Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-06-2024 01:15

General

  • Target

    2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe

  • Size

    5.9MB

  • MD5

    535513ba32d87b98fda7f6d15f835e83

  • SHA1

    c993f99e3653f7709ffbadd4d6c8062606e3a38a

  • SHA256

    c7e75e49e6ce4ba7f1325c826df12099205f492943ea41c5c89879f30d0d0ef2

  • SHA512

    0f9c84ef591723aca4f369d9387346fee416f7b324b0105c64d4c10cce1b08f748b440168b971a27c8f182ca4cd5fdf08736e673e4f8b2386b8014693eac6d55

  • SSDEEP

    98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUT:Q+856utgpPF8u/7T

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes
  • access_type

    512

  • beacon_type

    256

  • create_remote_thread

    768

  • crypto_scheme

    256

  • host

    ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

  • http_header1

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    5000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /N4215/adj/amzn.us.sr.aps

  • user_agent

    Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

  • watermark

    0

Signatures

  • Cobalt Strike reflective loader 20 IoCs

    Detects the reflective loader used by Cobalt Strike.

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Detects Reflective DLL injection artifacts 20 IoCs
  • UPX dump on OEP (original entry point) 63 IoCs
  • XMRig Miner payload 64 IoCs
  • Executes dropped EXE 21 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-07_535513ba32d87b98fda7f6d15f835e83_cobalt-strike_cobaltstrike.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\System\NcNUaxg.exe
      C:\Windows\System\NcNUaxg.exe
      2⤵
      • Executes dropped EXE
      PID:2996
    • C:\Windows\System\YFXxtem.exe
      C:\Windows\System\YFXxtem.exe
      2⤵
      • Executes dropped EXE
      PID:1260
    • C:\Windows\System\xbIuwfj.exe
      C:\Windows\System\xbIuwfj.exe
      2⤵
      • Executes dropped EXE
      PID:1360
    • C:\Windows\System\nQNuJbo.exe
      C:\Windows\System\nQNuJbo.exe
      2⤵
      • Executes dropped EXE
      PID:1420
    • C:\Windows\System\eGTYFJu.exe
      C:\Windows\System\eGTYFJu.exe
      2⤵
      • Executes dropped EXE
      PID:4140
    • C:\Windows\System\TrnxrST.exe
      C:\Windows\System\TrnxrST.exe
      2⤵
      • Executes dropped EXE
      PID:2844
    • C:\Windows\System\Phqcknz.exe
      C:\Windows\System\Phqcknz.exe
      2⤵
      • Executes dropped EXE
      PID:3876
    • C:\Windows\System\JgxMPKy.exe
      C:\Windows\System\JgxMPKy.exe
      2⤵
      • Executes dropped EXE
      PID:1220
    • C:\Windows\System\bMhLOJO.exe
      C:\Windows\System\bMhLOJO.exe
      2⤵
      • Executes dropped EXE
      PID:2656
    • C:\Windows\System\nttDhBt.exe
      C:\Windows\System\nttDhBt.exe
      2⤵
      • Executes dropped EXE
      PID:4288
    • C:\Windows\System\qQpbixQ.exe
      C:\Windows\System\qQpbixQ.exe
      2⤵
      • Executes dropped EXE
      PID:1872
    • C:\Windows\System\QlmAqjL.exe
      C:\Windows\System\QlmAqjL.exe
      2⤵
      • Executes dropped EXE
      PID:3144
    • C:\Windows\System\fYJyErh.exe
      C:\Windows\System\fYJyErh.exe
      2⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\System\bVmoqax.exe
      C:\Windows\System\bVmoqax.exe
      2⤵
      • Executes dropped EXE
      PID:684
    • C:\Windows\System\mhSSQnS.exe
      C:\Windows\System\mhSSQnS.exe
      2⤵
      • Executes dropped EXE
      PID:4752
    • C:\Windows\System\nJXlHjA.exe
      C:\Windows\System\nJXlHjA.exe
      2⤵
      • Executes dropped EXE
      PID:4092
    • C:\Windows\System\zSCupId.exe
      C:\Windows\System\zSCupId.exe
      2⤵
      • Executes dropped EXE
      PID:3068
    • C:\Windows\System\ibNaHRp.exe
      C:\Windows\System\ibNaHRp.exe
      2⤵
      • Executes dropped EXE
      PID:4236
    • C:\Windows\System\bKHmSWv.exe
      C:\Windows\System\bKHmSWv.exe
      2⤵
      • Executes dropped EXE
      PID:1356
    • C:\Windows\System\ZNlmqwk.exe
      C:\Windows\System\ZNlmqwk.exe
      2⤵
      • Executes dropped EXE
      PID:1848
    • C:\Windows\System\vUKhewg.exe
      C:\Windows\System\vUKhewg.exe
      2⤵
      • Executes dropped EXE
      PID:2180
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4124,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=4592 /prefetch:8
    1⤵
      PID:1016

