cobaltstrike | 78b3835885eb90a7f12866283d1d7b8dce16ef125deae7601b1d7ba9b56c62b8

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29-05-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

bda247ae3f547898a69397190e57a898
SHA1

586ed09e7cc674ee78d4f059991375491f3431ec
SHA256

78b3835885eb90a7f12866283d1d7b8dce16ef125deae7601b1d7ba9b56c62b8
SHA512

7c4308fb80343b02e12962c4e15c19f7d8669b2e4672023a1b16705edceb92869f8db9283325123790a429fe3cb8c4db4c09461860b03eb668849dd0627c4c7f
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU8:Q+856utgpPF8u/78

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012286-6.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015609-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb8-31.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cdf-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cc7-39.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d17-137.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ceb-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c78-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc1-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c52-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c6f-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a8a-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016835-99.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000165e1-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016581-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016455-76.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000162e4-66.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cf0-49.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001615c-58.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015b6e-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015693-11.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012286-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000015609-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb8-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cdf-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cc7-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d17-137.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ceb-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c78-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cc1-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c52-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c6f-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a8a-106.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016835-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000165e1-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016581-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016455-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000162e4-66.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cf0-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000800000001615c-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015b6e-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015693-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/files/0x000a000000012286-6.dat	UPX
behavioral1/memory/1928-8-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/files/0x0035000000015609-12.dat	UPX
behavioral1/memory/2880-14-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2536-20-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cb8-31.dat	UPX
behavioral1/memory/2564-27-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cdf-46.dat	UPX
behavioral1/files/0x0007000000015cc7-39.dat	UPX
behavioral1/memory/2684-37-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2924-140-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/memory/2488-139-0x000000013FC00000-0x000000013FF54000-memory.dmp	UPX
behavioral1/files/0x0006000000016d17-137.dat	UPX
behavioral1/files/0x0006000000016ceb-132.dat	UPX
behavioral1/files/0x0006000000016c78-122.dat	UPX
behavioral1/files/0x0006000000016cc1-127.dat	UPX
behavioral1/files/0x0006000000016c52-113.dat	UPX
behavioral1/files/0x0006000000016c6f-116.dat	UPX
behavioral1/memory/2716-103-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/files/0x0006000000016a8a-106.dat	UPX
behavioral1/files/0x0006000000016835-99.dat	UPX
behavioral1/memory/400-96-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/files/0x00060000000165e1-92.dat	UPX
behavioral1/memory/1504-89-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/memory/2564-87-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x0006000000016581-84.dat	UPX
behavioral1/memory/2256-81-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/2536-79-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016455-76.dat	UPX
behavioral1/memory/2496-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2880-68-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/files/0x00060000000162e4-66.dat	UPX
behavioral1/memory/2924-63-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/memory/2680-52-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/files/0x0008000000015cf0-49.dat	UPX
behavioral1/memory/2488-61-0x000000013FC00000-0x000000013FF54000-memory.dmp	UPX
