cobaltstrike | 033f2ba7805eb7ceee314469c6933c7e26b2a9422a8828057785a579b4bdca02

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31/05/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

53236d5c4a4bc31c3b8defb5efb4e698
SHA1

e680308add6b4d379e856ff00fc2496f47036abe
SHA256

033f2ba7805eb7ceee314469c6933c7e26b2a9422a8828057785a579b4bdca02
SHA512

74809affda452d9a6e0a9eb13727a96e113ff3cfac1d540f68a8d0efa28cb1cdeabe17c6205d21c1307a5f5431b121ddf99028f7b91ac08a662cb1d00eeb4085
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUf:T+856utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000015c3d-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015cf6-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d0f-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d1a-24.dat	cobalt_reflective_dll
behavioral1/files/0x000b000000015d27-33.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000015d31-39.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cfe-45.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015df1-54.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d98-49.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f01-67.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000160af-80.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f7a-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016287-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016448-92.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000167d5-116.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001650c-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016bfb-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016a29-107.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000165ae-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016be2-120.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016176-87.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015c3d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015cf6-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d0f-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d1a-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000b000000015d27-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000a000000015d31-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015cfe-45.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015df1-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d98-49.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015f01-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000160af-80.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015f7a-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016287-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016448-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000167d5-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001650c-115.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016bfb-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016a29-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000165ae-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016be2-120.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016176-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/2232-0-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/files/0x000b000000015c3d-3.dat	UPX
behavioral1/memory/2232-6-0x00000000022B0000-0x0000000002604000-memory.dmp	UPX
behavioral1/files/0x0009000000015cf6-8.dat	UPX
behavioral1/files/0x0008000000015d0f-23.dat	UPX
behavioral1/memory/2316-29-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/1704-30-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/files/0x0007000000015d1a-24.dat	UPX
behavioral1/memory/3004-20-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/2348-13-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/files/0x000b000000015d27-33.dat	UPX
behavioral1/memory/2660-36-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/files/0x000a000000015d31-39.dat	UPX
behavioral1/files/0x0008000000015cfe-45.dat	UPX
behavioral1/files/0x0009000000015df1-54.dat	UPX
behavioral1/files/0x0009000000015d98-49.dat	UPX
behavioral1/memory/2604-57-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/2724-58-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2788-62-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2072-60-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/files/0x0007000000015f01-67.dat	UPX
behavioral1/memory/2168-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2232-83-0x000000013F9C0000-0x000000013FD14000-memory.dmp	UPX
behavioral1/memory/2924-82-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
behavioral1/files/0x00070000000160af-80.dat	UPX
behavioral1/files/0x0007000000015f7a-73.dat	UPX
behavioral1/memory/2528-69-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/files/0x0006000000016287-89.dat	UPX
behavioral1/files/0x0006000000016448-92.dat	UPX
behavioral1/memory/1992-126-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/files/0x00060000000167d5-116.dat	UPX
behavioral1/files/0x000600000001650c-115.dat	UPX
behavioral1/files/0x0006000000016bfb-114.dat	UPX
behavioral1/files/0x0006000000016a29-107.dat	UPX
behavioral1/files/0x00060000000165ae-100.dat	UPX
behavioral1/memory/2348-128-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/2500-122-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX
behavioral1/files/0x0006000000016be2-120.dat	UPX
behavioral1/memory/3004-112-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/files/0x0006000000016176-87.dat	UPX
behavioral1/memory/2316-135-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/2528-136-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2348-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	UPX
behavioral1/memory/3004-139-0x000000013FA60000-0x000000013FDB4000-memory.dmp	UPX
behavioral1/memory/1704-141-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/2316-140-0x000000013F310000-0x000000013F664000-memory.dmp	UPX
behavioral1/memory/2660-142-0x000000013FC80000-0x000000013FFD4000-memory.dmp	UPX
behavioral1/memory/2604-143-0x000000013F1F0000-0x000000013F544000-memory.dmp	UPX
behavioral1/memory/2072-144-0x000000013F740000-0x000000013FA94000-memory.dmp	UPX
behavioral1/memory/2788-145-0x000000013FB20000-0x000000013FE74000-memory.dmp	UPX
behavioral1/memory/2724-146-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2528-148-0x000000013F020000-0x000000013F374000-memory.dmp	UPX
behavioral1/memory/2924-147-0x000000013FA20000-0x000000013FD74000-memory.dmp	UPX
behavioral1/memory/2168-149-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/1992-150-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2500-151-0x000000013FE60000-0x00000001401B4000-memory.dmp	UPX

