cobaltstrike | 99f7856d5e1c4ec54f6db1ca97b18f6ed1e6145d8ac5c277631b9e8a4e75fe49

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/05/2024, 02:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
Size

5.2MB
MD5

778418f0e5bedc2f927370e2938780bc
SHA1

8dc70dc2d1a0a5e90a06e6d5793c44756a03e012
SHA256

99f7856d5e1c4ec54f6db1ca97b18f6ed1e6145d8ac5c277631b9e8a4e75fe49
SHA512

335278a2a81f5b734112a95f7129a4d785795e003dccc7b37aa1c1b16b76d13ff6b2d2686058636e1dc721196cbf3b2c26b2ba1c7166b80d127aab69f36c7238
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lx:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012120-3.dat	cobalt_reflective_dll
behavioral1/files/0x002f00000001325f-7.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001344f-20.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000134f5-23.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a65-34.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a15-31.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000013b02-45.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000145d4-54.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013f4b-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015077-131.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014d0f-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014fac-126.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014a29-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014c0b-116.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000148af-106.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001475f-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014730-86.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001474b-94.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000146a7-75.dat	cobalt_reflective_dll
behavioral1/files/0x00300000000132f2-79.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000013a85-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x0007000000012120-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002f00000001325f-7.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000900000001344f-20.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000134f5-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a65-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a15-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000013b02-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000145d4-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013f4b-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015077-131.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014d0f-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014fac-126.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014a29-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014c0b-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000148af-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001475f-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014730-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001474b-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000146a7-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00300000000132f2-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000013a85-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral1/memory/2248-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/files/0x0007000000012120-3.dat	UPX
behavioral1/memory/2028-10-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/files/0x002f00000001325f-7.dat	UPX
behavioral1/memory/3048-19-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/files/0x000900000001344f-20.dat	UPX
behavioral1/memory/2196-21-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/files/0x00090000000134f5-23.dat	UPX
behavioral1/files/0x0008000000013a65-34.dat	UPX
behavioral1/files/0x0008000000013a15-31.dat	UPX
behavioral1/files/0x000a000000013b02-45.dat	UPX
behavioral1/files/0x00060000000145d4-54.dat	UPX
behavioral1/files/0x0008000000013f4b-49.dat	UPX
behavioral1/memory/2756-58-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2692-61-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2752-69-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2532-76-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/2800-82-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2812-90-0x000000013FFA0000-0x00000001402F1000-memory.dmp	UPX
behavioral1/memory/1504-97-0x000000013FA60000-0x000000013FDB1000-memory.dmp	UPX
behavioral1/files/0x0006000000015077-131.dat	UPX
behavioral1/files/0x0006000000014d0f-121.dat	UPX
behavioral1/files/0x0006000000014fac-126.dat	UPX
behavioral1/files/0x0006000000014a29-111.dat	UPX
behavioral1/files/0x0006000000014c0b-116.dat	UPX
behavioral1/files/0x00060000000148af-106.dat	UPX
behavioral1/files/0x000600000001475f-100.dat	UPX
behavioral1/memory/2028-89-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/2248-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/files/0x0006000000014730-86.dat	UPX
behavioral1/memory/2196-133-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/files/0x000600000001474b-94.dat	UPX
behavioral1/files/0x00060000000146a7-75.dat	UPX
behavioral1/files/0x00300000000132f2-79.dat	UPX
behavioral1/memory/2604-67-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/2856-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/2764-63-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2612-59-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/files/0x0008000000013a85-40.dat	UPX
behavioral1/memory/2756-134-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2248-136-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2532-147-0x000000013F8D0000-0x000000013FC21000-memory.dmp	UPX
behavioral1/memory/2800-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/1772-151-0x000000013F530000-0x000000013F881000-memory.dmp	UPX
behavioral1/memory/2836-157-0x000000013F3F0000-0x000000013F741000-memory.dmp	UPX
behavioral1/memory/1248-156-0x000000013F920000-0x000000013FC71000-memory.dmp	UPX
behavioral1/memory/1348-155-0x000000013F140000-0x000000013F491000-memory.dmp	UPX
behavioral1/memory/1760-154-0x000000013F990000-0x000000013FCE1000-memory.dmp	UPX
behavioral1/memory/108-153-0x000000013FAD0000-0x000000013FE21000-memory.dmp	UPX
behavioral1/memory/2812-149-0x000000013FFA0000-0x00000001402F1000-memory.dmp	UPX
behavioral1/memory/2284-152-0x000000013F790000-0x000000013FAE1000-memory.dmp	UPX
behavioral1/memory/2248-159-0x000000013F9D0000-0x000000013FD21000-memory.dmp	UPX
behavioral1/memory/2028-205-0x000000013F560000-0x000000013F8B1000-memory.dmp	UPX
behavioral1/memory/3048-207-0x000000013F150000-0x000000013F4A1000-memory.dmp	UPX
behavioral1/memory/2196-209-0x000000013F7E0000-0x000000013FB31000-memory.dmp	UPX
behavioral1/memory/2756-211-0x000000013F400000-0x000000013F751000-memory.dmp	UPX
behavioral1/memory/2692-213-0x000000013F120000-0x000000013F471000-memory.dmp	UPX
behavioral1/memory/2764-215-0x000000013FF90000-0x00000001402E1000-memory.dmp	UPX
behavioral1/memory/2856-217-0x000000013FC60000-0x000000013FFB1000-memory.dmp	UPX
behavioral1/memory/2604-219-0x000000013F9C0000-0x000000013FD11000-memory.dmp	UPX
behavioral1/memory/2752-221-0x000000013FE40000-0x0000000140191000-memory.dmp	UPX
behavioral1/memory/2612-236-0x000000013F030000-0x000000013F381000-memory.dmp	UPX
behavioral1/memory/2800-238-0x000000013FAE0000-0x000000013FE31000-memory.dmp	UPX
behavioral1/memory/2812-240-0x000000013FFA0000-0x00000001402F1000-memory.dmp	UPX

