cobaltstrike | 6173782add83d03f573925b6ccd73006443587663fcff6c0a37475bb8f4eed61

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

f4734c993ed623525d4965455333e630
SHA1

b6d9c4a7ce75cee3270611f25479a61a101a8261
SHA256

6173782add83d03f573925b6ccd73006443587663fcff6c0a37475bb8f4eed61
SHA512

a46868116632c14429d4d295fc0b3e17ef111b5e35c7042292a8a173635a9906c5768760c558ab55cd9203ba52cec3cca41cde2eb66d8e510cc7eefa6f10a499
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUc

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\BrckrEC.exe	cobalt_reflective_dll
C:\Windows\System\dMByyfK.exe	cobalt_reflective_dll
C:\Windows\System\yiaEaxQ.exe	cobalt_reflective_dll
C:\Windows\System\NQnxEML.exe	cobalt_reflective_dll
C:\Windows\System\oYaKnrX.exe	cobalt_reflective_dll
C:\Windows\System\ZpGFPDU.exe	cobalt_reflective_dll
C:\Windows\System\ecyPAJR.exe	cobalt_reflective_dll
C:\Windows\System\HTEVnXp.exe	cobalt_reflective_dll
C:\Windows\System\vjbgzFv.exe	cobalt_reflective_dll
C:\Windows\System\BoNoRXO.exe	cobalt_reflective_dll
C:\Windows\System\lMCCVnt.exe	cobalt_reflective_dll
C:\Windows\System\TSrpJuU.exe	cobalt_reflective_dll
C:\Windows\System\TNoETuF.exe	cobalt_reflective_dll
C:\Windows\System\kacwMQp.exe	cobalt_reflective_dll
C:\Windows\System\BGnjZLL.exe	cobalt_reflective_dll
C:\Windows\System\JHYbYKO.exe	cobalt_reflective_dll
C:\Windows\System\VvcWcMh.exe	cobalt_reflective_dll
C:\Windows\System\qVSXJwp.exe	cobalt_reflective_dll
C:\Windows\System\naBBknN.exe	cobalt_reflective_dll
C:\Windows\System\GEnkpJV.exe	cobalt_reflective_dll
C:\Windows\System\EhlccfR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\BrckrEC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dMByyfK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yiaEaxQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NQnxEML.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oYaKnrX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZpGFPDU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ecyPAJR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HTEVnXp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vjbgzFv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BoNoRXO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lMCCVnt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TSrpJuU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TNoETuF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kacwMQp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BGnjZLL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JHYbYKO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VvcWcMh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qVSXJwp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\naBBknN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GEnkpJV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EhlccfR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	UPX
C:\Windows\System\BrckrEC.exe	UPX
C:\Windows\System\dMByyfK.exe	UPX
C:\Windows\System\yiaEaxQ.exe	UPX
C:\Windows\System\NQnxEML.exe	UPX
C:\Windows\System\oYaKnrX.exe	UPX
C:\Windows\System\ZpGFPDU.exe	UPX
behavioral2/memory/2012-72-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	UPX
behavioral2/memory/3168-74-0x00007FF7165B0000-0x00007FF716901000-memory.dmp	UPX
behavioral2/memory/2592-73-0x00007FF704530000-0x00007FF704881000-memory.dmp	UPX
C:\Windows\System\ecyPAJR.exe	UPX
behavioral2/memory/5096-69-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	UPX
C:\Windows\System\HTEVnXp.exe	UPX
behavioral2/memory/2064-63-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	UPX
behavioral2/memory/3828-51-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	UPX
C:\Windows\System\vjbgzFv.exe	UPX
C:\Windows\System\BoNoRXO.exe	UPX
behavioral2/memory/4864-41-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	UPX
behavioral2/memory/4860-36-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	UPX
behavioral2/memory/1020-33-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	UPX
behavioral2/memory/208-24-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	UPX
C:\Windows\System\lMCCVnt.exe	UPX
behavioral2/memory/2068-17-0x00007FF764840000-0x00007FF764B91000-memory.dmp	UPX
C:\Windows\System\TSrpJuU.exe	UPX
behavioral2/memory/3960-12-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	UPX
C:\Windows\System\TNoETuF.exe	UPX
behavioral2/memory/2112-78-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	UPX
C:\Windows\System\kacwMQp.exe	UPX
C:\Windows\System\BGnjZLL.exe	UPX
C:\Windows\System\JHYbYKO.exe	UPX
C:\Windows\System\VvcWcMh.exe	UPX
behavioral2/memory/3968-99-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	UPX
behavioral2/memory/4080-94-0x00007FF781830000-0x00007FF781B81000-memory.dmp	UPX
C:\Windows\System\qVSXJwp.exe	UPX
C:\Windows\System\naBBknN.exe	UPX
behavioral2/memory/4004-122-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	UPX
C:\Windows\System\GEnkpJV.exe	UPX
behavioral2/memory/3364-128-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp	UPX
behavioral2/memory/4860-125-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	UPX
behavioral2/memory/1020-124-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	UPX
behavioral2/memory/1472-120-0x00007FF628E40000-0x00007FF629191000-memory.dmp	UPX
C:\Windows\System\EhlccfR.exe	UPX
behavioral2/memory/208-113-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	UPX
behavioral2/memory/2068-111-0x00007FF764840000-0x00007FF764B91000-memory.dmp	UPX
behavioral2/memory/2132-107-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp	UPX
behavioral2/memory/2440-106-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp	UPX
behavioral2/memory/5000-86-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	UPX
behavioral2/memory/2112-145-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	UPX
behavioral2/memory/4864-138-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	UPX
behavioral2/memory/3828-140-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	UPX
behavioral2/memory/3968-132-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	UPX
behavioral2/memory/1680-146-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp	UPX
behavioral2/memory/5000-147-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	UPX
behavioral2/memory/3968-155-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	UPX
behavioral2/memory/3968-174-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	UPX
behavioral2/memory/3960-200-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	UPX
behavioral2/memory/2068-202-0x00007FF764840000-0x00007FF764B91000-memory.dmp	UPX
behavioral2/memory/208-204-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	UPX
behavioral2/memory/4860-206-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	UPX
behavioral2/memory/1020-208-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	UPX
behavioral2/memory/5096-210-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	UPX
behavioral2/memory/4864-212-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	UPX
behavioral2/memory/2012-214-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	UPX
behavioral2/memory/2064-218-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	UPX

