cobaltstrike | 3f0cdaa48950e83d99e3cd28ab694b5be69d3d9c0bfd8920933d7cc7d97811f1

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

456669f917933c276f299f261e8a9a86
SHA1

7fafde71cadaf9cffbc20a3f5c010a714ab1e43a
SHA256

3f0cdaa48950e83d99e3cd28ab694b5be69d3d9c0bfd8920933d7cc7d97811f1
SHA512

9fb15e77628d1021cdb7207c8fb1decf0cda064e085b44c51818a31e3eb42cae0b2dcd54a46754ab410144f44a72638f7d40d78040b769d843e91939bfafbd7d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\iDCwWXZ.exe	cobalt_reflective_dll
C:\Windows\System\ajnyKrw.exe	cobalt_reflective_dll
C:\Windows\System\iOybtKD.exe	cobalt_reflective_dll
C:\Windows\System\QFlpiJu.exe	cobalt_reflective_dll
C:\Windows\System\plRtnnW.exe	cobalt_reflective_dll
C:\Windows\System\KXPrEtP.exe	cobalt_reflective_dll
C:\Windows\System\rYMTeSE.exe	cobalt_reflective_dll
C:\Windows\System\piDxOpw.exe	cobalt_reflective_dll
C:\Windows\System\hLzkzzV.exe	cobalt_reflective_dll
C:\Windows\System\ePEdjfG.exe	cobalt_reflective_dll
C:\Windows\System\EatFykr.exe	cobalt_reflective_dll
C:\Windows\System\vNjSrlV.exe	cobalt_reflective_dll
C:\Windows\System\bhYQaml.exe	cobalt_reflective_dll
C:\Windows\System\GqgJWij.exe	cobalt_reflective_dll
C:\Windows\System\JhSZNey.exe	cobalt_reflective_dll
C:\Windows\System\FkuSlAZ.exe	cobalt_reflective_dll
C:\Windows\System\LIsONxC.exe	cobalt_reflective_dll
C:\Windows\System\QAcyQdq.exe	cobalt_reflective_dll
C:\Windows\System\NaUsXzt.exe	cobalt_reflective_dll
C:\Windows\System\ijOBmJZ.exe	cobalt_reflective_dll
C:\Windows\System\sIDymcV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\iDCwWXZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ajnyKrw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iOybtKD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QFlpiJu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\plRtnnW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KXPrEtP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rYMTeSE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\piDxOpw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hLzkzzV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ePEdjfG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EatFykr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vNjSrlV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bhYQaml.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GqgJWij.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JhSZNey.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FkuSlAZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LIsONxC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QAcyQdq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NaUsXzt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ijOBmJZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sIDymcV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1664-0-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	UPX
C:\Windows\System\iDCwWXZ.exe	UPX
C:\Windows\System\ajnyKrw.exe	UPX
C:\Windows\System\iOybtKD.exe	UPX
behavioral2/memory/980-12-0x00007FF720620000-0x00007FF720971000-memory.dmp	UPX
behavioral2/memory/4548-8-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	UPX
C:\Windows\System\QFlpiJu.exe	UPX
C:\Windows\System\plRtnnW.exe	UPX
behavioral2/memory/3496-30-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	UPX
behavioral2/memory/4600-27-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	UPX
behavioral2/memory/852-23-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	UPX
C:\Windows\System\KXPrEtP.exe	UPX
behavioral2/memory/4648-38-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	UPX
C:\Windows\System\rYMTeSE.exe	UPX
C:\Windows\System\piDxOpw.exe	UPX
behavioral2/memory/476-49-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	UPX
C:\Windows\System\hLzkzzV.exe	UPX
behavioral2/memory/2144-56-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	UPX
C:\Windows\System\ePEdjfG.exe	UPX
behavioral2/memory/964-62-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	UPX
behavioral2/memory/3040-44-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	UPX
C:\Windows\System\EatFykr.exe	UPX
behavioral2/memory/1664-66-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	UPX
C:\Windows\System\vNjSrlV.exe	UPX
behavioral2/memory/3060-75-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	UPX
behavioral2/memory/2036-72-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp	UPX
C:\Windows\System\bhYQaml.exe	UPX
C:\Windows\System\GqgJWij.exe	UPX
behavioral2/memory/4600-90-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	UPX
behavioral2/memory/3496-93-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	UPX
C:\Windows\System\JhSZNey.exe	UPX
behavioral2/memory/3548-103-0x00007FF6373F0000-0x00007FF637741000-memory.dmp	UPX
C:\Windows\System\FkuSlAZ.exe	UPX
C:\Windows\System\LIsONxC.exe	UPX
C:\Windows\System\QAcyQdq.exe	UPX
C:\Windows\System\NaUsXzt.exe	UPX
C:\Windows\System\ijOBmJZ.exe	UPX
C:\Windows\System\sIDymcV.exe	UPX
behavioral2/memory/852-86-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	UPX
behavioral2/memory/980-84-0x00007FF720620000-0x00007FF720971000-memory.dmp	UPX
behavioral2/memory/4548-81-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	UPX
behavioral2/memory/4648-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	UPX
behavioral2/memory/3040-127-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	UPX
behavioral2/memory/2144-129-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	UPX
behavioral2/memory/476-128-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	UPX
behavioral2/memory/964-130-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	UPX
behavioral2/memory/520-132-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp	UPX