behavioral1/memory/1700-59-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/memory/2804-42-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/files/0x000800000001615c-58.dat	UPX
behavioral1/files/0x0008000000015b6e-25.dat	UPX
behavioral1/files/0x0007000000015693-11.dat	UPX
behavioral1/memory/2496-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/1928-147-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2536-148-0x000000013F450000-0x000000013F7A4000-memory.dmp	UPX
behavioral1/memory/2684-149-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	UPX
behavioral1/memory/2564-150-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2804-151-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/2680-152-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2880-153-0x000000013F030000-0x000000013F384000-memory.dmp	UPX
behavioral1/memory/2488-154-0x000000013FC00000-0x000000013FF54000-memory.dmp	UPX
behavioral1/memory/2496-155-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	UPX
behavioral1/memory/2924-156-0x000000013F5E0000-0x000000013F934000-memory.dmp	UPX
behavioral1/memory/2256-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	UPX
behavioral1/memory/1504-158-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/memory/400-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	UPX
behavioral1/memory/2716-160-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/files/0x000a000000012286-6.dat	xmrig
behavioral1/memory/1928-8-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/files/0x0035000000015609-12.dat	xmrig
behavioral1/memory/2880-14-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2536-20-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cb8-31.dat	xmrig
behavioral1/memory/2564-27-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cdf-46.dat	xmrig
behavioral1/files/0x0007000000015cc7-39.dat	xmrig
behavioral1/memory/2684-37-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2924-140-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2488-139-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d17-137.dat	xmrig
behavioral1/files/0x0006000000016ceb-132.dat	xmrig
behavioral1/files/0x0006000000016c78-122.dat	xmrig
behavioral1/files/0x0006000000016cc1-127.dat	xmrig
behavioral1/files/0x0006000000016c52-113.dat	xmrig
behavioral1/files/0x0006000000016c6f-116.dat	xmrig
behavioral1/memory/2716-103-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016a8a-106.dat	xmrig
behavioral1/files/0x0006000000016835-99.dat	xmrig
behavioral1/memory/400-96-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/files/0x00060000000165e1-92.dat	xmrig
behavioral1/memory/1504-89-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/memory/2564-87-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016581-84.dat	xmrig
behavioral1/memory/2256-81-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2536-79-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016455-76.dat	xmrig
behavioral1/memory/2496-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2880-68-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/files/0x00060000000162e4-66.dat	xmrig
behavioral1/memory/2924-63-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2680-52-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/files/0x0008000000015cf0-49.dat	xmrig
behavioral1/memory/2488-61-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/1700-59-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/memory/2804-42-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/files/0x000800000001615c-58.dat	xmrig
behavioral1/files/0x0008000000015b6e-25.dat	xmrig
behavioral1/files/0x0007000000015693-11.dat	xmrig
behavioral1/memory/1700-141-0x0000000002510000-0x0000000002864000-memory.dmp	xmrig
behavioral1/memory/2496-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1700-145-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/1928-147-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2536-148-0x000000013F450000-0x000000013F7A4000-memory.dmp	xmrig
behavioral1/memory/2684-149-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	xmrig
behavioral1/memory/2564-150-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2804-151-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2680-152-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2880-153-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2488-154-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2496-155-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2924-156-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2256-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/1504-158-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/memory/400-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2716-160-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1928	UZGjeeQ.exe
2880	OPUAYTc.exe
2536	mEOwnFS.exe
2564	FFDehuB.exe
2684	JJcOEzZ.exe
2804	qfKhJKM.exe
2680	OusiJYu.exe
2488	fiPnkwJ.exe
2924	uQYSgGx.exe
2496	JQzprTf.exe
2256	xFjNkAS.exe
1504	dNlAMaP.exe
400	DmajpOi.exe
2716	XEwSHOG.exe
352	uLEnsbX.exe
1452	ytCBjLo.exe
752	qHKcMGD.exe
1600	iJYdnsx.exe
1020	asQaiZb.exe
940	TkExTQb.exe
2884	dXNBfiO.exe