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/3048-19-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2756-58-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2692-61-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2248-68-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2752-69-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1504-97-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2028-89-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2248-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2196-133-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2604-67-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2856-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2764-63-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2248-62-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2612-59-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2756-134-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2248-136-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2532-147-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2800-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/1772-151-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2836-157-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/1248-156-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/1348-155-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1760-154-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/108-153-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2812-149-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/2284-152-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2248-159-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2028-205-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/3048-207-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2196-209-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2756-211-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2692-213-0x000000013F120000-0x000000013F471000-memory.dmp	xmrig
behavioral1/memory/2764-215-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2856-217-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2604-219-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2752-221-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2612-236-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2800-238-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2812-240-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/1504-242-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2532-251-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2028	UBtOTzX.exe
3048	QCasUEf.exe
2196	TbSGCbN.exe
2756	hsVojtx.exe
2612	StVXWiR.exe
2692	lOMJiAi.exe
2764	ZhQLdeZ.exe
2856	ofAcnjB.exe
2604	fQnWLGR.exe
2752	HlZfMDX.exe
2532	TWufyTw.exe
2800	NXKGpHg.exe
2812	ZAToOOB.exe
1504	JlDETXk.exe
1772	MkBVDDo.exe
2284	rPJrhzl.exe
108	qgRksHa.exe
1760	yDQsgsG.exe
1348	qxrqEKh.exe
1248	HiItscM.exe
2836	NTyJYav.exe