behavioral2/memory/1664-133-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	UPX
behavioral2/memory/5076-134-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp	UPX
behavioral2/memory/3060-135-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	UPX
behavioral2/memory/236-136-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp	UPX
behavioral2/memory/2296-138-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp	UPX
behavioral2/memory/3124-146-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp	UPX
behavioral2/memory/4840-149-0x00007FF640A40000-0x00007FF640D91000-memory.dmp	UPX
behavioral2/memory/4760-150-0x00007FF601FB0000-0x00007FF602301000-memory.dmp	UPX
behavioral2/memory/524-151-0x00007FF697590000-0x00007FF6978E1000-memory.dmp	UPX
behavioral2/memory/1664-157-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	UPX
behavioral2/memory/4548-181-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	UPX
behavioral2/memory/980-183-0x00007FF720620000-0x00007FF720971000-memory.dmp	UPX
behavioral2/memory/852-186-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	UPX
behavioral2/memory/4600-188-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	UPX
behavioral2/memory/3496-189-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	UPX
behavioral2/memory/4648-202-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	UPX
behavioral2/memory/3040-204-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4600-27-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	xmrig
behavioral2/memory/852-23-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	xmrig
behavioral2/memory/2144-56-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	xmrig
behavioral2/memory/964-62-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	xmrig
behavioral2/memory/1664-66-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	xmrig
behavioral2/memory/2036-72-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp	xmrig
behavioral2/memory/4600-90-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	xmrig
behavioral2/memory/3496-93-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	xmrig
behavioral2/memory/3548-103-0x00007FF6373F0000-0x00007FF637741000-memory.dmp	xmrig
behavioral2/memory/852-86-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	xmrig
behavioral2/memory/980-84-0x00007FF720620000-0x00007FF720971000-memory.dmp	xmrig
behavioral2/memory/4548-81-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	xmrig
behavioral2/memory/4648-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	xmrig
behavioral2/memory/3040-127-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	xmrig
behavioral2/memory/2144-129-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	xmrig
behavioral2/memory/476-128-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	xmrig
behavioral2/memory/964-130-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	xmrig
behavioral2/memory/520-132-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp	xmrig
behavioral2/memory/1664-133-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	xmrig
behavioral2/memory/5076-134-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp	xmrig
behavioral2/memory/3060-135-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	xmrig
behavioral2/memory/236-136-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp	xmrig
behavioral2/memory/2296-138-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp	xmrig
behavioral2/memory/3124-146-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp	xmrig
behavioral2/memory/4840-149-0x00007FF640A40000-0x00007FF640D91000-memory.dmp	xmrig
behavioral2/memory/4760-150-0x00007FF601FB0000-0x00007FF602301000-memory.dmp	xmrig
behavioral2/memory/524-151-0x00007FF697590000-0x00007FF6978E1000-memory.dmp	xmrig
behavioral2/memory/1664-157-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	xmrig
behavioral2/memory/4548-181-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	xmrig
behavioral2/memory/980-183-0x00007FF720620000-0x00007FF720971000-memory.dmp	xmrig
behavioral2/memory/852-186-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	xmrig
behavioral2/memory/4600-188-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	xmrig
behavioral2/memory/3496-189-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	xmrig
behavioral2/memory/4648-202-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	xmrig
behavioral2/memory/3040-204-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	xmrig
behavioral2/memory/476-206-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	xmrig
behavioral2/memory/2144-210-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	xmrig
behavioral2/memory/964-209-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	xmrig
behavioral2/memory/2036-213-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp	xmrig
behavioral2/memory/3060-216-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	xmrig
behavioral2/memory/236-217-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp	xmrig
behavioral2/memory/3548-223-0x00007FF6373F0000-0x00007FF637741000-memory.dmp	xmrig
behavioral2/memory/520-225-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp	xmrig
behavioral2/memory/3124-229-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp	xmrig
behavioral2/memory/5076-233-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp	xmrig
behavioral2/memory/2296-236-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp	xmrig
behavioral2/memory/4840-240-0x00007FF640A40000-0x00007FF640D91000-memory.dmp	xmrig
behavioral2/memory/524-241-0x00007FF697590000-0x00007FF6978E1000-memory.dmp	xmrig
behavioral2/memory/4760-242-0x00007FF601FB0000-0x00007FF602301000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

