cobaltstrike | b4b402e0f7640b81947e5f1684c6204849df5d6daace2f1850b40e2f037134f8

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

35dea998155a67464d053b87b0529569
SHA1

2c719ed8e75e27eae732db986c3ccb2ff38a4724
SHA256

b4b402e0f7640b81947e5f1684c6204849df5d6daace2f1850b40e2f037134f8
SHA512

c5de200ce92e5ccfb8e8300904cd159c1dbdc1a426e56195276800f75e1df022e789b690e17c0f829a77d1c250f8d215ea92158be00a6be4545784f2ba2d02fa
SSDEEP

98304:demTLkNdfE0pZ3656utgpPFotBER/mQ32lUU:E+v56utgpPF8u/7U

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\DxIzaII.exe	cobalt_reflective_dll
C:\Windows\system\mIzQXzR.exe	cobalt_reflective_dll
C:\Windows\system\VgFLSaQ.exe	cobalt_reflective_dll
C:\Windows\system\YtxzdJB.exe	cobalt_reflective_dll
C:\Windows\system\NOcsSBQ.exe	cobalt_reflective_dll
C:\Windows\system\JNQewVI.exe	cobalt_reflective_dll
C:\Windows\system\jtNrVTn.exe	cobalt_reflective_dll
C:\Windows\system\HKybwcK.exe	cobalt_reflective_dll
C:\Windows\system\zKiyfMX.exe	cobalt_reflective_dll
C:\Windows\system\CCKOZhU.exe	cobalt_reflective_dll
C:\Windows\system\VuIueoO.exe	cobalt_reflective_dll
\Windows\system\vKpMymg.exe	cobalt_reflective_dll
\Windows\system\ckzDmLO.exe	cobalt_reflective_dll
\Windows\system\WRSNbKx.exe	cobalt_reflective_dll
\Windows\system\ZgakzTq.exe	cobalt_reflective_dll
C:\Windows\system\fnBwXMw.exe	cobalt_reflective_dll
\Windows\system\ffyNvqk.exe	cobalt_reflective_dll
C:\Windows\system\mjRWIFL.exe	cobalt_reflective_dll
\Windows\system\IrxttvH.exe	cobalt_reflective_dll
C:\Windows\system\wuyrqnp.exe	cobalt_reflective_dll
C:\Windows\system\cYNJmLJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\DxIzaII.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mIzQXzR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VgFLSaQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\YtxzdJB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\NOcsSBQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\JNQewVI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\jtNrVTn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\HKybwcK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\zKiyfMX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\CCKOZhU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\VuIueoO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\vKpMymg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ckzDmLO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\WRSNbKx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ZgakzTq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\fnBwXMw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\ffyNvqk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\mjRWIFL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\IrxttvH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\wuyrqnp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\cYNJmLJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
\Windows\system\DxIzaII.exe	UPX
C:\Windows\system\mIzQXzR.exe	UPX
behavioral1/memory/2948-15-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/3052-13-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
C:\Windows\system\VgFLSaQ.exe	UPX
C:\Windows\system\YtxzdJB.exe	UPX
behavioral1/memory/2532-27-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2600-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2688-40-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
C:\Windows\system\NOcsSBQ.exe	UPX
behavioral1/memory/2916-49-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
C:\Windows\system\JNQewVI.exe	UPX
behavioral1/memory/2864-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2412-61-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/3052-60-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
C:\Windows\system\jtNrVTn.exe	UPX
behavioral1/memory/2244-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	UPX
C:\Windows\system\HKybwcK.exe	UPX
behavioral1/memory/2436-54-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
C:\Windows\system\zKiyfMX.exe	UPX
behavioral1/memory/2952-34-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
C:\Windows\system\CCKOZhU.exe	UPX
C:\Windows\system\VuIueoO.exe	UPX
\Windows\system\vKpMymg.exe	UPX
behavioral1/memory/2652-81-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
\Windows\system\ckzDmLO.exe	UPX
behavioral1/memory/2532-89-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
\Windows\system\WRSNbKx.exe	UPX
\Windows\system\ZgakzTq.exe	UPX
C:\Windows\system\fnBwXMw.exe	UPX
\Windows\system\ffyNvqk.exe	UPX
C:\Windows\system\mjRWIFL.exe	UPX
\Windows\system\IrxttvH.exe	UPX
C:\Windows\system\wuyrqnp.exe	UPX
C:\Windows\system\cYNJmLJ.exe	UPX
behavioral1/memory/2952-102-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2244-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/memory/2648-79-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2688-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2436-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2412-139-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2864-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2648-143-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2652-144-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2948-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/3052-147-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/memory/2600-148-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2532-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2952-150-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2688-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp	UPX
behavioral1/memory/2916-152-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2436-153-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/memory/2412-154-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/2864-155-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2652-157-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2648-156-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
\Windows\system\DxIzaII.exe	xmrig
C:\Windows\system\mIzQXzR.exe	xmrig
behavioral1/memory/2948-15-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/3052-13-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
C:\Windows\system\VgFLSaQ.exe	xmrig
C:\Windows\system\YtxzdJB.exe	xmrig
behavioral1/memory/2532-27-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2600-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2688-40-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
C:\Windows\system\NOcsSBQ.exe	xmrig
behavioral1/memory/2916-49-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
C:\Windows\system\JNQewVI.exe	xmrig
behavioral1/memory/2244-67-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2864-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2412-61-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/3052-60-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
C:\Windows\system\jtNrVTn.exe	xmrig
behavioral1/memory/2244-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	xmrig
C:\Windows\system\HKybwcK.exe	xmrig
behavioral1/memory/2436-54-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
C:\Windows\system\zKiyfMX.exe	xmrig
behavioral1/memory/2952-34-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
C:\Windows\system\CCKOZhU.exe	xmrig
C:\Windows\system\VuIueoO.exe	xmrig
\Windows\system\vKpMymg.exe	xmrig
behavioral1/memory/2652-81-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
\Windows\system\ckzDmLO.exe	xmrig
behavioral1/memory/2532-89-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
\Windows\system\WRSNbKx.exe	xmrig
\Windows\system\ZgakzTq.exe	xmrig
C:\Windows\system\fnBwXMw.exe	xmrig
\Windows\system\ffyNvqk.exe	xmrig
C:\Windows\system\mjRWIFL.exe	xmrig
\Windows\system\IrxttvH.exe	xmrig
C:\Windows\system\wuyrqnp.exe	xmrig
C:\Windows\system\cYNJmLJ.exe	xmrig
behavioral1/memory/2952-102-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2244-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2244-99-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2648-79-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2688-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2436-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2412-139-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2864-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2648-143-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2652-144-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2244-145-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2948-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/3052-147-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/2600-148-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2532-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2952-150-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2688-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2916-152-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2436-153-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2412-154-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2864-155-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2652-157-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2648-156-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

