cobaltstrike | 5cfbd54efd105c01272016502b47acdac9410eb23169f3602b465cf30d57f289

Analysis

max time kernel
138s
max time network
152s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

ca5e5eb0c47f9f454a8172af0b3e8310
SHA1

b82218fd9b7cc35c64a68e238c0db61ce310509e
SHA256

5cfbd54efd105c01272016502b47acdac9410eb23169f3602b465cf30d57f289
SHA512

2f5b94f8fff73d3e23dc338101c1ec78c85895075f455e7f6293e9fa64aa29f78aff5eff13c5a2c6304aa1e7fdded1509bba51ab14e7c58e4c579e46e7d99239
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:Q+856utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c00000001441e-5.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014a94-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014ec4-21.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014e3d-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014fe1-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015264-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015c7c-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cd4-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-87.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d24-77.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf0-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ccf-52.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014aec-43.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001441e-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014a94-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014ec4-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014e3d-18.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014fe1-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015264-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015c7c-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cd4-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-72.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d24-77.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf0-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ccf-52.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014aec-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral1/memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/files/0x000c00000001441e-5.dat	UPX
behavioral1/memory/2228-9-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/files/0x0009000000014a94-12.dat	UPX
behavioral1/memory/2244-14-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2980-22-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/files/0x0007000000014ec4-21.dat	UPX
behavioral1/files/0x0008000000014e3d-18.dat	UPX
behavioral1/files/0x0007000000014fe1-32.dat	UPX
behavioral1/memory/2884-30-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/files/0x0007000000015264-37.dat	UPX
behavioral1/files/0x0007000000015c7c-47.dat	UPX
behavioral1/files/0x0006000000016cd4-57.dat	UPX
behavioral1/files/0x0006000000016d4f-97.dat	UPX
behavioral1/files/0x0006000000016d84-107.dat	UPX
behavioral1/files/0x0006000000016d89-112.dat	UPX
behavioral1/files/0x0006000000016d55-102.dat	UPX
behavioral1/memory/1680-115-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2660-118-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2784-126-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2772-128-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2564-130-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2612-132-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/2592-124-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2996-122-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2472-120-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/1744-116-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4a-92.dat	UPX
behavioral1/files/0x0006000000016d41-87.dat	UPX
behavioral1/files/0x0006000000016d36-82.dat	UPX
behavioral1/files/0x0006000000016d11-72.dat	UPX
behavioral1/files/0x0006000000016d24-77.dat	UPX
behavioral1/files/0x0006000000016d01-67.dat	UPX
behavioral1/files/0x0006000000016cf0-62.dat	UPX
behavioral1/memory/1152-135-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/files/0x0006000000016ccf-52.dat	UPX
behavioral1/files/0x0009000000014aec-43.dat	UPX
behavioral1/memory/2244-136-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2980-137-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2884-138-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/1680-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/2228-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp	UPX
behavioral1/memory/2244-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp	UPX