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2012-72-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	xmrig
behavioral2/memory/3168-74-0x00007FF7165B0000-0x00007FF716901000-memory.dmp	xmrig
behavioral2/memory/2592-73-0x00007FF704530000-0x00007FF704881000-memory.dmp	xmrig
behavioral2/memory/5096-69-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	xmrig
behavioral2/memory/2064-63-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	xmrig
behavioral2/memory/2068-17-0x00007FF764840000-0x00007FF764B91000-memory.dmp	xmrig
behavioral2/memory/3960-12-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	xmrig
behavioral2/memory/3968-99-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/4080-94-0x00007FF781830000-0x00007FF781B81000-memory.dmp	xmrig
behavioral2/memory/4004-122-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	xmrig
behavioral2/memory/3364-128-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp	xmrig
behavioral2/memory/4860-125-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	xmrig
behavioral2/memory/1020-124-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	xmrig
behavioral2/memory/1472-120-0x00007FF628E40000-0x00007FF629191000-memory.dmp	xmrig
behavioral2/memory/208-113-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	xmrig
behavioral2/memory/2068-111-0x00007FF764840000-0x00007FF764B91000-memory.dmp	xmrig
behavioral2/memory/2132-107-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp	xmrig
behavioral2/memory/2440-106-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp	xmrig
behavioral2/memory/2112-145-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	xmrig
behavioral2/memory/4864-138-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	xmrig
behavioral2/memory/3828-140-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	xmrig
behavioral2/memory/3968-132-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/1680-146-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp	xmrig
behavioral2/memory/5000-147-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	xmrig
behavioral2/memory/3968-155-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/3968-174-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	xmrig
behavioral2/memory/3960-200-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	xmrig
behavioral2/memory/2068-202-0x00007FF764840000-0x00007FF764B91000-memory.dmp	xmrig
behavioral2/memory/208-204-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	xmrig
behavioral2/memory/4860-206-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	xmrig
behavioral2/memory/1020-208-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	xmrig
behavioral2/memory/5096-210-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	xmrig
behavioral2/memory/4864-212-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	xmrig
behavioral2/memory/2012-214-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	xmrig
behavioral2/memory/2064-218-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	xmrig
behavioral2/memory/2592-220-0x00007FF704530000-0x00007FF704881000-memory.dmp	xmrig
behavioral2/memory/3828-217-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	xmrig
behavioral2/memory/3168-222-0x00007FF7165B0000-0x00007FF716901000-memory.dmp	xmrig
behavioral2/memory/2112-229-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	xmrig
behavioral2/memory/5000-231-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	xmrig
behavioral2/memory/4080-233-0x00007FF781830000-0x00007FF781B81000-memory.dmp	xmrig
behavioral2/memory/2132-235-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp	xmrig
behavioral2/memory/2440-237-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp	xmrig
behavioral2/memory/4004-240-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	xmrig
behavioral2/memory/1472-241-0x00007FF628E40000-0x00007FF629191000-memory.dmp	xmrig
behavioral2/memory/1680-244-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp	xmrig
behavioral2/memory/3364-245-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