DxIzaII.exemIzQXzR.exeVgFLSaQ.exeYtxzdJB.exeCCKOZhU.exezKiyfMX.exeHKybwcK.exeNOcsSBQ.exejtNrVTn.exeJNQewVI.exeVuIueoO.exevKpMymg.exeWRSNbKx.execkzDmLO.exeZgakzTq.execYNJmLJ.exewuyrqnp.exefnBwXMw.exeffyNvqk.exemjRWIFL.exeIrxttvH.exe

pid	process
2948	DxIzaII.exe
3052	mIzQXzR.exe
2600	VgFLSaQ.exe
2532	YtxzdJB.exe
2952	CCKOZhU.exe
2688	zKiyfMX.exe
2916	HKybwcK.exe
2436	NOcsSBQ.exe
2412	jtNrVTn.exe
2864	JNQewVI.exe
2648	VuIueoO.exe
2652	vKpMymg.exe
2100	WRSNbKx.exe
1856	ckzDmLO.exe
1632	ZgakzTq.exe
1960	cYNJmLJ.exe
340	wuyrqnp.exe
2160	fnBwXMw.exe
848	ffyNvqk.exe
1128	mjRWIFL.exe
1964	IrxttvH.exe

Loads dropped DLL 21 IoCs

Processes:

2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

pid	process
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
\Windows\system\DxIzaII.exe	upx
C:\Windows\system\mIzQXzR.exe	upx
behavioral1/memory/2948-15-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/3052-13-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
C:\Windows\system\VgFLSaQ.exe	upx
C:\Windows\system\YtxzdJB.exe	upx
behavioral1/memory/2532-27-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2600-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2688-40-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
C:\Windows\system\NOcsSBQ.exe	upx
behavioral1/memory/2916-49-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
C:\Windows\system\JNQewVI.exe	upx
behavioral1/memory/2864-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2412-61-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/3052-60-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
C:\Windows\system\jtNrVTn.exe	upx
behavioral1/memory/2244-48-0x000000013F3B0000-0x000000013F704000-memory.dmp	upx
C:\Windows\system\HKybwcK.exe	upx
behavioral1/memory/2436-54-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
C:\Windows\system\zKiyfMX.exe	upx
behavioral1/memory/2952-34-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
C:\Windows\system\CCKOZhU.exe	upx
C:\Windows\system\VuIueoO.exe	upx
\Windows\system\vKpMymg.exe	upx
behavioral1/memory/2652-81-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
\Windows\system\ckzDmLO.exe	upx
behavioral1/memory/2532-89-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
\Windows\system\WRSNbKx.exe	upx
\Windows\system\ZgakzTq.exe	upx
C:\Windows\system\fnBwXMw.exe	upx
\Windows\system\ffyNvqk.exe	upx
C:\Windows\system\mjRWIFL.exe	upx
\Windows\system\IrxttvH.exe	upx
C:\Windows\system\wuyrqnp.exe	upx
C:\Windows\system\cYNJmLJ.exe	upx
behavioral1/memory/2952-102-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2244-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2648-79-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2688-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2436-138-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2412-139-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2864-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2648-143-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2652-144-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2948-146-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/3052-147-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/2600-148-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2532-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2952-150-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2688-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2916-152-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2436-153-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2412-154-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2864-155-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2652-157-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2648-156-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\mjRWIFL.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKiyfMX.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WRSNbKx.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cYNJmLJ.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ffyNvqk.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ckzDmLO.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CCKOZhU.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HKybwcK.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VuIueoO.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vKpMymg.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VgFLSaQ.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NOcsSBQ.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jtNrVTn.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZgakzTq.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wuyrqnp.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fnBwXMw.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IrxttvH.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DxIzaII.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mIzQXzR.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YtxzdJB.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JNQewVI.exe	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 2244 wrote to memory of 2948	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	DxIzaII.exe
PID 2244 wrote to memory of 2948	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	DxIzaII.exe
PID 2244 wrote to memory of 2948	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	DxIzaII.exe
PID 2244 wrote to memory of 3052	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mIzQXzR.exe
PID 2244 wrote to memory of 3052	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mIzQXzR.exe
PID 2244 wrote to memory of 3052	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mIzQXzR.exe
PID 2244 wrote to memory of 2600	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VgFLSaQ.exe
