
behavioral2/memory/824-42-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	upx
behavioral2/files/0x000700000002341b-35.dat	upx
behavioral2/files/0x000700000002341a-29.dat	upx
behavioral2/memory/4124-28-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	upx
behavioral2/files/0x0007000000023419-23.dat	upx
behavioral2/files/0x0007000000023419-22.dat	upx
behavioral2/memory/1492-16-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	upx
behavioral2/files/0x0007000000023417-12.dat	upx
behavioral2/memory/3288-8-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	upx
behavioral2/memory/4688-131-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp	upx
behavioral2/memory/824-130-0x00007FF674A20000-0x00007FF674D74000-memory.dmp	upx
behavioral2/memory/4616-132-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp	upx
behavioral2/memory/2060-133-0x00007FF629830000-0x00007FF629B84000-memory.dmp	upx
behavioral2/memory/5040-134-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp	upx
behavioral2/memory/3288-135-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp	upx
behavioral2/memory/1492-136-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp	upx
behavioral2/memory/4848-137-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp	upx
behavioral2/memory/4124-138-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\fHpVnDv.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hTuYLvT.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FIjZRsB.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gUWRwGv.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pSkuJql.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sprneBt.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zNtVDQK.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RtGrbts.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JPExCGl.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OKsxjks.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ubaGzQP.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKLhgNZ.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jePVjSK.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rpEhzSE.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TUnXKhw.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuSeYmo.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JifCCQW.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QLydkXb.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eOXxtWU.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SzRvxXn.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wIcdPRa.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 3288	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	85
PID 1792 wrote to memory of 3288	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	85
PID 1792 wrote to memory of 1492	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	86
PID 1792 wrote to memory of 1492	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	86
PID 1792 wrote to memory of 4848	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	88
PID 1792 wrote to memory of 4848	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	88
PID 1792 wrote to memory of 4124	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	89
PID 1792 wrote to memory of 4124	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	89
PID 1792 wrote to memory of 2944	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	90
PID 1792 wrote to memory of 2944	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	90
PID 1792 wrote to memory of 4412	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	91
PID 1792 wrote to memory of 4412	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	91
PID 1792 wrote to memory of 824	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	92
PID 1792 wrote to memory of 824	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	92
PID 1792 wrote to memory of 4688	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	93
PID 1792 wrote to memory of 4688	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	93
PID 1792 wrote to memory of 4616	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	94
PID 1792 wrote to memory of 4616	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	94
PID 1792 wrote to memory of 2060	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	95
PID 1792 wrote to memory of 2060	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	95
PID 1792 wrote to memory of 3312	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	96
PID 1792 wrote to memory of 3312	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	96
PID 1792 wrote to memory of 5040	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	97
PID 1792 wrote to memory of 5040	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	97
PID 1792 wrote to memory of 1656	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	98
PID 1792 wrote to memory of 1656	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	98
PID 1792 wrote to memory of 1208	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	99
PID 1792 wrote to memory of 1208	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	99
PID 1792 wrote to memory of 3044	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	100
PID 1792 wrote to memory of 3044	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	100
PID 1792 wrote to memory of 2588	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	101
PID 1792 wrote to memory of 2588	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	101
PID 1792 wrote to memory of 2212	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	102
PID 1792 wrote to memory of 2212	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	102
PID 1792 wrote to memory of 4440	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	103
PID 1792 wrote to memory of 4440	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	103
PID 1792 wrote to memory of 4500	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	104
PID 1792 wrote to memory of 4500	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	104
PID 1792 wrote to memory of 2380	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	105
PID 1792 wrote to memory of 2380	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	105
PID 1792 wrote to memory of 4052	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	106
PID 1792 wrote to memory of 4052	1792	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\System\QLydkXb.exe
  C:\Windows\System\QLydkXb.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\zKLhgNZ.exe
  C:\Windows\System\zKLhgNZ.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\fHpVnDv.exe
  C:\Windows\System\fHpVnDv.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\hTuYLvT.exe
  C:\Windows\System\hTuYLvT.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\sprneBt.exe
  C:\Windows\System\sprneBt.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\jePVjSK.exe
  C:\Windows\System\jePVjSK.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\rpEhzSE.exe
  C:\Windows\System\rpEhzSE.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\TUnXKhw.exe
  C:\Windows\System\TUnXKhw.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\eOXxtWU.exe
  C:\Windows\System\eOXxtWU.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\OKsxjks.exe
  C:\Windows\System\OKsxjks.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\SzRvxXn.exe
  C:\Windows\System\SzRvxXn.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\zNtVDQK.exe
  C:\Windows\System\zNtVDQK.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\ubaGzQP.exe
  C:\Windows\System\ubaGzQP.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\FIjZRsB.exe
  C:\Windows\System\FIjZRsB.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\wIcdPRa.exe
  C:\Windows\System\wIcdPRa.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\RtGrbts.exe
  C:\Windows\System\RtGrbts.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\JPExCGl.exe
  C:\Windows\System\JPExCGl.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\QuSeYmo.exe
  C:\Windows\System\QuSeYmo.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\pSkuJql.exe
  C:\Windows\System\pSkuJql.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\gUWRwGv.exe
  C:\Windows\System\gUWRwGv.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\JifCCQW.exe
  C:\Windows\System\JifCCQW.exe
  2⤵
  - Executes dropped EXE
  PID:4052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FIjZRsB.exe

