cobaltstrike | 5e8c008cb1744575d9a886d2c112e0b63a38eafe5a4694966b986b4520253429

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 06:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

948b16d6bc2634ca4bc232cc372b3a6e
SHA1

7625d2ad2dbd35c9d0cd19fb7bc70f38b5486c7f
SHA256

5e8c008cb1744575d9a886d2c112e0b63a38eafe5a4694966b986b4520253429
SHA512

e5d0e9a1e65d9637eb61661802d812e93f722f59b0533a4f6a9e29fdbad115ea3c5a7040ce94fcd02c6c25d5554e9dc67b7ad7de1e61661e20f967b39ff5cec6
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l/:RWWBibf56utgpPFotBER/mQ32lUz

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\KVDlmcN.exe	cobalt_reflective_dll
C:\Windows\System\DvbRuWP.exe	cobalt_reflective_dll
C:\Windows\System\fTggrCv.exe	cobalt_reflective_dll
C:\Windows\System\YleCQRM.exe	cobalt_reflective_dll
C:\Windows\System\vHxqzBy.exe	cobalt_reflective_dll
C:\Windows\System\oiwAKYq.exe	cobalt_reflective_dll
C:\Windows\System\VLjkwZp.exe	cobalt_reflective_dll
C:\Windows\System\LsgqGGO.exe	cobalt_reflective_dll
C:\Windows\System\pwtfqyH.exe	cobalt_reflective_dll
C:\Windows\System\uucTEag.exe	cobalt_reflective_dll
C:\Windows\System\PiefZVt.exe	cobalt_reflective_dll
C:\Windows\System\FCVBqSQ.exe	cobalt_reflective_dll
C:\Windows\System\OTCahzM.exe	cobalt_reflective_dll
C:\Windows\System\LBtvpeN.exe	cobalt_reflective_dll
C:\Windows\System\KLxACMT.exe	cobalt_reflective_dll
C:\Windows\System\ZGWGEPq.exe	cobalt_reflective_dll
C:\Windows\System\jYhrqCD.exe	cobalt_reflective_dll
C:\Windows\System\tPCmHay.exe	cobalt_reflective_dll
C:\Windows\System\mryDNaF.exe	cobalt_reflective_dll
C:\Windows\System\PCBkPII.exe	cobalt_reflective_dll
C:\Windows\System\lvdVjyg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\KVDlmcN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DvbRuWP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fTggrCv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YleCQRM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vHxqzBy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oiwAKYq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VLjkwZp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LsgqGGO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pwtfqyH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uucTEag.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PiefZVt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FCVBqSQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OTCahzM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LBtvpeN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KLxACMT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZGWGEPq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jYhrqCD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tPCmHay.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mryDNaF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PCBkPII.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lvdVjyg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/400-0-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	UPX
C:\Windows\System\KVDlmcN.exe	UPX
C:\Windows\System\DvbRuWP.exe	UPX
behavioral2/memory/4772-18-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	UPX
C:\Windows\System\fTggrCv.exe	UPX
C:\Windows\System\YleCQRM.exe	UPX
C:\Windows\System\vHxqzBy.exe	UPX
behavioral2/memory/4540-36-0x00007FF767830000-0x00007FF767B81000-memory.dmp	UPX
behavioral2/memory/668-35-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	UPX
behavioral2/memory/3916-31-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	UPX
C:\Windows\System\oiwAKYq.exe	UPX
behavioral2/memory/4988-16-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	UPX
behavioral2/memory/4908-11-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	UPX
C:\Windows\System\VLjkwZp.exe	UPX
behavioral2/memory/1300-43-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	UPX
C:\Windows\System\LsgqGGO.exe	UPX
C:\Windows\System\pwtfqyH.exe	UPX
C:\Windows\System\uucTEag.exe	UPX
C:\Windows\System\PiefZVt.exe	UPX
C:\Windows\System\FCVBqSQ.exe	UPX
C:\Windows\System\OTCahzM.exe	UPX
behavioral2/memory/2328-104-0x00007FF795940000-0x00007FF795C91000-memory.dmp	UPX
behavioral2/memory/4916-106-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp	UPX
behavioral2/memory/552-108-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp	UPX
behavioral2/memory/3416-107-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	UPX
behavioral2/memory/1196-105-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp	UPX
C:\Windows\System\LBtvpeN.exe	UPX
C:\Windows\System\KLxACMT.exe	UPX
behavioral2/memory/4772-124-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	UPX
behavioral2/memory/2316-129-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp	UPX
behavioral2/memory/1628-131-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp	UPX
behavioral2/memory/1052-130-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp	UPX
behavioral2/memory/4460-128-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp	UPX
behavioral2/memory/3916-125-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	UPX
C:\Windows\System\ZGWGEPq.exe	UPX
C:\Windows\System\jYhrqCD.exe	UPX
C:\Windows\System\tPCmHay.exe	UPX
behavioral2/memory/4988-90-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	UPX
behavioral2/memory/1584-86-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp	UPX
C:\Windows\System\mryDNaF.exe	UPX
C:\Windows\System\PCBkPII.exe	UPX
behavioral2/memory/1832-73-0x00007FF672F10000-0x00007FF673261000-memory.dmp	UPX
behavioral2/memory/3940-71-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	UPX
C:\Windows\System\lvdVjyg.exe	UPX
behavioral2/memory/400-66-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	UPX
behavioral2/memory/4592-60-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	UPX
behavioral2/memory/3736-50-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	UPX
behavioral2/memory/400-132-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	UPX
behavioral2/memory/1300-139-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	UPX
behavioral2/memory/3940-142-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	UPX
behavioral2/memory/4592-141-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	UPX
behavioral2/memory/3416-149-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	UPX
behavioral2/memory/3736-140-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	UPX
behavioral2/memory/4540-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp	UPX
behavioral2/memory/400-154-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	UPX
behavioral2/memory/4908-199-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	UPX
behavioral2/memory/4988-201-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	UPX
behavioral2/memory/4772-203-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	UPX
behavioral2/memory/668-206-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	UPX
behavioral2/memory/3916-207-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	UPX
behavioral2/memory/4540-209-0x00007FF767830000-0x00007FF767B81000-memory.dmp	UPX
behavioral2/memory/1300-226-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	UPX
behavioral2/memory/3736-228-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	UPX
behavioral2/memory/1832-230-0x00007FF672F10000-0x00007FF673261000-memory.dmp	UPX