behavioral1/memory/2980-142-0x000000013F6C0000-0x000000013FA14000-memory.dmp	UPX
behavioral1/memory/2884-143-0x000000013F040000-0x000000013F394000-memory.dmp	UPX
behavioral1/memory/1744-144-0x000000013F230000-0x000000013F584000-memory.dmp	UPX
behavioral1/memory/2660-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	UPX
behavioral1/memory/2472-146-0x000000013FE20000-0x0000000140174000-memory.dmp	UPX
behavioral1/memory/2996-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	UPX
behavioral1/memory/2592-148-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2772-150-0x000000013F9E0000-0x000000013FD34000-memory.dmp	UPX
behavioral1/memory/2784-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2564-151-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2612-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	UPX
behavioral1/memory/1680-153-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/files/0x000c00000001441e-5.dat	xmrig
behavioral1/memory/2228-9-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/files/0x0009000000014a94-12.dat	xmrig
behavioral1/memory/2244-14-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2980-22-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/files/0x0007000000014ec4-21.dat	xmrig
behavioral1/files/0x0008000000014e3d-18.dat	xmrig
behavioral1/files/0x0007000000014fe1-32.dat	xmrig
behavioral1/memory/2884-30-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/files/0x0007000000015264-37.dat	xmrig
behavioral1/files/0x0007000000015c7c-47.dat	xmrig
behavioral1/files/0x0006000000016cd4-57.dat	xmrig
behavioral1/files/0x0006000000016d4f-97.dat	xmrig
behavioral1/files/0x0006000000016d84-107.dat	xmrig
behavioral1/files/0x0006000000016d89-112.dat	xmrig
behavioral1/files/0x0006000000016d55-102.dat	xmrig
behavioral1/memory/1680-115-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2660-118-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/1152-121-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2784-126-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2772-128-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2564-130-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2612-132-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/1152-133-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/1152-129-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/1152-125-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/memory/2592-124-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2996-122-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2472-120-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/1744-116-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4a-92.dat	xmrig
behavioral1/files/0x0006000000016d41-87.dat	xmrig
behavioral1/files/0x0006000000016d36-82.dat	xmrig
behavioral1/files/0x0006000000016d11-72.dat	xmrig
behavioral1/files/0x0006000000016d24-77.dat	xmrig
behavioral1/files/0x0006000000016d01-67.dat	xmrig
behavioral1/files/0x0006000000016cf0-62.dat	xmrig
behavioral1/memory/1152-135-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ccf-52.dat	xmrig
behavioral1/files/0x0009000000014aec-43.dat	xmrig
behavioral1/memory/2244-136-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2980-137-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2884-138-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/1680-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2228-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/2244-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2980-142-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2884-143-0x000000013F040000-0x000000013F394000-memory.dmp	xmrig
behavioral1/memory/1744-144-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2660-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2472-146-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2996-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2592-148-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2772-150-0x000000013F9E0000-0x000000013FD34000-memory.dmp	xmrig
behavioral1/memory/2784-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2564-151-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2612-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/1680-153-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2228	aJnGigd.exe
2244	SchBapd.exe
2980	sgIJAUA.exe
2884	JnZunEU.exe
1680	aSLtnRd.exe
1744	jhPSXJp.exe
2660	tncBsqP.exe
2472	ZtgmsSF.exe
2996	vKduuAZ.exe
2592	mEPxBly.exe
2784	uNwjodb.exe
2772	BRtnucL.exe
2564	PnHxPkf.exe
2612	FxZCtXk.exe
2404	MrdQcbb.exe
1996	VZQFytq.exe
1732	YaiWTKu.exe
2420	QGfinsr.exe
2056	cBdbFFf.exe
3008	yelCYRS.exe
1216	cWSkgyU.exe

