cobaltstrike | 0c5543b8a8fd22c8005e5982a4fa3fcf2fc7d20b39ed5969519237aa2f1c86cd

Analysis

max time kernel
137s
max time network
148s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

de3e57b7602d1c9aaf1271535a75d97c
SHA1

b527ac3ec27d91044aa6d760d274a1cad27d2a4d
SHA256

0c5543b8a8fd22c8005e5982a4fa3fcf2fc7d20b39ed5969519237aa2f1c86cd
SHA512

c613fb8959983e97e96ad15350b8999436e57eb2ab0aacc06523d2eae1d1160f172dfe132ba7c20bb2121df3273a66318fe4d1955d007e7e6b7ced0cfa9a7058
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d00000001342e-3.dat	cobalt_reflective_dll
behavioral1/files/0x002a000000013a88-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014183-17.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001418c-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014251-25.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014367-33.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014b1c-40.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001507a-56.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000153ee-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015662-76.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000158d9-80.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015b50-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ae3-84.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001565a-72.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000150d9-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015083-60.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014f57-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014c2d-48.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000014bd7-44.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000143fb-36.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001431b-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000d00000001342e-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002a000000013a88-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014183-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001418c-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014251-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014367-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014b1c-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001507a-56.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000153ee-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015662-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000158d9-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015b50-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ae3-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001565a-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000150d9-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015083-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014f57-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014c2d-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000014bd7-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000143fb-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001431b-28.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/files/0x000d00000001342e-3.dat	UPX
behavioral1/files/0x002a000000013a88-6.dat	UPX
behavioral1/files/0x0007000000014183-17.dat	UPX
behavioral1/files/0x000700000001418c-21.dat	UPX
behavioral1/files/0x0007000000014251-25.dat	UPX
behavioral1/files/0x0008000000014367-33.dat	UPX
behavioral1/files/0x0006000000014b1c-40.dat	UPX
behavioral1/files/0x000600000001507a-56.dat	UPX
behavioral1/files/0x00060000000153ee-68.dat	UPX
behavioral1/files/0x0006000000015662-76.dat	UPX
behavioral1/files/0x00060000000158d9-80.dat	UPX
behavioral1/files/0x0006000000015b50-86.dat	UPX
behavioral1/files/0x0006000000015ae3-84.dat	UPX
behavioral1/files/0x000600000001565a-72.dat	UPX
behavioral1/files/0x00060000000150d9-64.dat	UPX
behavioral1/files/0x0006000000015083-60.dat	UPX
behavioral1/files/0x0006000000014f57-52.dat	UPX
behavioral1/files/0x0006000000014c2d-48.dat	UPX
behavioral1/files/0x0006000000014bd7-44.dat	UPX
behavioral1/files/0x00080000000143fb-36.dat	UPX
behavioral1/files/0x000700000001431b-28.dat	UPX
behavioral1/memory/2696-117-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2952-105-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2788-103-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
behavioral1/memory/2616-99-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2588-89-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/memory/2304-121-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2424-122-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/2412-125-0x000000013F990000-0x000000013FCE4000-memory.dmp	UPX
behavioral1/memory/2948-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/3044-131-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2432-128-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2548-126-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2624-123-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX
behavioral1/memory/2408-119-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2244-132-0x000000013F2D0000-0x000000013F624000-memory.dmp	UPX
