cobaltstrike | 1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

77b0eeffdcde9e87823dfdde0e436d7b
SHA1

25de9721ed2203d6c4e716e872d0a4b33c148402
SHA256

1175fe857654c399c724e4e19074290bd75dc133f9bbc8460e979ee9972fd37d
SHA512

6ac30e89dcde642a5142c23a83bca253d5dab04c2227b91ff804cb9620c3b5a27d7710775b58c9da35bc8263e8d71d4fa961060552640081d2af8c0374391ca0
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUR:Q+856utgpPF8u/7R

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000014890-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000158d9-15.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015083-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015662-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015b50-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ae3-31.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015b85-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d9c-51.dat	cobalt_reflective_dll
behavioral1/files/0x00330000000150d9-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f23-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fa6-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016013-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016122-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a28-112.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000161ee-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016575-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c1f-125.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167bf-124.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000164ec-123.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000163eb-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c30-134.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c000000014890-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000158d9-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0033000000015083-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015662-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015b50-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ae3-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015b85-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d9c-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00330000000150d9-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f23-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fa6-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016013-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016122-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a28-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000161ee-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016575-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c1f-125.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167bf-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000164ec-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000163eb-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c30-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral1/memory/1636-2-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/files/0x000c000000014890-3.dat	UPX
behavioral1/memory/1636-7-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/files/0x00070000000158d9-15.dat	UPX
behavioral1/files/0x0033000000015083-9.dat	UPX
behavioral1/memory/2036-25-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2820-27-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2572-23-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/files/0x0008000000015662-21.dat	UPX
behavioral1/files/0x0007000000015b50-38.dat	UPX
behavioral1/memory/1636-40-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/memory/892-43-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2380-34-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/files/0x0007000000015ae3-31.dat	UPX
behavioral1/files/0x0007000000015b85-47.dat	UPX
behavioral1/memory/2732-50-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2968-12-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d9c-51.dat	UPX
behavioral1/files/0x00330000000150d9-59.dat	UPX
behavioral1/memory/2668-63-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2672-56-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/files/0x0006000000015f23-66.dat	UPX
behavioral1/memory/2572-69-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/1876-71-0x000000013F490000-0x000000013F7E4000-memory.dmp	UPX
behavioral1/files/0x0006000000015fa6-72.dat	UPX
behavioral1/memory/2036-77-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2596-79-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/files/0x0006000000016013-82.dat	UPX
behavioral1/memory/2820-85-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2756-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/files/0x0006000000016122-88.dat	UPX
behavioral1/files/0x0006000000016a28-112.dat	UPX
behavioral1/files/0x00060000000161ee-120.dat	UPX
behavioral1/files/0x0006000000016575-127.dat	UPX
behavioral1/files/0x0006000000016c1f-125.dat	UPX
behavioral1/files/0x00060000000167bf-124.dat	UPX
behavioral1/files/0x00060000000164ec-123.dat	UPX
behavioral1/files/0x00060000000163eb-122.dat	UPX
behavioral1/files/0x0006000000016c30-134.dat	UPX
behavioral1/memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX
behavioral1/memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp	UPX
behavioral1/memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp	UPX
behavioral1/memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp	UPX
behavioral1/memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp	UPX
behavioral1/memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