Loads dropped DLL 21 IoCs

pid	Process
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/files/0x000c00000001441e-5.dat	upx
behavioral1/memory/2228-9-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/files/0x0009000000014a94-12.dat	upx
behavioral1/memory/2244-14-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2980-22-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/files/0x0007000000014ec4-21.dat	upx
behavioral1/files/0x0008000000014e3d-18.dat	upx
behavioral1/files/0x0007000000014fe1-32.dat	upx
behavioral1/memory/2884-30-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/files/0x0007000000015264-37.dat	upx
behavioral1/files/0x0007000000015c7c-47.dat	upx
behavioral1/files/0x0006000000016cd4-57.dat	upx
behavioral1/files/0x0006000000016d4f-97.dat	upx
behavioral1/files/0x0006000000016d84-107.dat	upx
behavioral1/files/0x0006000000016d89-112.dat	upx
behavioral1/files/0x0006000000016d55-102.dat	upx
behavioral1/memory/1680-115-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2660-118-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2784-126-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2772-128-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2564-130-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2612-132-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2592-124-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2996-122-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2472-120-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/1744-116-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-92.dat	upx
behavioral1/files/0x0006000000016d41-87.dat	upx
behavioral1/files/0x0006000000016d36-82.dat	upx
behavioral1/files/0x0006000000016d11-72.dat	upx
behavioral1/files/0x0006000000016d24-77.dat	upx
behavioral1/files/0x0006000000016d01-67.dat	upx
behavioral1/files/0x0006000000016cf0-62.dat	upx
behavioral1/memory/1152-135-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/files/0x0006000000016ccf-52.dat	upx
behavioral1/files/0x0009000000014aec-43.dat	upx
behavioral1/memory/2244-136-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2980-137-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2884-138-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/1680-139-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2228-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/2244-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2980-142-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2884-143-0x000000013F040000-0x000000013F394000-memory.dmp	upx
behavioral1/memory/1744-144-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2660-145-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2472-146-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2996-147-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2592-148-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2772-150-0x000000013F9E0000-0x000000013FD34000-memory.dmp	upx
behavioral1/memory/2784-149-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2564-151-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2612-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/1680-153-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uNwjodb.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BRtnucL.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PnHxPkf.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MrdQcbb.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VZQFytq.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yelCYRS.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sgIJAUA.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vKduuAZ.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\mEPxBly.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cWSkgyU.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aSLtnRd.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tncBsqP.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FxZCtXk.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cBdbFFf.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aJnGigd.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SchBapd.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZtgmsSF.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YaiWTKu.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QGfinsr.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JnZunEU.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jhPSXJp.exe	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2228	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2228	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2228	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	29
PID 1152 wrote to memory of 2244	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2244	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2244	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	30
PID 1152 wrote to memory of 2980	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2980	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2980	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	31
PID 1152 wrote to memory of 2884	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 2884	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 2884	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	32
PID 1152 wrote to memory of 1680	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 1680	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 1680	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	33
PID 1152 wrote to memory of 1744	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 1744	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 1744	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	34
PID 1152 wrote to memory of 2660	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2660	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2660	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	35
PID 1152 wrote to memory of 2472	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2472	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2472	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	36
PID 1152 wrote to memory of 2996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	37
PID 1152 wrote to memory of 2592	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2592	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2592	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	38
PID 1152 wrote to memory of 2784	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2784	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2784	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	39
PID 1152 wrote to memory of 2772	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2772	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2772	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	40
PID 1152 wrote to memory of 2564	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2564	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2564	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	41
PID 1152 wrote to memory of 2612	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 2612	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 2612	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	42
PID 1152 wrote to memory of 2404	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 2404	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 2404	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	43
PID 1152 wrote to memory of 1996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 1996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 1996	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	44
PID 1152 wrote to memory of 1732	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 1732	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 1732	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	45
PID 1152 wrote to memory of 2420	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 2420	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 2420	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	46
PID 1152 wrote to memory of 2056	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 2056	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 2056	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	47
PID 1152 wrote to memory of 3008	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 3008	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 3008	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	48
PID 1152 wrote to memory of 1216	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	49
PID 1152 wrote to memory of 1216	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	49
PID 1152 wrote to memory of 1216	1152	2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_ca5e5eb0c47f9f454a8172af0b3e8310_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System\aJnGigd.exe
  C:\Windows\System\aJnGigd.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\SchBapd.exe
  C:\Windows\System\SchBapd.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\sgIJAUA.exe
  C:\Windows\System\sgIJAUA.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\JnZunEU.exe
  C:\Windows\System\JnZunEU.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\aSLtnRd.exe
  C:\Windows\System\aSLtnRd.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\jhPSXJp.exe
  C:\Windows\System\jhPSXJp.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\tncBsqP.exe
  C:\Windows\System\tncBsqP.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\ZtgmsSF.exe
  C:\Windows\System\ZtgmsSF.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\vKduuAZ.exe
  C:\Windows\System\vKduuAZ.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\mEPxBly.exe
  C:\Windows\System\mEPxBly.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\uNwjodb.exe
  C:\Windows\System\uNwjodb.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\BRtnucL.exe
  C:\Windows\System\BRtnucL.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\PnHxPkf.exe
  C:\Windows\System\PnHxPkf.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\FxZCtXk.exe
  C:\Windows\System\FxZCtXk.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\MrdQcbb.exe
  C:\Windows\System\MrdQcbb.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\VZQFytq.exe
  C:\Windows\System\VZQFytq.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\YaiWTKu.exe
  C:\Windows\System\YaiWTKu.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\QGfinsr.exe
  C:\Windows\System\QGfinsr.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\cBdbFFf.exe
  C:\Windows\System\cBdbFFf.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\yelCYRS.exe
  C:\Windows\System\yelCYRS.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\cWSkgyU.exe
  C:\Windows\System\cWSkgyU.exe
  2⤵
  - Executes dropped EXE
  PID:1216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BRtnucL.exe