BrckrEC.exeTSrpJuU.exedMByyfK.exelMCCVnt.exeyiaEaxQ.exevjbgzFv.exeoYaKnrX.exeBoNoRXO.exeNQnxEML.exeHTEVnXp.exeZpGFPDU.exeecyPAJR.exeTNoETuF.exekacwMQp.exeBGnjZLL.exeJHYbYKO.exeVvcWcMh.exeqVSXJwp.exeEhlccfR.exenaBBknN.exeGEnkpJV.exe

pid	process
3960	BrckrEC.exe
2068	TSrpJuU.exe
1020	dMByyfK.exe
208	lMCCVnt.exe
4860	yiaEaxQ.exe
4864	vjbgzFv.exe
3828	oYaKnrX.exe
5096	BoNoRXO.exe
2064	NQnxEML.exe
2012	HTEVnXp.exe
2592	ZpGFPDU.exe
3168	ecyPAJR.exe
2112	TNoETuF.exe
5000	kacwMQp.exe
4080	BGnjZLL.exe
2440	JHYbYKO.exe
2132	VvcWcMh.exe
4004	qVSXJwp.exe
1472	EhlccfR.exe
3364	naBBknN.exe
1680	GEnkpJV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3968-0-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
C:\Windows\System\BrckrEC.exe	upx
C:\Windows\System\dMByyfK.exe	upx
C:\Windows\System\yiaEaxQ.exe	upx
C:\Windows\System\NQnxEML.exe	upx
C:\Windows\System\oYaKnrX.exe	upx
C:\Windows\System\ZpGFPDU.exe	upx
behavioral2/memory/2012-72-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	upx
behavioral2/memory/3168-74-0x00007FF7165B0000-0x00007FF716901000-memory.dmp	upx
behavioral2/memory/2592-73-0x00007FF704530000-0x00007FF704881000-memory.dmp	upx
C:\Windows\System\ecyPAJR.exe	upx
behavioral2/memory/5096-69-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	upx
C:\Windows\System\HTEVnXp.exe	upx
behavioral2/memory/2064-63-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	upx
behavioral2/memory/3828-51-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	upx
C:\Windows\System\vjbgzFv.exe	upx
C:\Windows\System\BoNoRXO.exe	upx
behavioral2/memory/4864-41-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	upx
behavioral2/memory/4860-36-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	upx
behavioral2/memory/1020-33-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	upx
behavioral2/memory/208-24-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	upx
C:\Windows\System\lMCCVnt.exe	upx
behavioral2/memory/2068-17-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
C:\Windows\System\TSrpJuU.exe	upx
behavioral2/memory/3960-12-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	upx
C:\Windows\System\TNoETuF.exe	upx
behavioral2/memory/2112-78-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	upx
C:\Windows\System\kacwMQp.exe	upx
C:\Windows\System\BGnjZLL.exe	upx
C:\Windows\System\JHYbYKO.exe	upx
C:\Windows\System\VvcWcMh.exe	upx
behavioral2/memory/3968-99-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
behavioral2/memory/4080-94-0x00007FF781830000-0x00007FF781B81000-memory.dmp	upx
C:\Windows\System\qVSXJwp.exe	upx
C:\Windows\System\naBBknN.exe	upx
behavioral2/memory/4004-122-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp	upx
C:\Windows\System\GEnkpJV.exe	upx
behavioral2/memory/3364-128-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp	upx
behavioral2/memory/4860-125-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	upx
behavioral2/memory/1020-124-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	upx
behavioral2/memory/1472-120-0x00007FF628E40000-0x00007FF629191000-memory.dmp	upx
C:\Windows\System\EhlccfR.exe	upx
behavioral2/memory/208-113-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	upx
behavioral2/memory/2068-111-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
behavioral2/memory/2132-107-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp	upx
behavioral2/memory/2440-106-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp	upx
behavioral2/memory/5000-86-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	upx
behavioral2/memory/2112-145-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp	upx
behavioral2/memory/4864-138-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	upx
behavioral2/memory/3828-140-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp	upx
behavioral2/memory/3968-132-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
behavioral2/memory/1680-146-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp	upx
behavioral2/memory/5000-147-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp	upx
behavioral2/memory/3968-155-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
behavioral2/memory/3968-174-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp	upx
behavioral2/memory/3960-200-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp	upx
behavioral2/memory/2068-202-0x00007FF764840000-0x00007FF764B91000-memory.dmp	upx
behavioral2/memory/208-204-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp	upx
behavioral2/memory/4860-206-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp	upx
behavioral2/memory/1020-208-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp	upx
behavioral2/memory/5096-210-0x00007FF68C510000-0x00007FF68C861000-memory.dmp	upx
behavioral2/memory/4864-212-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp	upx
behavioral2/memory/2012-214-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp	upx