Downloads

    • C:\Windows\System\JgxMPKy.exe

      Filesize

      5.9MB

      MD5

      dee06d50b85e0adbb81c826f01393706

      SHA1

      a2089d2a102ccd63e564d7242009bbfbb057966a

      SHA256

      fe6829f336b2a462dafc00c59dbde1e5dc937e75a9648b11ca6238cf981cddeb

      SHA512

      f4f2e65ffaec8b96f0d5104442f8cfba63c920dc762ef932430d6a73df9ae6eceb12051e3d50cebf33e0a398f756dabaa836fe4276eb9c7e172582dd45117d3f

    • C:\Windows\System\NcNUaxg.exe

      Filesize

      5.9MB

      MD5

      682d9bfa2cf17bc3863ca78c9a5485d2

      SHA1

      714aa31d5f2b8b1c2c0abf42876c76fc803d0f02

      SHA256

      b7943820c5f9f112b8aecdedfb2cea72fc54ac7f68b27ffd866dee33248b25f8

      SHA512

      8d3859801f3283c820f8267a8e1cb0b4fd194260d1d9b5e03102a0b393b919840adea088544be8fe06356fa0b37f6c8e449a88a1662068b5046cb0281e313836

    • C:\Windows\System\Phqcknz.exe

      Filesize

      5.9MB

      MD5

      f6cdfb3d88537b367792cbd894bd98ed

      SHA1

      3d3f99c94c72c456dffcf949bc5d30603a7e936c

      SHA256

      05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86

      SHA512

      0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3

    • C:\Windows\System\Phqcknz.exe

      Filesize

      4.2MB

      MD5

      77dba91fb3c2cde72cb349d9f90ca79c

      SHA1

      b84a9e63676a0ad38ca01ffd44702e7c9744ca69

      SHA256

      ed264866c0bae9fa9d4a16e9bcbd3d21ee672ee0eb5b22b64a5a0fa3926ac6d7

      SHA512

      7688eeb8dd7644b0c13094022c2cf5cb3e8225b2176f2a6c3aa2c5fffd3842d1f2840ab41b990e0e98d17fd029498949a429fd63ec10fb6afac0d993f6b2e67c

    • C:\Windows\System\QlmAqjL.exe

      Filesize

      5.9MB

      MD5

      e57318a63971361a76a0a00d9b4ea356

      SHA1

      bcbb1d386880cdb0c47dbb78c72c9e0c7b42af3f

      SHA256

      26bb691ef68c214044385a52a6635445b6438fd9de6b112687eefbe01cac5fcc

      SHA512

      6888e5c051cd3f80c98da0a2943314be2dd98c855fc187b93f67188d909ba52c1ebfe577beea983c76a7a5ebbfebd0ad630b623d5fc90c3d3a0f5c4f02fea787

    • C:\Windows\System\QlmAqjL.exe

      Filesize

      4.6MB

      MD5

      2130f4461ba7262c4b9569c7ad362fbe

      SHA1

      477f7cc69e47cdff19a52b2da61a04f2127580e1

      SHA256

      f68cab9e215b5970b95a91cba35e4b211ac827a19d524f2bf913504bdbf08025

      SHA512

      bd19fb9a7b432908f39c8e2a25f78223abf0f155bd219827a4b513d256827c60c965e975a97433d8f252d3353383a04a3ae742b841c52e2f210a05922493b703

