cobaltstrike | 36472cc445d6f374fcaf3a3e7666e49900230b14aca1565cfba4c20a914fad93

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

e9ae093f07a1e6a52e42414755bcf90d
SHA1

3f18cdf4c26821aa947464b60f6fa9bc7fc33fa6
SHA256

36472cc445d6f374fcaf3a3e7666e49900230b14aca1565cfba4c20a914fad93
SHA512

ad4c309cb5678a79fb0f84f00f605e1c76da572972e44f4a265cf0a707c2c62d0eac1213264a8fd958c0a73b99edd22fffb8cfd08197af9b92b614706d968f81
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012279-3.dat	cobalt_reflective_dll
behavioral1/files/0x002c000000015ca9-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015ce1-15.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015ced-26.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d02-30.dat	cobalt_reflective_dll
behavioral1/files/0x002c000000015cc2-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d13-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d1e-50.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c57-59.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c5b-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ca1-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ccd-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d10-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d46-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3e-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d21-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2d-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d19-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf2-88.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012279-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c000000015ca9-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015ce1-15.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015ced-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d02-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002c000000015cc2-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d13-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d1e-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000016c57-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c5b-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ca1-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ccd-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d10-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d46-130.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-122.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3e-127.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d21-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d2d-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d19-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf2-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