behavioral2/memory/2064-218-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\BrckrEC.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NQnxEML.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oYaKnrX.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HTEVnXp.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VvcWcMh.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TSrpJuU.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZpGFPDU.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kacwMQp.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EhlccfR.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lMCCVnt.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vjbgzFv.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BoNoRXO.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ecyPAJR.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BGnjZLL.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JHYbYKO.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qVSXJwp.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dMByyfK.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yiaEaxQ.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TNoETuF.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\naBBknN.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GEnkpJV.exe	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3968 wrote to memory of 3960	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BrckrEC.exe
PID 3968 wrote to memory of 3960	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BrckrEC.exe
PID 3968 wrote to memory of 2068	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	TSrpJuU.exe
PID 3968 wrote to memory of 2068	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	TSrpJuU.exe
PID 3968 wrote to memory of 1020	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	dMByyfK.exe
PID 3968 wrote to memory of 1020	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	dMByyfK.exe
PID 3968 wrote to memory of 208	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	lMCCVnt.exe
PID 3968 wrote to memory of 208	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	lMCCVnt.exe
PID 3968 wrote to memory of 4860	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	yiaEaxQ.exe
PID 3968 wrote to memory of 4860	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	yiaEaxQ.exe
PID 3968 wrote to memory of 4864	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	vjbgzFv.exe
PID 3968 wrote to memory of 4864	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	vjbgzFv.exe
PID 3968 wrote to memory of 2064	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	NQnxEML.exe
PID 3968 wrote to memory of 2064	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	NQnxEML.exe
PID 3968 wrote to memory of 3828	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	oYaKnrX.exe
PID 3968 wrote to memory of 3828	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	oYaKnrX.exe
PID 3968 wrote to memory of 5096	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BoNoRXO.exe
PID 3968 wrote to memory of 5096	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BoNoRXO.exe
PID 3968 wrote to memory of 2012	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	HTEVnXp.exe
PID 3968 wrote to memory of 2012	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	HTEVnXp.exe
PID 3968 wrote to memory of 2592	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	ZpGFPDU.exe
PID 3968 wrote to memory of 2592	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	ZpGFPDU.exe
PID 3968 wrote to memory of 3168	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	ecyPAJR.exe
PID 3968 wrote to memory of 3168	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	ecyPAJR.exe
PID 3968 wrote to memory of 2112	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	TNoETuF.exe
PID 3968 wrote to memory of 2112	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	TNoETuF.exe
PID 3968 wrote to memory of 5000	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	kacwMQp.exe
PID 3968 wrote to memory of 5000	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	kacwMQp.exe
PID 3968 wrote to memory of 4080	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BGnjZLL.exe
PID 3968 wrote to memory of 4080	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	BGnjZLL.exe
PID 3968 wrote to memory of 2440	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	JHYbYKO.exe
PID 3968 wrote to memory of 2440	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	JHYbYKO.exe
PID 3968 wrote to memory of 2132	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	VvcWcMh.exe
PID 3968 wrote to memory of 2132	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	VvcWcMh.exe
PID 3968 wrote to memory of 4004	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	qVSXJwp.exe
PID 3968 wrote to memory of 4004	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	qVSXJwp.exe
PID 3968 wrote to memory of 1472	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	EhlccfR.exe
PID 3968 wrote to memory of 1472	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	EhlccfR.exe
PID 3968 wrote to memory of 3364	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	naBBknN.exe
PID 3968 wrote to memory of 3364	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	naBBknN.exe
PID 3968 wrote to memory of 1680	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	GEnkpJV.exe
PID 3968 wrote to memory of 1680	3968	2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe	GEnkpJV.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_f4734c993ed623525d4965455333e630_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\System\BrckrEC.exe
C:\Windows\System\BrckrEC.exe
2⤵
- Executes dropped EXE
PID:3960

C:\Windows\System\TSrpJuU.exe
C:\Windows\System\TSrpJuU.exe
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\System\dMByyfK.exe
C:\Windows\System\dMByyfK.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\lMCCVnt.exe
C:\Windows\System\lMCCVnt.exe
2⤵
- Executes dropped EXE
PID:208