    • C:\Windows\System\TrnxrST.exe

      Filesize

      5.9MB

      MD5

      9ce62272e904d938e9b1ab52047b7bed

      SHA1

      de720a95c519dcc91d4a02c6db9b37f62262ee2c

      SHA256

      79bca4257c29962c9874b923b89a5a285718452b849e5e8492e4e49677cb9e72

      SHA512

      047fb0b5efc6adefcb01282833b0e34853652a1c5659011bbec2a909d23352be8a0044b996c829f4c70612ef2d7ed120ac30e98552277c9ba7c96eb8a0b580a0

    • C:\Windows\System\YFXxtem.exe

      Filesize

      5.9MB

      MD5

      9022d259f131f966aeb180532616e878

      SHA1

      d71d74ad68a8bc78022efc3d8ba90a7ccf56f252

      SHA256

      f923b0ea32c8e30590d89c94daa296e1be30afa8a01e564fc20d54e847dc24a8

      SHA512

      23ce4746997e7ed3b66d09180093a9d304634c316a23f805003b8f2ef50b8272352f2fe1fb146365fac09a8b6e5dcc7993a62e76a3480e88d7fa2ab87690952c

    • C:\Windows\System\ZNlmqwk.exe

      Filesize

      5.9MB

      MD5

      46cef478b7258c8fedd6e4c8110b10ed

      SHA1

      425d93655f35af25a5187a10036b4d3779d97f7d

      SHA256

      affd811a828cfe87059a63716187acd3e7a2864ef7d13829c4645fee918039dd

      SHA512

      28fe0449b8a6cab5216d505b7b65b144b19519b573d322893130e12a17672079c2816fc760bc31ad52a7127a5a2273f3d32354e17f2228c77ee0b9fea9781673

    • C:\Windows\System\bKHmSWv.exe

      Filesize

      5.9MB

      MD5

      e31c581003e51523ef8cd76a84783dc2

      SHA1

      ecf4a6ca2861b7aeff73f9a776969bc4be912382

      SHA256

      69b15f7d15aacc6f29671c5a318c5c563db20a1b80a606f911f4a94741be7319

      SHA512

      75c9a26817d2b36ceb1759147fd4b1e5d06c5c9bcf76971ca453c7dc62a29bb067102cededf204d641b4d4e09e478458d96164be8842cb56cc0f6eb259de91cc

    • C:\Windows\System\bKHmSWv.exe

      Filesize

      5.3MB

      MD5

      e8c4508a392ccf08590d3627a36cc3c3

      SHA1

      3a57dd6c92ebc54582acaafd15cc9311eb0d15a2

      SHA256

      cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d

      SHA512

      f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410

    • C:\Windows\System\bMhLOJO.exe

      Filesize

      5.9MB

      MD5

      90a4690536f61f808cdff28f40c8d1e1

      SHA1

      cb625ea686b2a7df3f1a5cd20c5b66ac2ea0c334

      SHA256

      2943994b0fb447066264ab603c5a5419c9f5dec85d3d5cb5301468a058263250

      SHA512

      595b639d216ba7e16b61287c1fe4f2bf03878af722b289433e2de078b3345e4d3b0bd651d2027774246e33832a21b42687ca5334380e4e0597d04393e368db06

    • C:\Windows\System\bMhLOJO.exe

      Filesize

      5.7MB

      MD5

      1d51a6f9f8f706d40a78f27cac287065

      SHA1

      981c2096ede4558d1ebc91ef5d6ea849a5e05a26

      SHA256

      15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1

      SHA512

      f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97

    • C:\Windows\System\bVmoqax.exe

      Filesize

      5.9MB

      MD5

      42392c99db77f9e2b1b77943876acc96

      SHA1

      6e3d690eb2b4987a43047d9c6aaf0b8ff703968a

      SHA256

      fb22aec338479d5a72173cfa3358659080bb225f575c580438bbf1beae2a660f

      SHA512

      961075aa266abd7b91ced28cc1ac3a770e01aee71a2faca3bfdc0a52c30734be616a16fd5830473776fa54ff599db8801b587fc29addd608d36cf9702c8e4914