Filesize
5.9MB

MD5
e182eb298e12b6641907312579759e75

SHA1
8085837d1fcf1e18edf6feb30e9f41bb3cdbec5c

SHA256
f348b3d702bb7b0684ad0b17da543a3c9372223ad6a34c3f0a7f5f75314ecdc9

SHA512
f91942efdd7dfe4b16853ef563f2070fe2086f82436653699e089a06122ef8f512007c783ebfc770ae0d285cd8f68bad03904d6e64724a89f29bbfd18359ae7f

Download Submit
C:\Windows\System\FIjZRsB.exe

Filesize
1.7MB

MD5
170dd624fc04fc3839f9c4b66a089ce7

SHA1
689050489367e9d7989856de58d7dae4b3e867bb

SHA256
2882c9c886d8464419d873a9064b43411cb65ebce3e3928914a03cf014d51b3b

SHA512
6c2577b1133dc0e707ddd0582933138a814bc91876e45b902c1ce646d61afa9efa2788e7db3f897838eebb25c1faa4d564ec0bef69844aab72cc22ec6531ab9a

Download Submit
C:\Windows\System\JPExCGl.exe

Filesize
5.9MB

MD5
94496b5b8e32eef8cb9ec96d9770a7eb

SHA1
d9dfe144c1372a8f640675a348949bb41d2afe29

SHA256
909b732cf0d686619276c275562a82aa6205b288e56edea6f260c872dc00387d

SHA512
6e5b00831fd65d5f5b1ea8b7089dc9a24d16dc1b2e8d9ba27fe43b780cc059e3a9977a2934156fc7e0f2fa8a1006a26fe7c30b01829a68b1460baaa0d40970ae

Download Submit
C:\Windows\System\JifCCQW.exe

Filesize
5.9MB

MD5
098ac1bf8f19fd1a43d2583f8c741ddb

SHA1
4205eb61933b4b67bcaba14201ef0cfd4fe7ec6c

SHA256
8c85231696c6d27ec1d70f72454db73513249f58116ba0ef9232fa238f7a839a

SHA512
fa3c9dd81df4f11241bbebf8de102e68701116362219ffcbed3475186518b713b17a1f8555e6ff4c146fe68fa4fa547231c3e672d5a685846eb9a93bed91c4c0

Download Submit
C:\Windows\System\OKsxjks.exe

Filesize
5.9MB

MD5
2baaea728b86e59203a47e06990008e4

SHA1
446d594f6aa57741f9600df18b8731ffb01a2ccf

SHA256
20e8ecd986e24c65e63714ca69bd8a0339f666436a1a9a366925ae9fa3a5a77e

SHA512
078f2b43984330d7db12f20a7aef389943070f50ef05053ac803533e6e78d59786bab2cccf266ed9841e0e2f27c7685addffb0bba60f4dbe37c7d695cf1332ff

