cobaltstrike | 27c5b09a238d49db1d1612c80027aff9bad3d5bf4d38d7e35ca81ce87db11ef8

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 14:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

052d33dae6614a608ab999f145c1edde
SHA1

b23487765df3bdcabc42557f55598c07e6c3ba2c
SHA256

27c5b09a238d49db1d1612c80027aff9bad3d5bf4d38d7e35ca81ce87db11ef8
SHA512

56c26b5ca437a2e044f0ec73cb56b5981c56a364ce969db9c22f24412419b45d7efe215ea6fcc6b5ab8dec4c5521730fbff98bfa72c5146c1b5bee3b41c5771b
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU3:Q+856utgpPF8u/73

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233f8-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023406-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023407-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023409-26.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340b-31.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340a-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340c-43.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340d-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023410-72.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340f-69.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002340e-66.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023408-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023411-77.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023412-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023414-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023413-90.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023415-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023418-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023419-125.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023416-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023417-120.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral2/files/0x00090000000233f8-4.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023406-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023407-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023409-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340b-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340a-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340c-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340d-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023410-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340f-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x000700000002340e-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023408-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023411-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023412-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023414-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023413-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023415-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023418-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023419-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023416-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral2/files/0x0007000000023417-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/4932-0-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	UPX
behavioral2/files/0x00090000000233f8-4.dat	UPX
behavioral2/memory/3340-8-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	UPX
behavioral2/files/0x0007000000023406-11.dat	UPX
behavioral2/files/0x0007000000023407-10.dat	UPX
behavioral2/files/0x0007000000023409-26.dat	UPX
behavioral2/files/0x000700000002340b-31.dat	UPX
behavioral2/files/0x000700000002340a-41.dat	UPX
behavioral2/files/0x000700000002340c-43.dat	UPX
behavioral2/files/0x000700000002340d-49.dat	UPX
behavioral2/memory/1728-50-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	UPX
behavioral2/memory/4412-63-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	UPX
behavioral2/memory/836-68-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	UPX
behavioral2/files/0x0007000000023410-72.dat	UPX
behavioral2/memory/2132-71-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-69.dat	UPX
behavioral2/files/0x000700000002340e-66.dat	UPX
behavioral2/memory/5068-64-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	UPX
behavioral2/memory/1688-55-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	UPX
behavioral2/memory/2092-47-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	UPX
behavioral2/memory/1624-42-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	UPX
behavioral2/memory/5116-37-0x00007FF758640000-0x00007FF758994000-memory.dmp	UPX
behavioral2/memory/2016-33-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	UPX
behavioral2/files/0x0007000000023408-30.dat	UPX
behavioral2/memory/4380-18-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023411-77.dat	UPX
behavioral2/files/0x0007000000023412-83.dat	UPX
behavioral2/memory/516-82-0x00007FF62FD30000-0x00007FF630084000-memory.dmp	UPX
behavioral2/memory/4932-93-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	UPX
behavioral2/memory/1608-95-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp	UPX
behavioral2/files/0x0007000000023414-97.dat	UPX
behavioral2/files/0x0007000000023413-90.dat	UPX
behavioral2/memory/3576-89-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp	UPX
behavioral2/files/0x0007000000023415-106.dat	UPX
behavioral2/memory/3948-102-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	UPX
behavioral2/memory/3340-101-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	UPX
behavioral2/memory/4380-108-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023418-116.dat	UPX
behavioral2/memory/1624-118-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	UPX
behavioral2/files/0x0007000000023419-125.dat	UPX
behavioral2/memory/1688-131-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	UPX
behavioral2/memory/3616-133-0x00007FF686600000-0x00007FF686954000-memory.dmp	UPX
behavioral2/memory/4412-132-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	UPX
behavioral2/memory/1480-124-0x00007FF717110000-0x00007FF717464000-memory.dmp	UPX
behavioral2/memory/1508-123-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	UPX
behavioral2/files/0x0007000000023416-121.dat	UPX
behavioral2/files/0x0007000000023417-120.dat	UPX
behavioral2/memory/440-117-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	UPX
behavioral2/memory/3848-115-0x00007FF6D9640000-0x00007FF6D9994000-memory.dmp	UPX
behavioral2/memory/5068-134-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	UPX
behavioral2/memory/836-135-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	UPX
behavioral2/memory/2132-136-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	UPX
behavioral2/memory/440-137-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	UPX
behavioral2/memory/1508-138-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	UPX
behavioral2/memory/1480-139-0x00007FF717110000-0x00007FF717464000-memory.dmp	UPX
behavioral2/memory/3340-140-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	UPX
behavioral2/memory/4380-141-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	UPX
behavioral2/memory/2016-142-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	UPX
behavioral2/memory/5116-143-0x00007FF758640000-0x00007FF758994000-memory.dmp	UPX
behavioral2/memory/2092-144-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	UPX