behavioral1/memory/2588-134-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/memory/2616-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2952-139-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2948-140-0x000000013F070000-0x000000013F3C4000-memory.dmp	UPX
behavioral1/memory/2788-141-0x000000013FF40000-0x0000000140294000-memory.dmp	UPX
behavioral1/memory/2696-142-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2548-145-0x000000013F4F0000-0x000000013F844000-memory.dmp	UPX
behavioral1/memory/2304-144-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2588-143-0x000000013F090000-0x000000013F3E4000-memory.dmp	UPX
behavioral1/memory/2616-149-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2432-152-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/3044-151-0x000000013FE10000-0x0000000140164000-memory.dmp	UPX
behavioral1/memory/2412-150-0x000000013F990000-0x000000013FCE4000-memory.dmp	UPX
behavioral1/memory/2408-148-0x000000013FA10000-0x000000013FD64000-memory.dmp	UPX
behavioral1/memory/2952-147-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2424-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/2624-146-0x000000013F0B0000-0x000000013F404000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/files/0x000d00000001342e-3.dat	xmrig
behavioral1/files/0x002a000000013a88-6.dat	xmrig
behavioral1/memory/2244-13-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2244-7-0x00000000023E0000-0x0000000002734000-memory.dmp	xmrig
behavioral1/files/0x0007000000014183-17.dat	xmrig
behavioral1/files/0x000700000001418c-21.dat	xmrig
behavioral1/files/0x0007000000014251-25.dat	xmrig
behavioral1/files/0x0008000000014367-33.dat	xmrig
behavioral1/files/0x0006000000014b1c-40.dat	xmrig
behavioral1/files/0x000600000001507a-56.dat	xmrig
behavioral1/files/0x00060000000153ee-68.dat	xmrig
behavioral1/files/0x0006000000015662-76.dat	xmrig
behavioral1/files/0x00060000000158d9-80.dat	xmrig
behavioral1/files/0x0006000000015b50-86.dat	xmrig
behavioral1/files/0x0006000000015ae3-84.dat	xmrig
behavioral1/files/0x000600000001565a-72.dat	xmrig
behavioral1/files/0x00060000000150d9-64.dat	xmrig
behavioral1/files/0x0006000000015083-60.dat	xmrig
behavioral1/files/0x0006000000014f57-52.dat	xmrig
behavioral1/files/0x0006000000014c2d-48.dat	xmrig
behavioral1/files/0x0006000000014bd7-44.dat	xmrig
behavioral1/files/0x00080000000143fb-36.dat	xmrig
behavioral1/files/0x000700000001431b-28.dat	xmrig
behavioral1/memory/2696-117-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2952-105-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2788-103-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2616-99-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2244-90-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2588-89-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2304-121-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2424-122-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2412-125-0x000000013F990000-0x000000013FCE4000-memory.dmp	xmrig
behavioral1/memory/2948-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/3044-131-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2432-128-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2548-126-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2244-124-0x000000013F990000-0x000000013FCE4000-memory.dmp	xmrig
behavioral1/memory/2624-123-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig
behavioral1/memory/2244-120-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2408-119-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2244-132-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2588-134-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2616-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2952-139-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2948-140-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2788-141-0x000000013FF40000-0x0000000140294000-memory.dmp	xmrig
behavioral1/memory/2696-142-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2548-145-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2304-144-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2588-143-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2616-149-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2432-152-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/3044-151-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2412-150-0x000000013F990000-0x000000013FCE4000-memory.dmp	xmrig
behavioral1/memory/2408-148-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2952-147-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2424-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/2624-146-0x000000013F0B0000-0x000000013F404000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2948	QLydkXb.exe
3044	zKLhgNZ.exe
2588	fHpVnDv.exe
2616	hTuYLvT.exe
2788	sprneBt.exe
2952	jePVjSK.exe
2696	rpEhzSE.exe
2408	TUnXKhw.exe
2304	eOXxtWU.exe
2424	OKsxjks.exe
2624	SzRvxXn.exe
2412	zNtVDQK.exe
2548	ubaGzQP.exe
2432	FIjZRsB.exe
1976	wIcdPRa.exe
1616	RtGrbts.exe
2440	JPExCGl.exe
2664	QuSeYmo.exe
2652	pSkuJql.exe
1800	gUWRwGv.exe
2560	JifCCQW.exe