Loads dropped DLL 21 IoCs

pid	Process
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/files/0x000a000000012286-6.dat	upx
behavioral1/memory/1928-8-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/files/0x0035000000015609-12.dat	upx
behavioral1/memory/2880-14-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2536-20-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/files/0x0007000000015cb8-31.dat	upx
behavioral1/memory/2564-27-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0007000000015cdf-46.dat	upx
behavioral1/files/0x0007000000015cc7-39.dat	upx
behavioral1/memory/2684-37-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2924-140-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2488-139-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/files/0x0006000000016d17-137.dat	upx
behavioral1/files/0x0006000000016ceb-132.dat	upx
behavioral1/files/0x0006000000016c78-122.dat	upx
behavioral1/files/0x0006000000016cc1-127.dat	upx
behavioral1/files/0x0006000000016c52-113.dat	upx
behavioral1/files/0x0006000000016c6f-116.dat	upx
behavioral1/memory/2716-103-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0006000000016a8a-106.dat	upx
behavioral1/files/0x0006000000016835-99.dat	upx
behavioral1/memory/400-96-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/files/0x00060000000165e1-92.dat	upx
behavioral1/memory/1504-89-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/memory/2564-87-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0006000000016581-84.dat	upx
behavioral1/memory/2256-81-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2536-79-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/files/0x0006000000016455-76.dat	upx
behavioral1/memory/2496-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2880-68-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/files/0x00060000000162e4-66.dat	upx
behavioral1/memory/2924-63-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2680-52-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/files/0x0008000000015cf0-49.dat	upx
behavioral1/memory/2488-61-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/1700-59-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/memory/2804-42-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/files/0x000800000001615c-58.dat	upx
behavioral1/files/0x0008000000015b6e-25.dat	upx
behavioral1/files/0x0007000000015693-11.dat	upx
behavioral1/memory/2496-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1928-147-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2536-148-0x000000013F450000-0x000000013F7A4000-memory.dmp	upx
behavioral1/memory/2684-149-0x000000013F6A0000-0x000000013F9F4000-memory.dmp	upx
behavioral1/memory/2564-150-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2804-151-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2680-152-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2880-153-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2488-154-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2496-155-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2924-156-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2256-157-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/1504-158-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/memory/400-159-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2716-160-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DmajpOi.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TkExTQb.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UZGjeeQ.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JQzprTf.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XEwSHOG.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\asQaiZb.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dXNBfiO.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OPUAYTc.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xFjNkAS.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JJcOEzZ.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qfKhJKM.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OusiJYu.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fiPnkwJ.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uLEnsbX.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iJYdnsx.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mEOwnFS.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FFDehuB.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ytCBjLo.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qHKcMGD.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uQYSgGx.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dNlAMaP.exe	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1928	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	30
PID 1700 wrote to memory of 1928	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	30
PID 1700 wrote to memory of 1928	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	30
PID 1700 wrote to memory of 2880	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	31
PID 1700 wrote to memory of 2880	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	31
PID 1700 wrote to memory of 2880	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	31
PID 1700 wrote to memory of 2536	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	32
PID 1700 wrote to memory of 2536	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	32
PID 1700 wrote to memory of 2536	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	32
PID 1700 wrote to memory of 2564	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	33
PID 1700 wrote to memory of 2564	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	33
PID 1700 wrote to memory of 2564	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	33
PID 1700 wrote to memory of 2684	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	34
PID 1700 wrote to memory of 2684	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	34
PID 1700 wrote to memory of 2684	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	34
PID 1700 wrote to memory of 2804	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	35
PID 1700 wrote to memory of 2804	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	35