resource	yara_rule
behavioral1/memory/1636-2-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/files/0x000c000000014890-3.dat	xmrig
behavioral1/memory/1636-7-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/files/0x00070000000158d9-15.dat	xmrig
behavioral1/files/0x0033000000015083-9.dat	xmrig
behavioral1/memory/2036-25-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2820-27-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2572-23-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x0008000000015662-21.dat	xmrig
behavioral1/files/0x0007000000015b50-38.dat	xmrig
behavioral1/memory/1636-40-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/892-43-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2380-34-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ae3-31.dat	xmrig
behavioral1/files/0x0007000000015b85-47.dat	xmrig
behavioral1/memory/2732-50-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2968-12-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d9c-51.dat	xmrig
behavioral1/files/0x00330000000150d9-59.dat	xmrig
behavioral1/memory/2668-63-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2672-56-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f23-66.dat	xmrig
behavioral1/memory/1636-70-0x00000000023E0000-0x0000000002734000-memory.dmp	xmrig
behavioral1/memory/2572-69-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/1876-71-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015fa6-72.dat	xmrig
behavioral1/memory/2036-77-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2596-79-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/files/0x0006000000016013-82.dat	xmrig
behavioral1/memory/2820-85-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2756-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1636-86-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016122-88.dat	xmrig
behavioral1/files/0x0006000000016a28-112.dat	xmrig
behavioral1/files/0x00060000000161ee-120.dat	xmrig
behavioral1/files/0x0006000000016575-127.dat	xmrig
behavioral1/files/0x0006000000016c1f-125.dat	xmrig
behavioral1/files/0x00060000000167bf-124.dat	xmrig
behavioral1/files/0x00060000000164ec-123.dat	xmrig
behavioral1/files/0x00060000000163eb-122.dat	xmrig
behavioral1/memory/1636-109-0x00000000023E0000-0x0000000002734000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c30-134.dat	xmrig
behavioral1/memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/1636-140-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig
behavioral1/memory/1636-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp	xmrig
behavioral1/memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2968	nsKZNpf.exe
2572	YGWcFal.exe
2036	uDouGko.exe
2820	qNYOfPQ.exe
2380	fBxdPJS.exe
892	KoiIMsS.exe
2732	hCLhjfu.exe
2672	XgKcGTS.exe
2668	kATeXYu.exe
1876	yqqWoLC.exe
2596	frJgmoA.exe
2756	RkFoZqO.exe
1616	RsEBWBt.exe
272	FmBorrD.exe
320	Ferzrsc.exe
1648	TOJtNiW.exe
1728	sKCvpEm.exe
292	TSlYYsY.exe
1904	jSzFnew.exe
1932	xKgwMmp.exe
2776	HMjHqSa.exe