C:\Windows\System\yiaEaxQ.exe
C:\Windows\System\yiaEaxQ.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\System\vjbgzFv.exe
C:\Windows\System\vjbgzFv.exe
2⤵
- Executes dropped EXE
PID:4864

C:\Windows\System\NQnxEML.exe
C:\Windows\System\NQnxEML.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System\oYaKnrX.exe
C:\Windows\System\oYaKnrX.exe
2⤵
- Executes dropped EXE
PID:3828

C:\Windows\System\BoNoRXO.exe
C:\Windows\System\BoNoRXO.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\HTEVnXp.exe
C:\Windows\System\HTEVnXp.exe
2⤵
- Executes dropped EXE
PID:2012

C:\Windows\System\ZpGFPDU.exe
C:\Windows\System\ZpGFPDU.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\ecyPAJR.exe
C:\Windows\System\ecyPAJR.exe
2⤵
- Executes dropped EXE
PID:3168

C:\Windows\System\TNoETuF.exe
C:\Windows\System\TNoETuF.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System\kacwMQp.exe
C:\Windows\System\kacwMQp.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\System\BGnjZLL.exe
C:\Windows\System\BGnjZLL.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System\JHYbYKO.exe
C:\Windows\System\JHYbYKO.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\VvcWcMh.exe
C:\Windows\System\VvcWcMh.exe
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\System\qVSXJwp.exe
C:\Windows\System\qVSXJwp.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System\EhlccfR.exe
C:\Windows\System\EhlccfR.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\System\naBBknN.exe
C:\Windows\System\naBBknN.exe
2⤵
- Executes dropped EXE
PID:3364

C:\Windows\System\GEnkpJV.exe
C:\Windows\System\GEnkpJV.exe
2⤵
- Executes dropped EXE
PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BGnjZLL.exe
Filesize
5.2MB

MD5
7c07e0890b11fc41d7c5e56fc5fba529

SHA1
f29b343c39073ec846b99c7ab202f5b523e7aa32

SHA256
3d0f653366e68a896658f2d1b083f4b26d6be87ac208fbfbbcf1722a3f4e12d1

SHA512
6554fe7d296495e28ee69ada53ba9f7c8c70d235a3190ac9c22aea94f1717807a3ea386271bed42edaa4f5833bc829552ba73eaaaea13272c0f7f449500c4d06

Download Submit
C:\Windows\System\BoNoRXO.exe
Filesize
5.2MB

MD5
e20cec839255e13765716f73b6599775

SHA1
3db94e0f9aabf89c679296d1fa40e8a71a9f285e

SHA256
31171e0e815e3ccf49c3c5c1756f0a993c57ef84bdb268041b2d9d1b7cd0c9a1

SHA512
50da20cdd24e46ef75ffbd8c855e9510ff7c52dd10b41c25f9eceebc81531065b493604b88dcf883283bba6900abd489d096e2d634117c4d229a1413e0c651ca

Download Submit
C:\Windows\System\BrckrEC.exe
Filesize
5.2MB

MD5
53264152d4b2817962a8b46f6c010bc7

SHA1
6f7cb496aeef17bddbd2cece1dced536593d39ee

SHA256
7c66a51e0b2003fcb098eae9faeadb9572d557a84f47d726ff0664faecf93267

SHA512
daf49d0f46cc813f6b7480b7e90810c0d0ad812245bf5083166cb3ad02ff3764a81d97db90373cf6ff9410c2e06cd0ef0af422a07708fdcacfbe0da8a4217d14

Download Submit
C:\Windows\System\EhlccfR.exe
Filesize
5.2MB

MD5
4575346b00a914f276beae4c796368aa

SHA1
6e0d6ea6e7e1b7fedccfd0d622e38cb87727f6e2

SHA256
5b21829b4a8dc5635f8cfe76892bac70fa4b444f9213d086917e24b56dd84d1d

SHA512
7fc8e50067f0397e54cd604b3f41c048d4635f5513074c4436aafb7b50e76757310a0ca76be15232d00fb73129c5d6f62e6f855d6f097fe88009d38699a2cbfc

Download Submit
C:\Windows\System\GEnkpJV.exe
Filesize
5.2MB

MD5
6253913fdf806cb45b37d95806eb7789

SHA1
9d9f8ef88108102119b454991da68091fe4cfa69

SHA256
e0002ad895c292a51c15c41b12772dfdf2c4870dde761cb1bff13f2537d07329

SHA512
494b5faf1f0fd7d028d23c13f3a4ef7c92b8ba5807209c3ab494ac4953f47d0c55b68f480db8f2b57f76dfea2c5e0144de49ef13ebccc7bb8ceb5bae9a117332