resource	yara_rule
behavioral1/memory/2176-1-0x000000013FD80000-0x00000001400D4000-memory.dmp	UPX
behavioral1/files/0x000b000000012279-3.dat	UPX
behavioral1/files/0x002c000000015ca9-10.dat	UPX
behavioral1/files/0x0008000000015ce1-15.dat	UPX
behavioral1/memory/1088-14-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2832-21-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/2260-18-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/files/0x0008000000015ced-26.dat	UPX
behavioral1/memory/1680-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d02-30.dat	UPX
behavioral1/files/0x002c000000015cc2-37.dat	UPX
behavioral1/memory/2176-42-0x000000013FD80000-0x00000001400D4000-memory.dmp	UPX
behavioral1/memory/2632-41-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2716-43-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/files/0x0007000000015d13-44.dat	UPX
behavioral1/memory/2788-49-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d1e-50.dat	UPX
behavioral1/memory/2536-56-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/files/0x0008000000016c57-59.dat	UPX
behavioral1/memory/2676-63-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/files/0x0006000000016c5b-64.dat	UPX
behavioral1/memory/2524-70-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/2832-66-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/files/0x0006000000016ca1-74.dat	UPX
behavioral1/memory/2936-78-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/files/0x0006000000016ccd-81.dat	UPX
behavioral1/memory/2956-84-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/files/0x0006000000016d01-95.dat	UPX
behavioral1/memory/2792-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d10-101.dat	UPX
behavioral1/files/0x0006000000016d46-130.dat	UPX
behavioral1/files/0x0006000000016d36-122.dat	UPX
behavioral1/files/0x0006000000016d3e-127.dat	UPX
behavioral1/files/0x0006000000016d21-112.dat	UPX
behavioral1/files/0x0006000000016d2d-117.dat	UPX
behavioral1/files/0x0006000000016d19-107.dat	UPX
behavioral1/memory/1448-90-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/files/0x0006000000016cf2-88.dat	UPX
behavioral1/memory/2524-135-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/2936-137-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2956-138-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1448-139-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/2792-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX
behavioral1/memory/1088-142-0x000000013F960000-0x000000013FCB4000-memory.dmp	UPX
behavioral1/memory/2260-141-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/2832-143-0x000000013F540000-0x000000013F894000-memory.dmp	UPX
behavioral1/memory/1680-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/2632-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp	UPX
behavioral1/memory/2716-146-0x000000013F930000-0x000000013FC84000-memory.dmp	UPX
behavioral1/memory/2788-147-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2536-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	UPX
behavioral1/memory/2676-149-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2524-150-0x000000013F560000-0x000000013F8B4000-memory.dmp	UPX
behavioral1/memory/2936-151-0x000000013F970000-0x000000013FCC4000-memory.dmp	UPX
behavioral1/memory/2956-152-0x000000013F9B0000-0x000000013FD04000-memory.dmp	UPX
behavioral1/memory/1448-153-0x000000013F910000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/2792-154-0x000000013F760000-0x000000013FAB4000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral1/memory/2176-1-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/files/0x000b000000012279-3.dat	xmrig
behavioral1/files/0x002c000000015ca9-10.dat	xmrig
behavioral1/files/0x0008000000015ce1-15.dat	xmrig
behavioral1/memory/1088-14-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2832-21-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2260-18-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/files/0x0008000000015ced-26.dat	xmrig
behavioral1/memory/1680-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d02-30.dat	xmrig
behavioral1/files/0x002c000000015cc2-37.dat	xmrig
behavioral1/memory/2176-42-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/memory/2632-41-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2716-43-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d13-44.dat	xmrig
behavioral1/memory/2788-49-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d1e-50.dat	xmrig
behavioral1/memory/2536-56-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/files/0x0008000000016c57-59.dat	xmrig
behavioral1/memory/2676-63-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c5b-64.dat	xmrig
behavioral1/memory/2176-68-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2524-70-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2832-66-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ca1-74.dat	xmrig
behavioral1/memory/2936-78-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ccd-81.dat	xmrig
behavioral1/memory/2956-84-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d01-95.dat	xmrig
behavioral1/memory/2792-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d10-101.dat	xmrig
behavioral1/files/0x0006000000016d46-130.dat	xmrig
behavioral1/files/0x0006000000016d36-122.dat	xmrig
behavioral1/files/0x0006000000016d3e-127.dat	xmrig
behavioral1/files/0x0006000000016d21-112.dat	xmrig
behavioral1/files/0x0006000000016d2d-117.dat	xmrig
behavioral1/files/0x0006000000016d19-107.dat	xmrig
behavioral1/memory/1448-90-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cf2-88.dat	xmrig
behavioral1/memory/2524-135-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2936-137-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2956-138-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/1448-139-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2792-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/1088-142-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2260-141-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2832-143-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/1680-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2632-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2716-146-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2788-147-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2536-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2676-149-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2524-150-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2936-151-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2956-152-0x000000013F9B0000-0x000000013FD04000-memory.dmp	xmrig
behavioral1/memory/1448-153-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2792-154-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1088	FSBWEeJ.exe
2260	TYqvKpV.exe
2832	zOszgVg.exe
1680	iptvWsl.exe
2632	JkLozZq.exe
2716	BTgRvbl.exe
2788	mEEWVEu.exe
2536	OKvEwgF.exe
2676	uvcpNyT.exe
2524	akXCooN.exe
2936	TIwNFOQ.exe
2956	cjiJxiP.exe
1448	oBERRBh.exe
2792	jjRHtIw.exe
1120	PZBgcyy.exe
1912	EYpYpZB.exe
2004	reEJhZf.exe
1284	UliNDXh.exe
2216	UVzxbYR.exe
1660	kvjxzff.exe
2932	yFsAKZE.exe