behavioral2/memory/1728-146-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	UPX
behavioral2/memory/1624-145-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	UPX
behavioral2/memory/4412-147-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	UPX
behavioral2/memory/1688-148-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4932-0-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	xmrig
behavioral2/files/0x00090000000233f8-4.dat	xmrig
behavioral2/memory/3340-8-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023406-11.dat	xmrig
behavioral2/files/0x0007000000023407-10.dat	xmrig
behavioral2/files/0x0007000000023409-26.dat	xmrig
behavioral2/files/0x000700000002340b-31.dat	xmrig
behavioral2/files/0x000700000002340a-41.dat	xmrig
behavioral2/files/0x000700000002340c-43.dat	xmrig
behavioral2/files/0x000700000002340d-49.dat	xmrig
behavioral2/memory/1728-50-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	xmrig
behavioral2/memory/4412-63-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	xmrig
behavioral2/memory/836-68-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	xmrig
behavioral2/files/0x0007000000023410-72.dat	xmrig
behavioral2/memory/2132-71-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-69.dat	xmrig
behavioral2/files/0x000700000002340e-66.dat	xmrig
behavioral2/memory/5068-64-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	xmrig
behavioral2/memory/1688-55-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	xmrig
behavioral2/memory/2092-47-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	xmrig
behavioral2/memory/1624-42-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	xmrig
behavioral2/memory/5116-37-0x00007FF758640000-0x00007FF758994000-memory.dmp	xmrig
behavioral2/memory/2016-33-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023408-30.dat	xmrig
behavioral2/memory/4380-18-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023411-77.dat	xmrig
behavioral2/files/0x0007000000023412-83.dat	xmrig
behavioral2/memory/516-82-0x00007FF62FD30000-0x00007FF630084000-memory.dmp	xmrig
behavioral2/memory/4932-93-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	xmrig
behavioral2/memory/1608-95-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-97.dat	xmrig
behavioral2/files/0x0007000000023413-90.dat	xmrig
behavioral2/memory/3576-89-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-106.dat	xmrig
behavioral2/memory/3948-102-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	xmrig
behavioral2/memory/3340-101-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	xmrig
behavioral2/memory/4380-108-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-116.dat	xmrig
behavioral2/memory/1624-118-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023419-125.dat	xmrig
behavioral2/memory/1688-131-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	xmrig
behavioral2/memory/3616-133-0x00007FF686600000-0x00007FF686954000-memory.dmp	xmrig
behavioral2/memory/4412-132-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	xmrig
behavioral2/memory/1480-124-0x00007FF717110000-0x00007FF717464000-memory.dmp	xmrig
behavioral2/memory/1508-123-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	xmrig
behavioral2/files/0x0007000000023416-121.dat	xmrig
behavioral2/files/0x0007000000023417-120.dat	xmrig
behavioral2/memory/440-117-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	xmrig
behavioral2/memory/3848-115-0x00007FF6D9640000-0x00007FF6D9994000-memory.dmp	xmrig
behavioral2/memory/5068-134-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	xmrig
behavioral2/memory/836-135-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	xmrig
behavioral2/memory/2132-136-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	xmrig
behavioral2/memory/440-137-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	xmrig
behavioral2/memory/1508-138-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	xmrig
behavioral2/memory/1480-139-0x00007FF717110000-0x00007FF717464000-memory.dmp	xmrig
behavioral2/memory/3340-140-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	xmrig
behavioral2/memory/4380-141-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	xmrig
behavioral2/memory/2016-142-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	xmrig
behavioral2/memory/5116-143-0x00007FF758640000-0x00007FF758994000-memory.dmp	xmrig
behavioral2/memory/2092-144-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	xmrig
behavioral2/memory/1728-146-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	xmrig
behavioral2/memory/1624-145-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	xmrig
behavioral2/memory/4412-147-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	xmrig
behavioral2/memory/1688-148-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3340	awpdUWP.exe
4380	iZjZPWB.exe
2016	EPxTDdy.exe
5116	CevPuLX.exe
1728	eSSfCBu.exe
1624	MgRbedl.exe
2092	ZQcDmpq.exe
1688	fQJooND.exe
4412	McWIhvx.exe
836	cDfTOfq.exe
5068	OlwnRqH.exe
2132	doTODZq.exe
516	DSeDILC.exe
3576	jFBeZjN.exe
1608	AXZpuIG.exe
3948	uRNpgZU.exe
3848	Givcypn.exe
1508	qwMMLQB.exe
440	kcINOCX.exe
1480	PPUPtMF.exe
3616	mLjMxxq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4932-0-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	upx
behavioral2/files/0x00090000000233f8-4.dat	upx
behavioral2/memory/3340-8-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	upx
behavioral2/files/0x0007000000023406-11.dat	upx
behavioral2/files/0x0007000000023407-10.dat	upx
behavioral2/files/0x0007000000023409-26.dat	upx
behavioral2/files/0x000700000002340b-31.dat	upx
behavioral2/files/0x000700000002340a-41.dat	upx
behavioral2/files/0x000700000002340c-43.dat	upx
behavioral2/files/0x000700000002340d-49.dat	upx
behavioral2/memory/1728-50-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	upx
behavioral2/memory/4412-63-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	upx
behavioral2/memory/836-68-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	upx
behavioral2/files/0x0007000000023410-72.dat	upx
behavioral2/memory/2132-71-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	upx
behavioral2/files/0x000700000002340f-69.dat	upx
behavioral2/files/0x000700000002340e-66.dat	upx
behavioral2/memory/5068-64-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	upx
behavioral2/memory/1688-55-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	upx
behavioral2/memory/2092-47-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	upx
behavioral2/memory/1624-42-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	upx
behavioral2/memory/5116-37-0x00007FF758640000-0x00007FF758994000-memory.dmp	upx
behavioral2/memory/2016-33-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	upx
behavioral2/files/0x0007000000023408-30.dat	upx
behavioral2/memory/4380-18-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	upx
behavioral2/files/0x0007000000023411-77.dat	upx
behavioral2/files/0x0007000000023412-83.dat	upx
behavioral2/memory/516-82-0x00007FF62FD30000-0x00007FF630084000-memory.dmp	upx
behavioral2/memory/4932-93-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp	upx
behavioral2/memory/1608-95-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp	upx
behavioral2/files/0x0007000000023414-97.dat	upx
behavioral2/files/0x0007000000023413-90.dat	upx
behavioral2/memory/3576-89-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp	upx
behavioral2/files/0x0007000000023415-106.dat	upx