Loads dropped DLL 21 IoCs

pid	Process
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-0-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/files/0x000d00000001342e-3.dat	upx
behavioral1/files/0x002a000000013a88-6.dat	upx
behavioral1/memory/2244-13-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2244-7-0x00000000023E0000-0x0000000002734000-memory.dmp	upx
behavioral1/files/0x0007000000014183-17.dat	upx
behavioral1/files/0x000700000001418c-21.dat	upx
behavioral1/files/0x0007000000014251-25.dat	upx
behavioral1/files/0x0008000000014367-33.dat	upx
behavioral1/files/0x0006000000014b1c-40.dat	upx
behavioral1/files/0x000600000001507a-56.dat	upx
behavioral1/files/0x00060000000153ee-68.dat	upx
behavioral1/files/0x0006000000015662-76.dat	upx
behavioral1/files/0x00060000000158d9-80.dat	upx
behavioral1/files/0x0006000000015b50-86.dat	upx
behavioral1/files/0x0006000000015ae3-84.dat	upx
behavioral1/files/0x000600000001565a-72.dat	upx
behavioral1/files/0x00060000000150d9-64.dat	upx
behavioral1/files/0x0006000000015083-60.dat	upx
behavioral1/files/0x0006000000014f57-52.dat	upx
behavioral1/files/0x0006000000014c2d-48.dat	upx
behavioral1/files/0x0006000000014bd7-44.dat	upx
behavioral1/files/0x00080000000143fb-36.dat	upx
behavioral1/files/0x000700000001431b-28.dat	upx
behavioral1/memory/2696-117-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2952-105-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2788-103-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2616-99-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2588-89-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2304-121-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2424-122-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2412-125-0x000000013F990000-0x000000013FCE4000-memory.dmp	upx
behavioral1/memory/2948-130-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/3044-131-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2432-128-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2548-126-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2624-123-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx
behavioral1/memory/2408-119-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2244-132-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2588-134-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2616-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2952-139-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2948-140-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2788-141-0x000000013FF40000-0x0000000140294000-memory.dmp	upx
behavioral1/memory/2696-142-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2548-145-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2304-144-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2588-143-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2616-149-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2432-152-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/3044-151-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2412-150-0x000000013F990000-0x000000013FCE4000-memory.dmp	upx
behavioral1/memory/2408-148-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2952-147-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2424-153-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/2624-146-0x000000013F0B0000-0x000000013F404000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sprneBt.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TUnXKhw.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zNtVDQK.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wIcdPRa.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QuSeYmo.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pSkuJql.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JifCCQW.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fHpVnDv.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SzRvxXn.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RtGrbts.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gUWRwGv.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hTuYLvT.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jePVjSK.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rpEhzSE.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eOXxtWU.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OKsxjks.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FIjZRsB.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JPExCGl.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QLydkXb.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ubaGzQP.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zKLhgNZ.exe	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2948	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 2948	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 2948	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 3044	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 3044	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 3044	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 2588	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 2588	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 2588	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 2616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 2616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 2616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 2788	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2788	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2788	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2952	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2952	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2952	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2696	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2696	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2696	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2408	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2408	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2408	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2304	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2304	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2304	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2424	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2424	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2424	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2624	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2624	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2624	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2412	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 2412	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 2412	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 2548	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 2548	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 2548	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 2432	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 2432	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 2432	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 1976	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 1976	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 1976	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 1616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 1616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 1616	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 2440	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 2440	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 2440	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 2664	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 2664	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 2664	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 2652	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 2652	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 2652	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 1800	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 1800	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 1800	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 2560	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	49
PID 2244 wrote to memory of 2560	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	49
PID 2244 wrote to memory of 2560	2244	2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-28_de3e57b7602d1c9aaf1271535a75d97c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System\QLydkXb.exe
  C:\Windows\System\QLydkXb.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\zKLhgNZ.exe
  C:\Windows\System\zKLhgNZ.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\fHpVnDv.exe
  C:\Windows\System\fHpVnDv.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\hTuYLvT.exe
  C:\Windows\System\hTuYLvT.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\sprneBt.exe
  C:\Windows\System\sprneBt.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\jePVjSK.exe
  C:\Windows\System\jePVjSK.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\rpEhzSE.exe
  C:\Windows\System\rpEhzSE.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\TUnXKhw.exe
  C:\Windows\System\TUnXKhw.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\eOXxtWU.exe
  C:\Windows\System\eOXxtWU.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\OKsxjks.exe
  C:\Windows\System\OKsxjks.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\SzRvxXn.exe
  C:\Windows\System\SzRvxXn.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\zNtVDQK.exe
  C:\Windows\System\zNtVDQK.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\ubaGzQP.exe
  C:\Windows\System\ubaGzQP.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\FIjZRsB.exe
  C:\Windows\System\FIjZRsB.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\wIcdPRa.exe
  C:\Windows\System\wIcdPRa.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\RtGrbts.exe
  C:\Windows\System\RtGrbts.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\JPExCGl.exe
  C:\Windows\System\JPExCGl.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\QuSeYmo.exe
  C:\Windows\System\QuSeYmo.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\pSkuJql.exe
  C:\Windows\System\pSkuJql.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\gUWRwGv.exe
  C:\Windows\System\gUWRwGv.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\JifCCQW.exe
  C:\Windows\System\JifCCQW.exe
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FIjZRsB.exe

