cobaltstrike | 9230620af9c49243e4b65b6f5236eab6ff944b77210ec9ffbca145a4ef3491ac

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

77b1999d1643baee6b5913926db65f9e
SHA1

71ee6fa13708e5bc44742d491cb07a3f3d13052f
SHA256

9230620af9c49243e4b65b6f5236eab6ff944b77210ec9ffbca145a4ef3491ac
SHA512

dcb32f51e16f7b73dc59dda3498332319bf44373da7da01b5d3109a94b60d115c9229651700790c6a142643e87077b82764ef826fb5225515db5feeceeff4539
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBibf56utgpPFotBER/mQ32lUk

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\hskMYqy.exe	cobalt_reflective_dll
C:\Windows\System\shuNxpW.exe	cobalt_reflective_dll
C:\Windows\System\MrTIOTv.exe	cobalt_reflective_dll
C:\Windows\System\aXZjoBS.exe	cobalt_reflective_dll
C:\Windows\System\YauCYOs.exe	cobalt_reflective_dll
C:\Windows\System\oQHjDiq.exe	cobalt_reflective_dll
C:\Windows\System\fInFyDi.exe	cobalt_reflective_dll
C:\Windows\System\VysotoN.exe	cobalt_reflective_dll
C:\Windows\System\mJokMZP.exe	cobalt_reflective_dll
C:\Windows\System\yImUouV.exe	cobalt_reflective_dll
C:\Windows\System\VwkZKQA.exe	cobalt_reflective_dll
C:\Windows\System\CEuAOZF.exe	cobalt_reflective_dll
C:\Windows\System\frbXqlJ.exe	cobalt_reflective_dll
C:\Windows\System\MkvnDkN.exe	cobalt_reflective_dll
C:\Windows\System\GGqBzCq.exe	cobalt_reflective_dll
C:\Windows\System\PBHstfC.exe	cobalt_reflective_dll
C:\Windows\System\gbdTVYJ.exe	cobalt_reflective_dll
C:\Windows\System\jlxJZhI.exe	cobalt_reflective_dll
C:\Windows\System\ZnjQWqN.exe	cobalt_reflective_dll
C:\Windows\System\NUdiVkk.exe	cobalt_reflective_dll
C:\Windows\System\TJdVDlq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\hskMYqy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\shuNxpW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MrTIOTv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aXZjoBS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YauCYOs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oQHjDiq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fInFyDi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VysotoN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mJokMZP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yImUouV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VwkZKQA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CEuAOZF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\frbXqlJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MkvnDkN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GGqBzCq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PBHstfC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gbdTVYJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jlxJZhI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZnjQWqN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NUdiVkk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TJdVDlq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	UPX
C:\Windows\System\hskMYqy.exe	UPX
C:\Windows\System\shuNxpW.exe	UPX
C:\Windows\System\MrTIOTv.exe	UPX
C:\Windows\System\aXZjoBS.exe	UPX
C:\Windows\System\YauCYOs.exe	UPX
C:\Windows\System\oQHjDiq.exe	UPX
C:\Windows\System\fInFyDi.exe	UPX
C:\Windows\System\VysotoN.exe	UPX
C:\Windows\System\mJokMZP.exe	UPX
behavioral2/memory/2196-117-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp	UPX
behavioral2/memory/5004-119-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	UPX
behavioral2/memory/3452-122-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp	UPX
behavioral2/memory/4768-124-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	UPX
behavioral2/memory/4784-127-0x00007FF747270000-0x00007FF7475C1000-memory.dmp	UPX
behavioral2/memory/3772-126-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp	UPX
behavioral2/memory/4120-125-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp	UPX
behavioral2/memory/4416-123-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp	UPX
behavioral2/memory/3152-121-0x00007FF782A30000-0x00007FF782D81000-memory.dmp	UPX
behavioral2/memory/380-120-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp	UPX
behavioral2/memory/4268-118-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	UPX
C:\Windows\System\yImUouV.exe	UPX
behavioral2/memory/1200-114-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	UPX
C:\Windows\System\VwkZKQA.exe	UPX
C:\Windows\System\CEuAOZF.exe	UPX
behavioral2/memory/2568-105-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	UPX
behavioral2/memory/2592-102-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	UPX
C:\Windows\System\frbXqlJ.exe	UPX
behavioral2/memory/1080-93-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	UPX
C:\Windows\System\MkvnDkN.exe	UPX
C:\Windows\System\GGqBzCq.exe	UPX
C:\Windows\System\PBHstfC.exe	UPX
behavioral2/memory/976-69-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	UPX
C:\Windows\System\gbdTVYJ.exe	UPX
C:\Windows\System\jlxJZhI.exe	UPX
C:\Windows\System\ZnjQWqN.exe	UPX
behavioral2/memory/4728-51-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	UPX
C:\Windows\System\NUdiVkk.exe	UPX
behavioral2/memory/2956-41-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	UPX
behavioral2/memory/3356-24-0x00007FF739830000-0x00007FF739B81000-memory.dmp	UPX
behavioral2/memory/1488-14-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	UPX
C:\Windows\System\TJdVDlq.exe	UPX
behavioral2/memory/1552-10-0x00007FF785400000-0x00007FF785751000-memory.dmp	UPX
behavioral2/memory/4996-128-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	UPX
behavioral2/memory/1552-129-0x00007FF785400000-0x00007FF785751000-memory.dmp	UPX
behavioral2/memory/1488-130-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	UPX