behavioral2/memory/3948-102-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	upx
behavioral2/memory/3340-101-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	upx
behavioral2/memory/4380-108-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	upx
behavioral2/files/0x0007000000023418-116.dat	upx
behavioral2/memory/1624-118-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	upx
behavioral2/files/0x0007000000023419-125.dat	upx
behavioral2/memory/1688-131-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	upx
behavioral2/memory/3616-133-0x00007FF686600000-0x00007FF686954000-memory.dmp	upx
behavioral2/memory/4412-132-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	upx
behavioral2/memory/1480-124-0x00007FF717110000-0x00007FF717464000-memory.dmp	upx
behavioral2/memory/1508-123-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	upx
behavioral2/files/0x0007000000023416-121.dat	upx
behavioral2/files/0x0007000000023417-120.dat	upx
behavioral2/memory/440-117-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	upx
behavioral2/memory/3848-115-0x00007FF6D9640000-0x00007FF6D9994000-memory.dmp	upx
behavioral2/memory/5068-134-0x00007FF695990000-0x00007FF695CE4000-memory.dmp	upx
behavioral2/memory/836-135-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp	upx
behavioral2/memory/2132-136-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp	upx
behavioral2/memory/440-137-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp	upx
behavioral2/memory/1508-138-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp	upx
behavioral2/memory/1480-139-0x00007FF717110000-0x00007FF717464000-memory.dmp	upx
behavioral2/memory/3340-140-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp	upx
behavioral2/memory/4380-141-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp	upx
behavioral2/memory/2016-142-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp	upx
behavioral2/memory/5116-143-0x00007FF758640000-0x00007FF758994000-memory.dmp	upx
behavioral2/memory/2092-144-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp	upx
behavioral2/memory/1728-146-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp	upx
behavioral2/memory/1624-145-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp	upx
behavioral2/memory/4412-147-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp	upx
behavioral2/memory/1688-148-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZQcDmpq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\McWIhvx.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OlwnRqH.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\doTODZq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AXZpuIG.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Givcypn.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kcINOCX.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MgRbedl.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PPUPtMF.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qwMMLQB.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EPxTDdy.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DSeDILC.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\awpdUWP.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CevPuLX.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eSSfCBu.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fQJooND.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cDfTOfq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jFBeZjN.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uRNpgZU.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mLjMxxq.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iZjZPWB.exe	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3340	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	84
PID 4932 wrote to memory of 3340	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	84
PID 4932 wrote to memory of 4380	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	85
PID 4932 wrote to memory of 4380	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	85
PID 4932 wrote to memory of 2016	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	86
PID 4932 wrote to memory of 2016	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	86
PID 4932 wrote to memory of 5116	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	87
PID 4932 wrote to memory of 5116	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	87
PID 4932 wrote to memory of 1728	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	88
PID 4932 wrote to memory of 1728	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	88
PID 4932 wrote to memory of 1624	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	89
PID 4932 wrote to memory of 1624	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	89
PID 4932 wrote to memory of 2092	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	90
PID 4932 wrote to memory of 2092	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	90
PID 4932 wrote to memory of 1688	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	91
PID 4932 wrote to memory of 1688	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	91
PID 4932 wrote to memory of 4412	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	92
PID 4932 wrote to memory of 4412	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	92
PID 4932 wrote to memory of 836	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	93
PID 4932 wrote to memory of 836	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	93
PID 4932 wrote to memory of 5068	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	94
PID 4932 wrote to memory of 5068	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	94
PID 4932 wrote to memory of 2132	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	95
PID 4932 wrote to memory of 2132	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	95
PID 4932 wrote to memory of 516	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	96
PID 4932 wrote to memory of 516	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	96
PID 4932 wrote to memory of 3576	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	98
PID 4932 wrote to memory of 3576	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	98
PID 4932 wrote to memory of 1608	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	99
PID 4932 wrote to memory of 1608	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	99
PID 4932 wrote to memory of 3948	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	100
PID 4932 wrote to memory of 3948	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	100
PID 4932 wrote to memory of 3848	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	101
PID 4932 wrote to memory of 3848	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	101
PID 4932 wrote to memory of 440	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	103
PID 4932 wrote to memory of 440	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	103
PID 4932 wrote to memory of 1508	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	104
PID 4932 wrote to memory of 1508	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	104
PID 4932 wrote to memory of 1480	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	105
PID 4932 wrote to memory of 1480	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	105
PID 4932 wrote to memory of 3616	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	106
PID 4932 wrote to memory of 3616	4932	2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe	106

