cobaltstrike | b1253867c8c0a4c8c6ff50cf756298d6e0ffce9ef427648b429446252e167cd4

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
Size

8.3MB
MD5

6bc4bb3ff20e2b7eb5e8d96f1f7d4558
SHA1

1e704db1cf05e777e075104032bef4a5e3f829ea
SHA256

b1253867c8c0a4c8c6ff50cf756298d6e0ffce9ef427648b429446252e167cd4
SHA512

99015e2b0be40965e6a5ae57440c6b5cfc8856fc18b16a3f8a534f6300e28d2a1b8113a919aac98600dad044a8f38ff20a1b15032cbd65c06ebcac17f6178c86
SSDEEP

98304:MemTLkNdfE0pZbR56utgpPFotBER/mQ32lUL:v+A56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000700000002328e-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023405-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-24.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023402-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-45.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-54.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-69.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-74.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-99.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-90.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x000700000002328e-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023405-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0008000000023402-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3292-0-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	UPX
behavioral2/files/0x000700000002328e-4.dat	UPX
behavioral2/memory/5056-8-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	UPX
behavioral2/files/0x0007000000023405-10.dat	UPX
behavioral2/files/0x0007000000023406-11.dat	UPX
behavioral2/memory/2432-14-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	UPX
behavioral2/memory/2600-18-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	UPX
behavioral2/files/0x0007000000023407-24.dat	UPX
behavioral2/memory/2688-26-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	UPX
behavioral2/files/0x0008000000023402-30.dat	UPX
behavioral2/files/0x0007000000023409-35.dat	UPX
behavioral2/files/0x000700000002340b-45.dat	UPX
behavioral2/files/0x000700000002340d-54.dat	UPX
behavioral2/files/0x000700000002340e-59.dat	UPX
behavioral2/files/0x000700000002340f-64.dat	UPX
behavioral2/files/0x0007000000023410-69.dat	UPX
behavioral2/files/0x0007000000023411-74.dat	UPX
behavioral2/files/0x0007000000023412-83.dat	UPX
behavioral2/files/0x0007000000023413-88.dat	UPX
behavioral2/files/0x0007000000023415-94.dat	UPX
behavioral2/files/0x0007000000023416-99.dat	UPX
behavioral2/files/0x0007000000023417-104.dat	UPX
behavioral2/files/0x0007000000023418-109.dat	UPX
behavioral2/files/0x0007000000023414-90.dat	UPX
behavioral2/files/0x000700000002340c-50.dat	UPX
behavioral2/files/0x000700000002340a-40.dat	UPX
behavioral2/memory/4640-111-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	UPX
behavioral2/memory/2996-112-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	UPX
behavioral2/memory/4256-113-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	UPX
behavioral2/memory/3032-114-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	UPX
behavioral2/memory/2248-115-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	UPX
behavioral2/memory/3328-116-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	UPX
behavioral2/memory/3164-117-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	UPX
behavioral2/memory/660-118-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	UPX
behavioral2/memory/1596-119-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	UPX
behavioral2/memory/3856-121-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	UPX
behavioral2/memory/3692-120-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	UPX
behavioral2/memory/980-122-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	UPX
behavioral2/memory/1376-123-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	UPX
behavioral2/memory/1564-124-0x00007FF660D80000-0x00007FF6610D2000-memory.dmp	UPX
behavioral2/memory/2120-125-0x00007FF6C09A0000-0x00007FF6C0CF2000-memory.dmp	UPX
behavioral2/memory/4036-126-0x00007FF67A910000-0x00007FF67AC62000-memory.dmp	UPX
behavioral2/memory/3196-127-0x00007FF617990000-0x00007FF617CE2000-memory.dmp	UPX
behavioral2/memory/3292-128-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	UPX
behavioral2/memory/5056-129-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	UPX
behavioral2/memory/2432-130-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	UPX
behavioral2/memory/2600-131-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	UPX
behavioral2/memory/5056-132-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	UPX
behavioral2/memory/2432-133-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	UPX
behavioral2/memory/2600-134-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	UPX
behavioral2/memory/2688-135-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	UPX
behavioral2/memory/4640-136-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	UPX
behavioral2/memory/2996-137-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	UPX
behavioral2/memory/4256-138-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	UPX
behavioral2/memory/3032-139-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	UPX
behavioral2/memory/2248-140-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	UPX
behavioral2/memory/3328-141-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	UPX
behavioral2/memory/3164-142-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	UPX
behavioral2/memory/660-143-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	UPX
behavioral2/memory/1596-144-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	UPX
behavioral2/memory/3692-145-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	UPX