behavioral2/memory/3356-131-0x00007FF739830000-0x00007FF739B81000-memory.dmp	UPX
behavioral2/memory/2956-132-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	UPX
behavioral2/memory/4728-134-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	UPX
behavioral2/memory/976-135-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	UPX
behavioral2/memory/2592-138-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	UPX
behavioral2/memory/4996-150-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	UPX
behavioral2/memory/4996-151-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	UPX
behavioral2/memory/1552-196-0x00007FF785400000-0x00007FF785751000-memory.dmp	UPX
behavioral2/memory/1488-198-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	UPX
behavioral2/memory/3356-200-0x00007FF739830000-0x00007FF739B81000-memory.dmp	UPX
behavioral2/memory/2956-206-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	UPX
behavioral2/memory/4768-211-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	UPX
behavioral2/memory/4728-216-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	UPX
behavioral2/memory/1080-220-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	UPX
behavioral2/memory/976-225-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	UPX
behavioral2/memory/2568-230-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	UPX
behavioral2/memory/5004-238-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	UPX
behavioral2/memory/1200-231-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2196-117-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp	xmrig
behavioral2/memory/5004-119-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	xmrig
behavioral2/memory/3452-122-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp	xmrig
behavioral2/memory/4768-124-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	xmrig
behavioral2/memory/4784-127-0x00007FF747270000-0x00007FF7475C1000-memory.dmp	xmrig
behavioral2/memory/3772-126-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp	xmrig
behavioral2/memory/4120-125-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp	xmrig
behavioral2/memory/4416-123-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp	xmrig
behavioral2/memory/3152-121-0x00007FF782A30000-0x00007FF782D81000-memory.dmp	xmrig
behavioral2/memory/380-120-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp	xmrig
behavioral2/memory/4268-118-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	xmrig
behavioral2/memory/1200-114-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	xmrig
behavioral2/memory/2568-105-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	xmrig
behavioral2/memory/2592-102-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	xmrig
behavioral2/memory/1080-93-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	xmrig
behavioral2/memory/1552-10-0x00007FF785400000-0x00007FF785751000-memory.dmp	xmrig
behavioral2/memory/4996-128-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	xmrig
behavioral2/memory/1552-129-0x00007FF785400000-0x00007FF785751000-memory.dmp	xmrig
behavioral2/memory/1488-130-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	xmrig
behavioral2/memory/3356-131-0x00007FF739830000-0x00007FF739B81000-memory.dmp	xmrig
behavioral2/memory/2956-132-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	xmrig
behavioral2/memory/4728-134-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	xmrig
behavioral2/memory/976-135-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	xmrig
behavioral2/memory/2592-138-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	xmrig
behavioral2/memory/4996-150-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	xmrig
behavioral2/memory/4996-151-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	xmrig
behavioral2/memory/1552-196-0x00007FF785400000-0x00007FF785751000-memory.dmp	xmrig
behavioral2/memory/1488-198-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	xmrig
behavioral2/memory/3356-200-0x00007FF739830000-0x00007FF739B81000-memory.dmp	xmrig
behavioral2/memory/2956-206-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	xmrig
behavioral2/memory/4768-211-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	xmrig
behavioral2/memory/4728-216-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	xmrig
behavioral2/memory/1080-220-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	xmrig
behavioral2/memory/976-225-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	xmrig
behavioral2/memory/2568-230-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	xmrig
behavioral2/memory/5004-238-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	xmrig
behavioral2/memory/1200-231-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	xmrig
behavioral2/memory/2592-241-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	xmrig
behavioral2/memory/2196-240-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp	xmrig
behavioral2/memory/4120-239-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp	xmrig
behavioral2/memory/3772-249-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp	xmrig
behavioral2/memory/3452-252-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp	xmrig
behavioral2/memory/4268-255-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	xmrig
behavioral2/memory/4784-254-0x00007FF747270000-0x00007FF7475C1000-memory.dmp	xmrig
behavioral2/memory/3152-253-0x00007FF782A30000-0x00007FF782D81000-memory.dmp	xmrig
behavioral2/memory/4416-251-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp	xmrig
behavioral2/memory/380-250-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