Loads dropped DLL 21 IoCs

pid	Process
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2176-1-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/files/0x000b000000012279-3.dat	upx
behavioral1/files/0x002c000000015ca9-10.dat	upx
behavioral1/files/0x0008000000015ce1-15.dat	upx
behavioral1/memory/1088-14-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2832-21-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2260-18-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/files/0x0008000000015ced-26.dat	upx
behavioral1/memory/1680-29-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0007000000015d02-30.dat	upx
behavioral1/files/0x002c000000015cc2-37.dat	upx
behavioral1/memory/2176-42-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/memory/2632-41-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2716-43-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/files/0x0007000000015d13-44.dat	upx
behavioral1/memory/2788-49-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/files/0x0007000000015d1e-50.dat	upx
behavioral1/memory/2536-56-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/files/0x0008000000016c57-59.dat	upx
behavioral1/memory/2676-63-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0006000000016c5b-64.dat	upx
behavioral1/memory/2524-70-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2832-66-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x0006000000016ca1-74.dat	upx
behavioral1/memory/2936-78-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0006000000016ccd-81.dat	upx
behavioral1/memory/2956-84-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-95.dat	upx
behavioral1/memory/2792-96-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/files/0x0006000000016d10-101.dat	upx
behavioral1/files/0x0006000000016d46-130.dat	upx
behavioral1/files/0x0006000000016d36-122.dat	upx
behavioral1/files/0x0006000000016d3e-127.dat	upx
behavioral1/files/0x0006000000016d21-112.dat	upx
behavioral1/files/0x0006000000016d2d-117.dat	upx
behavioral1/files/0x0006000000016d19-107.dat	upx
behavioral1/memory/1448-90-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/files/0x0006000000016cf2-88.dat	upx
behavioral1/memory/2524-135-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2936-137-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2956-138-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1448-139-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2792-140-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/1088-142-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2260-141-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2832-143-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/1680-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2632-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2716-146-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2788-147-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2536-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2676-149-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2524-150-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2936-151-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2956-152-0x000000013F9B0000-0x000000013FD04000-memory.dmp	upx
behavioral1/memory/1448-153-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2792-154-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zOszgVg.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iptvWsl.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uvcpNyT.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UVzxbYR.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kvjxzff.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TIwNFOQ.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jjRHtIw.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PZBgcyy.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\reEJhZf.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UliNDXh.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EYpYpZB.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yFsAKZE.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TYqvKpV.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BTgRvbl.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JkLozZq.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OKvEwgF.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oBERRBh.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FSBWEeJ.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mEEWVEu.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\akXCooN.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cjiJxiP.exe	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2260	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	29
PID 2176 wrote to memory of 2260	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	29
PID 2176 wrote to memory of 2260	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	29
PID 2176 wrote to memory of 1088	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	30
PID 2176 wrote to memory of 1088	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	30
PID 2176 wrote to memory of 1088	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	30
PID 2176 wrote to memory of 2832	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	31
PID 2176 wrote to memory of 2832	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	31
PID 2176 wrote to memory of 2832	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	31
PID 2176 wrote to memory of 1680	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	32
PID 2176 wrote to memory of 1680	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	32
PID 2176 wrote to memory of 1680	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	32
PID 2176 wrote to memory of 2716	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	33
PID 2176 wrote to memory of 2716	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	33
PID 2176 wrote to memory of 2716	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	33
PID 2176 wrote to memory of 2632	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	34
PID 2176 wrote to memory of 2632	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	34
PID 2176 wrote to memory of 2632	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	34