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/668-35-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	xmrig
behavioral2/memory/4908-11-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	xmrig
behavioral2/memory/2328-104-0x00007FF795940000-0x00007FF795C91000-memory.dmp	xmrig
behavioral2/memory/4916-106-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp	xmrig
behavioral2/memory/552-108-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp	xmrig
behavioral2/memory/1196-105-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp	xmrig
behavioral2/memory/4772-124-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	xmrig
behavioral2/memory/2316-129-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp	xmrig
behavioral2/memory/1628-131-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp	xmrig
behavioral2/memory/1052-130-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp	xmrig
behavioral2/memory/4460-128-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp	xmrig
behavioral2/memory/3916-125-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	xmrig
behavioral2/memory/4988-90-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	xmrig
behavioral2/memory/1584-86-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp	xmrig
behavioral2/memory/1832-73-0x00007FF672F10000-0x00007FF673261000-memory.dmp	xmrig
behavioral2/memory/400-66-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	xmrig
behavioral2/memory/400-132-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	xmrig
behavioral2/memory/1300-139-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	xmrig
behavioral2/memory/3940-142-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	xmrig
behavioral2/memory/4592-141-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	xmrig
behavioral2/memory/3416-149-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	xmrig
behavioral2/memory/3736-140-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	xmrig
behavioral2/memory/4540-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/400-154-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	xmrig
behavioral2/memory/4908-199-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	xmrig
behavioral2/memory/4988-201-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	xmrig
behavioral2/memory/4772-203-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	xmrig
behavioral2/memory/668-206-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	xmrig
behavioral2/memory/3916-207-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	xmrig
behavioral2/memory/4540-209-0x00007FF767830000-0x00007FF767B81000-memory.dmp	xmrig
behavioral2/memory/1300-226-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	xmrig
behavioral2/memory/3736-228-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	xmrig
behavioral2/memory/1832-230-0x00007FF672F10000-0x00007FF673261000-memory.dmp	xmrig
behavioral2/memory/1196-233-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp	xmrig
behavioral2/memory/3940-238-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	xmrig
behavioral2/memory/4592-237-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	xmrig
behavioral2/memory/1584-235-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp	xmrig
behavioral2/memory/552-240-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp	xmrig
behavioral2/memory/4916-243-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp	xmrig
behavioral2/memory/2328-244-0x00007FF795940000-0x00007FF795C91000-memory.dmp	xmrig
behavioral2/memory/4460-247-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp	xmrig
behavioral2/memory/3416-248-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	xmrig
behavioral2/memory/2316-250-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp	xmrig
behavioral2/memory/1628-253-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp	xmrig
behavioral2/memory/1052-254-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