hskMYqy.exeTJdVDlq.exeshuNxpW.exeMrTIOTv.exeZnjQWqN.exeNUdiVkk.exejlxJZhI.exeaXZjoBS.exegbdTVYJ.exePBHstfC.exeYauCYOs.exeoQHjDiq.exeGGqBzCq.exefrbXqlJ.exefInFyDi.exemJokMZP.exeMkvnDkN.exeVwkZKQA.exeCEuAOZF.exeyImUouV.exeVysotoN.exe

pid	process
1552	hskMYqy.exe
1488	TJdVDlq.exe
3356	shuNxpW.exe
2956	MrTIOTv.exe
4728	ZnjQWqN.exe
4768	NUdiVkk.exe
976	jlxJZhI.exe
1080	aXZjoBS.exe
2592	gbdTVYJ.exe
2568	PBHstfC.exe
4120	YauCYOs.exe
1200	oQHjDiq.exe
2196	GGqBzCq.exe
3772	frbXqlJ.exe
4268	fInFyDi.exe
4784	mJokMZP.exe
5004	MkvnDkN.exe
380	VwkZKQA.exe
3152	CEuAOZF.exe
3452	yImUouV.exe
4416	VysotoN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	upx
C:\Windows\System\hskMYqy.exe	upx
C:\Windows\System\shuNxpW.exe	upx
C:\Windows\System\MrTIOTv.exe	upx
C:\Windows\System\aXZjoBS.exe	upx
C:\Windows\System\YauCYOs.exe	upx
C:\Windows\System\oQHjDiq.exe	upx
C:\Windows\System\fInFyDi.exe	upx
C:\Windows\System\VysotoN.exe	upx
C:\Windows\System\mJokMZP.exe	upx
behavioral2/memory/2196-117-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp	upx
behavioral2/memory/5004-119-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	upx
behavioral2/memory/3452-122-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp	upx
behavioral2/memory/4768-124-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	upx
behavioral2/memory/4784-127-0x00007FF747270000-0x00007FF7475C1000-memory.dmp	upx
behavioral2/memory/3772-126-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp	upx
behavioral2/memory/4120-125-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp	upx
behavioral2/memory/4416-123-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp	upx
behavioral2/memory/3152-121-0x00007FF782A30000-0x00007FF782D81000-memory.dmp	upx
behavioral2/memory/380-120-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp	upx
behavioral2/memory/4268-118-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp	upx
C:\Windows\System\yImUouV.exe	upx
behavioral2/memory/1200-114-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	upx
C:\Windows\System\VwkZKQA.exe	upx
C:\Windows\System\CEuAOZF.exe	upx
behavioral2/memory/2568-105-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	upx
behavioral2/memory/2592-102-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	upx
C:\Windows\System\frbXqlJ.exe	upx
behavioral2/memory/1080-93-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	upx
C:\Windows\System\MkvnDkN.exe	upx
C:\Windows\System\GGqBzCq.exe	upx
C:\Windows\System\PBHstfC.exe	upx
behavioral2/memory/976-69-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	upx
C:\Windows\System\gbdTVYJ.exe	upx
C:\Windows\System\jlxJZhI.exe	upx
C:\Windows\System\ZnjQWqN.exe	upx
behavioral2/memory/4728-51-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	upx
C:\Windows\System\NUdiVkk.exe	upx
behavioral2/memory/2956-41-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	upx
behavioral2/memory/3356-24-0x00007FF739830000-0x00007FF739B81000-memory.dmp	upx
behavioral2/memory/1488-14-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	upx
C:\Windows\System\TJdVDlq.exe	upx
behavioral2/memory/1552-10-0x00007FF785400000-0x00007FF785751000-memory.dmp	upx
behavioral2/memory/4996-128-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	upx
behavioral2/memory/1552-129-0x00007FF785400000-0x00007FF785751000-memory.dmp	upx
behavioral2/memory/1488-130-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	upx
behavioral2/memory/3356-131-0x00007FF739830000-0x00007FF739B81000-memory.dmp	upx
behavioral2/memory/2956-132-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	upx
behavioral2/memory/4728-134-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	upx
behavioral2/memory/976-135-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	upx
behavioral2/memory/2592-138-0x00007FF786770000-0x00007FF786AC1000-memory.dmp	upx
behavioral2/memory/4996-150-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	upx
behavioral2/memory/4996-151-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp	upx
behavioral2/memory/1552-196-0x00007FF785400000-0x00007FF785751000-memory.dmp	upx
behavioral2/memory/1488-198-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp	upx
behavioral2/memory/3356-200-0x00007FF739830000-0x00007FF739B81000-memory.dmp	upx
behavioral2/memory/2956-206-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp	upx
behavioral2/memory/4768-211-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp	upx
behavioral2/memory/4728-216-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp	upx
behavioral2/memory/1080-220-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp	upx
behavioral2/memory/976-225-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp	upx
behavioral2/memory/2568-230-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp	upx
behavioral2/memory/5004-238-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp	upx