Download Submit
C:\Windows\System\QLydkXb.exe

Filesize
5.9MB

MD5
69a5476022ef782fcea414f02badc234

SHA1
fb28e0b6df58413bfb9e75f8a7ae05f027e01923

SHA256
7c9253cfb7f9d6481da56c9d9184f282f240f69bc5981fae6901542e94f3b0b5

SHA512
3790e558f8fa6c8c641bff956c50f4c8f25ba31ec5dc01e89b7206cf32cf98f8296fe7f86e98f145e9d54c424b29c65b250391b8539ab2afc454d5238bf90436

Download Submit
C:\Windows\System\QuSeYmo.exe

Filesize
5.9MB

MD5
f6cdfb3d88537b367792cbd894bd98ed

SHA1
3d3f99c94c72c456dffcf949bc5d30603a7e936c

SHA256
05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

SHA512
0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

Download Submit
C:\Windows\System\QuSeYmo.exe

Filesize
5.9MB

MD5
68609939ab5fcb6ce40f1302ec465927

SHA1
ed9867dc232b4bff372b4d0150ab11ddc7da2e0a

SHA256
c660a4039f70356a8011d9aefcdf984d0cc1cc3dd2f057c0631963376df07966

SHA512
2e2203ee0e5e49299d1521acb6a764204830d2e218eec2a21c0f26bac1c7220ae5d8d2d8e6c129a3376c71ea83d822d3d166769db8b8e9dea501fce49983d79a

Download Submit
C:\Windows\System\RtGrbts.exe

Filesize
5.9MB

MD5
8ab1db96a2526e47862c9db3485e7c9c

SHA1
ae19a06081f3f06f18999f57e43686f2f8629ab6

SHA256
1116286698facd0bffd3264419b3b492861138b311c0ee4a3006e53b6b37ccb9

SHA512
729e42f79554e3502a8e30f62542c4b4b0fc4321739edb2cb04b6f0c2d1e18e5db38f0d718063784bcbf4eb7b81547957c0f6a0916d8e8dfe21fc01285f9b8c1

Download Submit
C:\Windows\System\SzRvxXn.exe

Filesize
5.2MB

MD5
03686cfd6bbb43c8ac4dc50889b137b9

SHA1
6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee

SHA256
ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471

SHA512
529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2

Download Submit
C:\Windows\System\SzRvxXn.exe

Filesize
2.0MB

MD5
ce95ecfd82cad989d07f01bb5a4e0e62

SHA1
9c404e62c6a147d88e2c4214a4a0c1206972e9c1

SHA256
593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576

SHA512
c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084

Download Submit
C:\Windows\System\TUnXKhw.exe

Filesize
5.9MB

MD5
9a7c8b09531b5dafdb8cb0958aeb59bb

SHA1
92c9adae467319849b5d53239db34010dfebee09

SHA256
44ac10d7f6597801b297e63de98e9ddaebf26ee734faf913dc4e74d12737b9a0

SHA512
0d8980a80fba8715bf844da7d323c17817cc9150e3495ed4d9fc1a81dc16b0ef20362bd034e4149d1bf000a8a24470f4d614c85f2b12cc63c9545d54256e08c6

Download Submit
C:\Windows\System\TUnXKhw.exe

Filesize
5.6MB

MD5
1e2459942327eb396bd8cd9cbc885d14

SHA1
b979cbcb517509c30843efb1d91bef30f1f24a44

SHA256
54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a

SHA512
62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7

Download Submit
C:\Windows\System\eOXxtWU.exe

Filesize
3.6MB

MD5
0628374c349921c969043e8b725a574d

SHA1
d4d4b61d7abb11c25e423140f9a833a035819e3d

SHA256
6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0

SHA512
2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1

Download Submit
C:\Windows\System\eOXxtWU.exe

Filesize
4.5MB

MD5
8a8292e812bdde0355ced9f4650bcdf4

SHA1
2e8a60c14fac2a9421b8650758842113f994675b

SHA256
b6229523bd478efadedd62bb8def3190ebe0afe3abfeb1c62110c085d9a63200

SHA512
4eff10d85ba3299f93aebab6233eea9b8e8ff0e8c82485e2d245ceaf447c799ae79b340ebc97ee5307eab71f3def8a3fb7701dabfd3d4d85b4031774dd0c46af