KVDlmcN.exeDvbRuWP.exefTggrCv.exeYleCQRM.exeoiwAKYq.exevHxqzBy.exeVLjkwZp.exeLsgqGGO.exepwtfqyH.exelvdVjyg.exeuucTEag.exePiefZVt.exePCBkPII.exemryDNaF.exeFCVBqSQ.exeOTCahzM.exeLBtvpeN.exeKLxACMT.exetPCmHay.exejYhrqCD.exeZGWGEPq.exe

pid	process
4908	KVDlmcN.exe
4988	DvbRuWP.exe
4772	fTggrCv.exe
3916	YleCQRM.exe
668	oiwAKYq.exe
4540	vHxqzBy.exe
1300	VLjkwZp.exe
3736	LsgqGGO.exe
4592	pwtfqyH.exe
3940	lvdVjyg.exe
1832	uucTEag.exe
2328	PiefZVt.exe
1196	PCBkPII.exe
1584	mryDNaF.exe
4916	FCVBqSQ.exe
552	OTCahzM.exe
3416	LBtvpeN.exe
4460	KLxACMT.exe
2316	tPCmHay.exe
1052	jYhrqCD.exe
1628	ZGWGEPq.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/400-0-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	upx
C:\Windows\System\KVDlmcN.exe	upx
C:\Windows\System\DvbRuWP.exe	upx
behavioral2/memory/4772-18-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	upx
C:\Windows\System\fTggrCv.exe	upx
C:\Windows\System\YleCQRM.exe	upx
C:\Windows\System\vHxqzBy.exe	upx
behavioral2/memory/4540-36-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/668-35-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	upx
behavioral2/memory/3916-31-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	upx
C:\Windows\System\oiwAKYq.exe	upx
behavioral2/memory/4988-16-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	upx
behavioral2/memory/4908-11-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	upx
C:\Windows\System\VLjkwZp.exe	upx
behavioral2/memory/1300-43-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	upx
C:\Windows\System\LsgqGGO.exe	upx
C:\Windows\System\pwtfqyH.exe	upx
C:\Windows\System\uucTEag.exe	upx
C:\Windows\System\PiefZVt.exe	upx
C:\Windows\System\FCVBqSQ.exe	upx
C:\Windows\System\OTCahzM.exe	upx
behavioral2/memory/2328-104-0x00007FF795940000-0x00007FF795C91000-memory.dmp	upx
behavioral2/memory/4916-106-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp	upx
behavioral2/memory/552-108-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp	upx
behavioral2/memory/3416-107-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	upx
behavioral2/memory/1196-105-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp	upx
C:\Windows\System\LBtvpeN.exe	upx
C:\Windows\System\KLxACMT.exe	upx
behavioral2/memory/4772-124-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	upx
behavioral2/memory/2316-129-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp	upx
behavioral2/memory/1628-131-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp	upx
behavioral2/memory/1052-130-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp	upx
behavioral2/memory/4460-128-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp	upx
behavioral2/memory/3916-125-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	upx
C:\Windows\System\ZGWGEPq.exe	upx
C:\Windows\System\jYhrqCD.exe	upx
C:\Windows\System\tPCmHay.exe	upx
behavioral2/memory/4988-90-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	upx
behavioral2/memory/1584-86-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp	upx
C:\Windows\System\mryDNaF.exe	upx
C:\Windows\System\PCBkPII.exe	upx
behavioral2/memory/1832-73-0x00007FF672F10000-0x00007FF673261000-memory.dmp	upx
behavioral2/memory/3940-71-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	upx
C:\Windows\System\lvdVjyg.exe	upx
behavioral2/memory/400-66-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	upx
behavioral2/memory/4592-60-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	upx
behavioral2/memory/3736-50-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	upx
behavioral2/memory/400-132-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	upx
behavioral2/memory/1300-139-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	upx
behavioral2/memory/3940-142-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp	upx
behavioral2/memory/4592-141-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp	upx
behavioral2/memory/3416-149-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp	upx
behavioral2/memory/3736-140-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	upx
behavioral2/memory/4540-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/400-154-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp	upx
behavioral2/memory/4908-199-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp	upx
behavioral2/memory/4988-201-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp	upx
behavioral2/memory/4772-203-0x00007FF7355D0000-0x00007FF735921000-memory.dmp	upx
behavioral2/memory/668-206-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp	upx
behavioral2/memory/3916-207-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp	upx
behavioral2/memory/4540-209-0x00007FF767830000-0x00007FF767B81000-memory.dmp	upx
behavioral2/memory/1300-226-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp	upx
behavioral2/memory/3736-228-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp	upx
behavioral2/memory/1832-230-0x00007FF672F10000-0x00007FF673261000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\FCVBqSQ.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jYhrqCD.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PCBkPII.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OTCahzM.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tPCmHay.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lvdVjyg.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mryDNaF.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZGWGEPq.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YleCQRM.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oiwAKYq.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vHxqzBy.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VLjkwZp.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LsgqGGO.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KVDlmcN.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DvbRuWP.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fTggrCv.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LBtvpeN.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KLxACMT.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pwtfqyH.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uucTEag.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PiefZVt.exe	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 400 wrote to memory of 4908	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	KVDlmcN.exe