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral1/memory/2232-0-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/files/0x000b000000015c3d-3.dat	xmrig
behavioral1/memory/2232-6-0x00000000022B0000-0x0000000002604000-memory.dmp	xmrig
behavioral1/files/0x0009000000015cf6-8.dat	xmrig
behavioral1/files/0x0008000000015d0f-23.dat	xmrig
behavioral1/memory/2316-29-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/1704-30-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d1a-24.dat	xmrig
behavioral1/memory/3004-20-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2348-13-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/files/0x000b000000015d27-33.dat	xmrig
behavioral1/memory/2660-36-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/files/0x000a000000015d31-39.dat	xmrig
behavioral1/files/0x0008000000015cfe-45.dat	xmrig
behavioral1/files/0x0009000000015df1-54.dat	xmrig
behavioral1/files/0x0009000000015d98-49.dat	xmrig
behavioral1/memory/2604-57-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2724-58-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2232-63-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2788-62-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2072-60-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/files/0x0007000000015f01-67.dat	xmrig
behavioral1/memory/2168-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2232-83-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2924-82-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/files/0x00070000000160af-80.dat	xmrig
behavioral1/files/0x0007000000015f7a-73.dat	xmrig
behavioral1/memory/2528-69-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/files/0x0006000000016287-89.dat	xmrig
behavioral1/files/0x0006000000016448-92.dat	xmrig
behavioral1/memory/1992-126-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/files/0x00060000000167d5-116.dat	xmrig
behavioral1/files/0x000600000001650c-115.dat	xmrig
behavioral1/files/0x0006000000016bfb-114.dat	xmrig
behavioral1/files/0x0006000000016a29-107.dat	xmrig
behavioral1/files/0x00060000000165ae-100.dat	xmrig
behavioral1/memory/2348-128-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2500-122-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016be2-120.dat	xmrig
behavioral1/memory/3004-112-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016176-87.dat	xmrig
behavioral1/memory/2316-135-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2528-136-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2348-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/3004-139-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1704-141-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2316-140-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/memory/2660-142-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2604-143-0x000000013F1F0000-0x000000013F544000-memory.dmp	xmrig
behavioral1/memory/2072-144-0x000000013F740000-0x000000013FA94000-memory.dmp	xmrig
behavioral1/memory/2788-145-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2724-146-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2528-148-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2924-147-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/2168-149-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1992-150-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2500-151-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2348	vhgKvHP.exe
3004	jaORtHh.exe
1704	jMterOz.exe
2316	OxkMcfo.exe
2660	TPFcveO.exe
2604	hnqzUsA.exe
2724	hcwqDAa.exe
2072	qhCwkuN.exe
2788	MLwNtFH.exe
2528	uUkqdPs.exe
2924	SZPMDnp.exe
2168	KibwlcG.exe
2500	xiBwoUm.exe
1992	nXCdJGk.exe
2180	MesSaWa.exe
2744	VvVieVV.exe
2520	vkezxiV.exe
2340	hUpZYaw.exe
1308	XQNwFkx.exe
1516	fKAoprW.exe
2912	racnLUN.exe