behavioral2/memory/3856-146-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	UPX
behavioral2/memory/1376-148-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	UPX
behavioral2/memory/980-147-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3292-0-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	xmrig
behavioral2/files/0x000700000002328e-4.dat	xmrig
behavioral2/memory/5056-8-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	xmrig
behavioral2/files/0x0007000000023405-10.dat	xmrig
behavioral2/files/0x0007000000023406-11.dat	xmrig
behavioral2/memory/2432-14-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	xmrig
behavioral2/memory/2600-18-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	xmrig
behavioral2/files/0x0007000000023407-24.dat	xmrig
behavioral2/memory/2688-26-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	xmrig
behavioral2/files/0x0008000000023402-30.dat	xmrig
behavioral2/files/0x0007000000023409-35.dat	xmrig
behavioral2/files/0x000700000002340b-45.dat	xmrig
behavioral2/files/0x000700000002340d-54.dat	xmrig
behavioral2/files/0x000700000002340e-59.dat	xmrig
behavioral2/files/0x000700000002340f-64.dat	xmrig
behavioral2/files/0x0007000000023410-69.dat	xmrig
behavioral2/files/0x0007000000023411-74.dat	xmrig
behavioral2/files/0x0007000000023412-83.dat	xmrig
behavioral2/files/0x0007000000023413-88.dat	xmrig
behavioral2/files/0x0007000000023415-94.dat	xmrig
behavioral2/files/0x0007000000023416-99.dat	xmrig
behavioral2/files/0x0007000000023417-104.dat	xmrig
behavioral2/files/0x0007000000023418-109.dat	xmrig
behavioral2/files/0x0007000000023414-90.dat	xmrig
behavioral2/files/0x000700000002340c-50.dat	xmrig
behavioral2/files/0x000700000002340a-40.dat	xmrig
behavioral2/memory/4640-111-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	xmrig
behavioral2/memory/2996-112-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	xmrig
behavioral2/memory/4256-113-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	xmrig
behavioral2/memory/3032-114-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	xmrig
behavioral2/memory/2248-115-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	xmrig
behavioral2/memory/3328-116-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	xmrig
behavioral2/memory/3164-117-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	xmrig
behavioral2/memory/660-118-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	xmrig
behavioral2/memory/1596-119-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	xmrig
behavioral2/memory/3856-121-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	xmrig
behavioral2/memory/3692-120-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	xmrig
behavioral2/memory/980-122-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	xmrig
behavioral2/memory/1376-123-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	xmrig
behavioral2/memory/1564-124-0x00007FF660D80000-0x00007FF6610D2000-memory.dmp	xmrig
behavioral2/memory/2120-125-0x00007FF6C09A0000-0x00007FF6C0CF2000-memory.dmp	xmrig
behavioral2/memory/4036-126-0x00007FF67A910000-0x00007FF67AC62000-memory.dmp	xmrig
behavioral2/memory/3196-127-0x00007FF617990000-0x00007FF617CE2000-memory.dmp	xmrig
behavioral2/memory/3292-128-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	xmrig
behavioral2/memory/5056-129-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	xmrig
behavioral2/memory/2432-130-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	xmrig
behavioral2/memory/2600-131-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	xmrig
behavioral2/memory/5056-132-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	xmrig
behavioral2/memory/2432-133-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	xmrig
behavioral2/memory/2600-134-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	xmrig
behavioral2/memory/2688-135-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	xmrig
behavioral2/memory/4640-136-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	xmrig
behavioral2/memory/2996-137-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	xmrig
behavioral2/memory/4256-138-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	xmrig
behavioral2/memory/3032-139-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	xmrig
behavioral2/memory/2248-140-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	xmrig
behavioral2/memory/3328-141-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	xmrig
behavioral2/memory/3164-142-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	xmrig
behavioral2/memory/660-143-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	xmrig
behavioral2/memory/1596-144-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	xmrig
behavioral2/memory/3692-145-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	xmrig
behavioral2/memory/3856-146-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	xmrig
behavioral2/memory/1376-148-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	xmrig
behavioral2/memory/980-147-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
5056	HEStvjA.exe
2432	unHLASo.exe
2600	hXgKxgE.exe
2688	bqgBnhf.exe
4640	ngrXPtk.exe
2996	aBtTdYN.exe
4256	HSgoReh.exe
3032	TAfHwEG.exe
2248	yZoEZyS.exe
3328	QnCxDGn.exe
3164	AyYKMoZ.exe
660	YbTxPOB.exe
1596	hfBJuwp.exe
3692	PolFnqg.exe
3856	iUCQAJG.exe
980	yxAQuwT.exe
1376	mozTkaE.exe
1564	DNigFGV.exe
2120	pelCthM.exe
4036	nVYaXYj.exe
3196	hJEDkiA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3292-0-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	upx
behavioral2/files/0x000700000002328e-4.dat	upx
behavioral2/memory/5056-8-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	upx
behavioral2/files/0x0007000000023405-10.dat	upx
behavioral2/files/0x0007000000023406-11.dat	upx