Download Submit
C:\Windows\System\HTEVnXp.exe
Filesize
5.2MB

MD5
56263e71878fa322aabb1632b7e8aa87

SHA1
91f0ffec61c9ab097cea2c6ab539f7d63d67bf12

SHA256
000a58230e7c00c74c7a35abe96501b5658ef1c7bf0c94549e079ed8886a0c5c

SHA512
bf487d497093437fca081ff8507ea9ab8bb060fdd27d3b62613a663db1cb59b3223539a07570c023f530a82cd00304ac038dd1ca9c14c4123810d15dee1f24aa

Download Submit
C:\Windows\System\JHYbYKO.exe
Filesize
5.2MB

MD5
6acbc8bfe7146cf005d1f7592aaa0b2e

SHA1
0eecd60bc4d6812f0f06cb68ec832ac2892964cb

SHA256
20f4c4b55989fba2950b17b68dc3a64f7d393614c1c1fcff2727b36f41e69bd5

SHA512
c68df900a7bd2fc3360731debe88aed5d4157aa8cf30cc78ffe0f50f73dae1cdc96f23fda2acacaf5806edaf1016dcd9f780f7af85818d31182691b618625b1c

Download Submit
C:\Windows\System\NQnxEML.exe
Filesize
5.2MB

MD5
92e2476efb0955a3a43d3cbe5b990211

SHA1
9411c116b6a7d85b9282a5dbadf11bddc7399151

SHA256
db796129bce1ae3496594d25562f7f08be51acb12a50d2e7bfaa90a353354cba

SHA512
a816da31cea4e2c7dc0df77c1a751ca61b2fe6311df7acdcb15df7f739d516625b8d9f64925f5a5bb8e8863a60049d0aeca206bfe1acf6c1469e15c5aad8015c

Download Submit
C:\Windows\System\TNoETuF.exe
Filesize
5.2MB

MD5
ae5e0d0ad9e4cb371c9ab47b22f0efb2

SHA1
228d7575b57b6e0587398c5541c432c65dcaee91

SHA256
1b3f9b228eebde9aede09bde3c2082ae54f41634f7911778bb272b8e6d8ebab3

SHA512
605edac86f530175f814a4c42c0025d7c36de26f02d0ec4d3b3144aedb53fc4fa1fe30e7ce7e2bc51bc33c150e254254e357d3403218c737a3e0fb1b7ef421d6

Download Submit
C:\Windows\System\TSrpJuU.exe
Filesize
5.2MB

MD5
f59d515210e6bd04554a8315889a0a39

SHA1
1c8ec9e19a2c6dece2e5de1d37760150b9590b63

SHA256
18d04947da2fa01534282aa0aceb270ac53aa2c8b6ba080183bc4ce26d3f7f73

SHA512
ce9fd37526a7f466aeaf9f18c5ec248c31eca54ca18dde536bee9a4f821628c4f0a0d4c6e8efd59edd879c46cc5c9de720028a8f5f767582ec4bdf2027b41168

Download Submit
C:\Windows\System\VvcWcMh.exe
Filesize
5.2MB

MD5
549cfe50aba15d316ce0e7bfd0221217

SHA1
1d6f16829fc7e9468e36407c99354975fcf456d8

SHA256
b09c81604e31f515e44bf121f52bcb0feb1215ac01485698d240f8f2d2d98515

SHA512
88cd3439c6eb64788f27b05b9afe6bdcef989d5975e8b55ec8d69c45a345979750ef9a34f27e72301b864b681d96879d87ddf4257818c2e591ffe3b3f4d3fba6

Download Submit
C:\Windows\System\ZpGFPDU.exe
Filesize
5.2MB

MD5
4ab31ab87f0f6be2ee265d9a87711a2c

SHA1
8c54c3e2ea58793c15b4081740ebd692cadb448d

SHA256
fd5aabc0fa6b6214ccbc2656e09e0cab368e47aac43b4b157a76033ff24fdc77

SHA512
575d37c3ddc63e7a9419652cb10d52df948e69db0f4d4aa005c68b1a733efc52e6bd09eba7c0627c1f33156925af9e8235249fbb92ab3a82d8f789e95d59742a