PID 400 wrote to memory of 4908	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	KVDlmcN.exe
PID 400 wrote to memory of 4988	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	DvbRuWP.exe
PID 400 wrote to memory of 4988	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	DvbRuWP.exe
PID 400 wrote to memory of 4772	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	fTggrCv.exe
PID 400 wrote to memory of 4772	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	fTggrCv.exe
PID 400 wrote to memory of 3916	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	YleCQRM.exe
PID 400 wrote to memory of 3916	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	YleCQRM.exe
PID 400 wrote to memory of 668	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	oiwAKYq.exe
PID 400 wrote to memory of 668	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	oiwAKYq.exe
PID 400 wrote to memory of 4540	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	vHxqzBy.exe
PID 400 wrote to memory of 4540	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	vHxqzBy.exe
PID 400 wrote to memory of 1300	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	VLjkwZp.exe
PID 400 wrote to memory of 1300	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	VLjkwZp.exe
PID 400 wrote to memory of 3736	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	LsgqGGO.exe
PID 400 wrote to memory of 3736	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	LsgqGGO.exe
PID 400 wrote to memory of 4592	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	pwtfqyH.exe
PID 400 wrote to memory of 4592	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	pwtfqyH.exe
PID 400 wrote to memory of 3940	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	lvdVjyg.exe
PID 400 wrote to memory of 3940	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	lvdVjyg.exe
PID 400 wrote to memory of 1832	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	uucTEag.exe
PID 400 wrote to memory of 1832	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	uucTEag.exe
PID 400 wrote to memory of 2328	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	PiefZVt.exe
PID 400 wrote to memory of 2328	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	PiefZVt.exe
PID 400 wrote to memory of 1196	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	PCBkPII.exe
PID 400 wrote to memory of 1196	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	PCBkPII.exe
PID 400 wrote to memory of 1584	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	mryDNaF.exe
PID 400 wrote to memory of 1584	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	mryDNaF.exe
PID 400 wrote to memory of 4916	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	FCVBqSQ.exe
PID 400 wrote to memory of 4916	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	FCVBqSQ.exe
PID 400 wrote to memory of 552	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	OTCahzM.exe
PID 400 wrote to memory of 552	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	OTCahzM.exe
PID 400 wrote to memory of 3416	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	LBtvpeN.exe
PID 400 wrote to memory of 3416	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	LBtvpeN.exe
PID 400 wrote to memory of 4460	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	KLxACMT.exe
PID 400 wrote to memory of 4460	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	KLxACMT.exe
PID 400 wrote to memory of 2316	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	tPCmHay.exe
PID 400 wrote to memory of 2316	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	tPCmHay.exe
PID 400 wrote to memory of 1052	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	jYhrqCD.exe
PID 400 wrote to memory of 1052	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	jYhrqCD.exe
PID 400 wrote to memory of 1628	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	ZGWGEPq.exe
PID 400 wrote to memory of 1628	400	2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe	ZGWGEPq.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_948b16d6bc2634ca4bc232cc372b3a6e_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\System\KVDlmcN.exe
  C:\Windows\System\KVDlmcN.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\DvbRuWP.exe
  C:\Windows\System\DvbRuWP.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\fTggrCv.exe
  C:\Windows\System\fTggrCv.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\YleCQRM.exe
  C:\Windows\System\YleCQRM.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\oiwAKYq.exe
  C:\Windows\System\oiwAKYq.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\vHxqzBy.exe
  C:\Windows\System\vHxqzBy.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\VLjkwZp.exe
  C:\Windows\System\VLjkwZp.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\LsgqGGO.exe
  C:\Windows\System\LsgqGGO.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\pwtfqyH.exe
  C:\Windows\System\pwtfqyH.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\lvdVjyg.exe
  C:\Windows\System\lvdVjyg.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\uucTEag.exe
  C:\Windows\System\uucTEag.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\PiefZVt.exe
  C:\Windows\System\PiefZVt.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\PCBkPII.exe
  C:\Windows\System\PCBkPII.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\mryDNaF.exe
  C:\Windows\System\mryDNaF.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\FCVBqSQ.exe
  C:\Windows\System\FCVBqSQ.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\OTCahzM.exe
  C:\Windows\System\OTCahzM.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\LBtvpeN.exe
  C:\Windows\System\LBtvpeN.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\KLxACMT.exe
  C:\Windows\System\KLxACMT.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\tPCmHay.exe
  C:\Windows\System\tPCmHay.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\jYhrqCD.exe
  C:\Windows\System\jYhrqCD.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\ZGWGEPq.exe
  C:\Windows\System\ZGWGEPq.exe
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DvbRuWP.exe