behavioral2/memory/2432-14-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	upx
behavioral2/memory/2600-18-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	upx
behavioral2/files/0x0007000000023407-24.dat	upx
behavioral2/memory/2688-26-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	upx
behavioral2/files/0x0008000000023402-30.dat	upx
behavioral2/files/0x0007000000023409-35.dat	upx
behavioral2/files/0x000700000002340b-45.dat	upx
behavioral2/files/0x000700000002340d-54.dat	upx
behavioral2/files/0x000700000002340e-59.dat	upx
behavioral2/files/0x000700000002340f-64.dat	upx
behavioral2/files/0x0007000000023410-69.dat	upx
behavioral2/files/0x0007000000023411-74.dat	upx
behavioral2/files/0x0007000000023412-83.dat	upx
behavioral2/files/0x0007000000023413-88.dat	upx
behavioral2/files/0x0007000000023415-94.dat	upx
behavioral2/files/0x0007000000023416-99.dat	upx
behavioral2/files/0x0007000000023417-104.dat	upx
behavioral2/files/0x0007000000023418-109.dat	upx
behavioral2/files/0x0007000000023414-90.dat	upx
behavioral2/files/0x000700000002340c-50.dat	upx
behavioral2/files/0x000700000002340a-40.dat	upx
behavioral2/memory/4640-111-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	upx
behavioral2/memory/2996-112-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	upx
behavioral2/memory/4256-113-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	upx
behavioral2/memory/3032-114-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	upx
behavioral2/memory/2248-115-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	upx
behavioral2/memory/3328-116-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	upx
behavioral2/memory/3164-117-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	upx
behavioral2/memory/660-118-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	upx
behavioral2/memory/1596-119-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	upx
behavioral2/memory/3856-121-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	upx
behavioral2/memory/3692-120-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	upx
behavioral2/memory/980-122-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	upx
behavioral2/memory/1376-123-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	upx
behavioral2/memory/1564-124-0x00007FF660D80000-0x00007FF6610D2000-memory.dmp	upx
behavioral2/memory/2120-125-0x00007FF6C09A0000-0x00007FF6C0CF2000-memory.dmp	upx
behavioral2/memory/4036-126-0x00007FF67A910000-0x00007FF67AC62000-memory.dmp	upx
behavioral2/memory/3196-127-0x00007FF617990000-0x00007FF617CE2000-memory.dmp	upx
behavioral2/memory/3292-128-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp	upx
behavioral2/memory/5056-129-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	upx
behavioral2/memory/2432-130-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	upx
behavioral2/memory/2600-131-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	upx
behavioral2/memory/5056-132-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp	upx
behavioral2/memory/2432-133-0x00007FF65A420000-0x00007FF65A772000-memory.dmp	upx
behavioral2/memory/2600-134-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp	upx
behavioral2/memory/2688-135-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp	upx
behavioral2/memory/4640-136-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp	upx
behavioral2/memory/2996-137-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp	upx
behavioral2/memory/4256-138-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp	upx
behavioral2/memory/3032-139-0x00007FF616380000-0x00007FF6166D2000-memory.dmp	upx
behavioral2/memory/2248-140-0x00007FF769750000-0x00007FF769AA2000-memory.dmp	upx
behavioral2/memory/3328-141-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp	upx
behavioral2/memory/3164-142-0x00007FF725350000-0x00007FF7256A2000-memory.dmp	upx
behavioral2/memory/660-143-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp	upx
behavioral2/memory/1596-144-0x00007FF66F120000-0x00007FF66F472000-memory.dmp	upx
behavioral2/memory/3692-145-0x00007FF682460000-0x00007FF6827B2000-memory.dmp	upx
behavioral2/memory/3856-146-0x00007FF79F130000-0x00007FF79F482000-memory.dmp	upx
behavioral2/memory/1376-148-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp	upx
behavioral2/memory/980-147-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\unHLASo.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QnCxDGn.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hfBJuwp.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iUCQAJG.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yxAQuwT.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mozTkaE.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pelCthM.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nVYaXYj.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hJEDkiA.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HEStvjA.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AyYKMoZ.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PolFnqg.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DNigFGV.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ngrXPtk.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aBtTdYN.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HSgoReh.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yZoEZyS.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YbTxPOB.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hXgKxgE.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bqgBnhf.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TAfHwEG.exe	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 5056	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	84
PID 3292 wrote to memory of 5056	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	84