PID 2176 wrote to memory of 2788	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	35
PID 2176 wrote to memory of 2788	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	35
PID 2176 wrote to memory of 2788	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	35
PID 2176 wrote to memory of 2536	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	36
PID 2176 wrote to memory of 2536	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	36
PID 2176 wrote to memory of 2536	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	36
PID 2176 wrote to memory of 2676	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	37
PID 2176 wrote to memory of 2676	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	37
PID 2176 wrote to memory of 2676	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	37
PID 2176 wrote to memory of 2524	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	38
PID 2176 wrote to memory of 2524	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	38
PID 2176 wrote to memory of 2524	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	38
PID 2176 wrote to memory of 2936	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	39
PID 2176 wrote to memory of 2936	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	39
PID 2176 wrote to memory of 2936	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	39
PID 2176 wrote to memory of 2956	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	40
PID 2176 wrote to memory of 2956	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	40
PID 2176 wrote to memory of 2956	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	40
PID 2176 wrote to memory of 1448	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	41
PID 2176 wrote to memory of 1448	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	41
PID 2176 wrote to memory of 1448	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	41
PID 2176 wrote to memory of 2792	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	42
PID 2176 wrote to memory of 2792	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	42
PID 2176 wrote to memory of 2792	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	42
PID 2176 wrote to memory of 1120	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	43
PID 2176 wrote to memory of 1120	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	43
PID 2176 wrote to memory of 1120	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	43
PID 2176 wrote to memory of 1912	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	44
PID 2176 wrote to memory of 1912	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	44
PID 2176 wrote to memory of 1912	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	44
PID 2176 wrote to memory of 2004	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	45
PID 2176 wrote to memory of 2004	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	45
PID 2176 wrote to memory of 2004	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	45
PID 2176 wrote to memory of 1284	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	46
PID 2176 wrote to memory of 1284	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	46
PID 2176 wrote to memory of 1284	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	46
PID 2176 wrote to memory of 2216	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	47
PID 2176 wrote to memory of 2216	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	47
PID 2176 wrote to memory of 2216	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	47
PID 2176 wrote to memory of 1660	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	48
PID 2176 wrote to memory of 1660	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	48
PID 2176 wrote to memory of 1660	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	48
PID 2176 wrote to memory of 2932	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	49
PID 2176 wrote to memory of 2932	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	49
PID 2176 wrote to memory of 2932	2176	2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_e9ae093f07a1e6a52e42414755bcf90d_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System\TYqvKpV.exe
  C:\Windows\System\TYqvKpV.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\FSBWEeJ.exe
  C:\Windows\System\FSBWEeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\zOszgVg.exe
  C:\Windows\System\zOszgVg.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\iptvWsl.exe
  C:\Windows\System\iptvWsl.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\BTgRvbl.exe
  C:\Windows\System\BTgRvbl.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\JkLozZq.exe
  C:\Windows\System\JkLozZq.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\mEEWVEu.exe
  C:\Windows\System\mEEWVEu.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\OKvEwgF.exe
  C:\Windows\System\OKvEwgF.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\uvcpNyT.exe
  C:\Windows\System\uvcpNyT.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\akXCooN.exe
  C:\Windows\System\akXCooN.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\TIwNFOQ.exe
  C:\Windows\System\TIwNFOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\cjiJxiP.exe
  C:\Windows\System\cjiJxiP.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\oBERRBh.exe
  C:\Windows\System\oBERRBh.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\jjRHtIw.exe
  C:\Windows\System\jjRHtIw.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\PZBgcyy.exe
  C:\Windows\System\PZBgcyy.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\EYpYpZB.exe
  C:\Windows\System\EYpYpZB.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\reEJhZf.exe
  C:\Windows\System\reEJhZf.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\UliNDXh.exe
  C:\Windows\System\UliNDXh.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\UVzxbYR.exe
  C:\Windows\System\UVzxbYR.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\kvjxzff.exe
  C:\Windows\System\kvjxzff.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\yFsAKZE.exe
  C:\Windows\System\yFsAKZE.exe
  2⤵
  - Executes dropped EXE
  PID:2932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EYpYpZB.exe