Loads dropped DLL 21 IoCs

pid	Process
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1636-2-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/files/0x000c000000014890-3.dat	upx
behavioral1/memory/1636-7-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/files/0x00070000000158d9-15.dat	upx
behavioral1/files/0x0033000000015083-9.dat	upx
behavioral1/memory/2036-25-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2820-27-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2572-23-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x0008000000015662-21.dat	upx
behavioral1/files/0x0007000000015b50-38.dat	upx
behavioral1/memory/1636-40-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/892-43-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2380-34-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/files/0x0007000000015ae3-31.dat	upx
behavioral1/files/0x0007000000015b85-47.dat	upx
behavioral1/memory/2732-50-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/1636-49-0x00000000023E0000-0x0000000002734000-memory.dmp	upx
behavioral1/memory/2968-12-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/files/0x0007000000015d9c-51.dat	upx
behavioral1/files/0x00330000000150d9-59.dat	upx
behavioral1/memory/2668-63-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2672-56-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x0006000000015f23-66.dat	upx
behavioral1/memory/2572-69-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/1876-71-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/files/0x0006000000015fa6-72.dat	upx
behavioral1/memory/2036-77-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2596-79-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/files/0x0006000000016013-82.dat	upx
behavioral1/memory/2820-85-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2756-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/files/0x0006000000016122-88.dat	upx
behavioral1/files/0x0006000000016a28-112.dat	upx
behavioral1/files/0x00060000000161ee-120.dat	upx
behavioral1/files/0x0006000000016575-127.dat	upx
behavioral1/files/0x0006000000016c1f-125.dat	upx
behavioral1/files/0x00060000000167bf-124.dat	upx
behavioral1/files/0x00060000000164ec-123.dat	upx
behavioral1/files/0x00060000000163eb-122.dat	upx
behavioral1/files/0x0006000000016c30-134.dat	upx
behavioral1/memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx
behavioral1/memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp	upx
behavioral1/memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uDouGko.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YGWcFal.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KoiIMsS.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kATeXYu.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RsEBWBt.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fBxdPJS.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yqqWoLC.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xKgwMmp.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TSlYYsY.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HMjHqSa.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hCLhjfu.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TOJtNiW.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jSzFnew.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sKCvpEm.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FmBorrD.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\Ferzrsc.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nsKZNpf.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qNYOfPQ.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XgKcGTS.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\frJgmoA.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RkFoZqO.exe	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 2968	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	29
PID 1636 wrote to memory of 2968	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	29
PID 1636 wrote to memory of 2968	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	29
PID 1636 wrote to memory of 2036	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	30
PID 1636 wrote to memory of 2036	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	30
PID 1636 wrote to memory of 2036	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	30
PID 1636 wrote to memory of 2572	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	31
PID 1636 wrote to memory of 2572	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	31
PID 1636 wrote to memory of 2572	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	31
PID 1636 wrote to memory of 2820	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	32
PID 1636 wrote to memory of 2820	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	32
PID 1636 wrote to memory of 2820	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	32
PID 1636 wrote to memory of 2380	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	33
PID 1636 wrote to memory of 2380	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	33
PID 1636 wrote to memory of 2380	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	33
PID 1636 wrote to memory of 892	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	34
PID 1636 wrote to memory of 892	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	34
PID 1636 wrote to memory of 892	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	34
PID 1636 wrote to memory of 2732	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	35
PID 1636 wrote to memory of 2732	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	35
PID 1636 wrote to memory of 2732	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	35
PID 1636 wrote to memory of 2672	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	36
PID 1636 wrote to memory of 2672	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	36
PID 1636 wrote to memory of 2672	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	36
PID 1636 wrote to memory of 2668	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	37
PID 1636 wrote to memory of 2668	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	37
PID 1636 wrote to memory of 2668	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	37
PID 1636 wrote to memory of 1876	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	38
PID 1636 wrote to memory of 1876	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	38
PID 1636 wrote to memory of 1876	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	38
PID 1636 wrote to memory of 2596	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	39
PID 1636 wrote to memory of 2596	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	39
PID 1636 wrote to memory of 2596	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	39
PID 1636 wrote to memory of 2756	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	40
PID 1636 wrote to memory of 2756	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	40
PID 1636 wrote to memory of 2756	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	40
PID 1636 wrote to memory of 1616	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	41
PID 1636 wrote to memory of 1616	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	41
PID 1636 wrote to memory of 1616	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	41
PID 1636 wrote to memory of 272	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	42
PID 1636 wrote to memory of 272	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	42
PID 1636 wrote to memory of 272	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	42
PID 1636 wrote to memory of 320	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	43
PID 1636 wrote to memory of 320	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	43
PID 1636 wrote to memory of 320	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	43
PID 1636 wrote to memory of 1648	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	44
PID 1636 wrote to memory of 1648	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	44
PID 1636 wrote to memory of 1648	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	44
PID 1636 wrote to memory of 1904	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	45
PID 1636 wrote to memory of 1904	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	45
PID 1636 wrote to memory of 1904	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	45
PID 1636 wrote to memory of 1728	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	46
PID 1636 wrote to memory of 1728	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	46
PID 1636 wrote to memory of 1728	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	46
PID 1636 wrote to memory of 1932	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	47
PID 1636 wrote to memory of 1932	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	47
PID 1636 wrote to memory of 1932	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	47
PID 1636 wrote to memory of 292	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	48
PID 1636 wrote to memory of 292	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	48
PID 1636 wrote to memory of 292	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	48
PID 1636 wrote to memory of 2776	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	49
PID 1636 wrote to memory of 2776	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	49
PID 1636 wrote to memory of 2776	1636	2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_77b0eeffdcde9e87823dfdde0e436d7b_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Windows\System\nsKZNpf.exe
  C:\Windows\System\nsKZNpf.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\uDouGko.exe
  C:\Windows\System\uDouGko.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\YGWcFal.exe
  C:\Windows\System\YGWcFal.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\qNYOfPQ.exe
  C:\Windows\System\qNYOfPQ.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\fBxdPJS.exe
  C:\Windows\System\fBxdPJS.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\KoiIMsS.exe
  C:\Windows\System\KoiIMsS.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\hCLhjfu.exe
  C:\Windows\System\hCLhjfu.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\XgKcGTS.exe
  C:\Windows\System\XgKcGTS.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\kATeXYu.exe
  C:\Windows\System\kATeXYu.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\yqqWoLC.exe
  C:\Windows\System\yqqWoLC.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\frJgmoA.exe
  C:\Windows\System\frJgmoA.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\RkFoZqO.exe
  C:\Windows\System\RkFoZqO.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\RsEBWBt.exe
  C:\Windows\System\RsEBWBt.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\FmBorrD.exe
  C:\Windows\System\FmBorrD.exe
  2⤵
  - Executes dropped EXE
  PID:272
- C:\Windows\System\Ferzrsc.exe
  C:\Windows\System\Ferzrsc.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\TOJtNiW.exe
  C:\Windows\System\TOJtNiW.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\jSzFnew.exe
  C:\Windows\System\jSzFnew.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\sKCvpEm.exe
  C:\Windows\System\sKCvpEm.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\xKgwMmp.exe
  C:\Windows\System\xKgwMmp.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\TSlYYsY.exe
  C:\Windows\System\TSlYYsY.exe
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\System\HMjHqSa.exe
  C:\Windows\System\HMjHqSa.exe
  2⤵
  - Executes dropped EXE
  PID:2776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\Ferzrsc.exe