PID 3292 wrote to memory of 2432	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	85
PID 3292 wrote to memory of 2432	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	85
PID 3292 wrote to memory of 2600	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	86
PID 3292 wrote to memory of 2600	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	86
PID 3292 wrote to memory of 2688	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	87
PID 3292 wrote to memory of 2688	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	87
PID 3292 wrote to memory of 4640	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	88
PID 3292 wrote to memory of 4640	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	88
PID 3292 wrote to memory of 2996	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	89
PID 3292 wrote to memory of 2996	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	89
PID 3292 wrote to memory of 4256	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	90
PID 3292 wrote to memory of 4256	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	90
PID 3292 wrote to memory of 3032	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	91
PID 3292 wrote to memory of 3032	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	91
PID 3292 wrote to memory of 2248	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	92
PID 3292 wrote to memory of 2248	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	92
PID 3292 wrote to memory of 3328	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	93
PID 3292 wrote to memory of 3328	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	93
PID 3292 wrote to memory of 3164	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	94
PID 3292 wrote to memory of 3164	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	94
PID 3292 wrote to memory of 660	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	95
PID 3292 wrote to memory of 660	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	95
PID 3292 wrote to memory of 1596	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	96
PID 3292 wrote to memory of 1596	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	96
PID 3292 wrote to memory of 3692	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	97
PID 3292 wrote to memory of 3692	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	97
PID 3292 wrote to memory of 3856	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	98
PID 3292 wrote to memory of 3856	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	98
PID 3292 wrote to memory of 980	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	99
PID 3292 wrote to memory of 980	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	99
PID 3292 wrote to memory of 1376	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	100
PID 3292 wrote to memory of 1376	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	100
PID 3292 wrote to memory of 1564	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	101
PID 3292 wrote to memory of 1564	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	101
PID 3292 wrote to memory of 2120	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	102
PID 3292 wrote to memory of 2120	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	102
PID 3292 wrote to memory of 4036	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	103
PID 3292 wrote to memory of 4036	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	103
PID 3292 wrote to memory of 3196	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	104
PID 3292 wrote to memory of 3196	3292	2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_6bc4bb3ff20e2b7eb5e8d96f1f7d4558_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\System\HEStvjA.exe
  C:\Windows\System\HEStvjA.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\unHLASo.exe
  C:\Windows\System\unHLASo.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\hXgKxgE.exe
  C:\Windows\System\hXgKxgE.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\bqgBnhf.exe
  C:\Windows\System\bqgBnhf.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\ngrXPtk.exe
  C:\Windows\System\ngrXPtk.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\aBtTdYN.exe
  C:\Windows\System\aBtTdYN.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\HSgoReh.exe
  C:\Windows\System\HSgoReh.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\TAfHwEG.exe
  C:\Windows\System\TAfHwEG.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\yZoEZyS.exe
  C:\Windows\System\yZoEZyS.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\QnCxDGn.exe
  C:\Windows\System\QnCxDGn.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\AyYKMoZ.exe
  C:\Windows\System\AyYKMoZ.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\YbTxPOB.exe
  C:\Windows\System\YbTxPOB.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System\hfBJuwp.exe
  C:\Windows\System\hfBJuwp.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\PolFnqg.exe
  C:\Windows\System\PolFnqg.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\iUCQAJG.exe
  C:\Windows\System\iUCQAJG.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\yxAQuwT.exe
  C:\Windows\System\yxAQuwT.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\mozTkaE.exe
  C:\Windows\System\mozTkaE.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\DNigFGV.exe
  C:\Windows\System\DNigFGV.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\pelCthM.exe
  C:\Windows\System\pelCthM.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\nVYaXYj.exe
  C:\Windows\System\nVYaXYj.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\hJEDkiA.exe
  C:\Windows\System\hJEDkiA.exe
  2⤵
  - Executes dropped EXE
  PID:3196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AyYKMoZ.exe