    • C:\Windows\System\eGTYFJu.exe

      Filesize

      5.9MB

      MD5

      609c6cd78eb28215a896143da952753a

      SHA1

      b08702a22c1dfa4e852dcf5722f1f1f598b8ce16

      SHA256

      eb841194c5586627885e07c57ef33cff7c5153e1ef23787186728d1a1db675c2

      SHA512

      9cf5f317d9fd6641d585bd943720d261ec5c94ec925c64609025cdbcce6c6f8b2e158841bf03b2e8df0e50f01fbfd305e684c9835a6fc0b9be2860940b892c8b

    • C:\Windows\System\fYJyErh.exe

      Filesize

      5.9MB

      MD5

      92dc21b361752419e6944ac5c8abc595

      SHA1

      7181951bddbed2aff92587e9e876b1f55eda0f92

      SHA256

      b8df1882bd0627671ce8c9369326fc8c01cd62394659eb8861bb632c603944a4

      SHA512

      fed79a0e3522eee9785a584c043d6726b2dea4086f3f819f081520836dee43de8729dcda39969cbf33595127099bea127d5dd024e587b97524f618b59f5f1ebd

    • C:\Windows\System\ibNaHRp.exe

      Filesize

      5.9MB

      MD5

      340992a7237dc521f419e3733452a17e

      SHA1

      928110cb51f67d90406b7785809ef282a747a514

      SHA256

      f15129a60de0c6e61092fd67d235db992807e02235487b180d74638c9e9592ea

      SHA512

      cb114b6aaa2ccdcf6e7c221832ef4537a1cc68880a90aeda26faef234c8cbd96f66939aaabce99246f7a915b7f0a2fed901a8443afbd629c13bb1759c9bc37d1

    • C:\Windows\System\mhSSQnS.exe

      Filesize

      5.9MB

      MD5

      57aa48d8406671d0dcb7c9379e86902d

      SHA1

      a3393915b790f3d46d5f4f0ee1765b1851a89067

      SHA256

      edba9c49f2618bc2613feccac26fe6d9275be87468e868ba1dbbedb8142820f4

      SHA512

      650ba3fd40bf4ae1edd26670d310bb37fe65ec957228c14605577aa7280f5cde3844305b3c44eaa3522116094007f8c760e23a977afeac979fa55e7a4e592c9d

    • C:\Windows\System\nJXlHjA.exe

      Filesize

      5.9MB

      MD5

      79b8ed996143e47c4d663690f2e02df2

      SHA1

      bb5ece110f91c853b61537d4379241e05fa197f9

      SHA256

      204f50135dd3542de480a34086f76dc1412dc0dca3b7950d3c41d21dc390b28f

      SHA512

      fa41037c4af41479df1c9770312fbf3ee5f5f6a691d400f8d6b85cf8964deb3910319c693c0063403c56e62c87c12ae62ac5a0f3a4926b0b4679db71abf02085

    • C:\Windows\System\nQNuJbo.exe

      Filesize

      5.9MB

      MD5

      e27b1bd88330f848ff603d5831461175

      SHA1

      5ca934f50e46589be53fd468a8bec763b178d467

      SHA256

      0e3ec72772d6fa7a0646273b95929a7a1a34eb3e9de06e6b8f0be438d4b0c050

      SHA512

      b578fe1e7a0279ff85996a95e55ea0a43ab3e73f358295c7dded57fa733eab788330d0e3824d29f21f6a62955aa219a2557e148cb379266ac8d4b3849a67c028

    • C:\Windows\System\nttDhBt.exe

      Filesize

      5.9MB

      MD5

      542e3838428bc1dab5c5b1311e6a64a8

      SHA1

      626c0f29c4043b2b324639aade2ca33c5b4ea25e

      SHA256

      843f2ed5321c4686686af30027ce1830054d4dd5e404be2b4731af8043a16e4b

      SHA512

      6b4d8f7d176b4382761b0dad5e950badc4e4a8c4fbafa6fc1b15a97f6ea41d53d3dde77fc6ed5659b0d8372c5f0ddef6e06f59f81ba4d2b9c65009728caacadc

