cobaltstrike | f07ce5018cb27bb111a7d4bac222009531b21012a45858e4e1c452f636fbbe18

Analysis

max time kernel
138s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

3db46275b9a4fef941af7cb6b33b0085
SHA1

41d7721f5305f2eafa8c67307bea5d8d17877fa0
SHA256

f07ce5018cb27bb111a7d4bac222009531b21012a45858e4e1c452f636fbbe18
SHA512

fac8362c8fb990d4b8080d442331e9db2c0b1757edd84c24bee5c3fcee177ff901411e9124be519f01b524832bc85f17d05347a42de81cb5b4811864f7b926d8
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU0:Q+856utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001472f-3.dat	cobalt_reflective_dll
behavioral1/files/0x0030000000014f57-13.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000153ee-17.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001565a-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015662-31.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000158d9-36.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ae3-45.dat	cobalt_reflective_dll
behavioral1/files/0x003000000001507a-52.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d85-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f23-69.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167bf-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a28-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016575-105.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000163eb-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016013-93.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016122-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fa6-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d9c-80.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000164ec-115.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000161ee-114.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015b85-60.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001472f-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0030000000014f57-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00080000000153ee-17.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001565a-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015662-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000158d9-36.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015ae3-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x003000000001507a-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d85-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f23-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167bf-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a28-111.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016575-105.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000163eb-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016013-93.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016122-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fa6-83.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d9c-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000164ec-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000161ee-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015b85-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/2184-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	UPX
behavioral1/files/0x000b00000001472f-3.dat	UPX
behavioral1/memory/2512-11-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x0030000000014f57-13.dat	UPX
behavioral1/memory/2592-15-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/files/0x00080000000153ee-17.dat	UPX
behavioral1/memory/2712-22-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/files/0x000700000001565a-23.dat	UPX
behavioral1/files/0x0007000000015662-31.dat	UPX
behavioral1/files/0x00070000000158d9-36.dat	UPX
behavioral1/memory/2656-37-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/files/0x0007000000015ae3-45.dat	UPX
behavioral1/memory/2264-48-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2664-40-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/1720-39-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/files/0x003000000001507a-52.dat	UPX
behavioral1/memory/2400-55-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d85-63.dat	UPX
behavioral1/memory/2120-65-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/files/0x0006000000015f23-69.dat	UPX
behavioral1/files/0x00060000000167bf-116.dat	UPX
behavioral1/memory/2912-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/files/0x0006000000016a28-111.dat	UPX
behavioral1/files/0x0006000000016575-105.dat	UPX
behavioral1/files/0x00060000000163eb-99.dat	UPX
behavioral1/files/0x0006000000016013-93.dat	UPX
behavioral1/files/0x0006000000016122-90.dat	UPX
behavioral1/files/0x0006000000015fa6-83.dat	UPX
behavioral1/files/0x0006000000015d9c-80.dat	UPX
behavioral1/memory/2764-118-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/files/0x00060000000164ec-115.dat	UPX
behavioral1/files/0x00060000000161ee-114.dat	UPX
behavioral1/memory/2296-113-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2544-86-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2356-75-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/files/0x0009000000015b85-60.dat	UPX