Filesize
5.9MB

MD5
e182eb298e12b6641907312579759e75

SHA1
8085837d1fcf1e18edf6feb30e9f41bb3cdbec5c

SHA256
f348b3d702bb7b0684ad0b17da543a3c9372223ad6a34c3f0a7f5f75314ecdc9

SHA512
f91942efdd7dfe4b16853ef563f2070fe2086f82436653699e089a06122ef8f512007c783ebfc770ae0d285cd8f68bad03904d6e64724a89f29bbfd18359ae7f

Download Submit
C:\Windows\system\JPExCGl.exe

Filesize
5.9MB

MD5
94496b5b8e32eef8cb9ec96d9770a7eb

SHA1
d9dfe144c1372a8f640675a348949bb41d2afe29

SHA256
909b732cf0d686619276c275562a82aa6205b288e56edea6f260c872dc00387d

SHA512
6e5b00831fd65d5f5b1ea8b7089dc9a24d16dc1b2e8d9ba27fe43b780cc059e3a9977a2934156fc7e0f2fa8a1006a26fe7c30b01829a68b1460baaa0d40970ae

Download Submit
C:\Windows\system\OKsxjks.exe

Filesize
5.9MB

MD5
2baaea728b86e59203a47e06990008e4

SHA1
446d594f6aa57741f9600df18b8731ffb01a2ccf

SHA256
20e8ecd986e24c65e63714ca69bd8a0339f666436a1a9a366925ae9fa3a5a77e

SHA512
078f2b43984330d7db12f20a7aef389943070f50ef05053ac803533e6e78d59786bab2cccf266ed9841e0e2f27c7685addffb0bba60f4dbe37c7d695cf1332ff

Download Submit
C:\Windows\system\QuSeYmo.exe

Filesize
5.9MB

MD5
68609939ab5fcb6ce40f1302ec465927

SHA1
ed9867dc232b4bff372b4d0150ab11ddc7da2e0a

SHA256
c660a4039f70356a8011d9aefcdf984d0cc1cc3dd2f057c0631963376df07966

SHA512
2e2203ee0e5e49299d1521acb6a764204830d2e218eec2a21c0f26bac1c7220ae5d8d2d8e6c129a3376c71ea83d822d3d166769db8b8e9dea501fce49983d79a

Download Submit
C:\Windows\system\RtGrbts.exe

Filesize
5.9MB

MD5
8ab1db96a2526e47862c9db3485e7c9c

SHA1
ae19a06081f3f06f18999f57e43686f2f8629ab6

SHA256
1116286698facd0bffd3264419b3b492861138b311c0ee4a3006e53b6b37ccb9

SHA512
729e42f79554e3502a8e30f62542c4b4b0fc4321739edb2cb04b6f0c2d1e18e5db38f0d718063784bcbf4eb7b81547957c0f6a0916d8e8dfe21fc01285f9b8c1

Download Submit
C:\Windows\system\SzRvxXn.exe

Filesize
5.9MB

MD5
e819768c657f0dd295f35ce2c78fcae2

SHA1
53c3829b789cf27f5870fd473b80bf848186b951

SHA256
e5b7b5f4b6ae33c85b7c0e631309852163f8f1d0dc6e06922664b7d270317321

SHA512
ce5e3861cb29f4a57a00de324877c97dc1714186f8372714c5a74419f9941be4f17de23ef7793f91b85c2752f9eb11501308acb731dc2fbaaf95dacf5b312bf3

Download Submit
C:\Windows\system\TUnXKhw.exe

Filesize
5.9MB

MD5
9a7c8b09531b5dafdb8cb0958aeb59bb

SHA1
92c9adae467319849b5d53239db34010dfebee09

SHA256
44ac10d7f6597801b297e63de98e9ddaebf26ee734faf913dc4e74d12737b9a0

SHA512
0d8980a80fba8715bf844da7d323c17817cc9150e3495ed4d9fc1a81dc16b0ef20362bd034e4149d1bf000a8a24470f4d614c85f2b12cc63c9545d54256e08c6

Download Submit
C:\Windows\system\eOXxtWU.exe

Filesize
5.9MB

MD5
0e5f9f9fb23a50bf3ea40bad83a68b95

SHA1
30ffcfbccc9d32d9101ed2aec0029d6f8e07e88b

SHA256
477d3f8f2190c9d3098e988d18ed7df321fb482ad1749e4cf0ad778a3bc6d94e

SHA512
aeb4ea771bd41a20729c76ca179650106a680360029b7e3ddab2e950719806627afc6766d27397ee662b52d9c904f32dcfb365e940f20c1005ce8ca39132088d