PID 1700 wrote to memory of 2804	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	35
PID 1700 wrote to memory of 2680	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	36
PID 1700 wrote to memory of 2680	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	36
PID 1700 wrote to memory of 2680	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	36
PID 1700 wrote to memory of 2924	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	37
PID 1700 wrote to memory of 2924	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	37
PID 1700 wrote to memory of 2924	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	37
PID 1700 wrote to memory of 2488	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	38
PID 1700 wrote to memory of 2488	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	38
PID 1700 wrote to memory of 2488	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	38
PID 1700 wrote to memory of 2496	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	39
PID 1700 wrote to memory of 2496	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	39
PID 1700 wrote to memory of 2496	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	39
PID 1700 wrote to memory of 2256	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	40
PID 1700 wrote to memory of 2256	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	40
PID 1700 wrote to memory of 2256	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	40
PID 1700 wrote to memory of 1504	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	41
PID 1700 wrote to memory of 1504	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	41
PID 1700 wrote to memory of 1504	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	41
PID 1700 wrote to memory of 400	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	42
PID 1700 wrote to memory of 400	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	42
PID 1700 wrote to memory of 400	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	42
PID 1700 wrote to memory of 2716	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	43
PID 1700 wrote to memory of 2716	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	43
PID 1700 wrote to memory of 2716	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	43
PID 1700 wrote to memory of 352	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	44
PID 1700 wrote to memory of 352	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	44
PID 1700 wrote to memory of 352	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	44
PID 1700 wrote to memory of 1452	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	45
PID 1700 wrote to memory of 1452	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	45
PID 1700 wrote to memory of 1452	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	45
PID 1700 wrote to memory of 752	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	46
PID 1700 wrote to memory of 752	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	46
PID 1700 wrote to memory of 752	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	46
PID 1700 wrote to memory of 1600	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	47
PID 1700 wrote to memory of 1600	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	47
PID 1700 wrote to memory of 1600	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	47
PID 1700 wrote to memory of 1020	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	48
PID 1700 wrote to memory of 1020	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	48
PID 1700 wrote to memory of 1020	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	48
PID 1700 wrote to memory of 940	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	49
PID 1700 wrote to memory of 940	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	49
PID 1700 wrote to memory of 940	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	49
PID 1700 wrote to memory of 2884	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	50
PID 1700 wrote to memory of 2884	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	50
PID 1700 wrote to memory of 2884	1700	2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_bda247ae3f547898a69397190e57a898_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\System\UZGjeeQ.exe
  C:\Windows\System\UZGjeeQ.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\OPUAYTc.exe
  C:\Windows\System\OPUAYTc.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\mEOwnFS.exe
  C:\Windows\System\mEOwnFS.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\FFDehuB.exe
  C:\Windows\System\FFDehuB.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\JJcOEzZ.exe
  C:\Windows\System\JJcOEzZ.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\qfKhJKM.exe
  C:\Windows\System\qfKhJKM.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\OusiJYu.exe
  C:\Windows\System\OusiJYu.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\uQYSgGx.exe
  C:\Windows\System\uQYSgGx.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\fiPnkwJ.exe
  C:\Windows\System\fiPnkwJ.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\JQzprTf.exe
  C:\Windows\System\JQzprTf.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\xFjNkAS.exe
  C:\Windows\System\xFjNkAS.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\dNlAMaP.exe
  C:\Windows\System\dNlAMaP.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\DmajpOi.exe
  C:\Windows\System\DmajpOi.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\XEwSHOG.exe
  C:\Windows\System\XEwSHOG.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\uLEnsbX.exe
  C:\Windows\System\uLEnsbX.exe
  2⤵
  - Executes dropped EXE
  PID:352
- C:\Windows\System\ytCBjLo.exe
  C:\Windows\System\ytCBjLo.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\qHKcMGD.exe
  C:\Windows\System\qHKcMGD.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\iJYdnsx.exe
  C:\Windows\System\iJYdnsx.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\asQaiZb.exe
  C:\Windows\System\asQaiZb.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\TkExTQb.exe
  C:\Windows\System\TkExTQb.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\dXNBfiO.exe
  C:\Windows\System\dXNBfiO.exe
  2⤵
  - Executes dropped EXE
  PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DmajpOi.exe