iDCwWXZ.exeajnyKrw.exeiOybtKD.exeQFlpiJu.exeplRtnnW.exeKXPrEtP.exerYMTeSE.exepiDxOpw.exehLzkzzV.exeePEdjfG.exeEatFykr.exevNjSrlV.exebhYQaml.exeGqgJWij.exesIDymcV.exeJhSZNey.exeFkuSlAZ.exeLIsONxC.exeQAcyQdq.exeNaUsXzt.exeijOBmJZ.exe

pid	process
4548	iDCwWXZ.exe
980	ajnyKrw.exe
852	iOybtKD.exe
4600	QFlpiJu.exe
3496	plRtnnW.exe
4648	KXPrEtP.exe
3040	rYMTeSE.exe
476	piDxOpw.exe
2144	hLzkzzV.exe
964	ePEdjfG.exe
2036	EatFykr.exe
3060	vNjSrlV.exe
236	bhYQaml.exe
3548	GqgJWij.exe
520	sIDymcV.exe
3124	JhSZNey.exe
5076	FkuSlAZ.exe
2296	LIsONxC.exe
4840	QAcyQdq.exe
4760	NaUsXzt.exe
524	ijOBmJZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1664-0-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	upx
C:\Windows\System\iDCwWXZ.exe	upx
C:\Windows\System\ajnyKrw.exe	upx
C:\Windows\System\iOybtKD.exe	upx
behavioral2/memory/980-12-0x00007FF720620000-0x00007FF720971000-memory.dmp	upx
behavioral2/memory/4548-8-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	upx
C:\Windows\System\QFlpiJu.exe	upx
C:\Windows\System\plRtnnW.exe	upx
behavioral2/memory/3496-30-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	upx
behavioral2/memory/4600-27-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	upx
behavioral2/memory/852-23-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	upx
C:\Windows\System\KXPrEtP.exe	upx
behavioral2/memory/4648-38-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	upx
C:\Windows\System\rYMTeSE.exe	upx
C:\Windows\System\piDxOpw.exe	upx
behavioral2/memory/476-49-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	upx
C:\Windows\System\hLzkzzV.exe	upx
behavioral2/memory/2144-56-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	upx
C:\Windows\System\ePEdjfG.exe	upx
behavioral2/memory/964-62-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	upx
behavioral2/memory/3040-44-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	upx
C:\Windows\System\EatFykr.exe	upx
behavioral2/memory/1664-66-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	upx
C:\Windows\System\vNjSrlV.exe	upx
behavioral2/memory/3060-75-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	upx
behavioral2/memory/2036-72-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp	upx
C:\Windows\System\bhYQaml.exe	upx
C:\Windows\System\GqgJWij.exe	upx
behavioral2/memory/4600-90-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	upx
behavioral2/memory/3496-93-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	upx
C:\Windows\System\JhSZNey.exe	upx
behavioral2/memory/3548-103-0x00007FF6373F0000-0x00007FF637741000-memory.dmp	upx
C:\Windows\System\FkuSlAZ.exe	upx
C:\Windows\System\LIsONxC.exe	upx
C:\Windows\System\QAcyQdq.exe	upx
C:\Windows\System\NaUsXzt.exe	upx
C:\Windows\System\ijOBmJZ.exe	upx
C:\Windows\System\sIDymcV.exe	upx
behavioral2/memory/852-86-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	upx
behavioral2/memory/980-84-0x00007FF720620000-0x00007FF720971000-memory.dmp	upx
behavioral2/memory/4548-81-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	upx
behavioral2/memory/4648-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	upx
behavioral2/memory/3040-127-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	upx
behavioral2/memory/2144-129-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp	upx
behavioral2/memory/476-128-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp	upx
behavioral2/memory/964-130-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp	upx
behavioral2/memory/520-132-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp	upx
behavioral2/memory/1664-133-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	upx
behavioral2/memory/5076-134-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp	upx
behavioral2/memory/3060-135-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp	upx
behavioral2/memory/236-136-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp	upx
behavioral2/memory/2296-138-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp	upx
behavioral2/memory/3124-146-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp	upx
behavioral2/memory/4840-149-0x00007FF640A40000-0x00007FF640D91000-memory.dmp	upx
behavioral2/memory/4760-150-0x00007FF601FB0000-0x00007FF602301000-memory.dmp	upx
behavioral2/memory/524-151-0x00007FF697590000-0x00007FF6978E1000-memory.dmp	upx
behavioral2/memory/1664-157-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp	upx
behavioral2/memory/4548-181-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp	upx
behavioral2/memory/980-183-0x00007FF720620000-0x00007FF720971000-memory.dmp	upx
behavioral2/memory/852-186-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp	upx
behavioral2/memory/4600-188-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp	upx
behavioral2/memory/3496-189-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp	upx
behavioral2/memory/4648-202-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp	upx