Download Submit
C:\Windows\System\fHpVnDv.exe

Filesize
5.3MB

MD5
e8c4508a392ccf08590d3627a36cc3c3

SHA1
3a57dd6c92ebc54582acaafd15cc9311eb0d15a2

SHA256
cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d

SHA512
f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

Download Submit
C:\Windows\System\fHpVnDv.exe

Filesize
5.9MB

MD5
e47ea02f395b3ac4865cecf41d8fad96

SHA1
7b50bd1fb3e130523eda7402c18bc3e80cd48de4

SHA256
aa1397cf68b3ed666dbc4828ef1ddb7f53729f3e8d871fb5dd30d0fab6cd6ed0

SHA512
9c31f0c5cf75ff65868b315d4d5dc04b6b5b22c272931e6631f5c457fc9af8ee1f16be75b27127147b023ddb36910bb79b550cabf2c2524da8fa0399cec4b24f

Download Submit
C:\Windows\System\gUWRwGv.exe

Filesize
5.9MB

MD5
62f606441219053e85ffc10e5ebad201

SHA1
723ad0cbb39be5f1387eafde3f27ec8fcc34fcbe

SHA256
cbb427f935246fa1db4214a3eb6ec9ef4c8161b66ebd6d2546f75771e8ae8f74

SHA512
e557b8aa75f734439e7c52b10bedfec66b24b2038a74507c5a225c130eabef97b97e5f6c186b2c75a791adc55d6096205e61e77a29409e62d1d0e54b2c04eb73

Download Submit
C:\Windows\System\gUWRwGv.exe

Filesize
2.7MB

MD5
93bacfc3d845f374627b012c3a61a1e5

SHA1
f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae

SHA256
4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d

SHA512
63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83

Download Submit
C:\Windows\System\hTuYLvT.exe

Filesize
5.9MB

MD5
015bf4d66549d5b92383977e1568b92a

SHA1
d5b0052de3dcc62228faaccb450da36adeaa2c28

SHA256
edb19e57131bf22e023ed0dc6b0e4b360a6d1a7ec4856e0850b95691853c24f0

SHA512
2f5b84963ada0d9db9271b09d416db4676f6d5a9f011f82266ac82485eb4e80d57311cf0f4dd94549b4d4c640c6f70abe27803297e681b3b4731a6880a1c1086

Download Submit
C:\Windows\System\hTuYLvT.exe

Filesize
3.4MB

MD5
67d7d0c360c2defa9a36a47a23af7dd6

SHA1
efd9d2994e80ef40cbaab5f7ef02420aebe17206

SHA256
0521cd0d1d60fc081a5e4d3f28f5a76a962e60920d871e29a2de526b0e72b791

SHA512
f5338aedc9e177da3d3af04e6946e9f03280307d40c8e1e2e21b270727d9ec57427c8f7861835c62a83f44226e722c786902eaaa4187cfaefc3a81305ca12e2b

Download Submit
C:\Windows\System\jePVjSK.exe

Filesize
5.9MB

MD5
de836c95defbe28acee0950fa4de570e

SHA1
0f4c33916efbbd202b12bf4f85b8203cfedaf44e

SHA256
5031529778f020e24c68a27325c06083b3ebf61c1fb4a7c77b0a51830c2ef11b

SHA512
5820ecdb7c83fb060401f1029ac761cccf33fd8715e2848e997bcb6425eec45f0dfc87c93bc77e795a7187789965f024c46aa0bfebbb528bed663af65525deac

Download Submit
C:\Windows\System\pSkuJql.exe

Filesize
3.0MB

MD5
7d9f1099f6b47550fd37adb914ba896f

SHA1
73597804426883357ebb880f6c0164793f40ad60

SHA256
66cd4cd4af8f630e7f196e1d09756e078751dfa9bcc54e0d14fae0ccbe492285

SHA512
e8add13893f4c014a42f0f57f95da110b546828bbf0b90c6e45d275710a9847ff130353175caa02a22132a7aec183fbbcda6a7a954c359f2b63e3b3f4a4cba77

Download Submit
C:\Windows\System\pSkuJql.exe

Filesize
5.9MB

MD5
ce88e5cd0efd95b34c27eebe4fd5c5b7

SHA1
e4d700b1b06f2b6ea191ef1a161efea193722736

SHA256
87a73a3f01c9f77126cfde3dcb526f4e87ef59982d20f21edad206fe3551f584

SHA512
02d0b5bf38079bd82445c1225da4a111aba5d0cdabc1396ea3f7b6c6bb08949f4eb6d78ad83d883d37ae998cb06aae176baffa93c7b2766e0f89d3a716c93083