Loads dropped DLL 21 IoCs

pid	Process
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2248-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/files/0x0007000000012120-3.dat	upx
behavioral1/memory/2028-10-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/files/0x002f00000001325f-7.dat	upx
behavioral1/memory/3048-19-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/files/0x000900000001344f-20.dat	upx
behavioral1/memory/2196-21-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/files/0x00090000000134f5-23.dat	upx
behavioral1/files/0x0008000000013a65-34.dat	upx
behavioral1/files/0x0008000000013a15-31.dat	upx
behavioral1/files/0x000a000000013b02-45.dat	upx
behavioral1/files/0x00060000000145d4-54.dat	upx
behavioral1/files/0x0008000000013f4b-49.dat	upx
behavioral1/memory/2756-58-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2692-61-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2752-69-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2532-76-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2800-82-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2812-90-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/1504-97-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0006000000015077-131.dat	upx
behavioral1/files/0x0006000000014d0f-121.dat	upx
behavioral1/files/0x0006000000014fac-126.dat	upx
behavioral1/files/0x0006000000014a29-111.dat	upx
behavioral1/files/0x0006000000014c0b-116.dat	upx
behavioral1/files/0x00060000000148af-106.dat	upx
behavioral1/files/0x000600000001475f-100.dat	upx
behavioral1/memory/2028-89-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2248-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/files/0x0006000000014730-86.dat	upx
behavioral1/memory/2196-133-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/files/0x000600000001474b-94.dat	upx
behavioral1/files/0x00060000000146a7-75.dat	upx
behavioral1/files/0x00300000000132f2-79.dat	upx
behavioral1/memory/2604-67-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2856-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2764-63-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2612-59-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/files/0x0008000000013a85-40.dat	upx
behavioral1/memory/2756-134-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2248-136-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2532-147-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2800-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/1772-151-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2836-157-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/1248-156-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/1348-155-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1760-154-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/108-153-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2812-149-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/2284-152-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2248-159-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2028-205-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/3048-207-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2196-209-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2756-211-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2692-213-0x000000013F120000-0x000000013F471000-memory.dmp	upx
behavioral1/memory/2764-215-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2856-217-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2604-219-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2752-221-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/2612-236-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2800-238-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2812-240-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZAToOOB.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HiItscM.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NTyJYav.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TbSGCbN.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hsVojtx.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TWufyTw.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HlZfMDX.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rPJrhzl.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yDQsgsG.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UBtOTzX.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lOMJiAi.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fQnWLGR.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZhQLdeZ.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ofAcnjB.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MkBVDDo.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JlDETXk.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qgRksHa.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qxrqEKh.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QCasUEf.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\StVXWiR.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NXKGpHg.exe	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2028	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	29
PID 2248 wrote to memory of 2028	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	29
PID 2248 wrote to memory of 2028	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	29
PID 2248 wrote to memory of 3048	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	30
PID 2248 wrote to memory of 3048	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	30
PID 2248 wrote to memory of 3048	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	30
PID 2248 wrote to memory of 2196	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	31
PID 2248 wrote to memory of 2196	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	31
PID 2248 wrote to memory of 2196	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	31
PID 2248 wrote to memory of 2756	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	32
PID 2248 wrote to memory of 2756	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	32
PID 2248 wrote to memory of 2756	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	32
PID 2248 wrote to memory of 2612	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	33
PID 2248 wrote to memory of 2612	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	33
PID 2248 wrote to memory of 2612	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	33