Filesize
5.9MB

MD5
2f7b79474d871d3a3d1a3568580f12d8

SHA1
9cf722d5741b844a92229aa9e3fc0f65fac2010f

SHA256
18ea12819f7f3409091f71c5a4ae57c1994566a577a9ee42ea74a81fda824e27

SHA512
e6f17911aef2273bf846537f418605896bc0563e02601e96bf57475a195b362c0cb082b9f632431750187bdc3423f28024f8c2670e440e48efccfdc64e1e3311

Download Submit
C:\Windows\system\FmBorrD.exe

Filesize
5.9MB

MD5
f805a25bc4a930da1c587d030629b20d

SHA1
9c843f8843f55b15d0ed26cdcc330cd563c2b5aa

SHA256
0df5d9532b2067cc7b8d24227103d88eda2c1bff98f7b571a47d5fc18213f58c

SHA512
c74dc01afa4c51caef37de83391d666bafc1f28903a4dee751cea6eb2b008371ad5b69f8d303417332311550118c5238b4984486ee882227f3e8d05c3c11cde4

Download Submit
C:\Windows\system\KoiIMsS.exe

Filesize
5.9MB

MD5
4b208de24ecd1d5d7b72e510e47cf419

SHA1
bf486189cb6e38eda977d1a04abfb7e4b7257543

SHA256
5ebd8d9193bdeb8dcb5c4694645460c1baa30da409e9a61964d1e03b07140b77

SHA512
de928cc65680c6a90a04619ed2a266396d17f4655babc361d7762be46d5f7d6b543d20beffea7aa44395418524db82a42abec06607bc235db2dc6841deae3719

Download Submit
C:\Windows\system\RkFoZqO.exe

Filesize
5.9MB

MD5
c80a33da50cf0d7484deacabfa820a00

SHA1
f3e39f5a57388c1a9035aecf6ab9a170252ae0b9

SHA256
946bbf3ac109feb22f51264cfe879bc51dc4ea0161fcd3ef4509f25de0c5ab26

SHA512
0dd98a48acf4e9aebe1ab40cee41d45892c81fa14b1857a73e05f26da30e85a0a459169d4d0122e92da772f2f38531f4e480e1d01f9ff884ef9301287ba16968

Download Submit
C:\Windows\system\TOJtNiW.exe

Filesize
5.9MB

MD5
1069c1a4498510990f2fa5895c5a45e2

SHA1
0324c84d2a4e083a0f2f885aa26302d6e3126754

SHA256
445bd01008820febd1adfd1d7d2ce7fbed5e05025307cfd0351aa2d84d461ebd

SHA512
c92399abe85ee5c77ac6d42e136c84eac6b441de000d8465cd9c1a8146d18ef5d573c873920441c36ade544bab6d910decb364717abf9264f3c8c7ab7bed96fe

Download Submit
C:\Windows\system\TSlYYsY.exe

Filesize
5.9MB

MD5
7606c825524e7dff9f0d2d5dd055032d

SHA1
6c7ce36263edc3caa56d0506ee0ee7dccf699bd4

SHA256
ab6ab378435dc2785c8b7977e65c21db7b80b3c1eb9ba307f5bdadf2860ccb9c

SHA512
69a0cc7c130a07ce688968a152cb0e3c2adee2540cfea62c15bcaa80057b593fa4fa2d1414ed33d554672340fffea972a60392c8279fd8abdd67ac5ccefb8277

Download Submit
C:\Windows\system\YGWcFal.exe

Filesize
5.9MB

MD5
e7398fad780a7df97150c1f6a28afaad

SHA1
007d17c2c506fa2e54de58d46408edd3583a8193

SHA256
f7a22c05982bf64a6aa66991a80fd84bb596f5ced17a146ca273e9558e50a48f

SHA512
8b2c73cac5cae6171cd9418b4ee53a2e5a44fbb6a12a1b47ef982c6bb2c234cb59a9bb51c87cc00ca3159a77b2f791b866054651810a9176df74d689b80894f7