Loads dropped DLL 21 IoCs

pid	Process
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2232-0-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/files/0x000b000000015c3d-3.dat	upx
behavioral1/memory/2232-6-0x00000000022B0000-0x0000000002604000-memory.dmp	upx
behavioral1/files/0x0009000000015cf6-8.dat	upx
behavioral1/files/0x0008000000015d0f-23.dat	upx
behavioral1/memory/2316-29-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/1704-30-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/files/0x0007000000015d1a-24.dat	upx
behavioral1/memory/3004-20-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2348-13-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/files/0x000b000000015d27-33.dat	upx
behavioral1/memory/2660-36-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/files/0x000a000000015d31-39.dat	upx
behavioral1/files/0x0008000000015cfe-45.dat	upx
behavioral1/files/0x0009000000015df1-54.dat	upx
behavioral1/files/0x0009000000015d98-49.dat	upx
behavioral1/memory/2604-57-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2724-58-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2788-62-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2072-60-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/files/0x0007000000015f01-67.dat	upx
behavioral1/memory/2168-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2232-83-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2924-82-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/files/0x00070000000160af-80.dat	upx
behavioral1/files/0x0007000000015f7a-73.dat	upx
behavioral1/memory/2528-69-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/files/0x0006000000016287-89.dat	upx
behavioral1/files/0x0006000000016448-92.dat	upx
behavioral1/memory/1992-126-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/files/0x00060000000167d5-116.dat	upx
behavioral1/files/0x000600000001650c-115.dat	upx
behavioral1/files/0x0006000000016bfb-114.dat	upx
behavioral1/files/0x0006000000016a29-107.dat	upx
behavioral1/files/0x00060000000165ae-100.dat	upx
behavioral1/memory/2348-128-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2500-122-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/files/0x0006000000016be2-120.dat	upx
behavioral1/memory/3004-112-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0006000000016176-87.dat	upx
behavioral1/memory/2316-135-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2528-136-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2348-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/3004-139-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1704-141-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2316-140-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/memory/2660-142-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2604-143-0x000000013F1F0000-0x000000013F544000-memory.dmp	upx
behavioral1/memory/2072-144-0x000000013F740000-0x000000013FA94000-memory.dmp	upx
behavioral1/memory/2788-145-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2724-146-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2528-148-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2924-147-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/2168-149-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/1992-150-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2500-151-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jaORtHh.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jMterOz.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SZPMDnp.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xiBwoUm.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fKAoprW.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\racnLUN.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OxkMcfo.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nXCdJGk.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hUpZYaw.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vkezxiV.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hcwqDAa.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MLwNtFH.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KibwlcG.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MesSaWa.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VvVieVV.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vhgKvHP.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TPFcveO.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hnqzUsA.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\qhCwkuN.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\uUkqdPs.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XQNwFkx.exe	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2348	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 2348	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 2348	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	29
PID 2232 wrote to memory of 3004	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 3004	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 3004	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	30
PID 2232 wrote to memory of 1704	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 1704	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 1704	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	31
PID 2232 wrote to memory of 2316	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2316	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2316	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	32
PID 2232 wrote to memory of 2660	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2660	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2660	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	33
PID 2232 wrote to memory of 2604	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2604	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2604	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	34
PID 2232 wrote to memory of 2724	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2724	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2724	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	35
PID 2232 wrote to memory of 2072	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2072	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2072	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	36
PID 2232 wrote to memory of 2788	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2788	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2788	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	37
PID 2232 wrote to memory of 2528	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2528	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2528	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	38
PID 2232 wrote to memory of 2924	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2924	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2924	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	39
PID 2232 wrote to memory of 2168	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2168	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2168	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	40
PID 2232 wrote to memory of 2500	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 2500	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 2500	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	41
PID 2232 wrote to memory of 1992	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 1992	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 1992	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	42
PID 2232 wrote to memory of 2340	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 2340	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 2340	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	43
PID 2232 wrote to memory of 2180	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 2180	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 2180	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	44
PID 2232 wrote to memory of 1308	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 1308	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 1308	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	45
PID 2232 wrote to memory of 2744	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 2744	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 2744	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	46
PID 2232 wrote to memory of 1516	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 1516	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 1516	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	47
PID 2232 wrote to memory of 2520	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2520	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2520	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	48
PID 2232 wrote to memory of 2912	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	49
PID 2232 wrote to memory of 2912	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	49
PID 2232 wrote to memory of 2912	2232	2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-31_53236d5c4a4bc31c3b8defb5efb4e698_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\System\vhgKvHP.exe
  C:\Windows\System\vhgKvHP.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\jaORtHh.exe
  C:\Windows\System\jaORtHh.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\jMterOz.exe
  C:\Windows\System\jMterOz.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\OxkMcfo.exe
  C:\Windows\System\OxkMcfo.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\TPFcveO.exe
  C:\Windows\System\TPFcveO.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\hnqzUsA.exe
  C:\Windows\System\hnqzUsA.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\hcwqDAa.exe
  C:\Windows\System\hcwqDAa.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\qhCwkuN.exe
  C:\Windows\System\qhCwkuN.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\MLwNtFH.exe
  C:\Windows\System\MLwNtFH.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\uUkqdPs.exe
  C:\Windows\System\uUkqdPs.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\SZPMDnp.exe
  C:\Windows\System\SZPMDnp.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\KibwlcG.exe
  C:\Windows\System\KibwlcG.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\xiBwoUm.exe
  C:\Windows\System\xiBwoUm.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\nXCdJGk.exe
  C:\Windows\System\nXCdJGk.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\hUpZYaw.exe
  C:\Windows\System\hUpZYaw.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\MesSaWa.exe
  C:\Windows\System\MesSaWa.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\XQNwFkx.exe
  C:\Windows\System\XQNwFkx.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\VvVieVV.exe
  C:\Windows\System\VvVieVV.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\fKAoprW.exe
  C:\Windows\System\fKAoprW.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\vkezxiV.exe
  C:\Windows\System\vkezxiV.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\racnLUN.exe
  C:\Windows\System\racnLUN.exe
  2⤵
  - Executes dropped EXE
  PID:2912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KibwlcG.exe