PID 2248 wrote to memory of 2692	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	34
PID 2248 wrote to memory of 2692	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	34
PID 2248 wrote to memory of 2692	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	34
PID 2248 wrote to memory of 2764	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	35
PID 2248 wrote to memory of 2764	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	35
PID 2248 wrote to memory of 2764	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	35
PID 2248 wrote to memory of 2856	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	36
PID 2248 wrote to memory of 2856	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	36
PID 2248 wrote to memory of 2856	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	36
PID 2248 wrote to memory of 2604	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	37
PID 2248 wrote to memory of 2604	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	37
PID 2248 wrote to memory of 2604	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	37
PID 2248 wrote to memory of 2752	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	38
PID 2248 wrote to memory of 2752	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	38
PID 2248 wrote to memory of 2752	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	38
PID 2248 wrote to memory of 2532	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	39
PID 2248 wrote to memory of 2532	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	39
PID 2248 wrote to memory of 2532	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	39
PID 2248 wrote to memory of 2800	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	40
PID 2248 wrote to memory of 2800	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	40
PID 2248 wrote to memory of 2800	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	40
PID 2248 wrote to memory of 2812	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	41
PID 2248 wrote to memory of 2812	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	41
PID 2248 wrote to memory of 2812	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	41
PID 2248 wrote to memory of 1504	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	42
PID 2248 wrote to memory of 1504	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	42
PID 2248 wrote to memory of 1504	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	42
PID 2248 wrote to memory of 1772	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	43
PID 2248 wrote to memory of 1772	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	43
PID 2248 wrote to memory of 1772	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	43
PID 2248 wrote to memory of 2284	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	44
PID 2248 wrote to memory of 2284	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	44
PID 2248 wrote to memory of 2284	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	44
PID 2248 wrote to memory of 108	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	45
PID 2248 wrote to memory of 108	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	45
PID 2248 wrote to memory of 108	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	45
PID 2248 wrote to memory of 1760	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	46
PID 2248 wrote to memory of 1760	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	46
PID 2248 wrote to memory of 1760	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	46
PID 2248 wrote to memory of 1348	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	47
PID 2248 wrote to memory of 1348	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	47
PID 2248 wrote to memory of 1348	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	47
PID 2248 wrote to memory of 1248	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	48
PID 2248 wrote to memory of 1248	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	48
PID 2248 wrote to memory of 1248	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	48
PID 2248 wrote to memory of 2836	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	49
PID 2248 wrote to memory of 2836	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	49
PID 2248 wrote to memory of 2836	2248	2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\System\UBtOTzX.exe
  C:\Windows\System\UBtOTzX.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\QCasUEf.exe
  C:\Windows\System\QCasUEf.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\TbSGCbN.exe
  C:\Windows\System\TbSGCbN.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\hsVojtx.exe
  C:\Windows\System\hsVojtx.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\StVXWiR.exe
  C:\Windows\System\StVXWiR.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\lOMJiAi.exe
  C:\Windows\System\lOMJiAi.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\ZhQLdeZ.exe
  C:\Windows\System\ZhQLdeZ.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\ofAcnjB.exe
  C:\Windows\System\ofAcnjB.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\fQnWLGR.exe
  C:\Windows\System\fQnWLGR.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\HlZfMDX.exe
  C:\Windows\System\HlZfMDX.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\TWufyTw.exe
  C:\Windows\System\TWufyTw.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\NXKGpHg.exe
  C:\Windows\System\NXKGpHg.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\ZAToOOB.exe
  C:\Windows\System\ZAToOOB.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\JlDETXk.exe
  C:\Windows\System\JlDETXk.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\MkBVDDo.exe
  C:\Windows\System\MkBVDDo.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\rPJrhzl.exe
  C:\Windows\System\rPJrhzl.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\qgRksHa.exe
  C:\Windows\System\qgRksHa.exe
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\System\yDQsgsG.exe
  C:\Windows\System\yDQsgsG.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\qxrqEKh.exe
  C:\Windows\System\qxrqEKh.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\HiItscM.exe
  C:\Windows\System\HiItscM.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\NTyJYav.exe
  C:\Windows\System\NTyJYav.exe
  2⤵
  - Executes dropped EXE
  PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HiItscM.exe