Download Submit
C:\Windows\system\fBxdPJS.exe

Filesize
5.9MB

MD5
90a10a7f7f5160830b280cc690db36ef

SHA1
aa74f39e947037fefe60d63f6d0f76aa5438d296

SHA256
d6b6c01b551e5e8967f6a6671acd93dda7feb7dce6f5cf29dbadda1801d61b1a

SHA512
0d947397d2d1f4d702a9730bbd696892b865803248c491c03f8b5739e6d64ce29e37c60a87d9e3ccd9681fdcf273671ad689ea73837ca9cb1e667c853f5d6702

Download Submit
C:\Windows\system\hCLhjfu.exe

Filesize
5.9MB

MD5
5a82c99a6d7a2fa38825c126e43da7f5

SHA1
db4918c25b0fa4b7e28d379095d8be6eefa62e6f

SHA256
e99cc74a693216b317e12ddfbe0324ce9f9523c5314bc009487457b8e4da6040

SHA512
acbd6ca4a065ba27e419eb60971db9ff06a6246248687652b57ef9ea51946d54a415f239ade593448ef20ddbbf7896ad8eff1405d85092ff0222bf6e4bca37df

Download Submit
C:\Windows\system\jSzFnew.exe

Filesize
5.9MB

MD5
453e100a5af0683255c8b4c2cc0db03a

SHA1
d56bcc48d6b79b420e181153ac5586760d4e5dea

SHA256
8f439bac237b46445879df46ead91647993dcee5cf3dc86eeeb3d7c14af704a2

SHA512
00213eb1c00331625f78036268a16b1f0ee3c0d9460343d90d30e6fce0eb61e838a6a421100b5b1a9cf5a2b076add78843bbc6469367c93f742229e227d2c8cc

Download Submit
C:\Windows\system\kATeXYu.exe

Filesize
5.9MB

MD5
ae4fbee4f525934e1ee6cb86c5cd0d96

SHA1
37f0e650e5326e3af89317a38f7cc5533c05ebdd

SHA256
56276a959f59fb46065bfec8ab2160b05ca2cca7aa39d47d79ec3347c298247d

SHA512
851af1dcbc9129426d798939e1411eb723ff6eafbab1a7f4be4f43a8b74690843977a1297052631dffe93bd018b5a440626e4c07859c7a9dc313388f487890d7

Download Submit
C:\Windows\system\qNYOfPQ.exe

Filesize
5.9MB

MD5
996e8d7f4e2f45f927fdb1e49b997666

SHA1
9b4a32900495e315a57e956bc0ea3568caacb037

SHA256
93e6e575afb8a1ed33103e5f0ca63ba4a8404746bd1f929d14bc8b59d488efa6

SHA512
f245818ea420efc69df8bd96ad90cc49686626dffe489dbd4be5d1cb3909463d26499bde4458ac82782b5723929c5a4fe9803ac3d90c84601d4d7998d28b9219

Download Submit
C:\Windows\system\sKCvpEm.exe

Filesize
5.9MB

MD5
2a7e219914c9d73f74bd3580ad1a88a5

SHA1
6099fa0f3eed593ca196246cb0f1ef5fed794ed7

SHA256
654fe4b4f21e134f1b42683e19fa0a153eff1ad2c7d078b75cf96c75b5c093dc

SHA512
a0838b81df7f5aca6f746aab7bda0448ecf25ec3e0bf8af94a4f657bd189f0faf4b9873cd5f0fc2d683a9c0a7012c2ce7132d42bbcfda127b97d5c469a472576

Download Submit
C:\Windows\system\yqqWoLC.exe

Filesize
5.9MB

MD5
c3538a2499bae672a63e5d5c74b6593f

SHA1
38c2b03c08d9a51abbadbc251333e831ae52fd9b

SHA256
f81a461d50d8c65c4af09b9b57986aedfb745e0ac96759960997374682bac9c8

SHA512
b6de9dc1e40ea4a3bb057099bbfa8b0d67141d23ab22dd0dddc87abf5a7f2da3d374dbab1d04121d29360905034bcbf0aac3da70a5b82dc2a45c39f9d1233046

Download Submit
\Windows\system\HMjHqSa.exe

Filesize
5.9MB

MD5
c4e449c14766983b9f799a1076166d86

SHA1
28dd31dc5e85fb9a619e67f6df9b94736fc6095b

SHA256
050036f56df99474c1649c998452281b45d19025a56d455af5f7ac40bb984bc7

SHA512
c5cbc0fb3667d7fe25fa583287425c47d9cb1aecafcfae95443b9737d935d8b8a26b1a0baf5c68362ac829381a50a20094a5a07d8f50946d1a3505ff1b24a02b