C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_052d33dae6614a608ab999f145c1edde_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\System\awpdUWP.exe
  C:\Windows\System\awpdUWP.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\iZjZPWB.exe
  C:\Windows\System\iZjZPWB.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\EPxTDdy.exe
  C:\Windows\System\EPxTDdy.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\CevPuLX.exe
  C:\Windows\System\CevPuLX.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\eSSfCBu.exe
  C:\Windows\System\eSSfCBu.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\MgRbedl.exe
  C:\Windows\System\MgRbedl.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\ZQcDmpq.exe
  C:\Windows\System\ZQcDmpq.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\fQJooND.exe
  C:\Windows\System\fQJooND.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\McWIhvx.exe
  C:\Windows\System\McWIhvx.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\cDfTOfq.exe
  C:\Windows\System\cDfTOfq.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\OlwnRqH.exe
  C:\Windows\System\OlwnRqH.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\doTODZq.exe
  C:\Windows\System\doTODZq.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\DSeDILC.exe
  C:\Windows\System\DSeDILC.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\jFBeZjN.exe
  C:\Windows\System\jFBeZjN.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\AXZpuIG.exe
  C:\Windows\System\AXZpuIG.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\uRNpgZU.exe
  C:\Windows\System\uRNpgZU.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\Givcypn.exe
  C:\Windows\System\Givcypn.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\kcINOCX.exe
  C:\Windows\System\kcINOCX.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\qwMMLQB.exe
  C:\Windows\System\qwMMLQB.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\PPUPtMF.exe
  C:\Windows\System\PPUPtMF.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\mLjMxxq.exe
  C:\Windows\System\mLjMxxq.exe
  2⤵
  - Executes dropped EXE
  PID:3616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AXZpuIG.exe