PID 2244 wrote to memory of 2600	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VgFLSaQ.exe
PID 2244 wrote to memory of 2600	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VgFLSaQ.exe
PID 2244 wrote to memory of 2532	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	YtxzdJB.exe
PID 2244 wrote to memory of 2532	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	YtxzdJB.exe
PID 2244 wrote to memory of 2532	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	YtxzdJB.exe
PID 2244 wrote to memory of 2952	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	CCKOZhU.exe
PID 2244 wrote to memory of 2952	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	CCKOZhU.exe
PID 2244 wrote to memory of 2952	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	CCKOZhU.exe
PID 2244 wrote to memory of 2688	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	zKiyfMX.exe
PID 2244 wrote to memory of 2688	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	zKiyfMX.exe
PID 2244 wrote to memory of 2688	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	zKiyfMX.exe
PID 2244 wrote to memory of 2916	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	HKybwcK.exe
PID 2244 wrote to memory of 2916	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	HKybwcK.exe
PID 2244 wrote to memory of 2916	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	HKybwcK.exe
PID 2244 wrote to memory of 2436	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	NOcsSBQ.exe
PID 2244 wrote to memory of 2436	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	NOcsSBQ.exe
PID 2244 wrote to memory of 2436	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	NOcsSBQ.exe
PID 2244 wrote to memory of 2412	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	jtNrVTn.exe
PID 2244 wrote to memory of 2412	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	jtNrVTn.exe
PID 2244 wrote to memory of 2412	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	jtNrVTn.exe
PID 2244 wrote to memory of 2864	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	JNQewVI.exe
PID 2244 wrote to memory of 2864	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	JNQewVI.exe
PID 2244 wrote to memory of 2864	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	JNQewVI.exe
PID 2244 wrote to memory of 2648	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VuIueoO.exe
PID 2244 wrote to memory of 2648	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VuIueoO.exe
PID 2244 wrote to memory of 2648	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	VuIueoO.exe
PID 2244 wrote to memory of 2652	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	vKpMymg.exe
PID 2244 wrote to memory of 2652	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	vKpMymg.exe
PID 2244 wrote to memory of 2652	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	vKpMymg.exe
PID 2244 wrote to memory of 1632	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ZgakzTq.exe
PID 2244 wrote to memory of 1632	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ZgakzTq.exe
PID 2244 wrote to memory of 1632	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ZgakzTq.exe
PID 2244 wrote to memory of 2100	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	WRSNbKx.exe
PID 2244 wrote to memory of 2100	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	WRSNbKx.exe
PID 2244 wrote to memory of 2100	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	WRSNbKx.exe
PID 2244 wrote to memory of 1960	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	cYNJmLJ.exe
PID 2244 wrote to memory of 1960	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	cYNJmLJ.exe
PID 2244 wrote to memory of 1960	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	cYNJmLJ.exe
PID 2244 wrote to memory of 1856	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ckzDmLO.exe
PID 2244 wrote to memory of 1856	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ckzDmLO.exe
PID 2244 wrote to memory of 1856	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ckzDmLO.exe
PID 2244 wrote to memory of 340	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	wuyrqnp.exe
PID 2244 wrote to memory of 340	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	wuyrqnp.exe
PID 2244 wrote to memory of 340	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	wuyrqnp.exe
PID 2244 wrote to memory of 2160	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	fnBwXMw.exe
PID 2244 wrote to memory of 2160	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	fnBwXMw.exe
PID 2244 wrote to memory of 2160	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	fnBwXMw.exe
PID 2244 wrote to memory of 848	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ffyNvqk.exe
PID 2244 wrote to memory of 848	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ffyNvqk.exe
PID 2244 wrote to memory of 848	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	ffyNvqk.exe
PID 2244 wrote to memory of 1128	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mjRWIFL.exe
PID 2244 wrote to memory of 1128	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mjRWIFL.exe
PID 2244 wrote to memory of 1128	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	mjRWIFL.exe
PID 2244 wrote to memory of 1964	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	IrxttvH.exe
PID 2244 wrote to memory of 1964	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	IrxttvH.exe
PID 2244 wrote to memory of 1964	2244	2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe	IrxttvH.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_35dea998155a67464d053b87b0529569_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\System\DxIzaII.exe
C:\Windows\System\DxIzaII.exe
2⤵
- Executes dropped EXE
PID:2948