behavioral2/memory/1200-231-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\TJdVDlq.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\shuNxpW.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MrTIOTv.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\frbXqlJ.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VysotoN.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mJokMZP.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZnjQWqN.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aXZjoBS.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gbdTVYJ.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PBHstfC.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oQHjDiq.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jlxJZhI.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fInFyDi.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MkvnDkN.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CEuAOZF.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yImUouV.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hskMYqy.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NUdiVkk.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YauCYOs.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GGqBzCq.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VwkZKQA.exe	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 4996 wrote to memory of 1552	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	hskMYqy.exe
PID 4996 wrote to memory of 1552	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	hskMYqy.exe
PID 4996 wrote to memory of 1488	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	TJdVDlq.exe
PID 4996 wrote to memory of 1488	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	TJdVDlq.exe
PID 4996 wrote to memory of 3356	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	shuNxpW.exe
PID 4996 wrote to memory of 3356	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	shuNxpW.exe
PID 4996 wrote to memory of 2956	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	MrTIOTv.exe
PID 4996 wrote to memory of 2956	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	MrTIOTv.exe
PID 4996 wrote to memory of 4768	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	NUdiVkk.exe
PID 4996 wrote to memory of 4768	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	NUdiVkk.exe
PID 4996 wrote to memory of 4728	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ZnjQWqN.exe
PID 4996 wrote to memory of 4728	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	ZnjQWqN.exe
PID 4996 wrote to memory of 976	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	jlxJZhI.exe
PID 4996 wrote to memory of 976	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	jlxJZhI.exe
PID 4996 wrote to memory of 1080	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	aXZjoBS.exe
PID 4996 wrote to memory of 1080	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	aXZjoBS.exe
PID 4996 wrote to memory of 4120	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	YauCYOs.exe
PID 4996 wrote to memory of 4120	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	YauCYOs.exe
PID 4996 wrote to memory of 2592	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	gbdTVYJ.exe
PID 4996 wrote to memory of 2592	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	gbdTVYJ.exe
PID 4996 wrote to memory of 2568	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	PBHstfC.exe
PID 4996 wrote to memory of 2568	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	PBHstfC.exe
PID 4996 wrote to memory of 1200	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	oQHjDiq.exe
PID 4996 wrote to memory of 1200	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	oQHjDiq.exe
PID 4996 wrote to memory of 2196	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	GGqBzCq.exe
PID 4996 wrote to memory of 2196	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	GGqBzCq.exe
PID 4996 wrote to memory of 4784	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	mJokMZP.exe
PID 4996 wrote to memory of 4784	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	mJokMZP.exe
PID 4996 wrote to memory of 3772	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	frbXqlJ.exe
PID 4996 wrote to memory of 3772	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	frbXqlJ.exe
PID 4996 wrote to memory of 4268	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	fInFyDi.exe
PID 4996 wrote to memory of 4268	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	fInFyDi.exe
PID 4996 wrote to memory of 5004	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	MkvnDkN.exe
PID 4996 wrote to memory of 5004	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	MkvnDkN.exe
PID 4996 wrote to memory of 380	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	VwkZKQA.exe
PID 4996 wrote to memory of 380	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	VwkZKQA.exe
PID 4996 wrote to memory of 4416	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	VysotoN.exe
PID 4996 wrote to memory of 4416	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	VysotoN.exe
PID 4996 wrote to memory of 3152	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	CEuAOZF.exe
PID 4996 wrote to memory of 3152	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	CEuAOZF.exe
PID 4996 wrote to memory of 3452	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	yImUouV.exe
PID 4996 wrote to memory of 3452	4996	2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe	yImUouV.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-16_77b1999d1643baee6b5913926db65f9e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System\hskMYqy.exe
C:\Windows\System\hskMYqy.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\System\TJdVDlq.exe
C:\Windows\System\TJdVDlq.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\shuNxpW.exe
C:\Windows\System\shuNxpW.exe
2⤵
- Executes dropped EXE
PID:3356