Filesize
5.9MB

MD5
d9215ae55025dd0d0a6b3046ebf940e5

SHA1
81160148b8b2dced3e6c57bc1f17ba169d09e6ae

SHA256
d1f2affdf1d63026dd98c3e9476af2e39388955c32d641485c0d64de3d49e193

SHA512
ba9734148065b9564e20fba1123322246e7d32bfd6c6a46f4ba595bc75dc28fe14a47035bff2feaa9b79364cb8734c6f6ad19adf6391f51ec3c9135070757b6c

Download Submit
C:\Windows\system\FSBWEeJ.exe

Filesize
5.9MB

MD5
73527677e4b808206ed8e213ff7248d0

SHA1
8f9a524ab95f46d5d11d9600892972f1cc459168

SHA256
863e46a6513e3b686e60692dc457b702a4cea2c675b73eb6dda853a119e2ccff

SHA512
17bf4195d2f09334eaf88895580fc49cc33a6d8d0258694b47fae268804d828098316b5ed9fec7ba1b771894b38a40513c79450699e8755b1aeacc81bfd1a3ac

Download Submit
C:\Windows\system\JkLozZq.exe

Filesize
5.9MB

MD5
38a4582d53d77bbe82b1fb341fed70c8

SHA1
6a1a17f3b7779100adfa7d28d55a716b600f2b89

SHA256
f803b87f7efb5a2fd50ebec3e06f4983dd9fddefab1e186df0efa4c4848e5282

SHA512
1dbe153853c9b74ff10b04421f770509b96f9171e0d250678d148bdd6f46d68e48f87334b0095ecdf65974e33738ce224b1cfad2505658cd542dccbaf88a5147

Download Submit
C:\Windows\system\PZBgcyy.exe

Filesize
5.9MB

MD5
ceb764a53ee4467a0fe6c629ae87ee0b

SHA1
ac196c447a039319e797051d909528b41c8730da

SHA256
cc142968b533601590e4449858e26599944fa0d99398bbb50788d557b50d982e

SHA512
d63b8c0218ab01028b386ec97e37de343518ad0063e6fbe25a365331396eef2d1ed876ee83dc372976b0f1868c333fc0613e90074bb19199b8861a1565995d31

Download Submit
C:\Windows\system\TIwNFOQ.exe

Filesize
5.9MB

MD5
518d8e7a20d51ac89391a88560f1993a

SHA1
2d9f137d312f79c8d3dc37200ccc7683d4110ee7

SHA256
8607a9bf5eb644561939cd64e5c427c9e83d36a2bf7b0fa70fbbc3b8edf8ffe1

SHA512
74fb9f6952f0f4630e8061f02247dec08d3e74712e5ac122c7c1ffe9871edd6316473d903967438f9aabb7b6db56e7fdf7abb7f659a9606ee1c1a4a3ee22abac

Download Submit
C:\Windows\system\UVzxbYR.exe

Filesize
5.9MB

MD5
a4346bf51fdda6090be2172ebf44bb05

SHA1
b18c74271e75760bd569fe96594c0da8bcd59334

SHA256
e79d0bb0bd9ccb1a8f0d1e4bf2dd59dcd27916f58ed99b31b3e5a13e6397ec37

SHA512
c4dfc375ce22e8581f2a3eac69fa5d1001843eaa7f8dd856a5332c473cff2171649c413ec74bdf4c0a7a3461aa49a952a59e79e5d0e3e3d7fc1c79f0fdada760

Download Submit
C:\Windows\system\UliNDXh.exe

Filesize
5.9MB

MD5
ce772ce873bd1c9ef4deaa9dd42aee3f

SHA1
a2f8a72abb321477a635f089845d4e4baa216d1a

SHA256
e8a319dcde77391c3ac5097aa0e5e997cfa75c58da576dd3c4b8d9b68800a940

SHA512
850ead09815e258a39016650124c972ddd1b951ee24a70f2c5739ec937538270afb310a0c6bfa5e07600fbe2478db6cb8ff705cd18af41e6c93f07ba5304f3de

Download Submit
C:\Windows\system\cjiJxiP.exe

Filesize
5.9MB

MD5
e6c363440780bc2961c290398252de20

SHA1
12b027686cdc692abcfbe0d267974c593f04275a

SHA256
045ffa9d2b55f55cb80ba12a629156113c48e9b90ae9d33e6d6baa78cba00446

SHA512
fd5213f50abd5ea80d0e912e2c31c7b0544e12ce5e8cccba06463d46bf33dae2f5b19613ebaec66dc176f8fcc72c2e4994926384d4ef435417ecaf0cdd6ceac9

Download Submit
C:\Windows\system\iptvWsl.exe

Filesize
5.9MB

MD5
5601d9f593c5c8351359e539e597ea66

SHA1
c233b2eb9f5f4d38a396f36e86def6b71cd0c738

SHA256
8da7552da10f7c2735404fae40358e799c71ef6eb35f5004f1f332293efd8ca8

SHA512
f2bd7a20fcdffde8b3c63749481c4b25d03b1980a9634bfb97fa8a43cd11ce18eecd62dbe3e0de59b91995d2eae2237665329bc5e7f480ff2e59e60a9c2507b9