C:\Windows\System\mIzQXzR.exe
C:\Windows\System\mIzQXzR.exe
2⤵
- Executes dropped EXE
PID:3052

C:\Windows\System\VgFLSaQ.exe
C:\Windows\System\VgFLSaQ.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\YtxzdJB.exe
C:\Windows\System\YtxzdJB.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\CCKOZhU.exe
C:\Windows\System\CCKOZhU.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\zKiyfMX.exe
C:\Windows\System\zKiyfMX.exe
2⤵
- Executes dropped EXE
PID:2688

C:\Windows\System\HKybwcK.exe
C:\Windows\System\HKybwcK.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\NOcsSBQ.exe
C:\Windows\System\NOcsSBQ.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\jtNrVTn.exe
C:\Windows\System\jtNrVTn.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\JNQewVI.exe
C:\Windows\System\JNQewVI.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\VuIueoO.exe
C:\Windows\System\VuIueoO.exe
2⤵
- Executes dropped EXE
PID:2648

C:\Windows\System\vKpMymg.exe
C:\Windows\System\vKpMymg.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\ZgakzTq.exe
C:\Windows\System\ZgakzTq.exe
2⤵
- Executes dropped EXE
PID:1632

C:\Windows\System\WRSNbKx.exe
C:\Windows\System\WRSNbKx.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\cYNJmLJ.exe
C:\Windows\System\cYNJmLJ.exe
2⤵
- Executes dropped EXE
PID:1960

C:\Windows\System\ckzDmLO.exe
C:\Windows\System\ckzDmLO.exe
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\System\wuyrqnp.exe
C:\Windows\System\wuyrqnp.exe
2⤵
- Executes dropped EXE
PID:340

C:\Windows\System\fnBwXMw.exe
C:\Windows\System\fnBwXMw.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\ffyNvqk.exe
C:\Windows\System\ffyNvqk.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\mjRWIFL.exe
C:\Windows\System\mjRWIFL.exe
2⤵
- Executes dropped EXE
PID:1128