C:\Windows\System\MrTIOTv.exe
C:\Windows\System\MrTIOTv.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\NUdiVkk.exe
C:\Windows\System\NUdiVkk.exe
2⤵
- Executes dropped EXE
PID:4768

C:\Windows\System\ZnjQWqN.exe
C:\Windows\System\ZnjQWqN.exe
2⤵
- Executes dropped EXE
PID:4728

C:\Windows\System\jlxJZhI.exe
C:\Windows\System\jlxJZhI.exe
2⤵
- Executes dropped EXE
PID:976

C:\Windows\System\aXZjoBS.exe
C:\Windows\System\aXZjoBS.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\YauCYOs.exe
C:\Windows\System\YauCYOs.exe
2⤵
- Executes dropped EXE
PID:4120

C:\Windows\System\gbdTVYJ.exe
C:\Windows\System\gbdTVYJ.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\PBHstfC.exe
C:\Windows\System\PBHstfC.exe
2⤵
- Executes dropped EXE
PID:2568

C:\Windows\System\oQHjDiq.exe
C:\Windows\System\oQHjDiq.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System\GGqBzCq.exe
C:\Windows\System\GGqBzCq.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\mJokMZP.exe
C:\Windows\System\mJokMZP.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\frbXqlJ.exe
C:\Windows\System\frbXqlJ.exe
2⤵
- Executes dropped EXE
PID:3772

C:\Windows\System\fInFyDi.exe
C:\Windows\System\fInFyDi.exe
2⤵
- Executes dropped EXE
PID:4268

C:\Windows\System\MkvnDkN.exe
C:\Windows\System\MkvnDkN.exe
2⤵
- Executes dropped EXE
PID:5004

C:\Windows\System\VwkZKQA.exe
C:\Windows\System\VwkZKQA.exe
2⤵
- Executes dropped EXE
PID:380

C:\Windows\System\VysotoN.exe
C:\Windows\System\VysotoN.exe
2⤵
- Executes dropped EXE
PID:4416

C:\Windows\System\CEuAOZF.exe
C:\Windows\System\CEuAOZF.exe
2⤵
- Executes dropped EXE
PID:3152

C:\Windows\System\yImUouV.exe
C:\Windows\System\yImUouV.exe
2⤵
- Executes dropped EXE
PID:3452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CEuAOZF.exe
Filesize
5.2MB

MD5
0d9cf4c1b2585d494e97d0c87a2628be

SHA1
c4074ea924710c6b57af7e5eb359e39d094932b1

SHA256
8cd96416464b72a8ed9733fac9ba48512f7a527f5f2eb8195e1e9d236dcebe92

SHA512
db9b9e9d7f4c63c3421271862f7d0becd0ebe002d9e0e650d5c85a58817cdc642f8e5884d5e5d03582a32ad015c8071a86eb961da5f9c39c8a761b4a63c3a729

Download Submit
C:\Windows\System\GGqBzCq.exe
Filesize
5.2MB

MD5
da80d893e446515025dcdcc17989b08b

SHA1
4999695c5aacb0b599146255ff27ef00ca91407f

SHA256
b49f2b4d0579de745efc256cc8b561e38679ed1a672c1959342e360cb2db3250

SHA512
5b16f76cb994eada0309963495288ab68b188214e43b7a3d82fe4fa8cdfb20a753056309f48372014cb63faecdb74728f81bbb00361bbcced703aa8799d4004d

Download Submit
C:\Windows\System\MkvnDkN.exe
Filesize
5.2MB

MD5
6756d2205055f78dff9604e503b42d70

SHA1
3d751a0d58018919b917115849876c370ab64da9

SHA256
0f131e47d2f8ad1f94d00e89f33f54f5a3d1c57b82032bd4ef69f421302b096b

SHA512
dd5db0d317b3d16ac0421862ce8fe8afafb0d14fae743fede90c8e13ad595605a6b4778038913155c714d7455b9d6ebe3859d0f4958dac3966030bbd217b067a

Download Submit
C:\Windows\System\MrTIOTv.exe
Filesize
5.2MB

MD5
32027f4cb5dbbb6bf7a6e435cad19ec8

SHA1
003a7a0ab4f440ba6a22399651d5f1b4c95841c6

SHA256
b1f57170a68977f3a8eda1d6f685d47e8bab103aab8856ee3af999419f8365d0

SHA512
ca02b532f6f3313f0d7f5c013c2bdd44a58b176fdb8e3879428387619c951794946fccaaaa8f90efab406d0fcf2ee81a836d3fd27ad583960021640e8a705b9f