Filesize
5.2MB

MD5
927415d606bab7686a4c0183c90fecee

SHA1
4450390b7e02e5d727b93ab441e0e2a5656430b7

SHA256
d98300b9f529b5786e87c26d97f063545dc24c4956be1faa4ce53f9f45084acf

SHA512
df23f03ca28441ec5bc849673247bb68163734cca9e01eb12838933c4a65b014240adb62940f74a269f26beec5f4c5a4ee62c1b52fd99f9d27fd26c0846a5c57

Download Submit
C:\Windows\System\FCVBqSQ.exe

Filesize
5.2MB

MD5
522b4f2624686d475ce8011ab92c9424

SHA1
56a4f0bf351cdb7809e7f3d0937fa3f058c3f61f

SHA256
a5cc9f50c7618ad86a3a840f1a487b805a58595c466e2bce702ff0e30b194e0c

SHA512
32608062d4f9799db747b0d2f37f43dc680667da406350f67dcc86ed2c01182d2586524e775decfe41727ceae614f88870f1b78606b60b16cb91e33d29eb9c96

Download Submit
C:\Windows\System\KLxACMT.exe

Filesize
5.2MB

MD5
cba7ab085663a3e6a3f6116d610a2e19

SHA1
71a2893711ee65ca04ed0d6cbbc11a600de50c24

SHA256
c13dc7e89066248981bacf72ca8d98da1a8f470fac20313a2e1db8be77a2195f

SHA512
127d5d381157aa3032cb11ebca4d9ba258053336fb26b1575b32f48ef6e28b5b0d38fe5981ba649c8414fb1848c32ab202bfe1a3e9fb5b3214762d359f1f9091

Download Submit
C:\Windows\System\KVDlmcN.exe

Filesize
5.2MB

MD5
e12f23e9445ee9f6a8ba836e189e6d77

SHA1
cda9bd7f2f9172a3044b777093e753de564f20cb

SHA256
7fe1cb3c8caddd7efeaa7cafa974941cfce3d2f9595b5157ddd270d67cb661fd

SHA512
7a3f0de419b375a3b3aea438ab14bb09ae87b27b12c6f7a08c454b1d7ba84b437128f8e8528b83d1c97983348f73f8ab7e173c62bcb1a6e7b3cc1ff32d4cbddc

Download Submit
C:\Windows\System\LBtvpeN.exe

Filesize
5.2MB

MD5
3808d86556b08962f068699ce7df2ee2

SHA1
6ae3761eeb0ab1e4ac4f14bf8dff22e4c50577e8

SHA256
c8531e684ed0734e29eccd820c6e18debc23f2ea78d1175bf6a7fec7082f0501

SHA512
89fa6bed6093519a3dcee7a1f8af8fc1a0abf9623ef2b9dc09a5ae86c3c821556379eb9b436020200d9e89d7b57c21a253a81e27557e316f7023d7ea14e48490