behavioral1/memory/2184-59-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	UPX
behavioral1/memory/2592-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2400-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/2356-134-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/2120-135-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2296-136-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2512-137-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2592-138-0x000000013F8C0000-0x000000013FC14000-memory.dmp	UPX
behavioral1/memory/2712-139-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/2656-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/1720-141-0x000000013F710000-0x000000013FA64000-memory.dmp	UPX
behavioral1/memory/2664-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2264-143-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2400-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp	UPX
behavioral1/memory/2356-145-0x000000013F0D0000-0x000000013F424000-memory.dmp	UPX
behavioral1/memory/2120-146-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2764-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp	UPX
behavioral1/memory/2544-147-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2912-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp	UPX
behavioral1/memory/2296-150-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral1/memory/2184-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/files/0x000b00000001472f-3.dat	xmrig
behavioral1/memory/2512-11-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0030000000014f57-13.dat	xmrig
behavioral1/memory/2592-15-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/files/0x00080000000153ee-17.dat	xmrig
behavioral1/memory/2712-22-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/files/0x000700000001565a-23.dat	xmrig
behavioral1/files/0x0007000000015662-31.dat	xmrig
behavioral1/files/0x00070000000158d9-36.dat	xmrig
behavioral1/memory/2656-37-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ae3-45.dat	xmrig
behavioral1/memory/2264-48-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2664-40-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1720-39-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/files/0x003000000001507a-52.dat	xmrig
behavioral1/memory/2400-55-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d85-63.dat	xmrig
behavioral1/memory/2120-65-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f23-69.dat	xmrig
behavioral1/files/0x00060000000167bf-116.dat	xmrig
behavioral1/memory/2912-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016a28-111.dat	xmrig
behavioral1/files/0x0006000000016575-105.dat	xmrig
behavioral1/files/0x00060000000163eb-99.dat	xmrig
behavioral1/files/0x0006000000016013-93.dat	xmrig
behavioral1/files/0x0006000000016122-90.dat	xmrig
behavioral1/files/0x0006000000015fa6-83.dat	xmrig
behavioral1/files/0x0006000000015d9c-80.dat	xmrig
behavioral1/memory/2184-120-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2764-118-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/files/0x00060000000164ec-115.dat	xmrig
behavioral1/files/0x00060000000161ee-114.dat	xmrig
behavioral1/memory/2296-113-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2544-86-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2356-75-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/files/0x0009000000015b85-60.dat	xmrig
behavioral1/memory/2184-59-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	xmrig
behavioral1/memory/2592-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2400-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2356-134-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2120-135-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2296-136-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2512-137-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2592-138-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2712-139-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2656-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/1720-141-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2664-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2264-143-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2400-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2356-145-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2120-146-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2764-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2544-147-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2912-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2296-150-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2512	ypvMPyY.exe
2592	IgFiGHw.exe
2712	wkrkdOr.exe
2656	CFrwVMp.exe
1720	nexrRmW.exe
2664	DPdSMip.exe
2264	jNkZCXR.exe
2400	ilKhukk.exe
2120	poHoVzg.exe
2356	VlfNiKX.exe
2764	XImqeAx.exe
2544	JhnqDtX.exe
2912	vKeKEvO.exe
2296	aRtwWav.exe
1260	xYFjcPv.exe
1264	cdVNhjy.exe
2344	ZvEibJd.exe
1736	rIrsSrk.exe
1808	kFUssYy.exe
1984	vqdvNyJ.exe
1372	yyVQsBo.exe