Download Submit
C:\Windows\system\jjRHtIw.exe

Filesize
5.9MB

MD5
3bc4b39a2c75c0872456d052c82d1997

SHA1
e4aa8ef15e819d1336831069ed9d21a22b7f5c60

SHA256
829cd48b47af0a7f72ebd8f3c28f41a5f717c15d9ef111ac883b915e6780ed5f

SHA512
645c502445fb6898922f8e0000ab212168bfd65faea9fa0e6c74f37614e28b7bc7da14f41ee632f1a219351fe96e3ad6d7f5f8ac10c8ad3548ab16bbe718505f

Download Submit
C:\Windows\system\kvjxzff.exe

Filesize
5.9MB

MD5
8b585119776b61d2055d80a0104774c5

SHA1
4e5ed47d9127aab70192053ae03c40ec15f35eee

SHA256
72e1aedb260f613be65f91bba1fb05345d280e6b4827812bb8eae808eafbbe06

SHA512
b0c5a7e15e94c5f05081fdf44a1babd1c8e97a9477a022cbcfda8618bb0435def6701c5b2a06fe3eaeceea06db431c0c1a634d9c2b2331d4ceaa1b88c33b337b

Download Submit
C:\Windows\system\oBERRBh.exe

Filesize
5.9MB

MD5
996369426d61ba53d78b605a992b429a

SHA1
201e76cc7e4e6e5283d6ad982bde7e867d8ddd2d

SHA256
7dbe52f077dcb36bc3aac2c959de8e2729736ca613dbd565525641d0af348f0f

SHA512
ad159afb7ee001e44ade3331076f93ae8be5b2c93f33c60dc5c911b9e5d8703185a82e7728221425fd7f71bd94f84d31b16f93afab5ab9005f12b5480095e937

Download Submit
C:\Windows\system\reEJhZf.exe

Filesize
5.9MB

MD5
cf2b78e50784764c4ae7b811322c5c22

SHA1
832ac43d33d3a8b02485acbf867cdd6952e3ffe9

SHA256
b6d6f327120ed80ee9e9a6eda9f241ef0f8fc2aed9c3b3bb4554793f914b8290

SHA512
cb513273da94fdd249e7b477ded95fa8740679c3d765eb94ea0797aa2a6cbfb7cca33198d4f1284e03b8f0acb6102b1a93052377baaf28ab2114c98e2d0ae9ae

Download Submit
C:\Windows\system\uvcpNyT.exe

Filesize
5.9MB

MD5
7fb0c9c227a2f74537ce92e3d3ebb7db

SHA1
a9097402fc2ae45fce01c2907a4969e1b52e39c1

SHA256
9eee03c707ef679ed7c88fe12298c7c2a8b909a068d762a75a08688f0b349744

SHA512
a2a8739f10e511a23281677bf4dd46736536206beee2dfbf2427046db30b6f025e16d5a231f8e2f5eb05cc508985b9de61220dd53f94a30685dae68a50793134

Download Submit
\Windows\system\BTgRvbl.exe

Filesize
5.9MB

MD5
0d1631a1bb08453b38c7bace6a19c4b6

SHA1
c7a6d2bad051def9262f0c2e7a677c88bc1bfb3e

SHA256
0384da488c800931a48d59f4cbdd6d4b12dc7bad9af463911aaa254c82482167

SHA512
937a05f3b82f85ab8c06f7bf035c41adec49a4b52aebc62f2b157840693a0004e6e0c2a61f1b2d2d4a0db2fd1636f908b485e2ea349428df86ab64303cfff778