Filesize
5.9MB

MD5
da81daed24206ca7354ef198077ed05a

SHA1
94b4ef3a8624c7759791d23c8a44d8d316963f32

SHA256
720927d16922d49f23ccdc8a225c5ca4a099751dfc919b6c18496efc821be165

SHA512
4bb304f45d615f119da7d4aeaf4fb4e907d7bf0b797dbc6f39695b69b51dec1060e11ee5fe4de5a6526692bc4e6e35ca5e341ef80bf88873dcf111d2de1eae27

Download Submit
C:\Windows\System\CevPuLX.exe

Filesize
5.9MB

MD5
107f6bfb56bf42e910eb6a9ed3cf1986

SHA1
3e800f966dd64e3cf9da8d71d85ec8894a9f54ac

SHA256
3f5fd63772dc8954264111154bad42b059ab660c5c343ed6918d4dc3f98057e3

SHA512
196e9d8257be18150ec351c26fa589338a1cb1d81b1241b842202815e818961209da9ad85e6e374149d425bffd2e85efc431629e2aeb9397975f935f3211d8c6

Download Submit
C:\Windows\System\DSeDILC.exe

Filesize
5.9MB

MD5
528066938a5b3bd6c01825518fb53517

SHA1
f5cd630d652efa88fb0a064b7e7fa6428bdc2b1f

SHA256
ead8e59c2832fb1a9ba47badb7bdca0008fae1179807b76838d7d00b33ad97d6

SHA512
9bb51a1752af495eb139cf3912aa0d9ad5a82c9d82652a9cdd27694822790234212606a91b2194bab54a0dbc1907d2bcb69f0d342c4343410734f2e23281b80b

Download Submit
C:\Windows\System\EPxTDdy.exe

Filesize
5.9MB

MD5
ebb6cc2952d86061967e33bc2aa029c1

SHA1
ed0e37f3e46b6fef2ee0086695ed93d759244b99

SHA256
c1710cc4e4cf1dd2ce0e92fe90424657fc4a983983e9ce8bee84746575e63590

SHA512
48c99f33f7e3a781b6065e1427cd40343dc17628874dfaa5f47c6944920b7973e760fd6a7381ba9c9a31bcb2217f92e9dc8e631c1ac595f2de7a83594f3d222e

Download Submit
C:\Windows\System\Givcypn.exe

Filesize
5.9MB

MD5
c5210d357c3f795831427510344dd633

SHA1
64e6932f62cb4da36b73b059ba7c03521ca39009

SHA256
3eb77e15884965a5854a78b33a323fce16fdefcbe900a828e44278f52cd41ec6

SHA512
e8b3b43582b011a995097f7be993884ee80815656e683b63b1ae837346aa2bd244a84e25e6789989495321b426fb248f8a3a8eb056a6de9eaa1b40401024af91

Download Submit
C:\Windows\System\McWIhvx.exe

Filesize
5.9MB

MD5
cb34830d4cfa21400df70d08ddded230

SHA1
aef22432f472dee55375a4ed930a9a96caa716d7

SHA256
ca6c5bb4038efe23b2a17efaec93b7ba2e2926d320685db5c9e8df135eb64b63

SHA512
be1480a44f1f765a9b6118ad4b798c80a6f1bf8300ff77f11b33fdbf1eed72af89e8a49e45faf6776bdc4cd0c4f82ea676d689131baaa5fcb04af28266de772e

Download Submit
C:\Windows\System\MgRbedl.exe

Filesize
5.9MB

MD5
27824af6f67c38eb5062127c8920c81c

SHA1
e791bbb8177f132ef17a15a4f3cdeaca468dbf36

SHA256
86c2367db8cf61f2f4ee525c93d63c05b55553db57bb79d8ed11bf0042f21640

SHA512
681ec05b963558c59ab543620bbd0b2634c9372b455e35fcb00f7dd6ad88dfb42a5014a874415bc784b2868d29f9df9f1a1bda02fcbb555d9651f148c8f38fe9