Loads dropped DLL 21 IoCs

pid	Process
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2184-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/files/0x000b00000001472f-3.dat	upx
behavioral1/memory/2512-11-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0030000000014f57-13.dat	upx
behavioral1/memory/2592-15-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/files/0x00080000000153ee-17.dat	upx
behavioral1/memory/2712-22-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/files/0x000700000001565a-23.dat	upx
behavioral1/files/0x0007000000015662-31.dat	upx
behavioral1/files/0x00070000000158d9-36.dat	upx
behavioral1/memory/2656-37-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/files/0x0007000000015ae3-45.dat	upx
behavioral1/memory/2264-48-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2664-40-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/1720-39-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/files/0x003000000001507a-52.dat	upx
behavioral1/memory/2400-55-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/files/0x0007000000015d85-63.dat	upx
behavioral1/memory/2120-65-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/files/0x0006000000015f23-69.dat	upx
behavioral1/files/0x00060000000167bf-116.dat	upx
behavioral1/memory/2912-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/files/0x0006000000016a28-111.dat	upx
behavioral1/files/0x0006000000016575-105.dat	upx
behavioral1/files/0x00060000000163eb-99.dat	upx
behavioral1/files/0x0006000000016013-93.dat	upx
behavioral1/files/0x0006000000016122-90.dat	upx
behavioral1/files/0x0006000000015fa6-83.dat	upx
behavioral1/files/0x0006000000015d9c-80.dat	upx
behavioral1/memory/2764-118-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/files/0x00060000000164ec-115.dat	upx
behavioral1/files/0x00060000000161ee-114.dat	upx
behavioral1/memory/2296-113-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2544-86-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2356-75-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x0009000000015b85-60.dat	upx
behavioral1/memory/2184-59-0x000000013F1A0000-0x000000013F4F4000-memory.dmp	upx
behavioral1/memory/2592-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2400-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2356-134-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2120-135-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2296-136-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2512-137-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2592-138-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2712-139-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2656-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/1720-141-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2664-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2264-143-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2400-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp	upx
behavioral1/memory/2356-145-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2120-146-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2764-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2544-147-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2912-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp	upx
behavioral1/memory/2296-150-0x000000013F900000-0x000000013FC54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jNkZCXR.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aRtwWav.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xYFjcPv.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kFUssYy.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cdVNhjy.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZvEibJd.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IgFiGHw.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nexrRmW.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DPdSMip.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XImqeAx.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rIrsSrk.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ypvMPyY.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wkrkdOr.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ilKhukk.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VlfNiKX.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vqdvNyJ.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CFrwVMp.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\poHoVzg.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JhnqDtX.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vKeKEvO.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yyVQsBo.exe	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2512	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 2512	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 2512	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	29
PID 2184 wrote to memory of 2592	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 2592	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 2592	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	30
PID 2184 wrote to memory of 2712	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 2712	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 2712	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	31
PID 2184 wrote to memory of 2656	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 2656	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 2656	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	32
PID 2184 wrote to memory of 1720	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 1720	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 1720	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	33
PID 2184 wrote to memory of 2664	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2664	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2664	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	34
PID 2184 wrote to memory of 2264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	35
PID 2184 wrote to memory of 2400	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2400	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2400	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	36
PID 2184 wrote to memory of 2120	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2120	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2120	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	37
PID 2184 wrote to memory of 2356	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2356	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2356	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	38
PID 2184 wrote to memory of 2544	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 2544	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 2544	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	39
PID 2184 wrote to memory of 2764	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 2764	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 2764	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	40
PID 2184 wrote to memory of 2912	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2912	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2912	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	41
PID 2184 wrote to memory of 2296	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 2296	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 2296	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	42
PID 2184 wrote to memory of 1736	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1736	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1736	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	43
PID 2184 wrote to memory of 1260	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1260	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1260	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	44
PID 2184 wrote to memory of 1808	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 1808	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 1808	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	45
PID 2184 wrote to memory of 1264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 1264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 1264	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	46
PID 2184 wrote to memory of 1984	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 1984	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 1984	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	47
PID 2184 wrote to memory of 2344	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 2344	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 2344	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	48
PID 2184 wrote to memory of 1372	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	49
PID 2184 wrote to memory of 1372	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	49
PID 2184 wrote to memory of 1372	2184	2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_3db46275b9a4fef941af7cb6b33b0085_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\System\ypvMPyY.exe
  C:\Windows\System\ypvMPyY.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\IgFiGHw.exe
  C:\Windows\System\IgFiGHw.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\wkrkdOr.exe
  C:\Windows\System\wkrkdOr.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\CFrwVMp.exe
  C:\Windows\System\CFrwVMp.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\nexrRmW.exe
  C:\Windows\System\nexrRmW.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\DPdSMip.exe
  C:\Windows\System\DPdSMip.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\jNkZCXR.exe
  C:\Windows\System\jNkZCXR.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\ilKhukk.exe
  C:\Windows\System\ilKhukk.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\poHoVzg.exe
  C:\Windows\System\poHoVzg.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\VlfNiKX.exe
  C:\Windows\System\VlfNiKX.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\JhnqDtX.exe
  C:\Windows\System\JhnqDtX.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\XImqeAx.exe
  C:\Windows\System\XImqeAx.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\vKeKEvO.exe
  C:\Windows\System\vKeKEvO.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\aRtwWav.exe
  C:\Windows\System\aRtwWav.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\rIrsSrk.exe
  C:\Windows\System\rIrsSrk.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\xYFjcPv.exe
  C:\Windows\System\xYFjcPv.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\kFUssYy.exe
  C:\Windows\System\kFUssYy.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\cdVNhjy.exe
  C:\Windows\System\cdVNhjy.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\vqdvNyJ.exe
  C:\Windows\System\vqdvNyJ.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\ZvEibJd.exe
  C:\Windows\System\ZvEibJd.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\yyVQsBo.exe
  C:\Windows\System\yyVQsBo.exe
  2⤵
  - Executes dropped EXE
  PID:1372