C:\Windows\System\IrxttvH.exe
C:\Windows\System\IrxttvH.exe
2⤵
- Executes dropped EXE
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CCKOZhU.exe
Filesize
6.0MB

MD5
113f5e82e776c62c95d0185a14c8631a

SHA1
813d2b3259bc30d2dd1b655fee35f7424ea2cf42

SHA256
52add01b6daca54a5a593fc86a17657e1704b80e723f9efe193c2c503d228c80

SHA512
355bdd4a99d4d620753504a202fcefe74adc92d4424847821c9d6c928a90337bb77e144c56d8864599fd9790c8a967c4b50c8a27ecb385e5da3e0962d32a6430

Download Submit
C:\Windows\system\HKybwcK.exe
Filesize
6.0MB

MD5
4300d8da89c5f32b8ce85daa9d2b5184

SHA1
c70034527e81cc1c6ef7d457882319833d730d0d

SHA256
f008d7b06de57fb463054c654e1adf6c2fd6fe4151e9094566abd8cd75b99879

SHA512
d25f14485909b4b6575fc3a2adb9c404ea0fec588d8a770b935eac549edebcddbda9bdc9687716fb88d39e048e26b93c05943f013bd7432abea310b9ab066e32

Download Submit
C:\Windows\system\JNQewVI.exe
Filesize
6.0MB

MD5
be0a026f538ed0ee508623a6ce869306

SHA1
a2b97b219547529ba3c9d8ed43ac6f8f229c469d

SHA256
15908e51589910930855fb401a30af7e6c37126c2b4ebcd65928f8ce110c485e

SHA512
9234135a5887324b831317169cc288a61f6810d35fd5bb688910b4da710d68834bb551502f8e6f1b25ef36d964b7886c1f843797ae057bf0f9077afb686aff07

Download Submit
C:\Windows\system\NOcsSBQ.exe
Filesize
6.0MB

MD5
46a3c2b142926598121679454f808348

SHA1
c1f62c42ec616f7cebcfb786a421c731e5213132

SHA256
51333562ee088d1e5e65648169f68ab4ad8bc0b240f93a8c32a942470763d5e1

SHA512
39d47459d76c69fa439567723aee892f932b2b7da86ac01d2bb1d9ce01f981d35beb7d05aed446f33503f27cbf64d582944ab5de5fb322fe68df145a829e7c39

Download Submit
C:\Windows\system\VgFLSaQ.exe
Filesize
5.9MB

MD5
9efbca84df6d1084dd149e36b7e20229

SHA1
714735c167eedca79506d10227f4ada2da5b4e26

SHA256
e5296df7e867751e69ebc545638287c221b1f659e4388598729c684a85cac3fd

SHA512
3d2ce795599c5874b3266a430593a8abf30cef13268eb7de1ece83fdb389ee7703cba6a42837605eb45fe894b061e8fb9abf4a439ec3bc22a6d7cfe7e860461c

Download Submit
C:\Windows\system\VuIueoO.exe
Filesize
6.0MB

MD5
a5cfbd583fcc8361f9525d751b138df8

SHA1
aba4787d37c2496693b99642f8c97366c3b1fa76

SHA256
22cdf76c860f622099762c8ef7a5630bf7a5c4bf2a242675fd0e1ce4faac2e36

SHA512
4963a7bb30e194b36ff98d49c150803387d27b3bfd969b96e9c17fb81693bb20e40edd9c7d9dcc69790df46219f65c7cf1cfc31979ad8db53dc765463ddb019b

Download Submit
C:\Windows\system\YtxzdJB.exe
Filesize
5.9MB

MD5
5c5c7edf0e18ba6b7e1d0187f8da38ba

SHA1
fb5cbecebd17e87b6bd67b0bf078db5c6adc5e71

SHA256
7fc637a12cf190f898ee408cd258a3abbbee19b75d77e481c2d7a6bb46db4d02

SHA512
addef5ca00d383f0be0f28939e3c0338eb4fe7f3d850887dd2075f9bff75c5aa670fae92c10bf51a8fcba42829ad2f0d18139e7270adcb76a96da3fdbc1ed518