Filesize
5.2MB

MD5
ffe3bbba6db3b924956b00e8141a3b4f

SHA1
4987c68dbe016d989603885f957b68c3245af107

SHA256
be6886bba4bba6a6dc17be56bcb69878a06699cdd38c0497b27fd3283413ab89

SHA512
337e983e9d0b16f450a3f425b4fa5441deac32f4e2340f5d3d6e7fd16abdc820151758c441190b2cb039d4e99277769e3f9a87b3f0f9bb3fd77e83fa64d4e7c2

Download Submit
C:\Windows\system\HlZfMDX.exe

Filesize
5.2MB

MD5
0ca683652a03c58de413989b35d3d0f6

SHA1
0f26871079d1456933e232cab1f9eed253df5bcd

SHA256
5daf33677997ddf86e03b36c8c94db24900eb290e4c620f5c2a83f207b9ae27c

SHA512
35b7b49587d693ec7eb638802ad8722a8a480712affa812d67810cbbbdb362832afac7290bfcd49a9410d5279dfef6aae298359841ff7a5431bec39a6dbcb614

Download Submit
C:\Windows\system\JlDETXk.exe

Filesize
5.2MB

MD5
d1c85805b83d96223e1875518e15ff31

SHA1
11eebd73971b222d3b2027ea8a059239cd7d7630

SHA256
c39f404d28b33bd19750ba0b485c629c0bc2547c9a3df200c6b043c951fec8f6

SHA512
57574772316659ff41855d75f5fa013b0e39bbdb69ac565b43a62a3b1c19d5e1aa63de6d34b2e74110595d3f2dc65b70ec23d72aca65265fc0500e433d41a88a

Download Submit
C:\Windows\system\MkBVDDo.exe

Filesize
5.2MB

MD5
51192d328bc0af800b9fc93bdd1d2002

SHA1
afacfcbff9778c3dc65406310c65b587ae8a79c9

SHA256
176132a4fec136ec3fa5f37567380f1e843268fa77759af73047590a3ebf8eed

SHA512
da7096b3ee354d08dec5b4eb777b3b8c09d3c38e635f5edfa96a5896f4a31f9113cfbb7f0f5f552f773b394f0be0f11e6a96330519d71eb40b76fd2353375001

Download Submit
C:\Windows\system\NTyJYav.exe

Filesize
5.2MB

MD5
08590ec876dfac6ecbbcff517f922945

SHA1
81d483cb2b07208dc9d35ce69ab9adf6d2749b8d

SHA256
9e97511f704c1b5ae4c73775d9bb466535eb21aa6a51c1c140422c8740a8fdf9

SHA512
b46c875049493f112571352d58b07c5047ca31f446e93b673e55701a4cc2db2bb7ba4177c9b4bf463afa23630f969951a2b48ed62ecc73e6ff4d0f3b2765de56

Download Submit
C:\Windows\system\NXKGpHg.exe

Filesize
5.2MB

MD5
373453e966ac0f86bce1ac3f4df0f228

SHA1
30bdb698d210c03b935677a14bac855d8536d384

SHA256
0440f96974205c58b22e780c34c027175f056037c86b452877ae78ddcc339a26

SHA512
6d93ef0bd7255aa267fb0b52b04a89040ad23f2936b1c5e03829c2ccf68d2549e7202cda6fc3fc34ee8353ad96bcfb0db126f3ab6cb9a20327b50b9753c35a97

Download Submit
C:\Windows\system\StVXWiR.exe

Filesize
5.2MB

MD5
d1f27b3bcd6251c710dc03762f862411

SHA1
bbe8162348d24605327e655b459c44766e621b46

SHA256
3eda8fd26972e07b85bbbf431302f761bbe85900cbc82af8de68e420aaa195c8

SHA512
a3684e9cf08dd4e8952b46a01517e095e304ca342241558a32d178a292985da3a47e5d1e727ec27bb1f6d2b032e107d93cc645bc4b7909e8e2285856e3767cf3

Download Submit
C:\Windows\system\TWufyTw.exe

Filesize
5.2MB

MD5
7b1ddc88ff5af845aefa16f552e67105

SHA1
af0627398fefadf13c6a78d75994e63458e1bb99

SHA256
28aab2e3d1fedbc153bd1c97ec5c806456af14d3cb95e060627c7a80406af37a

SHA512
6f8fc938ae1ae4d71cf4ab2f587888c60cb4f426f086125313580921e0d64d6133c51495f6f9ac1e7c3d1cbee1cdb1de15b084d87a68a68b3ba7c09769bf65bc

Download Submit
C:\Windows\system\TbSGCbN.exe

Filesize
5.2MB

MD5
bc85c63a59294f12715edcce97330c5b

SHA1
8366b4dd2ac7b4957aae6740297909bd887f09f7

SHA256
2cb933fef40998acf33cbe170783c9aed13c85c39677ea6b8f456b54c5f810f0

SHA512
394569870a79bd55d2a091069f15a5f2fa7a392c7158a79ffddb0f8099c4b5b929dc0797fca655aed0d80bbbc328dc3327fd6eed838d033bbfaaad4d6ca92308