    • C:\Windows\System\qQpbixQ.exe

      Filesize

      5.9MB

      MD5

      24c799f31d37f20e6a45c663fbd4bc7f

      SHA1

      0cdada5f4e38dff8963b02508333bebaf72858f2

      SHA256

      9b0d3f5d7d20a63ff0fb7eea26a84e1630e8c1550a003b6a57d0854bb738b4a1

      SHA512

      93ba72472259ae15d57cc8534988af6fcce1cab4d83bab2dbd800ddee22cad65dbc1b640eaba9e228c09188817384fa879907fc4404254b2a1c4aecaad44644c

    • C:\Windows\System\vUKhewg.exe

      Filesize

      5.9MB

      MD5

      39e0b48602867ba7a27259b41e502711

      SHA1

      2f5f932002a96d3516884f572deb44a213792601

      SHA256

      d17cd61ffe37d78fd2b29b96e1c45ec2f3e57ad4c634f55474932229eb1dac3c

      SHA512

      d4bd0ad2169cefad8271031a22ec7f54ea99c2d7d6bd97ade92aea5c1e8060a0e1344f5be0daacd02add2f320a2988e5aae130008312f6c44075ad1ae20ae50d

    • C:\Windows\System\xbIuwfj.exe

      Filesize

      5.9MB

      MD5

      5e3c1c44eeaf0a234bfd932b352b8a82

      SHA1

      53404a534f7d691d869705d9b2e34c13d90f9bf2

      SHA256

      8b012b8f81fb711fd354725b9864181709bff6e3f30b0a9ccfd4e398eb715c80

      SHA512

      127876f9fed1d346f7428584ccdf4698b8b90d831ed4e221cec075c0d5e636e9227578d4fcce10298d4e1e724d08995d6e205dc1c575ab33e1040ff52fa3bfcc

    • C:\Windows\System\zSCupId.exe

      Filesize

      5.9MB

      MD5

      cf313fd3567660358188c59a0a20f444

      SHA1

      8632dac699892a62b347b390d451e31b8da6b7a2

      SHA256

      bdabd7afb3def616db7c79fd00c9940f52ea72dbe1ae83556070f60b0a8d097d

      SHA512

      76a5fac08caae91c1e4e9ec14c5cbac879cb012a5fb81ef0d12af0f3e9364b89a2676846187a24e57ea761fed334c621fb13cb54ad0b9ba008e40042d35f58b1