Download Submit
C:\Windows\System\NUdiVkk.exe
Filesize
5.2MB

MD5
263c05cd13a100cf876c21dd9bb114f5

SHA1
df9f3295008e2d92c8d6e3f2392ce366e78c364f

SHA256
6ae06698829035a2413fa4c544ee6b996b0d21f6b54f4aedc762579253f43e20

SHA512
aeddabd34e848e58ce8db139f6ecb6040a5965ac88d2c21505c027d4ebd54ae50a62d89996ca920feb3cfea3d9974c7338fa6efcac733fd1c58cbd84136e704e

Download Submit
C:\Windows\System\PBHstfC.exe
Filesize
5.2MB

MD5
b30eb977bdd35c647e9434e617a59224

SHA1
34439e074d45f0e4493c29ec2dda88955b74aa0a

SHA256
9ace3327b16e2b1e997693180a303130e6c8700c7420c6507c7b036e49b631f8

SHA512
3aee876858504bf27ca8d866911edbd6bcf1ab9aa743d71796b05374e735ec4a3baaeb73773667b99c9d135063f81a319ea5ec40f1e97192779d9206eb46452a

Download Submit
C:\Windows\System\TJdVDlq.exe
Filesize
5.2MB

MD5
03db3e87163ab8223bd3bee3095d721e

SHA1
7651f3d447a4357f4232d5355fb4826d33df6fe3

SHA256
7def44b295be3c63ce059ca810e69ba7ff733562fdaeb859f4632a294d3955ba

SHA512
3190caab838b84e1e2bdf4e90ffc4bfc89aa99723640f2a1c9cdfa34db8b5d9a1853f64f0aa3179d48789c8e091b3f662e0319be0a9493b9fe28dcf9e71b36e1

Download Submit
C:\Windows\System\VwkZKQA.exe
Filesize
5.2MB

MD5
96bb884aeb8aee3107965e5e33f6f7d9

SHA1
e47a29e60735383e3e1ba449456a357fb17419ab

SHA256
cbd00c2169f5dab75098d2e9835e1cf3391235914e1a358e0fc68c8eb44b43c7

SHA512
57eae9b1b40288d47bac911c5aa692e35f34ef7a9ef0ff209378b7706bea8d715da840e681cfca01e6a34473e55a46da9c718687ea166c98e9f9c4f2d84295b5

Download Submit
C:\Windows\System\VysotoN.exe
Filesize
5.2MB

MD5
5bff2fc6119da57ef8f6d3c7375a7cbc

SHA1
c69361ec49bddb40cf2214a5a31d09250871ed08

SHA256
c61d5dfa949da994e44cc285ae0ab10e3b32694ef231958e5f603c7b379094ff

SHA512
4e21181eefd9bade58ed5bef2311bf92d60bc1c2bb02d0cae4d508d0f105963ab0056825200c61475068b0c6a57ebce050b2ff7e26429605b007baea893953d9

Download Submit
C:\Windows\System\YauCYOs.exe
Filesize
5.2MB

MD5
e6738e07ab76b9a79fabb19a36f966d1

SHA1
0290fe9321e41bf3024f82f8f1f2357e693bf3d2

SHA256
d3d18084d94a0b536c2f609cb72a3c53285bcc0d6caf3f80c08766137dd51255

SHA512
283f07cc9691dbb4565f0ec8982de7da683ad5745299e39782371926e5506be76440654390c1efaf2db47ad32f9c2af86aeb6d9b2903d7da78803343b1970af6

Download Submit
C:\Windows\System\ZnjQWqN.exe
Filesize
5.2MB

MD5
02876ef52ba262527768d2567dc65e49

SHA1
8b56b1961a6c07df082c9013c13d21d567a5f43f

SHA256
973f5146bcd9ff12791de1e623c3b0a9d84a651deb896dad5b5cc6b2c68c394d

SHA512
80f949cb438b939f91c25080798e44e3e06ec5a863292423034227d64c073b7d3c29d02ee48fad32e4c607d660f2a565be1854b258ef678d2eb4ec0e26c75d19

Download Submit
C:\Windows\System\aXZjoBS.exe
Filesize
5.2MB

MD5
e7e93b8c8d3000950a093156ed91047c

SHA1
4af328946fafc7224dac0c35e2fa63b9db925a8a

SHA256
5c045b4dc97fbcdee4c583b1323605c0f653144a6cc2ee08be8209b7f0dbe9ef

SHA512
bc5892363e080a2d036b42bd816530dda95d2cb1aa119f5da07f762a96ebb773f5398edc5ea256eca59472ae8311c98b3d9f4f54b2e2a12cb11a4fc2d56c96b4