Download Submit
C:\Windows\system\ZAToOOB.exe

Filesize
5.2MB

MD5
046a45ce5da95ac7ca7d06a2d3e2e948

SHA1
ddc8bf2f9dc82d1c7304fe759f53fb550fad5942

SHA256
32cd3c092583b25b76acf63cc28c3e8fd026c7aeec7d99375e94e8b0cf5c6f98

SHA512
78ab81cc03743f540ee88d8540a2c64074d2ad7c1cbc78d0c01cbc8d3997f80c1d427aaae75451432118065bc126a33d26fec7cdacfc92e641f4a223427746ff

Download Submit
C:\Windows\system\ZhQLdeZ.exe

Filesize
5.2MB

MD5
b9b8bcaf29d2432f2988817048f707a9

SHA1
a71c499b6186d44c9ae2416737bd22695450966e

SHA256
ebbc9c6c59c1734e049bd21da227d2476ea49a350131ccfe610d37833016f04f

SHA512
3b88a1f7d1c5d13c77647826836af1dfecd38a5945457e4006403c6de023cfc91770d5bac5a1e76f62b81e5242e875adda8c914af0665ea9caf0f46dc77b42ee

Download Submit
C:\Windows\system\fQnWLGR.exe

Filesize
5.2MB

MD5
c94a8c20889d418f4a771513fafb5003

SHA1
779cebe7579c1d9f865b87c6c15101a64f315ff4

SHA256
c59f1926f7c76178b0070ec2c231cebc1680bb8fae46bfb68981ec9137d4ca7c

SHA512
e4daaeca699218d60a9ab85ab03ac213ccd69b1b2511994acded070ac175eb133192961dfcdcd1902a5e581d809305890d82bbbe5951e3d9ce3620d49f9b1f72

Download Submit
C:\Windows\system\lOMJiAi.exe

Filesize
5.2MB

MD5
00556f0b4a814fab62e1d1c77b5c96c0

SHA1
cea21cd51189bd78670036a4f90261c2c7ef0182

SHA256
4dab1e7aae3329f10b3bbd207c982340c5fa2746bbae0d74f6cc66111a091ffc

SHA512
988ed162d0ad19430d427e204889390508fe0e207e53e0e12a1eba112a11822c553134b3795f63a49c0b7644aad5c7810a619ac4ce70beb181ac58111bac3c9a

Download Submit
C:\Windows\system\ofAcnjB.exe

Filesize
5.2MB

MD5
dc4e3a5891c22102e77e34a6634bbbdf

SHA1
1b23e7562afa8a9df5d7cd66e35eeb8958a57ab6

SHA256
2df69c677094b337e20f8f139fe8cc0278c8c8a44e73b9717415d7a36c07bca9

SHA512
31602e6d47bc09f18cdb7d47520e0846ac3b62292005bac1779cc3dc362a1109bc6671548729aa38e1fca4f35a64fbfb08a3b8ef8c3bb80c62bd381011711299

Download Submit
C:\Windows\system\qgRksHa.exe

Filesize
5.2MB

MD5
f44c8af3ea82c0739d682446145bfd66

SHA1
3d6dfe40891e28de9785d70bfd22f7a97eab1f44

SHA256
a0e3b86d1196633c87950460b78922bfc761f6e6f08a34aa5d3dc721668edd98

SHA512
9abf088695f6986cc749fd337c9295f6d9d3c733bd68cdbb600b1aefc6720e28b8974265d14049d430fe154282ee404fdbe48426bb7640822aa1416a77e949c8

Download Submit
C:\Windows\system\qxrqEKh.exe

Filesize
5.2MB

MD5
1f899e27faa8239d048f7f4e20794793

SHA1
3eb7f5922fb194afdc59a0d421c840e413b219e7

SHA256
618e5a24b80be2b9a6cc5a27f3ed89220ac141337a6aef9731bca3d749fd74f4

SHA512
ae5eccf8f9646698f75bbd94e5471e9e131e71eb1c31108e2147bc67d22d8c9ad1c7f64fb59cf24d9703c675ffd1c26a363053f6d2427620ca1e696fbb893498