Filesize
5.9MB

MD5
3018f97e43a47a289e02c8d6a8e16b86

SHA1
8513a7374ebd44ba8063693b5dd0d7b101a4dd9b

SHA256
1e9af5f6a8d4f9ea04dd616d8ebb178ff4faa0ebec9b0bad30f7c0abe4d7da4b

SHA512
021b42e969bc1be6695cdb5f8df63f4b4512d1e1d65713c0e67b17b0dbe6ad234c1b9670b51fb0fbad02e743c01e02e39f1c6975e677aa8638ce19250cbc2863

Download Submit
C:\Windows\system\FFDehuB.exe

Filesize
5.9MB

MD5
a90b97fcc2aae554ce86f5705ad3354a

SHA1
34c59fd73ff1b54fbe8df1d2c872e2424ba8f195

SHA256
b340f5309a4e36706000b7b9633cd74363ad00542827f210daf5f3ff34f26d77

SHA512
8fac3ba64683bb42e9a8e2f497033af39880e4c7b1d6508f3a01432e5cfc5e5df442d20a576eebc5d2a8f72b16a70341415f54da11c7aa4b717cb64fc53d1dda

Download Submit
C:\Windows\system\JJcOEzZ.exe

Filesize
5.9MB

MD5
bd8642cee7f675ea6faa14a6f8bfef2a

SHA1
120b4da63573c5da3201f5dc46977044bb92fc05

SHA256
fd7f454a47672e8840ade476cc8781f7c2424624baf01c1946fb0898ab17f10b

SHA512
f16a384a86644f004ff8e3d5b7feade0b6c46ce57ccfd7024d411c6fe226e7c92a7a737a1ad4a6123408a572ce9163742df539b9f9cb5a4f38bd796c50d27e75

Download Submit
C:\Windows\system\JQzprTf.exe

Filesize
5.9MB

MD5
c84cd853833181c98fadb42b2778f38e

SHA1
17403329f1af75868e7933bc93f77cbf56c4e06d

SHA256
42df21f125377b2ac47d8b159c99365ba74beb0a853e74181971a8dfc64dcd11

SHA512
6082db89a9f69369d6be114c56e6b7d2fc014644040ad1ee15f6cde3851382a0d0525be51fb7204f2b7d46c99731a8252356a42864f829ad40e94b1d45016688

Download Submit
C:\Windows\system\OPUAYTc.exe

Filesize
5.9MB

MD5
424a949b8d0e09f12d20f5b0efd7ddd1

SHA1
a4ede5024114082078d545f284eba9c1a0614350

SHA256
f2274654158551a62c155fd869aa1606527b46b25e29a2324db4695592273168

SHA512
a23f09ec28dde909587db95b5be391dedf7f55667f45abc6a0bba0d33ed2b572a73c372a0570ff2177c05cf990492a2b5bf99471cf68ba749c7048c64228f13e

Download Submit
C:\Windows\system\OusiJYu.exe

Filesize
5.9MB

MD5
066bb0d158a2379bdf9f57082c195f3c

SHA1
3982f7f90ddc281740b1dc244365a7d30a0997f1

SHA256
10a997ff8885367da5b5b00e089897e5d98c67dc98f1249a17be13ee69495adf

SHA512
466a388d35e7526526babd984089d82052c1fae9594c5edb32ad3999c1856d82df1cc44d18786640172c0d7b2a3b951a049c138cb4f57077f77b1f3a077fe4cc

Download Submit
C:\Windows\system\TkExTQb.exe

Filesize
5.9MB

MD5
976e767a16230b3bd9a904261d0e0bee

SHA1
4ed5ca64e2ae555f3fbcba453b68404b1c82224b

SHA256
744a3de7bbf0a23f4b170cfeddebe61429f49f6a375083c2981147dadf63dc35

SHA512
aae8fe2f9e57e3a0c3d87161e34d9c92d9e509326be262f99be67fee524e4d96253feaa870ea31bc355bcd4f1f6cac6f8df0735274de26e500780e437f4d5244

Download Submit
C:\Windows\system\UZGjeeQ.exe

Filesize
5.9MB

MD5
8daba81a0d12708e6e11a13bf06c2980

SHA1
259922f3b8227c70e655a9422214622d7053da6e

SHA256
fe23cf96907b83b25c6643a7f794763a214b0d2b883d2ade1aa6c1de175cf03e

SHA512
2f5aa7b95ac2e03da5a7d67069d13807b3c9d935e4f0a115eccd4caa4e4620d5b9c5f9f6a2f4facb3ad04709b123d2b73b0a85d5880fdeb8fae96a6301fd9401

Download Submit
C:\Windows\system\XEwSHOG.exe

Filesize
5.9MB

MD5
36b533c00cdb8e8f2c06b39a60e35106

SHA1
ec67f9447bbbfcb1a36d8d06705619ebd23224c9

SHA256
acce35477b7d0b01c562fbe7a0293525248101dc442ad2b63d41903de8ac91f9

SHA512
9c51fcd73ec31ea35cd776a68c2875ec8e47a7805b83af952ea99396391214d946b9d6f84d1e1d3ab4ec4cc09acfdb03aebb453f7e703d450c78b81c32b0169c