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DPdSMip.exe

Filesize
5.9MB

MD5
b978b47ed46cc91868c8c07ba2a1e12b

SHA1
5c14ae6f2fccb7a1e9ff24e38e841567fa30c488

SHA256
d7351c91398a5a0a17a838612f63a7477d184c8130ccd1194275ca4990a7dcf8

SHA512
360ba141e8515efea3ea100ea5e4dc74e159bfef8ef9ff4a2f0d3c375d839255e9d411b7ad6683788b1a7c1869fff995b0ea97a4a78197dcf186fe03ebcdca97

Download Submit
C:\Windows\system\IgFiGHw.exe

Filesize
5.9MB

MD5
ef1a99dd43e6e8b25235972e9d769c67

SHA1
5d6af4280e5aeabd840ccb993df01c0ca0e80d75

SHA256
a70d0e8747ce0d913814777b9aa9d5a79821eebe433c877563571d2932078dce

SHA512
d0dfefdedc3c1f8d9762bc9bfaa90702b6220a237e5fd98f506a8fa5627b6854eb23e7edfe838c33c93f44a7b1ce223a0e6f78e253e956b99acfa3f3973aa9d7

Download Submit
C:\Windows\system\JhnqDtX.exe

Filesize
5.9MB

MD5
5798f1474e34c604b833116df9ca6931

SHA1
5d302c2e8300082d3f7d3f0ecfc5687ad6f69f60

SHA256
17b9fda3f10827b3eabb21cde7b548c127398e4004a71bb9ca68936abf7c3613

SHA512
7dca68a668ecbf1f479909175f4da2afb8c0e58cd56817e5f6d5b6b60ba2ed85fc77f23c38f38a5bbba66a33279a742cc2825888d0c2fbd7ce3334d988f1fd37

Download Submit
C:\Windows\system\VlfNiKX.exe

Filesize
5.9MB

MD5
4540ced4fc0375b79e31ce9ae9359393

SHA1
e25a84c0849354b7b148452f7ee99c7a2acda66a

SHA256
e6ca8211cdf45406e0414eafc1eb79d50a4bbc6be885c82e318b3d4bf0c067d1

SHA512
ec53d55ced8de0008664edb7c92455436c651898d142a5d03eeefe3251d8e159f0ff6bc3e5924036061c5bc6a269577d3521b02d7398ae03854372657868136d

Download Submit
C:\Windows\system\ZvEibJd.exe

Filesize
5.9MB

MD5
9da1bd9b40e5d0eba6502d752615e77b

SHA1
7dcef4ade51e7156d1699e9decdd0c6c4acc9486

SHA256
e474512de3aae2ce4e93b1d4af0be972e4c0be4f56cae11ebfccc6dd16fdc45b

SHA512
4ef450c770b92f7f5cb6f65495711beb5d8fe86da762fe56c1f59878ea8aad9667d5303c4b2a53028dc5551ee9cc1f142cd63b8775087f2df83f3a47ba72adcd

Download Submit
C:\Windows\system\aRtwWav.exe

Filesize
5.9MB

MD5
871176ddbcd0416329967d706d8f2cc4

SHA1
77215dbbc1de68d0b79c141aab15d344d5cef609

SHA256
79918215928534468af617f8c5261c3d3b1226fca167a3cfbb05e5093418ca14

SHA512
25a436692b51a2958dfab54757d1584453152f592512e28e6f54e3d0170d8e74cfa056d4d48d2ab711c3a4b12aafa5bbbcc3cf95a469c20f73d914d552e073a2

Download Submit
C:\Windows\system\cdVNhjy.exe

Filesize
5.9MB

MD5
45806603525e981caaa55e4f87135bd3

SHA1
0fc201db1f744055264d5851bbe2f5780312d0fa

SHA256
17d21ab4a9d1d06d48c5fc9daa57e106db8689cf36053618292343954de35275

SHA512
e4288d26dfd5d496e85d9ca9f8119d5f11b38f5696b9f63009067e0be8ea1ea7784d89ba1c57933f7a2f67670fd976bc0e7f832567dd75e01d40bdf71cc7c9c4