Download Submit
C:\Windows\system\fHpVnDv.exe

Filesize
5.9MB

MD5
e47ea02f395b3ac4865cecf41d8fad96

SHA1
7b50bd1fb3e130523eda7402c18bc3e80cd48de4

SHA256
aa1397cf68b3ed666dbc4828ef1ddb7f53729f3e8d871fb5dd30d0fab6cd6ed0

SHA512
9c31f0c5cf75ff65868b315d4d5dc04b6b5b22c272931e6631f5c457fc9af8ee1f16be75b27127147b023ddb36910bb79b550cabf2c2524da8fa0399cec4b24f

Download Submit
C:\Windows\system\gUWRwGv.exe

Filesize
5.9MB

MD5
62f606441219053e85ffc10e5ebad201

SHA1
723ad0cbb39be5f1387eafde3f27ec8fcc34fcbe

SHA256
cbb427f935246fa1db4214a3eb6ec9ef4c8161b66ebd6d2546f75771e8ae8f74

SHA512
e557b8aa75f734439e7c52b10bedfec66b24b2038a74507c5a225c130eabef97b97e5f6c186b2c75a791adc55d6096205e61e77a29409e62d1d0e54b2c04eb73

Download Submit
C:\Windows\system\hTuYLvT.exe

Filesize
5.9MB

MD5
015bf4d66549d5b92383977e1568b92a

SHA1
d5b0052de3dcc62228faaccb450da36adeaa2c28

SHA256
edb19e57131bf22e023ed0dc6b0e4b360a6d1a7ec4856e0850b95691853c24f0

SHA512
2f5b84963ada0d9db9271b09d416db4676f6d5a9f011f82266ac82485eb4e80d57311cf0f4dd94549b4d4c640c6f70abe27803297e681b3b4731a6880a1c1086

Download Submit
C:\Windows\system\jePVjSK.exe

Filesize
5.9MB

MD5
de836c95defbe28acee0950fa4de570e

SHA1
0f4c33916efbbd202b12bf4f85b8203cfedaf44e

SHA256
5031529778f020e24c68a27325c06083b3ebf61c1fb4a7c77b0a51830c2ef11b

SHA512
5820ecdb7c83fb060401f1029ac761cccf33fd8715e2848e997bcb6425eec45f0dfc87c93bc77e795a7187789965f024c46aa0bfebbb528bed663af65525deac

Download Submit
C:\Windows\system\pSkuJql.exe

Filesize
5.9MB

MD5
ce88e5cd0efd95b34c27eebe4fd5c5b7

SHA1
e4d700b1b06f2b6ea191ef1a161efea193722736

SHA256
87a73a3f01c9f77126cfde3dcb526f4e87ef59982d20f21edad206fe3551f584

SHA512
02d0b5bf38079bd82445c1225da4a111aba5d0cdabc1396ea3f7b6c6bb08949f4eb6d78ad83d883d37ae998cb06aae176baffa93c7b2766e0f89d3a716c93083

Download Submit
C:\Windows\system\rpEhzSE.exe

Filesize
5.9MB

MD5
052a40d969fc2c9d8c72cfc0b629f5da

SHA1
05cd98d0f8bc762e28737c639eb40405afd1e85c

SHA256
ddbf16101f528e01cd2985801f9fa6507de49e2b4342dc9ad774e9ad04bbc14a

SHA512
1e6968e82cafa135cef3958182d03ddb58027e527d8b2447265fad096c57037b573073a507388277762720a210ebadc54d3d0b4c821968e71250a60c0ce93039

Download Submit
C:\Windows\system\sprneBt.exe

Filesize
5.9MB

MD5
a72dac26c36d3c27ceb41c8b197e0e54

SHA1
c4ac3c532b9856d734d51644b59545d6f7d42a7c

SHA256
0b0c6c3ebb2570abd2b73f8ffcd6bcf0f2a6e4163e00f52f9f38629d06b6cd0e

SHA512
9105724685137c617f41773e3d2cc687cb263c56e1e2cb836fe3d3bd39cbe900b251ad511b33df582d403ecefaa3ba5eff57974eec3a41e11aa1e064f6d29091