behavioral2/memory/3040-204-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\iDCwWXZ.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rYMTeSE.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GqgJWij.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vNjSrlV.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NaUsXzt.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ijOBmJZ.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bhYQaml.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JhSZNey.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QFlpiJu.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\plRtnnW.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hLzkzzV.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\piDxOpw.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ePEdjfG.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EatFykr.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sIDymcV.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FkuSlAZ.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ajnyKrw.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iOybtKD.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KXPrEtP.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LIsONxC.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QAcyQdq.exe	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 1664 wrote to memory of 4548	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	iDCwWXZ.exe
PID 1664 wrote to memory of 4548	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	iDCwWXZ.exe
PID 1664 wrote to memory of 980	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ajnyKrw.exe
PID 1664 wrote to memory of 980	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ajnyKrw.exe
PID 1664 wrote to memory of 852	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	iOybtKD.exe
PID 1664 wrote to memory of 852	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	iOybtKD.exe
PID 1664 wrote to memory of 4600	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	QFlpiJu.exe
PID 1664 wrote to memory of 4600	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	QFlpiJu.exe
PID 1664 wrote to memory of 3496	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	plRtnnW.exe
PID 1664 wrote to memory of 3496	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	plRtnnW.exe
PID 1664 wrote to memory of 4648	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	KXPrEtP.exe
PID 1664 wrote to memory of 4648	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	KXPrEtP.exe
PID 1664 wrote to memory of 3040	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	rYMTeSE.exe
PID 1664 wrote to memory of 3040	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	rYMTeSE.exe
PID 1664 wrote to memory of 476	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	piDxOpw.exe
PID 1664 wrote to memory of 476	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	piDxOpw.exe
PID 1664 wrote to memory of 2144	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	hLzkzzV.exe
PID 1664 wrote to memory of 2144	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	hLzkzzV.exe
PID 1664 wrote to memory of 964	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ePEdjfG.exe
PID 1664 wrote to memory of 964	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ePEdjfG.exe
PID 1664 wrote to memory of 2036	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	EatFykr.exe
PID 1664 wrote to memory of 2036	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	EatFykr.exe
PID 1664 wrote to memory of 3060	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	vNjSrlV.exe
PID 1664 wrote to memory of 3060	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	vNjSrlV.exe
PID 1664 wrote to memory of 236	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	bhYQaml.exe
PID 1664 wrote to memory of 236	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	bhYQaml.exe
PID 1664 wrote to memory of 3548	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	GqgJWij.exe
PID 1664 wrote to memory of 3548	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	GqgJWij.exe
PID 1664 wrote to memory of 520	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	sIDymcV.exe
PID 1664 wrote to memory of 520	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	sIDymcV.exe
PID 1664 wrote to memory of 3124	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JhSZNey.exe
PID 1664 wrote to memory of 3124	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	JhSZNey.exe
PID 1664 wrote to memory of 5076	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	FkuSlAZ.exe
PID 1664 wrote to memory of 5076	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	FkuSlAZ.exe
PID 1664 wrote to memory of 2296	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	LIsONxC.exe
PID 1664 wrote to memory of 2296	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	LIsONxC.exe
PID 1664 wrote to memory of 4840	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	QAcyQdq.exe
PID 1664 wrote to memory of 4840	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	QAcyQdq.exe
PID 1664 wrote to memory of 4760	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	NaUsXzt.exe
PID 1664 wrote to memory of 4760	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	NaUsXzt.exe
PID 1664 wrote to memory of 524	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ijOBmJZ.exe
PID 1664 wrote to memory of 524	1664	2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe	ijOBmJZ.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_456669f917933c276f299f261e8a9a86_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\System\iDCwWXZ.exe
C:\Windows\System\iDCwWXZ.exe
2⤵
- Executes dropped EXE
PID:4548

C:\Windows\System\ajnyKrw.exe
C:\Windows\System\ajnyKrw.exe
2⤵
- Executes dropped EXE
PID:980

C:\Windows\System\iOybtKD.exe
C:\Windows\System\iOybtKD.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\QFlpiJu.exe
C:\Windows\System\QFlpiJu.exe
2⤵
- Executes dropped EXE
PID:4600

C:\Windows\System\plRtnnW.exe
C:\Windows\System\plRtnnW.exe
2⤵
- Executes dropped EXE
PID:3496