Download Submit
C:\Windows\system\ilKhukk.exe

Filesize
5.9MB

MD5
71251758e882aa07872af0d6899ae87c

SHA1
b3a1739779183f978827cec9ec76cf71a3512c78

SHA256
68f3f3fb0ebf76c86ac8d0e1ecc874060b1d553c38447d22d12477983f483e61

SHA512
c18c13fad0cc6ccb62a15de34c488168d8cef2987c554857af622c907e406167df4e470daa2caab5920cfb87b51810308699fdfeb0341c38b1bc8e40d5c04e99

Download Submit
C:\Windows\system\jNkZCXR.exe

Filesize
5.9MB

MD5
df94d220921d2ec9d63f5ecc20cc34ec

SHA1
375c7996342c7e039c70effcf8dc4c17a43c0ebe

SHA256
eb94e19832ce70e3d71b2c7f443653a5ddc0f2478aac328c815036d984ab4713

SHA512
378408c5501606239865a70eb0af1d60878ac93cd091c5749076a19882bfb19eb7a8b6c70af535b79b5dfafd039b67b5308bd919c87a34d37d15f3a78ef3fd1e

Download Submit
C:\Windows\system\nexrRmW.exe

Filesize
5.9MB

MD5
8d2c01f7acf4a8d888c54a4e38ade9fb

SHA1
6beffe921a2285f2ced8241e572684278f350a68

SHA256
8f8ad74657089c4d4125abf83e7b4852f22a55bdd73e923399c5cc65354db06d

SHA512
481a655d2a7bf5184aaa409cd1ab514baa8047c139600bcafac902fd342835a6a35ee71b44e1d03bc8ad8d262a4f1720022ad9ecb570cca2ece8b1562c25262d

Download Submit
C:\Windows\system\poHoVzg.exe

Filesize
5.9MB

MD5
87008f300cc63497b524d911c6030398

SHA1
6cbb88db23b8be9b65aefcf0a4b8cb430144c226

SHA256
8c2d926ed0432caa6f380b25e8bcbaddde9dfaf4b6b82eef4ffe6960046eb3e0

SHA512
1a77ce4420645e9757a6e16ccc06de05485496795d4259b9a310f5716f9f22d4a2851795317b4d5bae6daba775d7dc8ace975e793dd3dddfbe6aa44e72aed628

Download Submit
C:\Windows\system\vKeKEvO.exe

Filesize
5.9MB

MD5
6b7648c70b4813403da5aa7036ea0788

SHA1
13e10fb111ef439fda88e92ed99e44cb28a2ab5e

SHA256
c15d74541cd9bf8fdf1a2698bec1dac375683f90db3903fe858b9045d4da2400

SHA512
16adae860db76a14264924e11326a20f93773961a58f13c11565aca0e075f766ad95fd1d9f525a5303b260d6455abe9c1585c710bfca20d30e3279ca54a8ffa6

Download Submit
C:\Windows\system\xYFjcPv.exe

Filesize
5.9MB

MD5
4427476f5a9f6ec64e44f217c6aa15d0

SHA1
122ecd7c71e74f7f662b88c78da6550e255c0fbb

SHA256
d266dfb5aba11d1c6915929777eee6ea6b67797a0074942786b35005d708c7bd

SHA512
5a85e520e5d59c449af661f2db78026dc30aceb7b6494b234570b15009122e78aa8f600eca7382a4d2fe621e8eb084731caabd30aef9cf714df1bc126e48ac93

Download Submit
\Windows\system\CFrwVMp.exe

Filesize
5.9MB

MD5
6158c1851b8ea80622852f86b8c9311e

SHA1
9e41e7e25cad9eca82cc9464e943e43d3419b067

SHA256
da19196d38573d1e9b840db322e0ff8c1e85d81a0e775682d090a740f30fc640

SHA512
6fc4de72a7d41448ab3ea35ca512c010a2ab5390c6bda62989b7748f837aa12437dd51802b90785e2b6b28abdf4d19a9d49a690793db10ff853c9e5eb83848b0

Download Submit
\Windows\system\XImqeAx.exe

Filesize
5.9MB

MD5
31e933dca66e8e795b1bd6b8edb34ec4

SHA1
0dd2186e3a0decc977dd14ed6846a50b16cc537f

SHA256
0a0a6ea354d7d48bd59ef9c2d998e45fd94dbdec722adc99a64927025cc06802

SHA512
f3ec57091f999581fe33596b1a6b4d00cd271dcbcc0328bf2340931618f53ab37e560717e3ddd656ffe9dd5ed59c32a8c764a1f3bbc21098f0a65275404348ff