Filesize
5.9MB

MD5
573c53a0a9c87e871612b35a40fc8013

SHA1
7703c50929fb7abfc02c9ec392ebf95c11c0a7fe

SHA256
386073c6b771a1527f39efa4f550e24eb4906c1057557a2623e82d8437d4a112

SHA512
23df8cc39635c42169b3b0333a6b2dc75c607a7d4f9d2017ffcc7db4d46fdef56141bba41e2fd906d99c2e787f4622128d6e7a180cc0be1de98d974e22d616a1

Download Submit
C:\Windows\system\MLwNtFH.exe

Filesize
5.9MB

MD5
24bc591fa2237226ecd5c7abe093f891

SHA1
c3f18a4cf4c84c002bf0d5cd26cd715bdc466f0f

SHA256
e38de7e90252e015c41c6364fc569449c283ac8d74881915addb99fd5b9ddaf6

SHA512
619649a1e8ff91d3aaee4423f94d4c0bc7857c927b44d506a772ebc93c1fbaf4b9b09a03bbdd38c9bb031cc5d23de6ff72ced8be425d126c2ff8f47a6b0d3d23

Download Submit
C:\Windows\system\MesSaWa.exe

Filesize
5.9MB

MD5
589d440e0435454da7fd3a35dcf25b38

SHA1
6bbd4ebe233d2cda60a90bffbbcb19499ec616e8

SHA256
58678ff6304f52d4e5da5a090dc1bc63e65e03403edcc420b3b2dceb1044dfb4

SHA512
4b2116d6527689b51cd7bab4edbcf11c09355252447853f5660d2504b6852bf71d5ac4a6c0d7e71661addc0f2ca6300cce19166bb151b0b49a63643ce012fb94

Download Submit
C:\Windows\system\OxkMcfo.exe

Filesize
5.9MB

MD5
e62ef6b83d46c683f0747924cef7aea1

SHA1
8e2c67c1878a4003120c1dbebc4edda853d2fb5d

SHA256
545bfac3c4d06ade3d83d255c246cfdba32e161680ad539a11f33622940f535e

SHA512
a1fe0a30384e215b8cf1728fdf591edda6bbb5a892b866077a4a071db19d8cabb1b8b66f54a00bcb7f26c0c997a90b9b549b8854e4f4fb38bd24d0069888599a

Download Submit
C:\Windows\system\SZPMDnp.exe

Filesize
5.9MB

MD5
a12f3ed55ee3c84bf65d14da4a432bd3

SHA1
f24f44e4359dc72a1c2d89f60392dfca1378ac77

SHA256
9a7c316e13a943b0d633c37d10ddb556f94a5ecfe93d8707450b445f95aee47e

SHA512
842debe28e671ce6f99b18205e50f26fec5e98801f5b7abf069134e51ac33f4eb2e0780da2344482517d1f22b3047b9db793f73f56cda62b9eb56fa429257d26

Download Submit
C:\Windows\system\TPFcveO.exe

Filesize
5.9MB

MD5
7f757e8ecc60e3ed3dc79ff3ff6bfa05

SHA1
abe6bbdab8ccc82d2fabab962528c305f46b5d0d

SHA256
121b6d4b50eb214664801b702f5077718dcd4754efbd1a3ae59235848fcd9f81

SHA512
851035603e3c17ad2ea129d9830a02e8e475ed9464f95503a0450a6a00ec52ab794a7b4f9c2a9a48e7849692567e6fe63c32245aaf127536abb1533989e3f186

Download Submit
C:\Windows\system\VvVieVV.exe

Filesize
5.9MB

MD5
ec1a64ceb92c2230df499042d36e32d8

SHA1
559a73ad8bd20a9de0dd5ae3771bc189236beb57

SHA256
25b9e96295e29bb35de770b7d4bdea6017e7c285f807a7e8520d98824fd65c41

SHA512
1d7e3968d79391d1080a367e97b236599d87a27ec76e41554167f4401ad6666978634f9be789b6353aae7493a9baa1b30a1b191d2fd9e051d9e601223c278c80