Download Submit
C:\Windows\System\LsgqGGO.exe

Filesize
5.2MB

MD5
eb83518947af269765cd86613bacd333

SHA1
2e7b0221700ac9c63b54031b773056267cd358d4

SHA256
633452016b397e01130adea974e0daa29bcf8e038de272a08d3914776366d7cb

SHA512
4b6873151570fc2dcab758b8e2295d82ac00a611235d133b68a8220e7c34cf83742ca2261a64231100dfc87cd6ec823d0e223feebf063c33217b6c13a5dd7605

Download Submit
C:\Windows\System\OTCahzM.exe

Filesize
5.2MB

MD5
4e805a37f77104e3b9f99f87e770b338

SHA1
aa1da83cb6087759a0541fc0b349de11370367e2

SHA256
a446ea8b81df60a0acad8c5298d90a5b5c51f588365e42b3dbf827feb3f16bce

SHA512
fcdca4e29c5588740e989dcb73feee5947c03ca5648676e58860d9dc849d571fe8a81dae1fbfbacf587d159aa081dc014cede4b3c4ec9815ed2aeb8ade7ae3f9

Download Submit
C:\Windows\System\PCBkPII.exe

Filesize
5.2MB

MD5
f368368ec2116a70d76f9f1af3057b73

SHA1
7c629053c331445f9f6a95eee8af7540336fab62

SHA256
fa233d419cc86418d755cd766560c62dd3a142f969132e4eb6bd6f86913c09b3

SHA512
fa3a75c41c201e4be6a9048f008280e9ccdc0e76f60a1d8ac6a8600128224b92a287da85c0a3422027cd9528084e854f95e8862de0b23fa83d6b11e8893053b8

Download Submit
C:\Windows\System\PiefZVt.exe

Filesize
5.2MB

MD5
cda489281cba42775b7432194aa5446b

SHA1
1c3638454166a5fb12262f42f433818b1b9593bf

SHA256
94acd10f10bf9c21df5fb5a52dbe33816366b0972e572c3822c43fef350839bd

SHA512
b387fe23cba12844bd62c1382519af0bc833ae2d1def022348e707d55f99034e6a4f41615479f33cc080664c7bfc216c1c6fc2eaa7cee293e4f4b9c8b48dd0f1

Download Submit
C:\Windows\System\VLjkwZp.exe

Filesize
5.2MB

MD5
9c36f5518b10194cb4d33e7559c0a7f1

SHA1
efafce432503b5155947c41240de99c236f35132

SHA256
247c531bca19642eb7fcbcc3d1c0532ed78ba8f8076afac78e3b439881fea9be

SHA512
deca111b8ac4514806afc3d2f95882e4c7fd229c62f697647b703f9cd8359d59773db7e60433330008c639602515651c157291b46692010edb11c469bb76247b

Download Submit
C:\Windows\System\YleCQRM.exe

Filesize
5.2MB

MD5
8960cac03a1cceb591578abae5587689

SHA1
398add5d3e8308b82f9ab23ca396b3c41bfbdca0

SHA256
ea0978c5faaf0081d5d5c6bb168a23fa7f0967e94f38df3310d41dd7171bea79

SHA512
dd0d24c4f211f845175c10c20171032b0a56e3828c82da904afddd8cacf32991a17c6ce9efa0d53d545421343c2cac9f28ec1a20f9413908e3906180445d51c7

Download Submit
C:\Windows\System\ZGWGEPq.exe

Filesize
5.2MB

MD5
ca55b558af743b3e9020e843772bf99b

SHA1
baab419449d5c1fe79921e503d8896d19728e6a9

SHA256
dd9b418acb1976df31aeeb5109d7bcd050e38a081ca8ba9fdf9412f0ecd4c720

SHA512
a4fda3963a6334aea192a5c35e428d46718fbf5c97f7306c718db0ada17b3b770b20d41186a7718767df3defd414e9a0f333fa7eeaeb39e173b3545d20ef6c69

Download Submit
C:\Windows\System\fTggrCv.exe

Filesize
5.2MB

MD5
9d7bd3763570e269bc4cdb39a87dde4a

SHA1
d9c58990adb27571fd393be5a4366a6ae162fdf0

SHA256
31f98f53e6673c201033047c726848feac8471e34639c6407d060de734581296

SHA512
b2a4f7ed0b070271b18336c8476f463c9b3bd48313bac0e0b14294abcc5413dab24cabcc5d121686444aa6d1cf82236b91291d62afb752db735cbaeaf7c813b7