C:\Windows\System\KXPrEtP.exe
C:\Windows\System\KXPrEtP.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\rYMTeSE.exe
C:\Windows\System\rYMTeSE.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\System\piDxOpw.exe
C:\Windows\System\piDxOpw.exe
2⤵
- Executes dropped EXE
PID:476

C:\Windows\System\hLzkzzV.exe
C:\Windows\System\hLzkzzV.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\ePEdjfG.exe
C:\Windows\System\ePEdjfG.exe
2⤵
- Executes dropped EXE
PID:964

C:\Windows\System\EatFykr.exe
C:\Windows\System\EatFykr.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System\vNjSrlV.exe
C:\Windows\System\vNjSrlV.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\bhYQaml.exe
C:\Windows\System\bhYQaml.exe
2⤵
- Executes dropped EXE
PID:236

C:\Windows\System\GqgJWij.exe
C:\Windows\System\GqgJWij.exe
2⤵
- Executes dropped EXE
PID:3548

C:\Windows\System\sIDymcV.exe
C:\Windows\System\sIDymcV.exe
2⤵
- Executes dropped EXE
PID:520

C:\Windows\System\JhSZNey.exe
C:\Windows\System\JhSZNey.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Windows\System\FkuSlAZ.exe
C:\Windows\System\FkuSlAZ.exe
2⤵
- Executes dropped EXE
PID:5076

C:\Windows\System\LIsONxC.exe
C:\Windows\System\LIsONxC.exe
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\System\QAcyQdq.exe
C:\Windows\System\QAcyQdq.exe
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\System\NaUsXzt.exe
C:\Windows\System\NaUsXzt.exe
2⤵
- Executes dropped EXE
PID:4760

C:\Windows\System\ijOBmJZ.exe
C:\Windows\System\ijOBmJZ.exe
2⤵
- Executes dropped EXE
PID:524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EatFykr.exe
Filesize
5.2MB

MD5
c8a45501d853deaca8b0c780399942de

SHA1
59f119401f272f3a46933b029f2db81e81c422e2

SHA256
2aae94a6829057dcf1d0f6ed33fee78814e7df9560514a8808cc6634a19c5111

SHA512
e65b74b61489bf9bc25ee1ad546bdc4887e4f13f7b9d4b2535f2ddbcadd7861d8fefa87be72d141097229ce10c362b5b3fb2bad84e92be23b5273f18c59424c5

Download Submit
C:\Windows\System\FkuSlAZ.exe
Filesize
5.2MB

MD5
dd90fd11e7b95b51bcc473024a030e0c

SHA1
68695c419b8a59f2d325dceaa790a8f0e86d67a8

SHA256
d339516cd89394524f66b9f373224ef838eb1a1cd5b4e506742a208bf080a923

SHA512
8559ff7d4e22aa826a790d304976f09cc0715092fee8004d83ebf45550887d2b48d4b74d5fb4af4ac84f28df56ec82d63abe32961e232aded9f6f7c7370ea7ca

Download Submit
C:\Windows\System\GqgJWij.exe
Filesize
5.2MB

MD5
01bb78072d29413bcbbb83c9d70eb13e

SHA1
40d0882592c9b366e3587f3495da51e363acfb29

SHA256
2bfde69534adc6472c61a2b6ebc299bf76d0ba75ead8c71a2d72561241d382c7

SHA512
dc7638e778a657c0ca28dd024d3f7bc75b87f4b4bc5fab4ca6a3ef04af231f1a668d9cb964adbeecef9d20314b187064060f279d7211958a9c16de3fa0ece13a

Download Submit
C:\Windows\System\JhSZNey.exe
Filesize
5.2MB

MD5
fd683b300397d8b6ff06220246168e37

SHA1
871634ec0585c30de8f437de412e7fa10e33bb5a

SHA256
3c083ccb7a39db737157bc4ea88e028e15039defcf80c16f39fb7ffbdf499333

SHA512
832becca4fa2d823dd032aba3ba8ba4b686600d308357c9692d64615fa1d7875ed873030f2ea8c3d43de37b98e404f015f72141babf802b70d80af1ef85b9b94

Download Submit
C:\Windows\System\KXPrEtP.exe
Filesize
5.2MB

MD5
0f5b76a4ecc66dc05d1921022341d71a

SHA1
8b1e585297a63d4e72d582df0d9792533dd50e22

SHA256
3a142b3116ed13b069861b2dbead1b74e6ad7e0e0641e6f52ec114f28ca8872d

SHA512
b5ef44d5ff75db9d5a7252e79bee5457b9d5d04ec2b55e6b9648ba29ad31f6b4d0f31ef12d7768ef8890920214b6dcf49195eafc35393e20c9e4419c0a08610c