Download Submit
C:\Windows\system\ubaGzQP.exe

Filesize
5.9MB

MD5
7728490dc1213e5a92c975a8832d5171

SHA1
3b1089a4161f8fba487bf49495efb3d4a8ffdf56

SHA256
4373c1466321196d11820a729622b344f6456efb547b5582fbdbbcbf09f78c25

SHA512
dc8e3efc957efe14d878eda9de5714caa70af2bb758189ac76f43bc9bcc4b49e350f535b3a6ef283675f568e521a32076c757a5300d4f38acff85184f714e15a

Download Submit
C:\Windows\system\wIcdPRa.exe

Filesize
5.9MB

MD5
ba6ee3bf6d47887500b5bdec48a62b99

SHA1
1fa4795669e0c565d79aba3415b2c1029fb9be6b

SHA256
b70707e83d825d5e71a76ca110c0b4e5165cdc54ced08dd15b9cf434b9ea5f6f

SHA512
f45acc59756c8ec9d9b78da8c9a4f317866de9a82f4e8676eee239b2e217c81751e38b606ab380de7332d2a93f3118185a41fab5fd7f03c84d587030ce0e4363

Download Submit
C:\Windows\system\zNtVDQK.exe

Filesize
5.9MB

MD5
513bfd9c71964263c3d3a1a80ac90c88

SHA1
d5b61e2d0ee2b18f2c4f3989ababf40c1974b59b

SHA256
9c2084cb664fa9076832252e83e208a924c5619f5c021cd6b796373cfdf9776e

SHA512
916bb0d2c429aa3897666d3deda0ee06352fbada79e7644a67497482c80c0a4ee8ea09c32b1733c04d4e4603919d52b89f4d1ffb0d7a70d1cb4d6b99cb1584e3

Download Submit
\Windows\system\JifCCQW.exe

Filesize
5.9MB

MD5
098ac1bf8f19fd1a43d2583f8c741ddb

SHA1
4205eb61933b4b67bcaba14201ef0cfd4fe7ec6c

SHA256
8c85231696c6d27ec1d70f72454db73513249f58116ba0ef9232fa238f7a839a

SHA512
fa3c9dd81df4f11241bbebf8de102e68701116362219ffcbed3475186518b713b17a1f8555e6ff4c146fe68fa4fa547231c3e672d5a685846eb9a93bed91c4c0

Download Submit
\Windows\system\QLydkXb.exe

Filesize
5.9MB

MD5
69a5476022ef782fcea414f02badc234

SHA1
fb28e0b6df58413bfb9e75f8a7ae05f027e01923

SHA256
7c9253cfb7f9d6481da56c9d9184f282f240f69bc5981fae6901542e94f3b0b5

SHA512
3790e558f8fa6c8c641bff956c50f4c8f25ba31ec5dc01e89b7206cf32cf98f8296fe7f86e98f145e9d54c424b29c65b250391b8539ab2afc454d5238bf90436

Download Submit
\Windows\system\zKLhgNZ.exe

Filesize
5.9MB

MD5
d17e67a0c96a64056cd1df1bf91e88a2

SHA1
2c8acd885052b2375589debd6ad6aef34563313f

SHA256
7a7e51b5f90933136ef83dfa0bcd844eb95b03b855e0ff3aa7d5ab966f3a8676

SHA512
7c40ce347e2c40180ab5aa50d02cd7a9ed0038af52bc934c41cae603f92d6e0634b930f664574ba7d384cfeb32604a548aa4d279e269d1e161fd4f91ccc39d9e

Download Submit
memory/2244-118-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2244-135-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2244-7-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2244-104-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2244-138-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2244-129-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-106-0x00000000023E0000-0x0000000002734000-memory.dmp

Filesize
3.3MB

Download
memory/2244-137-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2244-13-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2244-102-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2244-133-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2244-90-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2244-132-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2244-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2244-120-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-124-0x000000013F990000-0x000000013FCE4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-127-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-121-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-144-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-148-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2408-119-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2412-125-0x000000013F990000-0x000000013FCE4000-memory.dmp

Filesize
3.3MB

Download
memory/2412-150-0x000000013F990000-0x000000013FCE4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-153-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-122-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-128-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-152-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2548-145-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2548-126-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2588-143-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-134-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-89-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-99-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2616-136-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2616-149-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2624-146-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2624-123-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2696-117-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2696-142-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2788-141-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2788-103-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/2948-140-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2948-130-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-139-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2952-147-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2952-105-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/3044-151-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/3044-131-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download