Download Submit
C:\Windows\system\asQaiZb.exe

Filesize
5.9MB

MD5
4c99083d4927f5ea643396ae75ae0ea1

SHA1
ba834a922a65203f759beffc55eea1c9aeacbdef

SHA256
c3e2081395059be927bbd6e2fe7fc84d411b1c22000e2fa909b7a3c0efd64f57

SHA512
e274dd7ea083e544f6bdbe4a6aae6e9dff8788f58fe4aa39234b781a99c26074a5d8fadc047550e70ce75985158a52bae36d450cdf6fc82ee0c930d7611e97ab

Download Submit
C:\Windows\system\dNlAMaP.exe

Filesize
5.9MB

MD5
6a0172a163d580f5828b4ac58a2a7a9c

SHA1
8ba6d0f0ba808f18ef81ef038168353c7fd9e4f1

SHA256
4399b82c073d59e397a6161e09bed331ef25b4f2fcbb5d7cd8759dec58b67513

SHA512
7bf57c5113c473cb6f77c302bf41decb7a68eeca7722155a85bbf89ba949777f28d59eb34ce3f4face41326a6baaa6eee620b37f3f4589f19540b6069aa4ee23

Download Submit
C:\Windows\system\dXNBfiO.exe

Filesize
5.9MB

MD5
e28d21846ae97d4590910bbf29030380

SHA1
4d3c903679f70d2b5075b6e65859af51561035ec

SHA256
3c03f58d5fcfe10edd3f9fbb790a1358a123c31b27bce3b93132e8d2c112ec22

SHA512
c30d7db338a6cdfa1962fd897a7246a343e56b1a43b8a416cca356afc55dab435d91a8ead5ffcc8302e747d1e83fcd9a4e75d36f0c0991278a678bbccf21b638

Download Submit
C:\Windows\system\fiPnkwJ.exe

Filesize
5.9MB

MD5
a9662c534eb1f5bef2d22bc6c94b8cd1

SHA1
17b34c9d2cd58a7a944ec919a07aa480133c2027

SHA256
3e0d8db0f21cee9d537750eeb3a91c49aeb6251af37fac1cf99ba9682bd54f7b

SHA512
de4c47c3d061b71c35991b4c3e55e149236fbbd1c63f19dd94440e5645e4636627a88c855e097769ced595a5c0baf8a5e1e5c8f73cdfee12d390bdcb43e69310

Download Submit
C:\Windows\system\iJYdnsx.exe

Filesize
5.9MB

MD5
3685f1d43e177b5b6a423d208d3a3133

SHA1
98c21aafa34554d8c1cf65cf6b707c256c32ec8d

SHA256
d354895ac7e7f9362ff523c3e40a6e7d7b18577078969f73bcb35541cb65fc71

SHA512
bef246048b83b5e68f82fb6d75eb23d7f518b912bf3a876ec9272d3aea49b52d7e6f0f9f65bc959759d5d00144e48bbecb0395b836a919d864b0d8b0be56e77a

Download Submit
C:\Windows\system\mEOwnFS.exe

Filesize
5.9MB

MD5
c4f8b2dec254a06d4aa4dafaca299a7b

SHA1
ef2d4fc624cd89eb9c6d14bc89928d7e6e10bfae

SHA256
4f06765a8718d8fc7078b8e73b1a229d6daf25298fcc21443b16ff35a75d8b0c

SHA512
2e6800780d7c5219965cf15189292b47ba2f65f4b05116d04e277fb2c2b8f72787557671dbf96e1462c90935b0f5083c9ed9b18c006688fc17b913308bc0b711

Download Submit
C:\Windows\system\qHKcMGD.exe

Filesize
5.9MB

MD5
36ce3bbb02bb5e6bd0edd755a60f90be

SHA1
d5376eaf4932aa67218329ed13328ad410359f15

SHA256
533bb49f606b2f34d3d3499b1a7e5dde751ab6eae931e327434a44629fbf8456

SHA512
91c9a38839febfd63982a3a129b8c7235825d432827ee6a3b6a1c64e91b66c34df0d48d3467ee601a65f7d6618269794574b1f519e1fec5f07c17086ad067b25