Download Submit
\Windows\system\OKvEwgF.exe

Filesize
5.9MB

MD5
54d842864087d723f933874c72f7eb2c

SHA1
77185ce06776545bdc2a6a44f3d04225b27ef729

SHA256
3aa69d55ced9831b6339e4fd6f6c137161b9a5c1b63b9e988b14294951f73ea4

SHA512
4984c74a406fd81210eba987eabe2f3b8ce0d5c8de294771ec6cc8d3274a2ffb85749916df7d5eea6ff2859aac97a1b59ff84300064cb2fd9b7c9ed7630d7723

Download Submit
\Windows\system\TYqvKpV.exe

Filesize
5.9MB

MD5
8441d833e92fdc6bf0e574a3dd77b1f0

SHA1
507ad5ad0e5391efdb94306d90a69e5eec23a9db

SHA256
30d85b20fe44e33e7321d536c3c5d4da89a09ad2b506e81d410241be1e824f7c

SHA512
5315b84079a183995aaabf070135edd27933f99cb0033a8714a35d5b7e46d7f1b92768018c16c26007d7c0798f111ab9d33eeee4de9c1a178303f9a19b31bf1e

Download Submit
\Windows\system\akXCooN.exe

Filesize
5.9MB

MD5
cfa86df9eb52e8570730fab928ce0752

SHA1
9ca35fef2cb5bab5ac38341bad5fa4c57019c52c

SHA256
2ea14e2ae2911c1470f16d67408bf915c603d2c0a1bbe8e1e363fa8a2996771a

SHA512
ec1b863ea40c42a7c70ddde44651b6386fee25d56c635d6748ef637d2c416f004466c1b3b5710baf334fb072bee125d050a81cec7de470558dca56385aa32b38

Download Submit
\Windows\system\mEEWVEu.exe

Filesize
5.9MB

MD5
b9452a90b26bf6eef45a5979d6836b99

SHA1
440f242f3b01ed8a86ba183189ae66f9197fa38e

SHA256
2305f667a7b5b41abb2e57d149a7f7649c3305eebebe824f7c25733fa300a085

SHA512
78c697be39c93cb078e8be600e9606b696e2f14f276f856e737c43147428c103f9bb2239dabf9c2dcd961c2edba763d7571043aca7ba5682ba267c682183c754

Download Submit
\Windows\system\yFsAKZE.exe

Filesize
5.9MB

MD5
8d530fb0af3a7993f510b9b3ea92163b

SHA1
7bec2c9acf685636ec33e8ca51f5fc7fd5ee3205

SHA256
9080eb4f292d9b098da866b7672777f293f85ed1b8056b9e9d0b79fc790c7c07

SHA512
27aec798606c9339e27bf0d97907f68621472fb99148996274f96f6b1f849d506c6c18298905b8a7c4eb06b850242f15f1ec770a06cb42b15843ff8840c5f797

Download Submit
\Windows\system\zOszgVg.exe

Filesize
5.9MB

MD5
eb2344355d21a09e6ca7b9307cf1c1c2

SHA1
25a0309544e56bef6aca702c365ace1caefd07ab

SHA256
e980ea1f47986d7fe92cb546a239f0a146f1cc9c4419dcf4f535cfa0881f6948

SHA512
6c6fc024c957589a43f14b07e711efbe0651e61385fd9f22f42e078b7f25bc578485c6b68dba7e51f7e3a1a3025e2afd2f6916c15373cfa4e2864b7d03b00a31

Download Submit
memory/1088-142-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-14-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/1448-90-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1448-139-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1448-153-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1680-29-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-144-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-136-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-62-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-1-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-20-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2176-68-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-0-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2176-77-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-76-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2176-134-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2176-8-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2176-89-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2176-55-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2176-28-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2176-36-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2176-103-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/2176-42-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-18-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2260-141-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2524-70-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-150-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-135-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-56-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2536-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/2632-41-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2632-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2676-149-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2676-63-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-146-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2716-43-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2788-147-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-49-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-154-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-140-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-96-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-143-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2832-66-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2832-21-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2936-137-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2936-151-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2936-78-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-84-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2956-152-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download
memory/2956-138-0x000000013F9B0000-0x000000013FD04000-memory.dmp

Filesize
3.3MB

Download