Download Submit
C:\Windows\System\OlwnRqH.exe

Filesize
5.9MB

MD5
394c05f825c15c9856a4c8626d017d06

SHA1
6329cc88e8a52ba202a808f8daf06376a6899707

SHA256
bc5f0019e9dbd831a6acab0d4dd4348d1fcc38803cfae873b335708db8ac131e

SHA512
283b63871690e9d0c2ef787468bc0e0743f3811f18c96db0099e76a1a782c2d9aa634d5e300d7af1d5013cde7aa3a688b5a862c206744dc3ade1f36c77f9e8a9

Download Submit
C:\Windows\System\PPUPtMF.exe

Filesize
5.9MB

MD5
509c1a22b62ea2b517379f6e6441c276

SHA1
d5d89b44166715ac7fccd2673e0d21c373b26351

SHA256
685a288baf9260c53148494dd5e849011cc1af694d2b098b69a179ec3f12c29a

SHA512
2158cd46b1a676e65d860d07f980f1d9f72101484f2161d6bf9bbeb4e0d60cbb1906230a4ebe60d7d15ded0cd6b30c015246b2c94096fa5d2927f13f1b745b6f

Download Submit
C:\Windows\System\ZQcDmpq.exe

Filesize
5.9MB

MD5
98790673bbcb5694cd557d022f1ecb58

SHA1
d89cb51a6e3d89d31626f75e2cd281ed11f1ee39

SHA256
d39a1433e9998326e2a4a16ab81805610e775fb19c052cc6e343c2f0671af888

SHA512
108f9f88d85bb33ac0c9d260fe615fb8e5744ea3fbc3c278273b975130338d7baa54030caa054e3e9ff37fe2014b76fd4e211906f07d1ddc6d13597651a2d1ec

Download Submit
C:\Windows\System\awpdUWP.exe

Filesize
5.9MB

MD5
11521a2378a3c1cb993a96ae664f0945

SHA1
ee045753e597bceef35b88b631f2ac9306209a7a

SHA256
dcb6fa4a7fe16c367b1a3462d90c2e270d06d890aa433001b0851c42ced9c8f5

SHA512
738d205041fb7382b7656b51536c57dad4294aa53bc242937423157ed7c6fad33c0dced1ad931bdf1e7f341e0b49e90f603042980825e0813ac7a9482e305fcf

Download Submit
C:\Windows\System\cDfTOfq.exe

Filesize
5.9MB

MD5
516b0dcfc870b2286b3f235a13bb09ce

SHA1
6f91cbd75d4795cd90285221b6a98a564691c53c

SHA256
7108384c34c4ec4df5d0af83184c0260419d1e3047e847c4f989b971c66b1c3b

SHA512
57ee5e2d4e9da586937f2db8a857b197bb4501cb7ba5fedbf8c624014092c31a2ce85cab04bea0c431fdace44820cee957ad304fe86c19889e20221e316558d0

Download Submit
C:\Windows\System\doTODZq.exe

Filesize
5.9MB

MD5
36554a5531c2e607e54a2fcf43882d7e

SHA1
b0516fdb88e7396b38de55bb2fbba28329bd9bce

SHA256
ebfffe1dddf41b84d0829c453c045152c101871502570ed940f35057f3fa613f

SHA512
cc20eab739dd40961d83fd8ceb4c44f5ea1d0fd499e68589c584b8417718b6af41527f319a5472395303186e7ed4572916dae4df095ab85c3028202650a8b64d

Download Submit
C:\Windows\System\eSSfCBu.exe

Filesize
5.9MB

MD5
ca1250e1474d8883bf982f93e2a813fb

SHA1
a56c246d0cb61361580fde6eafea948aa64a2abe

SHA256
e02b22b5cc2c333a5a98277f6370bc1b414527d9426befd416b08405da8654e5

SHA512
24d507e58af8542eb9ae74b3df455f70f35ef202317dcdcd09037f0b404b7d6e7e3fdb85e266f4e40ee989172fe91fcf5732da5f8553076cdb67b67d8532b90a