Download Submit
C:\Windows\system\hcwqDAa.exe

Filesize
5.9MB

MD5
123e5bc35c019a573cf92615c5b2c20b

SHA1
3730a185a5af0d01bdc31550ce8d72c7d9a5eb0b

SHA256
97557a479a91891957463cab79050f17be620f155dda035eb18911f35c228db1

SHA512
242ecb1968ac4aae822b1675e5d7166435fe4fa9cc2ea78dd447773fe1e56f128ae93b7dc4b85a8268cef8fb81353cef856348e1b1b97fa0124cb7064be93ee0

Download Submit
C:\Windows\system\hnqzUsA.exe

Filesize
5.9MB

MD5
3010cfcfa83ad8853ea954d84b1d30f5

SHA1
6aa6de6aa491921f880badef83bb6502b8de2336

SHA256
c1f1210fe563494df2ba75e9b6b6cfc4016ba1c520b280d0e8377e0f690c52ee

SHA512
171d41848a39c8c32c635f2273843472d4bcd360fdc7c6b2a16f86179bd6ffe6820427057e1495fbf93bcc4e2989ef87f7f4393556422300506c9ab64b51b222

Download Submit
C:\Windows\system\jMterOz.exe

Filesize
5.9MB

MD5
13ae1b096db54ecf1185a92b11cb860a

SHA1
ad8e8864a2fda143e0eecf9a1bed4a5085be749d

SHA256
dcff28b4abf41ac4dd5120d86a97879f2ba314adb013fcd98cab13a4527c9290

SHA512
4c0a68c527192772e209475bc956062e355d6493f321b8b81bc46dd4ca38dbf6fba763100e08b859d2b356e9defd6940989afc63a682d7db8136ed2321f830cf

Download Submit
C:\Windows\system\qhCwkuN.exe

Filesize
5.9MB

MD5
c4b7755e8379153056ea792d831a009d

SHA1
2196b365f2d4de9f39b4d4d077bf5c8345804e18

SHA256
111d178e82942df785598fa97e8c14cc57445b43598a7034eaaa2923b5266a3c

SHA512
eaf72759075b049ce5b818e324b6578668239486b25af9d1d172eae7c2a6cabe4635191fa65360aaec87f7cec8c58738357c1eccfd4916ee321c8fcd370e48a1

Download Submit
C:\Windows\system\uUkqdPs.exe

Filesize
5.9MB

MD5
9dd9b702433d569023418c24ef02186c

SHA1
720f1eba3b56f600d7e09155b0560b964223a2c9

SHA256
5426c3e1b00bd698b6fc27e1d73bf47821d214b960e46aa30d4b0cba2751e751

SHA512
b05b6678614a6e46db850ed8c864ba053beb363c55d0b13dcc2fda888dd8e9cce9a27b3c0c9123c35cccf31b83421cfa0fb2e474fe1d0c65708045946cc8b60d

Download Submit
C:\Windows\system\vkezxiV.exe

Filesize
5.9MB

MD5
cee03aaa8840e1f48739740a1ff15cb6

SHA1
e59ad35d4595e775ccef185ed71e58ea2b7dbd17

SHA256
62f1e3998eb2fa60e95ed4e73aadac59e1022e71d9dd3f3ec1c4e9002fb421f1

SHA512
822c6286c32002d6367db319771e3e5f90ec9e4c250d2dd3d84a4446806c3a87f8f504134a02ee21c78172a56fb5a283ae5e9d8d29f0dd13fc2858ba5766b516

Download Submit
C:\Windows\system\xiBwoUm.exe

Filesize
5.9MB

MD5
a8d165d6a399075c7e7c5bd54780a83f

SHA1
b9fb2ced2bf044a15b76fb98605e44bf7bc22d37

SHA256
bc3f5b55849dc58f3236e758b0b95ac6c94c45dc9374d63a31969433b01e1289

SHA512
35c844698aec5ecca126ecf27f093397fd0542921a2b02ebbe411c0c6eef1568499a370bc71ee092a33027718e9ae9b2762592ab739b59403ec090a627d92e1e

Download Submit
\Windows\system\XQNwFkx.exe

Filesize
5.9MB

MD5
a93eb62f68421103f89e94dad0f6fa81

SHA1
71522fb4be4682e667d28226f8e446416676bc08

SHA256
d0b9ed92e558065bcb14e5522b25f9a7336a7d939dea8f42ee8c02bcb3917a2b

SHA512
667ce4a850e599aa83151ff5b5642d55bc6a4a5626898fe2a6f371c6154b5cf2537115ad3d2195270c98ebb403012477fca0ee0bd5484feb2983d266086e87e3