Download Submit
C:\Windows\system\rPJrhzl.exe

Filesize
5.2MB

MD5
d5fb97234af10797b011ae514f6912e2

SHA1
df47ef95262792b92144b5cec2e9abb7e9f3c7e3

SHA256
998f1a99f48d5ea6d47dfcfa3ab5e360b160c4fe90bcb847a9b23cfb4c27a5cd

SHA512
d3ca191f3000bdd1f2372474627f0dd9121382ed32d31f780e6648dc4904e91827a314fc50e225c01caab3f4c3bfb0d9c7ddf1382ae6b674e9e90ca71f342ec3

Download Submit
C:\Windows\system\yDQsgsG.exe

Filesize
5.2MB

MD5
11260c2c93bea6b7a263a507a30024c4

SHA1
5dfc5db3eb090969da774e8cc53813035cc7884b

SHA256
b63392a202db2a80591892b843248427beae257b6a59807d659dc88db82e653e

SHA512
f9efb2cc6e87a50a5ca98e84ea145df061dd25a985d5006ce8639f8c5e45005f9e61cc7554c7d0d6b2388321a31f16d8da46bb95af9cd7c5e42d161abb40f0ae

Download Submit
\Windows\system\QCasUEf.exe

Filesize
5.2MB

MD5
1322b26d90eceb13bbd98b9fb1e88710

SHA1
c0252d0faebdb50115ddd14da2740e08dbea1264

SHA256
832fc954f419d7a28224a588229b78fe80e19957d65b661c9f7f774b63863a60

SHA512
da1b4607247f1f16cca4139804cc24cb433cb916d4b0451f1fe10045641e0f5de1cb49267cd05febf8eb36e9887eb3ef6626b90a280fc2016222e7bba3b1b4d8

Download Submit
\Windows\system\UBtOTzX.exe

Filesize
5.2MB

MD5
86506870a8977f37ed2cf5d6a911f010

SHA1
47d6aabcb3e6f1641e6cd68935a80f6cb8d86db4

SHA256
44043f8d9ecd075eb85e4dc095a885010522ad6564352f673e7ab95cf55d363c

SHA512
6c739a23e6917763196a8d798544ba9eca95cce6b890efbb6f416c366f8c352321d431ba92724d7484d9f07a32d8c61421eea89e0195f95083146660bf2321d6

Download Submit
\Windows\system\hsVojtx.exe

Filesize
5.2MB

MD5
9830f50ae1892cc920563dd96b56a483

SHA1
169a12dde45422a4164c42abeb388992def55211

SHA256
1e80fe19d243c5597abe16d0ed51e5f9f75cdcbb2625921b9dbc7269c1421053

SHA512
35241b9bf2aaaf27e3e0f0c6d03453dfc4356cf36beebfcd3cea8ecb78486a96daa227f5fb8a2e04ecaf035f2e98e3a462d9d8bb9d83c6d464b5001a127e8170

Download Submit
memory/108-153-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1248-156-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1348-155-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/1504-242-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-97-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-154-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/1772-151-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2028-89-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-205-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2028-10-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-133-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2196-21-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2196-209-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2248-70-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2248-181-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2248-102-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2248-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2248-18-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2248-81-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-159-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2248-72-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-16-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-64-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-66-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2248-158-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2248-62-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2248-60-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2248-68-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2248-0-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2248-136-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2284-152-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-147-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2532-251-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2532-76-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2604-219-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2604-67-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2612-59-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2612-236-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2692-213-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2692-61-0x000000013F120000-0x000000013F471000-memory.dmp

Filesize
3.3MB

Download
memory/2752-221-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2752-69-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2756-134-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2756-58-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2756-211-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2764-63-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-215-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-82-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2800-238-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2800-148-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2812-149-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-240-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-90-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-157-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2856-217-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-65-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-19-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-207-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download