Download Submit
C:\Windows\System\jYhrqCD.exe

Filesize
5.2MB

MD5
f16f7727ba8e3b523cac9473829177f6

SHA1
ae00e1d7193c7656ca631f36a9587304ac54d581

SHA256
5820cc5aad2fc1ad08c59f650e3c3e31e164495e2acecf8b62ad15a05c401ba8

SHA512
77eb4f3ea70075cbe674d7b42f4e3efb1e3ec84644a6a8b5ac1b05dbb1f4fb6f6758f6c617da44102dfda39b88c52a39ea54cef5744fc1ec513a4afe024bd716

Download Submit
C:\Windows\System\lvdVjyg.exe

Filesize
5.2MB

MD5
98c9b6a543b41b6e4c116f37ae4e6a6c

SHA1
cf3fe44c59cccd3a0566160cc826b8edab196774

SHA256
ee7bc0c38208c8844e073f3029c449f9665a63821b1a1be10414539eba01fa15

SHA512
f966d2eb616dc73dd6cb4f41a1bd1531ca2078c80f3dcf99856c308b0033c3119479ce16121232c3191b19d1ac15b7384978447abe8ba06ee48c8b5a77aaf8e3

Download Submit
C:\Windows\System\mryDNaF.exe

Filesize
5.2MB

MD5
71991114721af3ad217f3cf447a3a0ed

SHA1
2b86a3cc7245babb0d4d41c50905522a9dc43646

SHA256
e3cfc701ba0897e8713daa6a81f3c9ca4ce63aace8f2428b72880e08de7cf425

SHA512
d8bcd6bbf27af52369baab0692c7c8bd1339fc34b02a758ed955de0434dcdcc16830cfef17397180221d045e27e1e887fc16fd06180a32d0f97369f8ded3cde8

Download Submit
C:\Windows\System\oiwAKYq.exe

Filesize
5.2MB

MD5
90b67e0bf209e7b16ae4a4cd481c4bde

SHA1
9ac90fdcab228909d5e797b9ef22b8286ee640ae

SHA256
6da4cf6db22b7a9b5fc8b5cc64caa1ddb5ef5533411d5466bad854f108cee866

SHA512
20e5a642266f996e2e1e1e04748446b2475ec4c42708d3e30a5d4afdfd7a02dd0378b9a3e4e7d7c6f84886ce6fca70de3175dcb042bc97963e2c839ca13a8f54

Download Submit
C:\Windows\System\pwtfqyH.exe

Filesize
5.2MB

MD5
fb7add64d622bf0825e439e7110b932e

SHA1
228cc353916e2c7d8323c0e4e1ea133713c5a348

SHA256
54add59193e194ca178d5ab622ef0ea424dcd20aa4fb2496495019240726cb02

SHA512
b225742bf1647ba29129d0172416436e2775613de6020cbd7d01b80f69b613daeccd8b19258a8bbcab7afb5c0e10037600c3e6887d17f44dce29226eaa900f90

Download Submit
C:\Windows\System\tPCmHay.exe

Filesize
5.2MB

MD5
3e80b1ed79e834802650cfa9eeaf963f

SHA1
6f4c1299bb001a6ca95f065cb92d39c247764075

SHA256
0ce9400d92b7d94bf6c300754c91aefcedebdc307fa8110c81140304d5e83658

SHA512
34cf09ba558ad4b0752fdfe5e09615e3f7dbbad2484ebd4ad3d60b8f3f70bc272e2ee9a1702c5736f5ba32df30b3eac5b2ead9719881816bcfb18264e7377a40

Download Submit
C:\Windows\System\uucTEag.exe

Filesize
5.2MB

MD5
1be2042b9bb868ead11e76ebafc7fbf0

SHA1
44fb3f53a1e9f8f8fe0817b2fe1f24ac75749067

SHA256
d9331f1e8a09f3e46ff01933de5ce0bad3518d6dd61ecd2bf268691f31ea4d99

SHA512
d7754f90d10b5a06c932280c67126bc3b7e65a1351e973c217b9767e845e126e9222194db402b7d4a851ae84c489424e7301522ecc8924e43264d2bb8dbe8298

Download Submit
C:\Windows\System\vHxqzBy.exe

Filesize
5.2MB

MD5
32131849f102e2f9cdcb2e8a2eb511b3

SHA1
668061e471d99d7a03d11611af22c8e9a66b512e

SHA256
c83f6a0b2f148867027babf2ceed6b63f1ae8bfc52f10de6f05072a934235cce

SHA512
f1c468ceb934d5f2ee7f8bad17c9ea3c4d5b5de5c7378b3b65a3685be1aac93ec2b3df57debc665e4555c61be4f7ab860f9596f5c7bb16e317c125500f4a028b