Download Submit
\Windows\system\fKAoprW.exe

Filesize
5.9MB

MD5
096ca9377175361d5efa1e0b2dfd490d

SHA1
c8f77b0fea602fbdb19f00807edf5dde2eb41ff8

SHA256
664f506579439e89f24883fb9fccba39c8e87385f787d811c725fd34b164e564

SHA512
bc626292053056b9da284c6502bfc93222a2dbd779b0ee74d813e9d34fd25b3433d5799fd339b19a1e02487aafe55fb0f7b09b1f656a1eb1544f4872d89e6f1e

Download Submit
\Windows\system\hUpZYaw.exe

Filesize
5.9MB

MD5
008d2530c0dcca9d10bb1f5b5cc2364e

SHA1
d04d9387c45f1b31448378b11146e740aa44602d

SHA256
9e9db80a08c8dd59d45a19ea3ab5bc985436e07d5cbd1303c85bb68bdb24ed08

SHA512
0b07a21fc8f341cf6b5385c53921a1e92b90c705efa403ca7a83a6ef288e5ec6eed3857668bd98939d04a73257a4c4ab65c7c7872a683dc9ef79769f49ac012a

Download Submit
\Windows\system\jaORtHh.exe

Filesize
5.9MB

MD5
a0ed59ce14519ea9016a417da42fad3d

SHA1
94cf9f518c3f4946de2f2a6c98cd05de6719b760

SHA256
9afe0f3bdb0bb33e4f88bba0a5c27d6e441547d204d140fad20d40109e730ff3

SHA512
24392679457e02abaed22a0119650aa1e7314f86552c97b7a2833b1a267ee322db2854f6fe4aef817c75e1777608e4cd7270685396ca7cace3482f3ce1f270cb

Download Submit
\Windows\system\nXCdJGk.exe

Filesize
5.9MB

MD5
bc9639a476e6224cce8a4e051804187b

SHA1
723c3a0dcd563facb89e91d4587ebb70b90adfca

SHA256
b229bf405868e94d8079226ae48d3d33930715a91f1186848bffe6853519087c

SHA512
15c8664dd7a7a832710edd3720da4fbe72f7e1cfb8fdb3bd9fcb959c576d9c6eaec9a1efc32153706c441ec3146807ecf2304821cde9cdde3c6921df3a59873f

Download Submit
\Windows\system\racnLUN.exe

Filesize
5.9MB

MD5
7da22d564abfedf7579f340c7f2df83f

SHA1
b012bb71086a7910d231909560760e5a1699b047

SHA256
4d24de739cd96f85015586e88fa4196412fd387c20a35d1f49b06156258be222

SHA512
7288f6fa2ebe0ac675a11849c60b83aa775d4e835374d9a1b160e435bc9160c7a8c3df984210d8176fced48027e006016ea974a74b5508ec3d7f10a97836fe94

Download Submit
\Windows\system\vhgKvHP.exe

Filesize
5.9MB

MD5
eb106f9e5b356363a1407f685f63517f

SHA1
54a6efa12e05430bd9e68351595f6aaf0d17c549

SHA256
337355d70eb247fcdda271d66c19b0545a8951248b065947f442e47239c11f04

SHA512
c87a8dfd969e620df754c4b06693d54efcb8cbb6390467d8b337fa41bea3b274fcac8cb0348b4cf19950e7a91fb6e904c0f47c4f8a16f69bc3e01942829bc800

Download Submit
memory/1704-141-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-30-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-126-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/1992-150-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-144-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2072-60-0x000000013F740000-0x000000013FA94000-memory.dmp

Filesize
3.3MB

Download
memory/2168-149-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2168-84-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-68-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2232-127-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2232-78-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-61-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-6-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2232-15-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-63-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-83-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2232-137-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-59-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2232-26-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2232-25-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-124-0x00000000022B0000-0x0000000002604000-memory.dmp

Filesize
3.3MB

Download
memory/2316-140-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2316-135-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2316-29-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/2348-13-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2348-128-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2348-138-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2500-151-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-122-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-148-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2528-69-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2528-136-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2604-57-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2604-143-0x000000013F1F0000-0x000000013F544000-memory.dmp

Filesize
3.3MB

Download
memory/2660-142-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-36-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-146-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-58-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-62-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2788-145-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2924-147-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2924-82-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/3004-139-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-112-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-20-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download