Filesize
8.3MB

MD5
450cbfa90c160bcc0b5b466a526a0d4d

SHA1
5669e5c95daf00d31cfed16aad07bd140fc1736f

SHA256
e297c5d2d6845bf27126c8972cdec36c5160afad070d6c452083cde2d98871fd

SHA512
f483a3e08e036788bb6033bf569ff7b9cc633306886fe8d223885bfd403b81f1d253a4091cd67411ec98e47e0503336d2f442dc37c717fd530f9842423c77a52

Download Submit
C:\Windows\System\DNigFGV.exe

Filesize
8.3MB

MD5
09cf79bea8166a56a2ccec180ee56dbd

SHA1
bdec3b5c2ad2f5eef4f65d110763d4b0ec2c63e0

SHA256
7b6d03a92099c694cb4388a2528f3b5c8c2426d3f6ca39df5265251355112245

SHA512
84310ba818bd1210b6f91c7c7d7b185bce652e443e39bd7613d704b6ef651843ccfcc33839352c4350772482d31cefe45f1e6f81ee09735c7784f3a586bf3293

Download Submit
C:\Windows\System\HEStvjA.exe

Filesize
8.3MB

MD5
b496ada48f0dbdc57cbfedb1f200d645

SHA1
566598476a3c2dfea6683e74f21b335a0b3f1cc4

SHA256
e649b726ab2fc1396fcb154795eaa766bf210d1c560044618a9916cba0e7f890

SHA512
594f263337bb2562920d9c377ac7874c569222b8750f45bee848aa487b248d64089f395b650388a972726e18600a6ab8f6ab61b90f738e1cbba74c969847ff65

Download Submit
C:\Windows\System\HSgoReh.exe

Filesize
8.3MB

MD5
0b4a78513b2b0c215d9d0114d522a823

SHA1
d96a350add16ad4f87277a2e55870d2d2f54633a

SHA256
4b8600fad83871c842fb007b503484e387b4ee01bb39187ccc4f34e3ada1ead0

SHA512
992a5c1f8cb8aeac6d0fe937db85c5891c4f205d98537dcb90d2ed2f7457dae997b3b26221234c7f53864e774501e1ea017caa5516152aeb9568d42c9f0a22ff

Download Submit
C:\Windows\System\PolFnqg.exe

Filesize
8.3MB

MD5
45adba7c7636f7441f9b89f3229ce6da

SHA1
e184a2dd4c4d6ab8cd4931d09269910cbe876078

SHA256
9bfaac95304678f6693a6680907674279447f6755396c311bc0f1a4fc20e58f3

SHA512
48fa798a2ebe7b20152bef16a9c0c450dc17f18cfeed7369646e0ad9c166c8bfa1993e55303d4bbb1694618fc5f859593c6dabef4b5f4ffce3c3dc932a88f765

Download Submit
C:\Windows\System\QnCxDGn.exe

Filesize
8.3MB

MD5
1716a293d06d4d5fcf80ade9bd198c6c

SHA1
6fdb41833017cb79d97496bdf3a6da03f00c7e0e

SHA256
558bdf0969ed432e732e040b11522ef4e597a682bfcb89185fdc8054ae6395e6

SHA512
ef742301431a1ff34a3be5f07c2f59751aae0f11bf666a08d893f52c19f28ef2482387202c1f00aec6c8065fbec3ccf2e35700dd43274b1c079b8185565e6b70

Download Submit
C:\Windows\System\TAfHwEG.exe

Filesize
8.3MB

MD5
697861536732fcb5e673e12d079bd605

SHA1
8ec909b58772ae15896d4768b97e918ec8418369

SHA256
eb1c003e094c880b035b86ee6d545008b2e3954e74bc395fe24b8f9e09a3e6b9

SHA512
2d0530b7a10345234c78640a905a51d49c2ea0d29b3cb3682a6d5a0f8898d59791e623383fb020f3d1f03f342e6eb61e54d0990130f162018f464afff14b9f50