Download Submit
C:\Windows\system\cYNJmLJ.exe
Filesize
6.0MB

MD5
958b6b34d2f797748c09b07d4efb06fa

SHA1
6f5525774d23203f7c94f862b9d51966b6b4c6c6

SHA256
6fa8e32b3f9679f00c12d834e8e5379c6a9e501ae29931d36cf06f6fab9d8197

SHA512
35445a2aa63457abb1db5fcb510f951c8df13a76e61c7a8b4557be3de2d3fcc64ba5cb19d1666b20eea95c2059ec3ea673d7b0657d5f53cd4a2306518601a2bf

Download Submit
C:\Windows\system\fnBwXMw.exe
Filesize
6.0MB

MD5
a967a5357417bb109cf294b906196f36

SHA1
e915259629250f0b1f97ba6378bc98aff29865a0

SHA256
185d10d5282d45b9bc6dad87d0b5b02445a2b0e2e212f64ece1e2e37438a0d5a

SHA512
b7537a09fbd119e3983e3500d659f382954e6850006473671fda83e07d79e8e44a4d5f60894dd1840392a23c19d13e552c9deec3f06f532741a5951d90ff626c

Download Submit
C:\Windows\system\jtNrVTn.exe
Filesize
6.0MB

MD5
e96f9a84cc811b5c4c207a58b09f67c8

SHA1
848692c18410c82abb7b68d24da3579dd6862d23

SHA256
b0ca8b7674e1ab15ac7d2a737026d480c471f67aca724da08040c8be4812e84d

SHA512
de6023ea3c83735fb6aecf2b5eea4ab12762e38e50305d373d54f1697e192019688afcad4e0eafa6bd23b37f6bdac79277127c4ef7e06f4c5a6a3b60779fd8c0

Download Submit
C:\Windows\system\mIzQXzR.exe
Filesize
5.9MB

MD5
de182cebb706356ef50cf98a3378169e

SHA1
88a419b2f857263b4862fb1ec0b8ae7ff756dbaf

SHA256
8b899f4d1e27b7f93ccc5a2ab586b395ea13d2aa90449ede75aa475e4a483f88

SHA512
17534a07a079b32255519759b85036ca2f20477909bd79a07fed0fb1d0ca4e879ea7fe5ec7ea9edfa9a6cf870ce98499dd1d048f1d2f9fb3a4df7ccd0ba1765c

Download Submit
C:\Windows\system\mjRWIFL.exe
Filesize
6.0MB

MD5
0a6cd5c728ceaa57952f80d2e20988b0

SHA1
1754305e3fdeeb80c32954c2153ff527892a0708

SHA256
82e41bdedaf5393f5e49c14355574751d07be4ce765d537f0dff1e35f64d0389

SHA512
013e76cbb48caad37b079cfdd00b749d46da2de4e994bc2d72dd8f62097b9820d53795d01fbcfaef53c09b94a13b934507a21f367a3db5925cad439dcbd54314

Download Submit
C:\Windows\system\wuyrqnp.exe
Filesize
6.0MB

MD5
d29494d245a497ea4287e09e13272f64

SHA1
8496c6da8cc2b0b560ec94b1858046d5bbf85fa5

SHA256
aea7099fb2cdae17cc3354bd9388d432ed1c92826aa8a24aaae54ae47361f6c4

SHA512
7a97d273df86b6bc13a15af8c394c772e80f53f2d5eb200c3dc26a4667016cec8920d17baa40e3de77b5d56d2a51bb4c2c572ac2ad548c3078c59d27c6d43131

Download Submit
C:\Windows\system\zKiyfMX.exe
Filesize
6.0MB

MD5
314b7649c0a8571144e39e3a054fd47a

SHA1
391a431bb2ad49a11bef4348fcf5c490a7c39b13

SHA256
ec99478fb90f3227fdf20bd784e959f7ef3bbaf7a94fdd167c6db97c9b110844

SHA512
4e5aac264c15afa29d447572c391bda00bdf41097ac6c33658e04ace1e94d93a5e5729c1c6372717ee899034ed4034a122f907aa97e3310668449c3ebce4b7af

Download Submit
\Windows\system\DxIzaII.exe
Filesize
5.9MB

MD5
6186226aa28d004d5926da800da54619

SHA1
3b1417318d018edf7e08ae2e35c7f68883e93cd2

SHA256
76a8ab25e057c1d156d67a20ec1e75fa94596e34bcfa96df4ca451f2c9822af7

SHA512
21ab075192fc05d015abd726c72eeba3d9c6133118c687d5b766a2b7f676b8925c745e6212db928b77ea8261f6b7bf0fb00ee64a56b745b01e3950b6ac453aab