Download Submit
C:\Windows\System\dMByyfK.exe
Filesize
5.2MB

MD5
d493789de030397b1fbbd0362e2884d6

SHA1
b091644b52b2f05d03d762cb27cfc97ba6166f77

SHA256
359a7578452ecc413e5a100b16af44895c941fb59e03f0722e12ea692aa48ab3

SHA512
4b95af3626443253d3f45902159512120300b2d8352ab5f3254a4cd90a0902cb95f1c339b52d05298029f3ab7e5fa3e9daf02061f1d7a4eaf1235fa67f6e16b8

Download Submit
C:\Windows\System\ecyPAJR.exe
Filesize
5.2MB

MD5
59deb20cae75ad10a57fc988525ab4ed

SHA1
00e8157c8faf5fb0b54535ef64a4aa1caf9cc1e7

SHA256
a34ca44bc2225f07953a66ab01f0425e2176f1e1bd2607321d73d4d60484e0f7

SHA512
84d9d18c569e330680fd0082c064ad1325d04d034e6ed3a8a938f6db5e53224b89b1dac1b0277f3517c27a1d62e2eaaa4e5203415053ffe37b63e214a9f9e5fa

Download Submit
C:\Windows\System\kacwMQp.exe
Filesize
5.2MB

MD5
56e0e44316a325df59d1636842d05756

SHA1
c9b0be146a86c57ca002c4d149472c899d4b78a6

SHA256
811ece3a18e5ed1c75c96e4d32202c1f595b3b0be0fbbd71f7c4bb3f9a3567d3

SHA512
7cba9bb2dbed1dab44e3e12d7c47aa391c888501b75613af9aed19a64483ddb0dec48f2c68e87f074083bdbbe8e692c6c0004b2fcfdd520ef47ad515c7f62f72

Download Submit
C:\Windows\System\lMCCVnt.exe
Filesize
5.2MB

MD5
420bfb456a290c8da67ebae06a7070c4

SHA1
559caf3f87528ef3c9483cafe957ad3296b25d5e

SHA256
ed8fc4222aea2008b0222e08ba2300d45875d1e4789117b3bf0332548816e8b2

SHA512
efff5e91f3366a4e028fa37e38eb0e28ecdf2bd1bfa7483813474de458d2efd095615527666ee03b5749d4f4c6d82b262f5ea9d1c6fc4a86a4e105fdcd314d86

Download Submit
C:\Windows\System\naBBknN.exe
Filesize
5.2MB

MD5
6b5ee1b0bd6c7cf102be7ee37ce4bbb4

SHA1
cf89e3aaf99a8cb6a67fb67874209a9c1504a2fd

SHA256
78b6b92271e45dae25924ac99aec9bb471631923a35c95e6ecd2bd0414c8f0f5

SHA512
354d94020d312b54e413d44c97634006c84c6c54881d4094f1e47cb3118969a3f187f4b12ec7848a28dc186c923d680f4453364efb16876a6cb3f7f92b63719e

Download Submit
C:\Windows\System\oYaKnrX.exe
Filesize
5.2MB

MD5
68320b5204e87da7ee9d2bcd32350b2b

SHA1
e2e07f17225d8008bc3cd7d40a1c22356a787d49

SHA256
c68e0441a5378faf45ee7c76925ba5621c3134ba2ca1a7ca9ad49d7a8169403b

SHA512
aacd1175de32e304745d4aabae63daa4b5841097dc080558d929068f3282b48979f0fca898adc46bdb13385827a85aaee95da9b5663b81318e07d7e707f41b76

Download Submit
C:\Windows\System\qVSXJwp.exe
Filesize
5.2MB

MD5
7abfa245156b94a1e16b4c417d8f01d1

SHA1
01396e98e6f884c41563517d3a75dfd6d9d31c63

SHA256
be48ca192200c0b11c46331c57f2c26d159959b3b9a83bc2f32fc97ea7df6cbc

SHA512
98b18bfc8010c6df3ce1b3766c873fa188455182b2bb90f1c4041e4ea5cd970d76d8919b1eed0cf2b8f11c895d6678de1290ebff35894ce8fe1057d829eab252

Download Submit
C:\Windows\System\vjbgzFv.exe
Filesize
5.2MB

MD5
91aaa85048f770d8c54fbfaee6007f2f

SHA1
b7ff345270a8f0e80f542ea604b117945042d0f0

SHA256
07f450f5f67d87acc94eb2039f9af454d2a6b2959dce94c52d29ac282cf29e8c

SHA512
09903cecb181213ba2de3828306400c1638a9b1e7b13110b68d42a323dc9f8eb83d4efc6dc5c4e468d2ad66eddbc4d3b3cb8c35260689994177dfe2ab4498e34