Download Submit
\Windows\system\RsEBWBt.exe

Filesize
5.9MB

MD5
0229095cddc449588226b156728af038

SHA1
2dcf65477b7b9b5e4e14370124a4b753ca86e1f5

SHA256
0a1bccb3d02a5d66fe98fece0c723ec9fd52d52bf790ff44ab6956b737cc4e7e

SHA512
2f8196affddef1db6d7f2112ee11c3582e16d3e91d1ffd43b9f73c78fe87d3ac764d6cb4de63e93ff5580662f304e549ef024f26ac224ed6fad29b14f7eb29b7

Download Submit
\Windows\system\XgKcGTS.exe

Filesize
5.9MB

MD5
53fe11e954d2fb13775a156d31b6c2e1

SHA1
6b72f230d6f24eb4fb8d252e9227cc5566756bc1

SHA256
020b5c7b3674acbb7102a0041e80a18ff883d73bc19219cb513e2b32445365e3

SHA512
eadceff0316e4b01dcfe783fd27cd921791663e6e14695809ba4f139ea38fc6386e109d1cdaff0e31117e48e90abe97807cdef96556cbce9ad2f64a9ba79ff8d

Download Submit
\Windows\system\frJgmoA.exe

Filesize
5.9MB

MD5
1163e4e2813427d9dbfc28eb38a33609

SHA1
1a9072cfa624f955107022ffdf341afdaca7561a

SHA256
8587c83cfe5bb47e277534713b7307f46f6c4479bf8e783a4ac1455222c2bb3f

SHA512
17db6d7bb630b950aec65f1e738e14b3eb75fe2da4826c9eef842d6aaa18a40f540bc43544c8f0e922d2e9522ac36bf67529c2e1560a443adf7579f9577c66c8

Download Submit
\Windows\system\nsKZNpf.exe

Filesize
5.9MB

MD5
ef6da47b49384f92e6dd1713aa878b64

SHA1
95998db508d7052b911eed34bc94a805cb27a898

SHA256
80ae0f36cda9260c1c006a990d8cbb54b03823ebaac83b3debf5920de1a35e22

SHA512
880423a87ac007435a2c4359ae868747effe7dab6603248eaecf646147dc5130843802193c38d914a723f865943d63df399999c8ba58539ea363749556c727df

Download Submit
\Windows\system\uDouGko.exe

Filesize
5.9MB

MD5
46798ed08206fc5c84464267f462469c

SHA1
ad6926c861bdd3e4a56278adcec451e9a55cda0d

SHA256
5c6cc0eafe4e27d6683f4d81049562e8c8d276cb8ab355984de17517a94ebee6

SHA512
38d45d856cebebe15ce057296e39fe0a7c1b78149a61b541c1ea0375226e466b49ace015d033b203548f1c7f356f8356ead193e2ca47969b03e4bb4507d79179

Download Submit
\Windows\system\xKgwMmp.exe

Filesize
5.9MB

MD5
1797c7494b62f923d1dd0c06c3a86f3c

SHA1
512d7c234b4aeeac6a8cb5f6756f39cbcdaa52d2

SHA256
66f977149952d4a2eedd734053a9505a22d70f5069dfb17510ab10d203a78fc8

SHA512
b0247452e1ff974a389efc87a76b44cf421dfdc7a3ffd84cc30661eb91a0aead1d72001ceb42b789b18df1738f9ef47a06929ef3a8dd0ffba4ed6556ff1bd6ea

Download Submit
memory/892-148-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/892-43-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-141-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-155-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-96-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-138-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/1636-109-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-70-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-2-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-7-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-142-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-140-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/1636-139-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-78-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/1636-62-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1636-92-0x000000013F280000-0x000000013F5D4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-86-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-16-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-49-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-111-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-20-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-118-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/1636-41-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-40-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-152-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-71-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-25-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-145-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2036-77-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-34-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-102-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-147-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2572-69-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2572-144-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2572-23-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2596-153-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2596-79-0x000000013F0E0000-0x000000013F434000-memory.dmp

Filesize
3.3MB

Download
memory/2668-63-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2668-151-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2672-150-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2672-56-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2732-149-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2732-50-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2756-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-85-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-146-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-27-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-143-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-12-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download