Download Submit
C:\Windows\System\YbTxPOB.exe

Filesize
8.3MB

MD5
e63d23f0b426953023f6b98e69569e32

SHA1
d873d191173c3cc130450899d1329c59c6ec6521

SHA256
d5d3430f008a290129016f29e399a3559b69aac108a4e401976db7ccc8e16cd4

SHA512
79971bd906e5233433395859b9879282ad00c48ea4742794371d801b769404b5cd6a2bd6b6ae3b8fc9e0fbd73bfc10d450733fb445c4a7746451ab55f76741f2

Download Submit
C:\Windows\System\aBtTdYN.exe

Filesize
8.3MB

MD5
e783cfde0e35c5ed40300d8fe68f7f54

SHA1
5e53c80cbd7eb71942196baf06b68dac7fa74722

SHA256
36160f9602459c060b691caca094bad427a9685d3610a55a5452a808a17f7125

SHA512
cde9f46fc9621e07b85f257cdddf59d99199b92a04b13bce812dbf54fcfbe673414254acc2f99669cd4d793a6c4fc89f61dda9fc37ddbb059040a6b7bee91a1f

Download Submit
C:\Windows\System\bqgBnhf.exe

Filesize
8.3MB

MD5
e96ba6e31d437cd771957f7a48864822

SHA1
388711e4c4c40bc5a75c5b54bb099cf74fb2d9fa

SHA256
81c0c7d4d76ff95372955dd110ff5bca0da2513ef25a3773a27dcc0b7696c8c1

SHA512
83a75c6427dd5d3b084d88c18466253ee0edbfbbe799da090a18f4b305bf2a293f089a15223c2857f0c1779112b565cb2a42140b81a2f89a2f9ecde98714322c

Download Submit
C:\Windows\System\hJEDkiA.exe

Filesize
8.3MB

MD5
defe7e2cbf265fec3ca4e26329200652

SHA1
b26555d7db174ad25f3982bd5591655037de8f80

SHA256
703dbeb3e18c02a9c50f0d06d089afc08140ee423346493d90acb3b6b0e18666

SHA512
f18b30014e8673f4b8dd7b85212ddebcf85f6b7b2d19455f9b47ed4b1a5add696753a1100f6deb99167ee07e48ec5cd389fecb6c3bfe571628ec5636fc9a57d1

Download Submit
C:\Windows\System\hXgKxgE.exe

Filesize
8.3MB

MD5
5e67104337322a9627f113506d535cc6

SHA1
dfeb0cdb1fa00d859d9af567b46008662c754790

SHA256
c184544fd181097a5a06ae302e0b324d96b5b0d4fd7ae081e5a6cca15312a752

SHA512
2f86c5b2b7d961a52d38f09161aa67438f46c0f53a8ac47ebfad34475dbbf79f327c27e4cd04bdf964e628861efc8981252c444927d868a07b80464e08c5f431

Download Submit
C:\Windows\System\hfBJuwp.exe

Filesize
8.3MB

MD5
8a9b0e09fda0cbeeda03f924137f12e0

SHA1
9d1b0a7e89523fcde06082bc99be5f3352aa6b13

SHA256
c2f9e3c0ada28f4b0e5e14519613159a0a14d8230214756f3036a73cd83d45fa

SHA512
78bc11d2ff2fd9a3e84205a36b62c87ba251d972b0a5e6ff01ec5321a367acdc68208f47591abd4df0a2528f78b5a2bf60245b8a92c9d06bef8c5d4f46cafa13

Download Submit
C:\Windows\System\iUCQAJG.exe

Filesize
8.3MB

MD5
f7dcfd72df06fd773befef7e514ceade

SHA1
986f30807f770dc811656f2b0934f741948c4224

SHA256
374f5815cb6c80e384e1430b27444a1392fa9ec68a6c71c91035474472f9c462

SHA512
384d760a96e03f02dc3d9c32d2ea927759cec11a2bfdd2e16e6748b004e30dcf5fb5ecdc36be5ed11be5f2a35c79f6fe65a00314377bcc13b625805358ec01b6

Download Submit
C:\Windows\System\mozTkaE.exe

Filesize
8.3MB

MD5
75eeb0bbdadc4685f6d6333f24e1e394

SHA1
e1aec5f4e7f8508d76c44ce5cea82a27dcb0ca13

SHA256
750c545467e92859314f9f698c36fc65fc4d93aaad5abc2c52ca529cc40667f5

SHA512
38aa0d3f8024cde2bd8eb903eb350fe70290201a466271adba407870766a932171c9e1a7da4ce8f6a891de66c3f365fa671ebd7f3a0460b9ff3a8231cb57bfb9