Download Submit
C:\Windows\system\qfKhJKM.exe

Filesize
5.9MB

MD5
b263362f2ba53db856e7c9c243a1f4ff

SHA1
501e400c127c158ba8473d8ca12409d565843045

SHA256
9b6beb4e19410ef578d001656e678ab5966c65ca34d62b1ba5dead9b92cb446f

SHA512
5793397c20aea0f5340ecb55f2df394683b6b687e192eca01bc24a45c067e5e0106d36b491b13df05ab0c249498e4c38072258e3c3901df1cc69e9962991ead1

Download Submit
C:\Windows\system\uLEnsbX.exe

Filesize
5.9MB

MD5
b61bb5d3c02def9c49219e9dd93056a8

SHA1
79286c0d95a6b8520107cbf7cbfe6518029e8f88

SHA256
af275089b7d14ae6ef1bc93747d104e5ee7a5c8a9ed2be92d96ffc6ede9e3fc3

SHA512
d71b89b2e91eae5a31068400663158ff06025d5e1e3ebcaadffaa6f3022550021973258a63f3051e5655c3dda6aec760cf65c74fb69102f373df4ea8fb061b1e

Download Submit
C:\Windows\system\xFjNkAS.exe

Filesize
5.9MB

MD5
edbf5775924113ecc62a02237131ff32

SHA1
f52aceab403956cceb76fc88bb0a115ad00538f1

SHA256
958f150c6643ce61155f319b55c3112d0a394fc3768fca862f874055f7580ddb

SHA512
85bbfad89f26c107d3b5cf8f2942b0750a948fb99ffd43424e5e2d91376bf547daabadbfe38956239afd92025e94390e78fd73c8e2886cf21fe412d7ee5c51da

Download Submit
C:\Windows\system\ytCBjLo.exe

Filesize
5.9MB

MD5
820c5c6685548f8839745514666917fd

SHA1
4361279783e6f3295e64ca210f10f1b926221deb

SHA256
077b87aacf3b8e53fd657e404fd0b6e626d69670289619cfad5492adafc3a027

SHA512
b94b5e6df3bc37f2c85b68fcd7d0f0261a4785b638120216f9bc1bedd7196778ee4217127d02bde777bfb3fc1cce8335ce5ba58847a0f317d2d3260b6ece044b

Download Submit
\Windows\system\uQYSgGx.exe

Filesize
5.9MB

MD5
8fc6ae33787c7148374e88580e1ad6c9

SHA1
53f8e72b045fc9824a52c7b2a638b35ec9581add

SHA256
56be8cc9a2b32233a63a8695bc969ada542c5c59829443f83e309564d88a1a2d

SHA512
e04ee9bea0cb2bc748e59aa9980c9854e08488ceee227022b693a79ff15ac9d4e9ffea2b3c7e429dd490e25a79688cd567fd34fd6f43a7fb33c319add8ed7928

Download Submit
memory/400-96-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/400-159-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/1504-89-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/1504-158-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/1700-141-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-38-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1700-102-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-112-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1700-19-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-95-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/1700-36-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-54-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-88-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-146-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-59-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/1700-145-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1700-80-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-144-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/1700-48-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1700-143-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-69-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1700-0-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/1700-67-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1700-13-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/1700-26-0x0000000002510000-0x0000000002864000-memory.dmp

Filesize
3.3MB

Download
memory/1928-147-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-8-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-81-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2256-157-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2488-154-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2488-139-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2488-61-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2496-155-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-142-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2496-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-20-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-148-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-79-0x000000013F450000-0x000000013F7A4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-27-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-150-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-87-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-152-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2680-52-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2684-149-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2684-37-0x000000013F6A0000-0x000000013F9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-103-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-160-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-151-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2804-42-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2880-14-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2880-153-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2880-68-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2924-63-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2924-156-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2924-140-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download