Download Submit
C:\Windows\System\LIsONxC.exe
Filesize
5.2MB

MD5
5a582bcbf26f79f4c06daaba258d91df

SHA1
8753d6abb48d2a0f0e78abca8e852a7d993d1c82

SHA256
14e1f0f5dcad58cd2d1cc49612ea02733e633d341e2078e61feec8d79e0416f6

SHA512
b0988ab7f1690b784c9d49bfcd1a97b715f34212213677bf4f8d32f3f531d72db61a85331e00017433926a7e86ed96b093bca84bde3873aabc0bc20523515943

Download Submit
C:\Windows\System\NaUsXzt.exe
Filesize
5.2MB

MD5
b25b7675b7c7f6a29d0d7f9402bef4cf

SHA1
627e62190292e5cbfd8f8d7c46cb6146261f48eb

SHA256
f6f6c8db4af854f91c40b392382090b7f3dfbbf94646a08b2f12aeb334c5f185

SHA512
75a27b65f201225e68fa084cff2f715289bd92ed6e0845d08aa578ef04e87b5087a2e7826539028548d33697d51c27400d8d3de9dee94c9a3822e305fbce7f9c

Download Submit
C:\Windows\System\QAcyQdq.exe
Filesize
5.2MB

MD5
9d9d28a1f0fa670d59a2286613578a90

SHA1
c016e9740ec196974e6b1ec449b412ecc0669eae

SHA256
491ee9f10a8d81a60ee97f215a434cfd7a1edf4fc37bd05652bed2b73f92874a

SHA512
2351e27d8c3d5c22a0ab39b22c54b87c80c6de478c510ffdfed0f9a44314b26fa1f6fbcf527e6f18e65acb4b50bfbeade520f161b3bbbc727392800aec9879e5

Download Submit
C:\Windows\System\QFlpiJu.exe
Filesize
5.2MB

MD5
ee339543dcc81a54cac1c049ee164a10

SHA1
1e9ed7b57dfeaf82071fafd1c2e1f8dc325ee982

SHA256
fbdc222b6c3c537c9af09a08edb593237641a089badabc963f70b966c19ba7eb

SHA512
a71617c85293edd6ccf85f68b482b07774598d4a991731378e2e5abe77b338ca65393d7a7d77ef542acae55bd3cda6e872f3e4d8a1d2446be19942b46f40c38c

Download Submit
C:\Windows\System\ajnyKrw.exe
Filesize
5.2MB

MD5
a8ece0995991bbc18e7a187ba5a2bd95

SHA1
b1f9df6b7443a437588d168da62b67d130628476

SHA256
758c80b3b5d5ae853c7f88565dde1a1d25a8d2b6f3559a709febd640f5f4bfd6

SHA512
f934910fc60906daf3224d94f3ba15c56942d98482a801d86a6e34c6417af35da697d8ad06211583ad82429c5b04417dda6152cb0f8a24e4c87f47870d2bce73

Download Submit
C:\Windows\System\bhYQaml.exe
Filesize
5.2MB

MD5
516314dc54cc8b27dbad278276e782f3

SHA1
856b01c8e569f198aae04cac683acbb94bc34d49

SHA256
f40a65b3de2d59b85401e05855dd28ff05ef5fe1299e203f589bd597f418fc8c

SHA512
b9a3e07969c8dd0c9143fca3c91da09f06e3d380be3798974d69d0f004f286ebae805b7142a6b558661865daab76cdc6d0c7af432e26476f1b3baca86a97009e

Download Submit
C:\Windows\System\ePEdjfG.exe
Filesize
5.2MB

MD5
9110adef681d13211fdc115d21b1edd7

SHA1
2a3bd6374ca421e7a83390655674292d433ac84e

SHA256
1fd9c2f724167ab176fd135e0486f3a485ce9c570d370b29dfeb5b9975a45dd8

SHA512
9fb322a1d4d6a2a1e7fe67bcd0a4daf3c4808b1d54a16b270a20e46ebbf7099b71697594c319f99116525c5a3619dcb3c1e921ba7d1cd23fcf9471276a443463

Download Submit
C:\Windows\System\hLzkzzV.exe
Filesize
5.2MB

MD5
685e4ca8ecbf7af9058bc0d88b2e7f7c

SHA1
441b30d1978d1ffd0d179a550ca41fdeb3f388c6

SHA256
758c3af3936d82c908b56e651353c1a3897538c7a7339403beaba178287731d1

SHA512
e617ee21d64ca1b1a840019860924102623521b0a27ce9d2d20ce48688586854852a1f98475b7e1566dfa9cad776caf64eb281508838a4d73657d325d0c1bb39