Download Submit
\Windows\system\IrxttvH.exe
Filesize
6.0MB

MD5
786c3cbc9715bf25aa8125fcbfc7d725

SHA1
82181e23b93a6b0647a5df064870a5e95985ef72

SHA256
c440b42841fd68b54737ac50fc236f2abf1f53e820363aa4f24c6d77350c160f

SHA512
86d7e04acbb1593dc626157da85508172a33ed3af65fc1bd5d38545ee84aaae5d512160b9e94a05761ae2c8532dabdf968219a71a554c20f067a8887bdd154c4

Download Submit
\Windows\system\WRSNbKx.exe
Filesize
6.0MB

MD5
84612db5de0208a6c4a5a0cba6a1198f

SHA1
6da1a303771deeca0d1981ddbfd45f491d87dc11

SHA256
b024cf2fa288d0321365cea8637bbcd07df56dd909bb929879cad5019e2b3fe3

SHA512
2d57898a7cedd8be82cc9a66f5aec6468c3abfa12098fb543810a89735e5baff7b6b99f4f229cedbdf5a4be1eff8643aa7caa5e46804d6ff8046fad275cb2477

Download Submit
\Windows\system\ZgakzTq.exe
Filesize
6.0MB

MD5
f3b33560a37599fe74bb4d0b494ed285

SHA1
77700dbe118705cb5ed52b6852662b60dabf38cb

SHA256
f87df1ecd06a789a5ed20b8fa07400eb273f8dfa402e41bc4b147f605e96544f

SHA512
fcf06cbb9d7933e07fb9f5a95c2883e9bc918c6b34feb7451331b531603437bdab762205c374509425abebb7a29d987be7367004741a01ebe1c964fdaef4a93b

Download Submit
\Windows\system\ckzDmLO.exe
Filesize
6.0MB

MD5
d461e8d9a661fa14bf2f2516070dd075

SHA1
c4216d676229a034d284d6bee132cfd0e38803f4

SHA256
ac4f38c0195dca3cbc9b94514d9bd6096bfd9e1ee40ace68150073871f7f04ef

SHA512
9286813f90534f85c855749fa46e2d900e437f15eed108daf4b4255d59a9bbbee8abe0f938309639c89b525405ab58573dfed9df8f9aa18e45bc758dbbad330d

Download Submit
\Windows\system\ffyNvqk.exe
Filesize
6.0MB

MD5
12b9318a2f62c59b18c791bfbeb8480c

SHA1
e6917a5af0ff04009949741f182660847b73a28d

SHA256
923bc6be908580f9305a779edc8f74438bb9d6b94eb760a76e99c9aa7993e23a

SHA512
958e76d23ff2e5bce5af598f34ab8c11da6493e29402a48e9b1dbc351563e48e0c4b8a5c9917fe595e5d614ddbdf485c44ac7b3a7ca30508dfa48b85360e29fe

Download Submit
\Windows\system\vKpMymg.exe
Filesize
6.0MB

MD5
f8e61f551382068fe46aadc069e2cef6

SHA1
d3b6847726ef0040b43a4fc0dcd0bf64b5ba598d

SHA256
3f4f901ca06dad129df86204b7b866384f8cfa6606fda6c26d0e7038d39870d0

SHA512
d4577bcb4b6f3c8d148c50af55cb0256e47e24bcac53dcf17ebf0a3fc4a21a2377c866e0bc6881fdec468599343ba65370844acedf758d6693642644efa513b2

Download Submit
memory/2244-140-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2244-48-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2244-101-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/2244-103-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x000000013F3B0000-0x000000013F704000-memory.dmp

Filesize
3.3MB

Download
memory/2244-104-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-33-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2244-100-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-67-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2244-99-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-76-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2244-78-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2244-37-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2244-137-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2244-10-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2244-80-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2244-142-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2244-16-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2244-145-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2412-61-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-139-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-154-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-54-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-153-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-138-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-149-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2532-89-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2532-27-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2600-148-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2600-24-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2648-156-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2648-143-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2648-79-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2652-144-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2652-157-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2652-81-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2688-136-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2688-40-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2688-151-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2864-141-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2864-68-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2864-155-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2916-49-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2916-152-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2948-15-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2948-146-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2952-150-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2952-102-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2952-34-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/3052-147-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/3052-13-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/3052-60-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download