Download Submit
\Windows\system\kFUssYy.exe

Filesize
5.9MB

MD5
40eb0637a1cb68b24fd63d34fce87085

SHA1
32606d997162422244abc3448ec428278a7af1f5

SHA256
a3f456582e85955f17f0edbebd16f27e17852e61b5e66db7b40656a9bb686115

SHA512
5e5ddca53f7ffb1c0a0b1f05f17d40d13c277c549e97fccc524c1f7ab000457ae0ce6fe461ecd601877760cfd42fe068a2691ce5c2a0053427b925d74e5f9172

Download Submit
\Windows\system\rIrsSrk.exe

Filesize
5.9MB

MD5
f80a417333273b9f0d030601de0aaccc

SHA1
7c4a975108311b1a31fee5176ba8e5cfb935841d

SHA256
33c817c017ca1a446480b0a0050ce47320edbfc11bca937b71f5c60f0e53d081

SHA512
6c82e236fdc8f700e769378531a563357ea3226b7449920a5381620a2ad017cab96656a77b65fc04495d7ee28d1dfe984dc9c1a61bbeba2dd513636acfa574b6

Download Submit
\Windows\system\vqdvNyJ.exe

Filesize
5.9MB

MD5
ba89517cfa8375f6031905fefcf4ef48

SHA1
cd83fd3166064e89124a51075b2f7e652da5cb2b

SHA256
39a0f16444c37e2278783544c9c07b4788ddbc91770a7dc63b182c895133c649

SHA512
8e8df70bb01dcdec0f9a8f6c8cfe998907122f281b86c082ccb067d5ed52fdccc1c60e07df1030f9e5a1f9bdd6dd94c9e0b1cd7f4221c13a11aa6a4827fc95ad

Download Submit
\Windows\system\wkrkdOr.exe

Filesize
5.9MB

MD5
ff9ed77924d1d560c19b566716ffef7a

SHA1
b9d1b1fa2ed4861cb7942a749e65f6c549d21a7e

SHA256
5a4e9438cbcf2a97f1918717377d45bab9aac58f525254058337fb16cfd83683

SHA512
0d5d511b8c788d95c91c28b0777ba2562961002082f339d8b93ee00e2131c4a2f5eacc4d73d1eb30c6a2f0e6cfb563b4933921df2dbb64d36a4eb19020364993

Download Submit
\Windows\system\ypvMPyY.exe

Filesize
5.9MB

MD5
f44245a8ad8e1f8a9ae878905f4ec66a

SHA1
82e823ce37ae105ac51212a794259c8bc52f4476

SHA256
f6368e7c8648d63819fff5090646f0e0adb8f608b4060de29e2da8cb738153e6

SHA512
db6bb2db77f33ed578ad458ef1d65b16de59e26f1030509d4de68830c14a1925e847af3f614cd0e14fdb5bbc33f5571099579db54644662974464ce850fbc82c

Download Submit
\Windows\system\yyVQsBo.exe

Filesize
5.9MB

MD5
36cb81cb9e4c52d0e88b5f96e4614bbf

SHA1
1ab42e2f32a3fc282f6907de00881b31a4f2d0e7

SHA256
d13f46f9f96e9565294e7adde7cc163e8319bd7afbc667e5a7150e9545425698

SHA512
5b5a8fdaa27fe25ebd6868595024096f74a414b9eca65551501101714a31b37a63493d82d218e12d5b86ec98ef9e14e1810a8829d538685ec93370d7fb8b7b43

Download Submit
memory/1720-39-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/1720-141-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2120-146-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-65-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-135-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-47-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2184-59-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2184-94-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2184-77-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-53-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-14-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2184-78-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-0-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-43-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2184-7-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2184-120-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2184-117-0x00000000022E0000-0x0000000002634000-memory.dmp

Filesize
3.3MB

Download
memory/2264-48-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2264-143-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2296-150-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2296-113-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2296-136-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2356-134-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2356-145-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2356-75-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2400-144-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-55-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-137-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-11-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-147-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2544-86-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2592-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2592-138-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2592-15-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2656-37-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-142-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2664-40-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2712-139-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2712-22-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2764-148-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-118-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-119-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download