Download Submit
C:\Windows\System\iDCwWXZ.exe
Filesize
5.2MB

MD5
df42be8d958c387a8ece303964acfc59

SHA1
b56f67c9ca397dd1f873bd3b6933955f34411251

SHA256
7a8931989ba7ad525b1af1205ebffcfefddbff767f65b5b8f4d87710cb840844

SHA512
46a937812d0d2a0573383f58aca6762de2a1fb4e6c91675b1ec403a82a4011f923eaec1e0959fce222c684167cb278d1246e53d8eaed6a54f6779a4d290622df

Download Submit
C:\Windows\System\iOybtKD.exe
Filesize
5.2MB

MD5
3a47cf9884011d3aa1d53f73f333c2d7

SHA1
539e5fe677a02366fc636d3c5c8373ac38759b0e

SHA256
3697282544ac5cc8a0fea8f1a07fec3218793aed63b3a6d3ecd33ded320c63e9

SHA512
04a01770d78c740fc53f43cdb64a1e514700ab744b59f1792a73ac3d604e6c3818c04086075517838f4d9b019003d33cc4594ff92a4a08572672a27c604d8909

Download Submit
C:\Windows\System\ijOBmJZ.exe
Filesize
5.2MB

MD5
1c35ff54ca99720de89762501cf6c24e

SHA1
d14f6099cd2ffe61fed241b0569eb6ac04d5cbbd

SHA256
d54c5ce4e63025b09c34169610398cbbd86095c1909d620ff418c81bcc1a26b3

SHA512
c133ff15779a990b76595b67dd47571a46dc5f77174deaf83a747ce17d8a28ce59109d063daacea7198cab5babe84cc4eae5b8fb7a4b43c72e1ad1c741208754

Download Submit
C:\Windows\System\piDxOpw.exe
Filesize
5.2MB

MD5
34f52fdb77f0665ed20f9564ea796c52

SHA1
f26ae60d0e75bf7f391366148662199aa2a388d1

SHA256
ae3984337422b320d4071fd6c97689d83278c8c7f1067bd59e5e52f78fb5e0c2

SHA512
3caf8643c041e61f1a0c09c873aebc639f408a9bf7b47d889df421ca973c956f5370c804d0b2e93211c9c2a3b1a9e3d77de1d6811cfcc62964adfc65055e62a4

Download Submit
C:\Windows\System\plRtnnW.exe
Filesize
5.2MB

MD5
0c2ae2fb6af9907ffb632428d38daa0d

SHA1
6a2118dd2d3ebd1bdd035faf73e9089d20210559

SHA256
1470435e60fda47da6303399441663f55ca998aae39255d065569c17d660ec14

SHA512
2242bb5b3c07b5000dff13db6fd50a685001d230ee049cc6ea8b06ed3277536e56be7e782a098d21fcddbfb2f1360a67759a69332ee40f604ebd5fec84a8bb78

Download Submit
C:\Windows\System\rYMTeSE.exe
Filesize
5.2MB

MD5
ad59d854326cf8184ed5e12a4682ce03

SHA1
5bdfffa9f6a1c7868f1a27891d050d566f044455

SHA256
486d16fa224c8f435ce5477c48ae9e7f830a38e6ccf5a998c7cd2dd9c5a55530

SHA512
094f0bb87612c7b27218e67921dfb2a1c8f8208a812bfcb82d99f38e18f84a50218aac8eeb1722613cf21610ac8862303409807206c1eff06b5e0efc2060792e

Download Submit
C:\Windows\System\sIDymcV.exe
Filesize
5.2MB

MD5
0b6c0d95bf5bfce3aaa2d9bce1d49e81

SHA1
e4a6f0fc22ef79e22b73bacce94dc33886e014be

SHA256
a9cd615f005f78b734bc8fbc376c4220cc6b51df5e0e3c59d1e12f846f1121b6

SHA512
97aef08f333d68c83f7bdaef3cdbdefed54af42ca413255591f60469840ab0abc03cc0d19e861354051bf2e404555c0aa162cd77225d625e2f025894c90072ac

Download Submit
C:\Windows\System\vNjSrlV.exe
Filesize
5.2MB

MD5
205d0d44d9ebe9bf840938f769890bee

SHA1
5fed71c3b510bab394b70f55c625a73fdf417e4b

SHA256
d04e72754b5dc72e763e68f3b23b6ec1d2bf4f081e7fef4693803bd2c187847f

SHA512
36007fcf89174b2d96fbd881e07fc0bddfab47516ed7fd74401eb804b42859bc93b61f6bb67788f005b30ebe89f7636979db047e1e744d56564e59a8d9204750

Download Submit
memory/236-136-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp

Filesize
3.3MB

Download
memory/236-217-0x00007FF6686B0000-0x00007FF668A01000-memory.dmp

Filesize
3.3MB

Download
memory/476-128-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp

Filesize
3.3MB

Download
memory/476-49-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp

Filesize
3.3MB

Download
memory/476-206-0x00007FF70DB10000-0x00007FF70DE61000-memory.dmp

Filesize
3.3MB

Download
memory/520-132-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp

Filesize
3.3MB

Download
memory/520-225-0x00007FF74CE00000-0x00007FF74D151000-memory.dmp

Filesize
3.3MB

Download
memory/524-151-0x00007FF697590000-0x00007FF6978E1000-memory.dmp

Filesize
3.3MB

Download
memory/524-241-0x00007FF697590000-0x00007FF6978E1000-memory.dmp

Filesize
3.3MB

Download
memory/852-86-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp

Filesize
3.3MB

Download
memory/852-23-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp

Filesize
3.3MB

Download
memory/852-186-0x00007FF6E94D0000-0x00007FF6E9821000-memory.dmp

Filesize
3.3MB

Download
memory/964-62-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

Filesize
3.3MB

Download
memory/964-130-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

Filesize
3.3MB

Download
memory/964-209-0x00007FF6AF440000-0x00007FF6AF791000-memory.dmp

Filesize
3.3MB

Download
memory/980-84-0x00007FF720620000-0x00007FF720971000-memory.dmp

Filesize
3.3MB

Download
memory/980-183-0x00007FF720620000-0x00007FF720971000-memory.dmp

Filesize
3.3MB

Download
memory/980-12-0x00007FF720620000-0x00007FF720971000-memory.dmp

Filesize
3.3MB

Download
memory/1664-66-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-1-0x000001BB410D0000-0x000001BB410E0000-memory.dmp

Filesize
64KB

Download
memory/1664-0-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-133-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-157-0x00007FF6D7D90000-0x00007FF6D80E1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-213-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-72-0x00007FF69DF60000-0x00007FF69E2B1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-210-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-129-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-56-0x00007FF768D70000-0x00007FF7690C1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-236-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp

Filesize
3.3MB

Download
memory/2296-138-0x00007FF788BE0000-0x00007FF788F31000-memory.dmp

Filesize
3.3MB

Download
memory/3040-44-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp

Filesize
3.3MB

Download
memory/3040-204-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp

Filesize
3.3MB

Download
memory/3040-127-0x00007FF660AC0000-0x00007FF660E11000-memory.dmp

Filesize
3.3MB

Download
memory/3060-75-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp

Filesize
3.3MB

Download
memory/3060-135-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp

Filesize
3.3MB

Download
memory/3060-216-0x00007FF70C7C0000-0x00007FF70CB11000-memory.dmp

Filesize
3.3MB

Download
memory/3124-146-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3124-229-0x00007FF7BA460000-0x00007FF7BA7B1000-memory.dmp

Filesize
3.3MB

Download
memory/3496-93-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp

Filesize
3.3MB

Download
memory/3496-189-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp

Filesize
3.3MB

Download
memory/3496-30-0x00007FF6D9320000-0x00007FF6D9671000-memory.dmp

Filesize
3.3MB

Download
memory/3548-223-0x00007FF6373F0000-0x00007FF637741000-memory.dmp

Filesize
3.3MB

Download
memory/3548-103-0x00007FF6373F0000-0x00007FF637741000-memory.dmp

Filesize
3.3MB

Download
memory/4548-181-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp

Filesize
3.3MB

Download
memory/4548-81-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp

Filesize
3.3MB

Download
memory/4548-8-0x00007FF6BD320000-0x00007FF6BD671000-memory.dmp

Filesize
3.3MB

Download
memory/4600-188-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp

Filesize
3.3MB

Download
memory/4600-27-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp

Filesize
3.3MB

Download
memory/4600-90-0x00007FF7E45D0000-0x00007FF7E4921000-memory.dmp

Filesize
3.3MB

Download
memory/4648-126-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-202-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-38-0x00007FF6F7E70000-0x00007FF6F81C1000-memory.dmp

Filesize
3.3MB

Download
memory/4760-150-0x00007FF601FB0000-0x00007FF602301000-memory.dmp

Filesize
3.3MB

Download
memory/4760-242-0x00007FF601FB0000-0x00007FF602301000-memory.dmp

Filesize
3.3MB

Download
memory/4840-149-0x00007FF640A40000-0x00007FF640D91000-memory.dmp

Filesize
3.3MB

Download
memory/4840-240-0x00007FF640A40000-0x00007FF640D91000-memory.dmp

Filesize
3.3MB

Download
memory/5076-134-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp

Filesize
3.3MB

Download
memory/5076-233-0x00007FF6886C0000-0x00007FF688A11000-memory.dmp

Filesize
3.3MB

Download