Download Submit
memory/400-154-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp

Filesize
3.3MB

Download
memory/400-1-0x000001E03BF50000-0x000001E03BF60000-memory.dmp

Filesize
64KB

Download
memory/400-132-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp

Filesize
3.3MB

Download
memory/400-0-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp

Filesize
3.3MB

Download
memory/400-66-0x00007FF60E4C0000-0x00007FF60E811000-memory.dmp

Filesize
3.3MB

Download
memory/552-108-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/552-240-0x00007FF61AF60000-0x00007FF61B2B1000-memory.dmp

Filesize
3.3MB

Download
memory/668-35-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp

Filesize
3.3MB

Download
memory/668-206-0x00007FF6B6710000-0x00007FF6B6A61000-memory.dmp

Filesize
3.3MB

Download
memory/1052-130-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-254-0x00007FF79D450000-0x00007FF79D7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-233-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1196-105-0x00007FF7EF350000-0x00007FF7EF6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-43-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-226-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-139-0x00007FF744A90000-0x00007FF744DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-86-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp

Filesize
3.3MB

Download
memory/1584-235-0x00007FF65E4F0000-0x00007FF65E841000-memory.dmp

Filesize
3.3MB

Download
memory/1628-253-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-131-0x00007FF6C6A70000-0x00007FF6C6DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1832-230-0x00007FF672F10000-0x00007FF673261000-memory.dmp

Filesize
3.3MB

Download
memory/1832-73-0x00007FF672F10000-0x00007FF673261000-memory.dmp

Filesize
3.3MB

Download
memory/2316-129-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp

Filesize
3.3MB

Download
memory/2316-250-0x00007FF7D4D20000-0x00007FF7D5071000-memory.dmp

Filesize
3.3MB

Download
memory/2328-244-0x00007FF795940000-0x00007FF795C91000-memory.dmp

Filesize
3.3MB

Download
memory/2328-104-0x00007FF795940000-0x00007FF795C91000-memory.dmp

Filesize
3.3MB

Download
memory/3416-248-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp

Filesize
3.3MB

Download
memory/3416-107-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp

Filesize
3.3MB

Download
memory/3416-149-0x00007FF7877B0000-0x00007FF787B01000-memory.dmp

Filesize
3.3MB

Download
memory/3736-140-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-50-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3736-228-0x00007FF6EE870000-0x00007FF6EEBC1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-31-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-207-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3916-125-0x00007FF763C60000-0x00007FF763FB1000-memory.dmp

Filesize
3.3MB

Download
memory/3940-238-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp

Filesize
3.3MB

Download
memory/3940-71-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp

Filesize
3.3MB

Download
memory/3940-142-0x00007FF7BDA70000-0x00007FF7BDDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4460-128-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp

Filesize
3.3MB

Download
memory/4460-247-0x00007FF7B94D0000-0x00007FF7B9821000-memory.dmp

Filesize
3.3MB

Download
memory/4540-138-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/4540-209-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/4540-36-0x00007FF767830000-0x00007FF767B81000-memory.dmp

Filesize
3.3MB

Download
memory/4592-141-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp

Filesize
3.3MB

Download
memory/4592-237-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp

Filesize
3.3MB

Download
memory/4592-60-0x00007FF6A5230000-0x00007FF6A5581000-memory.dmp

Filesize
3.3MB

Download
memory/4772-124-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/4772-203-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/4772-18-0x00007FF7355D0000-0x00007FF735921000-memory.dmp

Filesize
3.3MB

Download
memory/4908-11-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp

Filesize
3.3MB

Download
memory/4908-199-0x00007FF7DB5C0000-0x00007FF7DB911000-memory.dmp

Filesize
3.3MB

Download
memory/4916-243-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp

Filesize
3.3MB

Download
memory/4916-106-0x00007FF77F700000-0x00007FF77FA51000-memory.dmp

Filesize
3.3MB

Download
memory/4988-90-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp

Filesize
3.3MB

Download
memory/4988-16-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp

Filesize
3.3MB

Download
memory/4988-201-0x00007FF62DC30000-0x00007FF62DF81000-memory.dmp

Filesize
3.3MB

Download