    • memory/684-121-0x00007FF75F450000-0x00007FF75F7A4000-memory.dmp

      Filesize

      3.3MB

    • memory/684-149-0x00007FF75F450000-0x00007FF75F7A4000-memory.dmp

      Filesize

      3.3MB

    • memory/1220-135-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp

      Filesize

      3.3MB

    • memory/1220-48-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp

      Filesize

      3.3MB

    • memory/1220-143-0x00007FF6CE400000-0x00007FF6CE754000-memory.dmp

      Filesize

      3.3MB

    • memory/1260-14-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp

      Filesize

      3.3MB

    • memory/1260-137-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp

      Filesize

      3.3MB

    • memory/1260-129-0x00007FF67B1E0000-0x00007FF67B534000-memory.dmp

      Filesize

      3.3MB

    • memory/1356-154-0x00007FF6FA990000-0x00007FF6FACE4000-memory.dmp

      Filesize

      3.3MB

    • memory/1356-126-0x00007FF6FA990000-0x00007FF6FACE4000-memory.dmp

      Filesize

      3.3MB

    • memory/1360-138-0x00007FF702F10000-0x00007FF703264000-memory.dmp

      Filesize

      3.3MB

    • memory/1360-130-0x00007FF702F10000-0x00007FF703264000-memory.dmp

      Filesize

      3.3MB

    • memory/1360-20-0x00007FF702F10000-0x00007FF703264000-memory.dmp

      Filesize

      3.3MB

    • memory/1420-139-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp

      Filesize

      3.3MB

    • memory/1420-24-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp

      Filesize

      3.3MB

    • memory/1420-131-0x00007FF642F90000-0x00007FF6432E4000-memory.dmp

      Filesize

      3.3MB

    • memory/1848-127-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp

      Filesize

      3.3MB

    • memory/1848-156-0x00007FF7348E0000-0x00007FF734C34000-memory.dmp

      Filesize

      3.3MB

    • memory/1872-146-0x00007FF63E430000-0x00007FF63E784000-memory.dmp

      Filesize

      3.3MB

    • memory/1872-118-0x00007FF63E430000-0x00007FF63E784000-memory.dmp

      Filesize

      3.3MB

    • memory/2180-155-0x00007FF7CDB00000-0x00007FF7CDE54000-memory.dmp

      Filesize

      3.3MB

    • memory/2180-128-0x00007FF7CDB00000-0x00007FF7CDE54000-memory.dmp

      Filesize

      3.3MB

    • memory/2204-1-0x000001C5771D0000-0x000001C5771E0000-memory.dmp

      Filesize

      64KB

    • memory/2204-61-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp

      Filesize

      3.3MB

    • memory/2204-0-0x00007FF6159E0000-0x00007FF615D34000-memory.dmp

      Filesize

      3.3MB

    • memory/2644-148-0x00007FF7E8920000-0x00007FF7E8C74000-memory.dmp

      Filesize

      3.3MB

    • memory/2644-120-0x00007FF7E8920000-0x00007FF7E8C74000-memory.dmp

      Filesize

      3.3MB

    • memory/2656-56-0x00007FF63F6C0000-0x00007FF63FA14000-memory.dmp

      Filesize

      3.3MB

    • memory/2656-144-0x00007FF63F6C0000-0x00007FF63FA14000-memory.dmp

      Filesize

      3.3MB

    • memory/2844-39-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp

      Filesize

      3.3MB

    • memory/2844-142-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp

      Filesize

      3.3MB

    • memory/2844-133-0x00007FF6D3AD0000-0x00007FF6D3E24000-memory.dmp

      Filesize

      3.3MB

    • memory/2996-136-0x00007FF641620000-0x00007FF641974000-memory.dmp

      Filesize

      3.3MB

    • memory/2996-8-0x00007FF641620000-0x00007FF641974000-memory.dmp

      Filesize

      3.3MB

    • memory/3068-152-0x00007FF7738E0000-0x00007FF773C34000-memory.dmp

      Filesize

      3.3MB

    • memory/3068-124-0x00007FF7738E0000-0x00007FF773C34000-memory.dmp

      Filesize

      3.3MB

    • memory/3144-147-0x00007FF799330000-0x00007FF799684000-memory.dmp

      Filesize

      3.3MB

    • memory/3144-119-0x00007FF799330000-0x00007FF799684000-memory.dmp

      Filesize

      3.3MB

    • memory/3876-141-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp

      Filesize

      3.3MB

    • memory/3876-40-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp

      Filesize

      3.3MB

    • memory/3876-134-0x00007FF62FF50000-0x00007FF6302A4000-memory.dmp

      Filesize

      3.3MB

    • memory/4092-123-0x00007FF7EE5F0000-0x00007FF7EE944000-memory.dmp

      Filesize

      3.3MB

    • memory/4092-151-0x00007FF7EE5F0000-0x00007FF7EE944000-memory.dmp

      Filesize

      3.3MB

    • memory/4140-140-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4140-132-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4140-30-0x00007FF7EA270000-0x00007FF7EA5C4000-memory.dmp

      Filesize

      3.3MB

    • memory/4236-125-0x00007FF7EE5D0000-0x00007FF7EE924000-memory.dmp

      Filesize

      3.3MB

    • memory/4236-153-0x00007FF7EE5D0000-0x00007FF7EE924000-memory.dmp

      Filesize

      3.3MB

    • memory/4288-145-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

      Filesize

      3.3MB

    • memory/4288-64-0x00007FF7C6D80000-0x00007FF7C70D4000-memory.dmp

      Filesize

      3.3MB

    • memory/4752-122-0x00007FF7A56D0000-0x00007FF7A5A24000-memory.dmp

      Filesize

      3.3MB

    • memory/4752-150-0x00007FF7A56D0000-0x00007FF7A5A24000-memory.dmp

      Filesize

      3.3MB