Download Submit
C:\Windows\System\nVYaXYj.exe

Filesize
8.3MB

MD5
683dd3b71ae483c00f12f9a8663f1cfa

SHA1
22d5faae1c60372136e20b381f8033454590bba4

SHA256
a9a0a5a6b094402e23f877056dcd3ded544bdac703df6d3100fc9d63c48dc9b9

SHA512
d6b7fe91efb7720a5f9fff477a5345976f2eb663473040229c7c3005ac6d903617d12e4314055675382102323fddd4ea6c013668634b7516e729dbca7d6b0012

Download Submit
C:\Windows\System\ngrXPtk.exe

Filesize
8.3MB

MD5
53ce941ed4553525256857ca97ccf8de

SHA1
7555839e8d7e2b229aac0f27147c4bf6c0fe111a

SHA256
f2a221bc106496a160b19550ce78efb7517e350f966be47a284867e2a5fb8c36

SHA512
2531333e3e8754a5c350dccb3081dc5e1fb5e1b02080e0079e29f1073d7a2eeb305e2a5285169e16c04b0d72ba0bf3458273fef4a022a339a472e42282c1699e

Download Submit
C:\Windows\System\pelCthM.exe

Filesize
8.3MB

MD5
98939e8817286a0b32f2f7eb2792e40f

SHA1
693c2c03c0280642c3238a403ab285be2aa8e9b9

SHA256
f62348406086c34dd379858deb7f1e7aebbe2672b0cf68ed10d7b61552afa0ad

SHA512
a0117f29c64bea2ba577f2430c4235621aedafadce29eccd40efe08dff949e216b609544e787f7715146f3b3a4f200647f8d1ab64e48b406c9962a17e7c979ed

Download Submit
C:\Windows\System\unHLASo.exe

Filesize
8.3MB

MD5
b7d4e500e6ce9d5b9e0835a9038e96c8

SHA1
e143e5deb2962bd317a9da6bcf6aa3d283cf1a4a

SHA256
c57f54a47ea5b218d587cd2ef5652d90bf18707a94456635df7504880350d3a6

SHA512
edf2afa250eb22f2af33431b85dcf42bc477e9c8fb385fe97c033966cf20edcae75a5678ab3ad653a000b715e7b418246f164b30709db1651feaf17720b06f43

Download Submit
C:\Windows\System\yZoEZyS.exe

Filesize
8.3MB

MD5
c02dbd3408915da38592ecc2c8e94913

SHA1
e4df5bf808bfb4316547769729083788495bfd63

SHA256
06dab4785be2730935909e76739ce4ccd483df68beff2b568b050ab79e214d50

SHA512
3d3ac97ca7c5a8e3842c1df40667285e459187c01520b080fbde4bfbcc6654b0e9bb3ac6473ae49f0bbb2dc38f43d4846bdd4f6ec5f4b50748c24865667c0235

Download Submit
C:\Windows\System\yxAQuwT.exe

Filesize
8.3MB

MD5
b996e3d9602f32494748ac3ea39a1ffb

SHA1
a6b52409f4038113004a468ee3c4ae907b59c089

SHA256
492c40c6bbef84950ef6330ffdb74abbfa664e903d50a1f52f866bf2c9653160

SHA512
338b8a0affaf2df8d234bf3379f012072c13fd697a0d5cff35ee90befe4c6f8b572fa3456caf6e959fea9ab5487acc5f2dfef6332357d409610e8440852ee3a8

Download Submit
memory/660-143-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp

Filesize
3.3MB

Download
memory/660-118-0x00007FF6DA540000-0x00007FF6DA892000-memory.dmp

Filesize
3.3MB

Download
memory/980-147-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp

Filesize
3.3MB

Download
memory/980-122-0x00007FF7F8BC0000-0x00007FF7F8F12000-memory.dmp

Filesize
3.3MB

Download
memory/1376-148-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp

Filesize
3.3MB

Download
memory/1376-123-0x00007FF71EA30000-0x00007FF71ED82000-memory.dmp

Filesize
3.3MB

Download
memory/1564-124-0x00007FF660D80000-0x00007FF6610D2000-memory.dmp

Filesize
3.3MB

Download
memory/1564-151-0x00007FF660D80000-0x00007FF6610D2000-memory.dmp

Filesize
3.3MB

Download
memory/1596-119-0x00007FF66F120000-0x00007FF66F472000-memory.dmp

Filesize
3.3MB

Download
memory/1596-144-0x00007FF66F120000-0x00007FF66F472000-memory.dmp

Filesize
3.3MB

Download
memory/2120-152-0x00007FF6C09A0000-0x00007FF6C0CF2000-memory.dmp

Filesize
3.3MB

Download
memory/2120-125-0x00007FF6C09A0000-0x00007FF6C0CF2000-memory.dmp

Filesize
3.3MB

Download
memory/2248-115-0x00007FF769750000-0x00007FF769AA2000-memory.dmp

Filesize
3.3MB

Download
memory/2248-140-0x00007FF769750000-0x00007FF769AA2000-memory.dmp

Filesize
3.3MB

Download
memory/2432-14-0x00007FF65A420000-0x00007FF65A772000-memory.dmp

Filesize
3.3MB

Download
memory/2432-130-0x00007FF65A420000-0x00007FF65A772000-memory.dmp

Filesize
3.3MB

Download
memory/2432-133-0x00007FF65A420000-0x00007FF65A772000-memory.dmp

Filesize
3.3MB

Download
memory/2600-18-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp

Filesize
3.3MB

Download
memory/2600-134-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp

Filesize
3.3MB

Download
memory/2600-131-0x00007FF6D2B10000-0x00007FF6D2E62000-memory.dmp

Filesize
3.3MB

Download
memory/2688-135-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp

Filesize
3.3MB

Download
memory/2688-26-0x00007FF7CFCF0000-0x00007FF7D0042000-memory.dmp

Filesize
3.3MB

Download
memory/2996-112-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp

Filesize
3.3MB

Download
memory/2996-137-0x00007FF68F6F0000-0x00007FF68FA42000-memory.dmp

Filesize
3.3MB

Download
memory/3032-139-0x00007FF616380000-0x00007FF6166D2000-memory.dmp

Filesize
3.3MB

Download
memory/3032-114-0x00007FF616380000-0x00007FF6166D2000-memory.dmp

Filesize
3.3MB

Download
memory/3164-117-0x00007FF725350000-0x00007FF7256A2000-memory.dmp

Filesize
3.3MB

Download
memory/3164-142-0x00007FF725350000-0x00007FF7256A2000-memory.dmp

Filesize
3.3MB

Download
memory/3196-127-0x00007FF617990000-0x00007FF617CE2000-memory.dmp

Filesize
3.3MB

Download
memory/3196-150-0x00007FF617990000-0x00007FF617CE2000-memory.dmp

Filesize
3.3MB

Download
memory/3292-0-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp

Filesize
3.3MB

Download
memory/3292-128-0x00007FF707E90000-0x00007FF7081E2000-memory.dmp

Filesize
3.3MB

Download
memory/3292-1-0x0000014FF68C0000-0x0000014FF68D0000-memory.dmp

Filesize
64KB

Download
memory/3328-141-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp

Filesize
3.3MB

Download
memory/3328-116-0x00007FF7499D0000-0x00007FF749D22000-memory.dmp

Filesize
3.3MB

Download
memory/3692-120-0x00007FF682460000-0x00007FF6827B2000-memory.dmp

Filesize
3.3MB

Download
memory/3692-145-0x00007FF682460000-0x00007FF6827B2000-memory.dmp

Filesize
3.3MB

Download
memory/3856-121-0x00007FF79F130000-0x00007FF79F482000-memory.dmp

Filesize
3.3MB

Download
memory/3856-146-0x00007FF79F130000-0x00007FF79F482000-memory.dmp

Filesize
3.3MB

Download
memory/4036-126-0x00007FF67A910000-0x00007FF67AC62000-memory.dmp

Filesize
3.3MB

Download
memory/4036-149-0x00007FF67A910000-0x00007FF67AC62000-memory.dmp

Filesize
3.3MB

Download
memory/4256-138-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp

Filesize
3.3MB

Download
memory/4256-113-0x00007FF7ABEC0000-0x00007FF7AC212000-memory.dmp

Filesize
3.3MB

Download
memory/4640-111-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp

Filesize
3.3MB

Download
memory/4640-136-0x00007FF69DCC0000-0x00007FF69E012000-memory.dmp

Filesize
3.3MB

Download
memory/5056-8-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp

Filesize
3.3MB

Download
memory/5056-132-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp

Filesize
3.3MB

Download
memory/5056-129-0x00007FF6C5B40000-0x00007FF6C5E92000-memory.dmp

Filesize
3.3MB

Download