Download Submit
C:\Windows\System\sprneBt.exe

Filesize
5.9MB

MD5
a72dac26c36d3c27ceb41c8b197e0e54

SHA1
c4ac3c532b9856d734d51644b59545d6f7d42a7c

SHA256
0b0c6c3ebb2570abd2b73f8ffcd6bcf0f2a6e4163e00f52f9f38629d06b6cd0e

SHA512
9105724685137c617f41773e3d2cc687cb263c56e1e2cb836fe3d3bd39cbe900b251ad511b33df582d403ecefaa3ba5eff57974eec3a41e11aa1e064f6d29091

Download Submit
C:\Windows\System\ubaGzQP.exe

Filesize
5.9MB

MD5
7728490dc1213e5a92c975a8832d5171

SHA1
3b1089a4161f8fba487bf49495efb3d4a8ffdf56

SHA256
4373c1466321196d11820a729622b344f6456efb547b5582fbdbbcbf09f78c25

SHA512
dc8e3efc957efe14d878eda9de5714caa70af2bb758189ac76f43bc9bcc4b49e350f535b3a6ef283675f568e521a32076c757a5300d4f38acff85184f714e15a

Download Submit
C:\Windows\System\ubaGzQP.exe

Filesize
5.6MB

MD5
38e1b7b0b9aa649f5c14f03127a6d132

SHA1
3917ca36707cd2c4dba6b6926d34a14a7bb117b1

SHA256
ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72

SHA512
47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0

Download Submit
C:\Windows\System\wIcdPRa.exe

Filesize
5.4MB

MD5
8003c8ca1c6255c4a9df50b61d369786

SHA1
ef521c59d5519424152618453d9a1ec413a267cf

SHA256
caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8

SHA512
0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795

Download Submit
C:\Windows\System\zKLhgNZ.exe

Filesize
5.9MB

MD5
d17e67a0c96a64056cd1df1bf91e88a2

SHA1
2c8acd885052b2375589debd6ad6aef34563313f

SHA256
7a7e51b5f90933136ef83dfa0bcd844eb95b03b855e0ff3aa7d5ab966f3a8676

SHA512
7c40ce347e2c40180ab5aa50d02cd7a9ed0038af52bc934c41cae603f92d6e0634b930f664574ba7d384cfeb32604a548aa4d279e269d1e161fd4f91ccc39d9e

Download Submit
C:\Windows\System\zNtVDQK.exe

Filesize
5.9MB

MD5
513bfd9c71964263c3d3a1a80ac90c88

SHA1
d5b61e2d0ee2b18f2c4f3989ababf40c1974b59b

SHA256
9c2084cb664fa9076832252e83e208a924c5619f5c021cd6b796373cfdf9776e

SHA512
916bb0d2c429aa3897666d3deda0ee06352fbada79e7644a67497482c80c0a4ee8ea09c32b1733c04d4e4603919d52b89f4d1ffb0d7a70d1cb4d6b99cb1584e3

Download Submit
C:\Windows\System\zNtVDQK.exe

Filesize
5.8MB

MD5
984a8cf637fc9f46a5be1646493a183b

SHA1
eff3045fcb5d0b4a9321004fdd3e94f3f336f5af

SHA256
0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068

SHA512
f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d

Download Submit
memory/824-141-0x00007FF674A20000-0x00007FF674D74000-memory.dmp

Filesize
3.3MB

Download
memory/824-42-0x00007FF674A20000-0x00007FF674D74000-memory.dmp

Filesize
3.3MB

Download
memory/824-130-0x00007FF674A20000-0x00007FF674D74000-memory.dmp

Filesize
3.3MB

Download
memory/1208-121-0x00007FF678BD0000-0x00007FF678F24000-memory.dmp

Filesize
3.3MB

Download
memory/1208-148-0x00007FF678BD0000-0x00007FF678F24000-memory.dmp

Filesize
3.3MB

Download
memory/1492-16-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-136-0x00007FF63F9A0000-0x00007FF63FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/1656-147-0x00007FF6FDDA0000-0x00007FF6FE0F4000-memory.dmp