Download Submit
C:\Windows\System\fInFyDi.exe
Filesize
5.2MB

MD5
3a904f8570db27442f13c0042719e6d3

SHA1
b8382a18620229364d317a81b86c7fed5c94f3cc

SHA256
69a7a26e98cc8705235fb28476cbab01381ad21f263eaf3705cc67c1f8af09fd

SHA512
b362a468f75daf39d5aaec4a637a7555e2faaa21fc44be1df781eec898fa9ca8029788751d95492e0b077c7c77762a957b88b20838cd6d492304d0c8745385cb

Download Submit
C:\Windows\System\frbXqlJ.exe
Filesize
5.2MB

MD5
e36af7e52e9ee309fd1a6374ab1db74c

SHA1
6053133b573aa49f4e2ce2bb6ad4958dfe9e2b0c

SHA256
89511472054dc2a42fe69141433cee713a3b09159cdea04c8321028c4dde3cd7

SHA512
b11dbbc5eb675a7fec26cabc124727ea4fb5fd9c5396a1cc682f59b0ab1be79125c9c408ceabab5f2600c21f0c117fa497f6bc0d548c4cac09ae56c4950a0500

Download Submit
C:\Windows\System\gbdTVYJ.exe
Filesize
5.2MB

MD5
5ede97165c02661fe102f5aedc2bfd18

SHA1
6828795eba53b7e83b825c19e5726fc7fab4be84

SHA256
4276fd85ded7bf4d0aa406dc3f4460dde95cc695c9b85fbb7de9375f3898aaf0

SHA512
8296a2a28816b335d0156c4f75d502c8fbd60980cdee19a3804ea94dc6dfa30c1aa3c4f26f86cc8a30badf1e22271d08c41f190736ac124825babd0f4e669fbc

Download Submit
C:\Windows\System\hskMYqy.exe
Filesize
5.2MB

MD5
ad56dc84a8055d8396b157fb9d894258

SHA1
b1df51657fa7e5577495715f06db2c4f6d31abe8

SHA256
6bbdaec3f856de72479cfdd0c6ff4f3c70c5ac91811f5268eea0707c3735fc5c

SHA512
f6d34b42dccdd5f4a0495ed12a06ae60d6532d14695165b6b04af5772b2e5830124742b8e8bc15673cb5407b3d80c7025d7f7977095cf476ca84b8ba1b40ae6a

Download Submit
C:\Windows\System\jlxJZhI.exe
Filesize
5.2MB

MD5
649fe999fcd4c336ebf6f5e118f77942

SHA1
1c727f6850b80fce14de66dd36324a4d4a388f0f

SHA256
9d62bce65cdc6c5227ba1e9b267e4b4998dce4e94a4b395da0519feaeabfb9b3

SHA512
b34f5909806793d06d44213ec8623dd2cb740dd45b70941b6f5ccd4f2c02d93158c220a007ac14f507d3dc1e9a743ab985da5fd02444bc37bc84bec1aac1eaef

Download Submit
C:\Windows\System\mJokMZP.exe
Filesize
5.2MB

MD5
2f93e97aaa8ed7f81eb28cbada123501

SHA1
d033d442094cb593c9e62e3c1b78b3128e73100e

SHA256
a880d67e85c8268a487c6e208adf8745e974d6f5b918eccd22f37389997a52ab

SHA512
1acfd6b1d66ea73bb44c56e56998f976c40ec5d71aeeafd9e1a833e0207d78e49cbafaae382700d61e564d3bade3011db5f9e59535d2c0614720fc89e75fb105

Download Submit
C:\Windows\System\oQHjDiq.exe
Filesize
5.2MB

MD5
a369d20d3c29d3b2115bbb4c3ad604df

SHA1
068564871ae0beb9a7e357a0b5558cb888b53443

SHA256
1e4ce359690a5ef75d87094dfe6acea03d83312bc24ddce74c28a3e23211072f

SHA512
dffd68c1f47a5fa2d831875886ef885b61d3fe37c4cd50512b72cb255c89a7e78d6d0fa62f2c9d5eb652ce6052fa42637b233fe0a15aeb5e614d52d357563454

Download Submit
C:\Windows\System\shuNxpW.exe
Filesize
5.2MB

MD5
7499bcf2fed7336712a67e11c92190ae

SHA1
dc9b86ca8463fc0130c817e958d895bdd3a75741

SHA256
24a0490e3a23a25b95088c6472f3fffb61f40087095fcf6ac24ebbd525e749d1

SHA512
5cd06f5737d75ebc974f11ac91f662e7455ed06bdf9cf94b5d909539b515f7f9b1df08783aa0bac2e8e44c5da04625dd61a3b170bd173614f23d96360c0caf5e