Download Submit
C:\Windows\System\fQJooND.exe

Filesize
5.9MB

MD5
a57c0b3f5d4852dc983210a57bd9f447

SHA1
6d892d7d19e16edddd4c6414861ca952cebf4ddc

SHA256
a43c58dddbd3a1c09b7c1b114a8c7b8865dab385c1ad08d5518555523cf3858b

SHA512
e1b54d524fe5d4bd59e515e88a7665166023a6b1e45959e14752851d82a029c92ca30f25f804546592dbf07ba1d85f40afbea046b1ca291fbb9523ba31ff29b0

Download Submit
C:\Windows\System\iZjZPWB.exe

Filesize
5.9MB

MD5
d2de1753d58caf0569e778b6e2a95fe4

SHA1
38578a7da06b35c7788e1683cd04d55401e3c6f3

SHA256
4771550e308dc222293ae78fdd76e0b9d20f9561c36615f1ea3f51369f19f828

SHA512
f59380ea3699f65862138124ab8e13c62bdf561727aa50f56bd553a7973d92fdbf63b558b83baa6fa7bf93e68d7cc4480d3dce017f65a12ef74f051f4047fd95

Download Submit
C:\Windows\System\jFBeZjN.exe

Filesize
5.9MB

MD5
772c11b53c3ce6570264c88d8bae8700

SHA1
4fe4fd76c370ad133c6d78b9d137c4c59cef9bc8

SHA256
357fd7231be2e1957b8cba8bbb53296308fe2a8a86cbf7a370f1f8776144f2e5

SHA512
cc5f491b56e0d6f702955a85ca79859320ced3f7e2d4bf74d3bc5d661cfd0edd5d420973f71ab25e9129f4769b94c5813e6d84bac5e04c5cfee801ec35e0fec1

Download Submit
C:\Windows\System\kcINOCX.exe

Filesize
5.9MB

MD5
51da0b9059dee55183346e6effaeb7dc

SHA1
ec6a9468ce8776876b1250ce2b593101cc9eebcd

SHA256
31ce5d558266365ea207707bda05549e5336998d4526ba4d99ed9c0da0bed13d

SHA512
63caca26553cf0346e56fdf9ba577cd7c444bbad39ccc60fb5634f08d082557d32a14a6a650995b4a84e46d158d3d5a05499c928f637e8d8b7d325f36dad7b67

Download Submit
C:\Windows\System\mLjMxxq.exe

Filesize
5.9MB

MD5
43cbcb0214802aaaf026520b7340a0d4

SHA1
ede0983916a6b005b72b1c27066489908e9796fb

SHA256
2344541e0a023c240fc87ccbae6b92fc6f542e7d1b52470639e5f97acacf27d3

SHA512
1197c753e079b1c6d8d9e4d733ebf9b91f4124d8a930789e94b701ccaa8341531235c866da015b0a58b47926f36d6950b3fa6eda8bcb7cc0efb05fea82d8eb46

Download Submit
C:\Windows\System\qwMMLQB.exe

Filesize
5.9MB

MD5
72688b0c0e95323579ce5d70e727162c

SHA1
eb3ac39599b74b2ab1e0054b87169dd2a8657857

SHA256
1e4227e4617fe89b36f53d709420fbef51aff828ddfa5383fa48c0467d11aca2

SHA512
a85d6ebff0840a32b420f39f9343e428ddab8293a09f53bbda4121c9e7aecd9b92223f2731abae85c48042d59740bd65bcbf6d40fe6e3f39dbb49f392616df91

Download Submit
C:\Windows\System\uRNpgZU.exe

Filesize
5.9MB

MD5
5a3cc804b8e2a4f796023ac59b1bd64c

SHA1
7de85f894fd3f0a319b5c6b203838f79bab7ecdb

SHA256
7e1b702b7cb9c8f605b7a3bad27f5400298fc6831beb42b51f878800ced1a177

SHA512
5848d16dbf1da20ae6a126804c0ccc137a8a3420e28f6a43f98930698cc40faaaf4e4d6a48f968515e3f726ae1b4498c9b1578600aedfc576c08a5c81bc628f8

Download Submit
memory/440-117-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp

Filesize
3.3MB

Download
memory/440-157-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp

Filesize
3.3MB

Download
memory/440-137-0x00007FF631B70000-0x00007FF631EC4000-memory.dmp

Filesize
3.3MB

Download
memory/516-152-0x00007FF62FD30000-0x00007FF630084000-memory.dmp

Filesize
3.3MB

Download
memory/516-82-0x00007FF62FD30000-0x00007FF630084000-memory.dmp

Filesize
3.3MB

Download
memory/836-68-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp

Filesize
3.3MB

Download
memory/836-135-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp

Filesize
3.3MB

Download
memory/836-149-0x00007FF6BF500000-0x00007FF6BF854000-memory.dmp

Filesize
3.3MB

Download
memory/1480-124-0x00007FF717110000-0x00007FF717464000-memory.dmp

Filesize
3.3MB

Download
memory/1480-160-0x00007FF717110000-0x00007FF717464000-memory.dmp

Filesize
3.3MB

Download
memory/1480-139-0x00007FF717110000-0x00007FF717464000-memory.dmp

Filesize
3.3MB

Download
memory/1508-158-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp

Filesize
3.3MB

Download
memory/1508-123-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp

Filesize
3.3MB

Download
memory/1508-138-0x00007FF65EED0000-0x00007FF65F224000-memory.dmp

Filesize
3.3MB

Download
memory/1608-154-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1608-95-0x00007FF6FB560000-0x00007FF6FB8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-145-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-118-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-42-0x00007FF63AF70000-0x00007FF63B2C4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-148-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp

Filesize
3.3MB

Download
memory/1688-55-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp

Filesize
3.3MB

Download
memory/1688-131-0x00007FF79E5F0000-0x00007FF79E944000-memory.dmp

Filesize
3.3MB

Download
memory/1728-50-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp

Filesize
3.3MB

Download
memory/1728-146-0x00007FF73E860000-0x00007FF73EBB4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-142-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2016-33-0x00007FF62C590000-0x00007FF62C8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-47-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp

Filesize
3.3MB

Download
memory/2092-144-0x00007FF6FB200000-0x00007FF6FB554000-memory.dmp

Filesize
3.3MB

Download
memory/2132-136-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-71-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-150-0x00007FF6E9990000-0x00007FF6E9CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3340-101-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp

Filesize
3.3MB

Download
memory/3340-8-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp

Filesize
3.3MB

Download
memory/3340-140-0x00007FF6B6700000-0x00007FF6B6A54000-memory.dmp

Filesize
3.3MB

Download
memory/3576-89-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp

Filesize
3.3MB

Download
memory/3576-153-0x00007FF7E6B10000-0x00007FF7E6E64000-memory.dmp

Filesize
3.3MB

Download
memory/3616-133-0x00007FF686600000-0x00007FF686954000-memory.dmp

Filesize
3.3MB

Download
memory/3616-159-0x00007FF686600000-0x00007FF686954000-memory.dmp

Filesize
3.3MB

Download
memory/3848-156-0x00007FF6D9640000-0x00007FF6D9994000-memory.dmp

Filesize
3.3MB

Download
memory/3848-115-0x00007FF6D9640000-0x00007FF6D9994000-memory.dmp

Filesize
3.3MB

Download
memory/3948-102-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3948-155-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-141-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-108-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-18-0x00007FF7D3980000-0x00007FF7D3CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-147-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp

Filesize
3.3MB

Download
memory/4412-63-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp

Filesize
3.3MB

Download
memory/4412-132-0x00007FF7CEDC0000-0x00007FF7CF114000-memory.dmp

Filesize
3.3MB

Download
memory/4932-0-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp

Filesize
3.3MB

Download
memory/4932-93-0x00007FF63E4D0000-0x00007FF63E824000-memory.dmp

Filesize
3.3MB

Download
memory/4932-1-0x0000023C6D4F0000-0x0000023C6D500000-memory.dmp

Filesize
64KB

Download
memory/5068-64-0x00007FF695990000-0x00007FF695CE4000-memory.dmp

Filesize
3.3MB

Download
memory/5068-151-0x00007FF695990000-0x00007FF695CE4000-memory.dmp

Filesize
3.3MB

Download
memory/5068-134-0x00007FF695990000-0x00007FF695CE4000-memory.dmp

Filesize
3.3MB

Download
memory/5116-143-0x00007FF758640000-0x00007FF758994000-memory.dmp

Filesize
3.3MB

Download
memory/5116-37-0x00007FF758640000-0x00007FF758994000-memory.dmp

Filesize
3.3MB

Download