Filesize
3.3MB

Download
memory/1656-97-0x00007FF6FDDA0000-0x00007FF6FE0F4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-62-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-1-0x000002584DA30000-0x000002584DA40000-memory.dmp

Filesize
64KB

Download
memory/1792-0-0x00007FF6F3A70000-0x00007FF6F3DC4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-145-0x00007FF629830000-0x00007FF629B84000-memory.dmp

Filesize
3.3MB

Download
memory/2060-133-0x00007FF629830000-0x00007FF629B84000-memory.dmp

Filesize
3.3MB

Download
memory/2060-68-0x00007FF629830000-0x00007FF629B84000-memory.dmp

Filesize
3.3MB

Download
memory/2212-129-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2212-151-0x00007FF73F380000-0x00007FF73F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-125-0x00007FF7B05F0000-0x00007FF7B0944000-memory.dmp

Filesize
3.3MB

Download
memory/2380-152-0x00007FF7B05F0000-0x00007FF7B0944000-memory.dmp

Filesize
3.3MB

Download
memory/2588-128-0x00007FF643BD0000-0x00007FF643F24000-memory.dmp

Filesize
3.3MB

Download
memory/2588-150-0x00007FF643BD0000-0x00007FF643F24000-memory.dmp

Filesize
3.3MB

Download
memory/2944-32-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp

Filesize
3.3MB

Download
memory/2944-139-0x00007FF69C830000-0x00007FF69CB84000-memory.dmp

Filesize
3.3MB

Download
memory/3044-149-0x00007FF7425E0000-0x00007FF742934000-memory.dmp

Filesize
3.3MB

Download
memory/3044-122-0x00007FF7425E0000-0x00007FF742934000-memory.dmp

Filesize
3.3MB

Download
memory/3288-8-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp

Filesize
3.3MB

Download
memory/3288-135-0x00007FF69EA80000-0x00007FF69EDD4000-memory.dmp

Filesize
3.3MB

Download
memory/3312-144-0x00007FF6DD370000-0x00007FF6DD6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3312-69-0x00007FF6DD370000-0x00007FF6DD6C4000-memory.dmp

Filesize
3.3MB

Download
memory/4052-126-0x00007FF730220000-0x00007FF730574000-memory.dmp

Filesize
3.3MB

Download
memory/4052-153-0x00007FF730220000-0x00007FF730574000-memory.dmp

Filesize
3.3MB

Download
memory/4124-28-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp

Filesize
3.3MB

Download
memory/4124-127-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp

Filesize
3.3MB

Download
memory/4124-138-0x00007FF69BF10000-0x00007FF69C264000-memory.dmp

Filesize
3.3MB

Download
memory/4412-140-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp

Filesize
3.3MB

Download
memory/4412-38-0x00007FF7C9820000-0x00007FF7C9B74000-memory.dmp

Filesize
3.3MB

Download
memory/4440-123-0x00007FF78CE20000-0x00007FF78D174000-memory.dmp

Filesize
3.3MB

Download
memory/4440-155-0x00007FF78CE20000-0x00007FF78D174000-memory.dmp

Filesize
3.3MB

Download
memory/4500-124-0x00007FF667C10000-0x00007FF667F64000-memory.dmp

Filesize
3.3MB

Download
memory/4500-154-0x00007FF667C10000-0x00007FF667F64000-memory.dmp

Filesize
3.3MB

Download
memory/4616-132-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/4616-143-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/4616-56-0x00007FF7EB960000-0x00007FF7EBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/4688-142-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp

Filesize
3.3MB

Download
memory/4688-131-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp

Filesize
3.3MB

Download
memory/4688-55-0x00007FF7BC070000-0x00007FF7BC3C4000-memory.dmp

Filesize
3.3MB

Download
memory/4848-137-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp

Filesize
3.3MB

Download
memory/4848-24-0x00007FF6D6600000-0x00007FF6D6954000-memory.dmp

Filesize
3.3MB

Download
memory/5040-146-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-72-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-134-0x00007FF7E9260000-0x00007FF7E95B4000-memory.dmp

Filesize
3.3MB

Download