Download Submit
C:\Windows\System\yiaEaxQ.exe
Filesize
5.2MB

MD5
db99b3b895677b6456cee10ae225a089

SHA1
44ec756ebc886ec48a1258193c2c7fc2b02c21fb

SHA256
46a7015294b1ade8d292edade1d9cb088f13480b37f3b1b0e45d7140d002a0b2

SHA512
48f89a9cc01b9f4dc0e7e404978e6f6c5abc2343ea0cd1d9cbac7a35fccad7ba8dcf55db70c8193c0988b8a075cf93d63d4ddbacf0a6bd173a61a7e6989cc025

Download Submit
memory/208-24-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp

Filesize
3.3MB

Download
memory/208-204-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp

Filesize
3.3MB

Download
memory/208-113-0x00007FF7A4730000-0x00007FF7A4A81000-memory.dmp

Filesize
3.3MB

Download
memory/1020-33-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp

Filesize
3.3MB

Download
memory/1020-208-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp

Filesize
3.3MB

Download
memory/1020-124-0x00007FF723AF0000-0x00007FF723E41000-memory.dmp

Filesize
3.3MB

Download
memory/1472-241-0x00007FF628E40000-0x00007FF629191000-memory.dmp

Filesize
3.3MB

Download
memory/1472-120-0x00007FF628E40000-0x00007FF629191000-memory.dmp

Filesize
3.3MB

Download
memory/1680-244-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-146-0x00007FF68D1A0000-0x00007FF68D4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-72-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-214-0x00007FF6DC2A0000-0x00007FF6DC5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-63-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-218-0x00007FF63AC60000-0x00007FF63AFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-17-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/2068-202-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/2068-111-0x00007FF764840000-0x00007FF764B91000-memory.dmp

Filesize
3.3MB

Download
memory/2112-229-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-145-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-78-0x00007FF6A9490000-0x00007FF6A97E1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-235-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp

Filesize
3.3MB

Download
memory/2132-107-0x00007FF7AD2F0000-0x00007FF7AD641000-memory.dmp

Filesize
3.3MB

Download
memory/2440-106-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp

Filesize
3.3MB

Download
memory/2440-237-0x00007FF61EBB0000-0x00007FF61EF01000-memory.dmp

Filesize
3.3MB

Download
memory/2592-73-0x00007FF704530000-0x00007FF704881000-memory.dmp

Filesize
3.3MB

Download
memory/2592-220-0x00007FF704530000-0x00007FF704881000-memory.dmp

Filesize
3.3MB

Download
memory/3168-222-0x00007FF7165B0000-0x00007FF716901000-memory.dmp

Filesize
3.3MB

Download
memory/3168-74-0x00007FF7165B0000-0x00007FF716901000-memory.dmp

Filesize
3.3MB

Download
memory/3364-128-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3364-245-0x00007FF6A3A90000-0x00007FF6A3DE1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-51-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-217-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3828-140-0x00007FF7B4370000-0x00007FF7B46C1000-memory.dmp

Filesize
3.3MB

Download
memory/3960-12-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp

Filesize
3.3MB

Download
memory/3960-200-0x00007FF7BB820000-0x00007FF7BBB71000-memory.dmp

Filesize
3.3MB

Download
memory/3968-174-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/3968-155-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/3968-0-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/3968-1-0x00000259CB9F0000-0x00000259CBA00000-memory.dmp

Filesize
64KB

Download
memory/3968-132-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/3968-99-0x00007FF7EF740000-0x00007FF7EFA91000-memory.dmp

Filesize
3.3MB

Download
memory/4004-240-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4004-122-0x00007FF6FAF50000-0x00007FF6FB2A1000-memory.dmp

Filesize
3.3MB

Download
memory/4080-233-0x00007FF781830000-0x00007FF781B81000-memory.dmp

Filesize
3.3MB

Download
memory/4080-94-0x00007FF781830000-0x00007FF781B81000-memory.dmp

Filesize
3.3MB

Download
memory/4860-36-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-206-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-125-0x00007FF7262A0000-0x00007FF7265F1000-memory.dmp

Filesize
3.3MB

Download
memory/4864-212-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp

Filesize
3.3MB

Download
memory/4864-41-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp

Filesize
3.3MB

Download
memory/4864-138-0x00007FF7F9B40000-0x00007FF7F9E91000-memory.dmp

Filesize
3.3MB

Download
memory/5000-231-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-86-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/5000-147-0x00007FF76FB50000-0x00007FF76FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/5096-210-0x00007FF68C510000-0x00007FF68C861000-memory.dmp

Filesize
3.3MB

Download
memory/5096-69-0x00007FF68C510000-0x00007FF68C861000-memory.dmp

Filesize
3.3MB

Download