Download Submit
C:\Windows\System\yImUouV.exe
Filesize
5.2MB

MD5
a3737606678979722f6e61a0b5e4e46d

SHA1
dc258acd91f3d7fe2b8d130866529fa1fb8047fa

SHA256
0d9ec537a0db56a055059cd1fa5f4a43e91e517dd618a2020b985a9495b62cdd

SHA512
f9e5408017cd5ccafe10bc4ab3c8c04eedc64e432003e821d7d4fcbe93e79e3a3857ac69a5888b6cc2591caf359ba7a92eebf21dd2c6140166c38734cfd9a3e8

Download Submit
memory/380-120-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp

Filesize
3.3MB

Download
memory/380-250-0x00007FF70CF80000-0x00007FF70D2D1000-memory.dmp

Filesize
3.3MB

Download
memory/976-69-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/976-225-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/976-135-0x00007FF70E360000-0x00007FF70E6B1000-memory.dmp

Filesize
3.3MB

Download
memory/1080-93-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1080-220-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-114-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-231-0x00007FF7BB790000-0x00007FF7BBAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-14-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp

Filesize
3.3MB

Download
memory/1488-130-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp

Filesize
3.3MB

Download
memory/1488-198-0x00007FF7C03D0000-0x00007FF7C0721000-memory.dmp

Filesize
3.3MB

Download
memory/1552-196-0x00007FF785400000-0x00007FF785751000-memory.dmp

Filesize
3.3MB

Download
memory/1552-10-0x00007FF785400000-0x00007FF785751000-memory.dmp

Filesize
3.3MB

Download
memory/1552-129-0x00007FF785400000-0x00007FF785751000-memory.dmp

Filesize
3.3MB

Download
memory/2196-240-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-117-0x00007FF6A1B60000-0x00007FF6A1EB1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-105-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp

Filesize
3.3MB

Download
memory/2568-230-0x00007FF7FD630000-0x00007FF7FD981000-memory.dmp

Filesize
3.3MB

Download
memory/2592-241-0x00007FF786770000-0x00007FF786AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-138-0x00007FF786770000-0x00007FF786AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2592-102-0x00007FF786770000-0x00007FF786AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-132-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp

Filesize
3.3MB

Download
memory/2956-41-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp

Filesize
3.3MB

Download
memory/2956-206-0x00007FF75A940000-0x00007FF75AC91000-memory.dmp

Filesize
3.3MB

Download
memory/3152-121-0x00007FF782A30000-0x00007FF782D81000-memory.dmp

Filesize
3.3MB

Download
memory/3152-253-0x00007FF782A30000-0x00007FF782D81000-memory.dmp

Filesize
3.3MB

Download
memory/3356-200-0x00007FF739830000-0x00007FF739B81000-memory.dmp

Filesize
3.3MB

Download
memory/3356-24-0x00007FF739830000-0x00007FF739B81000-memory.dmp

Filesize
3.3MB

Download
memory/3356-131-0x00007FF739830000-0x00007FF739B81000-memory.dmp

Filesize
3.3MB

Download
memory/3452-252-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3452-122-0x00007FF61ED80000-0x00007FF61F0D1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-126-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/3772-249-0x00007FF7EED60000-0x00007FF7EF0B1000-memory.dmp

Filesize
3.3MB

Download
memory/4120-125-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp

Filesize
3.3MB

Download
memory/4120-239-0x00007FF6516C0000-0x00007FF651A11000-memory.dmp

Filesize
3.3MB

Download
memory/4268-255-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp

Filesize
3.3MB

Download
memory/4268-118-0x00007FF71CFC0000-0x00007FF71D311000-memory.dmp

Filesize
3.3MB

Download
memory/4416-251-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4416-123-0x00007FF6F4880000-0x00007FF6F4BD1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-134-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-216-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4728-51-0x00007FF746BA0000-0x00007FF746EF1000-memory.dmp

Filesize
3.3MB

Download
memory/4768-211-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp

Filesize
3.3MB

Download
memory/4768-124-0x00007FF689AD0000-0x00007FF689E21000-memory.dmp

Filesize
3.3MB

Download
memory/4784-254-0x00007FF747270000-0x00007FF7475C1000-memory.dmp

Filesize
3.3MB

Download
memory/4784-127-0x00007FF747270000-0x00007FF7475C1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-128-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-0-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-151-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-150-0x00007FF7AAF50000-0x00007FF7AB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-1-0x000001D594B20000-0x000001D594B30000-memory.dmp

Filesize
64KB

Download
memory/5004-238-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp

Filesize
3.3MB

Download
memory/5004-119-0x00007FF629A90000-0x00007FF629DE1000-memory.dmp

Filesize
3.3MB

Download