Filesize
5.9MB

MD5
5791d75115a225b90a127247c892a7e6

SHA1
080bc8eee5b82e889a0271450775a4d073d428a5

SHA256
d34142320e673d86ad8b8c658c4a1fc6e29ea00b9c72dfad12b95d4bdb349769

SHA512
10a648e2f98edde74d6adef781125d5373d71704c21609a28decd8f1b709d87a5d7905b32a3371e8b40054d0a234556e31f91556d5d83a61dc075676acd9f3eb

Download Submit
C:\Windows\system\FxZCtXk.exe

Filesize
5.9MB

MD5
61eca69da466ba7c2fcc02610fa396bd

SHA1
5f7ca91211122dd45a6be6df9741a3ddb025622d

SHA256
b30ee4ba743fef5114bf908a7e67c9664a4c85c2d5d0e10080d85363a29d9716

SHA512
fa6bf402c007061abc33edb852446e32d7a24e311d68a1b0aad6c6f2482a39f5f833e5368629145f852b698bc18617b9d288a4a98704e5ec41e58f83a1e5435b

Download Submit
C:\Windows\system\MrdQcbb.exe

Filesize
5.9MB

MD5
e9d2084905cff36813e6d10c7707f1ed

SHA1
1bef7f52be358738e31f5aae90cbc0bce329b74c

SHA256
c525d9cb901a41576df78a30259d16208522be86a286b471b233920016a58728

SHA512
9454b721bebea3851a93a02cc6c3f4e2ab3ad29311ea42f3930f20be8d6c8372dc7831bc5795df539146c3cd7c6be542b25a3fb709d51b1821c35193694a85ab

Download Submit
C:\Windows\system\PnHxPkf.exe

Filesize
5.9MB

MD5
76e5d54765dbc7614e05e48d3a052964

SHA1
6caf25b5a6f3e7851eb0ee1d58a9e3fed9752bc7

SHA256
728965350febc587dad9265a22096aa03800f660d45001f2aa562baf48d6ccd5

SHA512
8f65192e9018c290ba82335e7326eac16b158b540ef1351c515c38950900b3defd53a36b5810431fa903a9f3bcb36acb25f8637298eae8940fc40f662d2aecd1

Download Submit
C:\Windows\system\QGfinsr.exe

Filesize
5.9MB

MD5
f3b11a9874e27627ae5d61e4451b28b6

SHA1
bcfceea514a1a72ca4b76e3276a94300cd3b5460

SHA256
ebedf06fd7e6f5994d7f0cb46a5be9fcc0472ba84aec707406b8b1a3edde39f1

SHA512
f5bb21f3c10f0859db765ee5984b80bbad29ae2fe97d69d3246c65bc01904261fbf58ad95588fb58fe54a85e0ed201acec930bfe548459cd34dd26204949e082

Download Submit
C:\Windows\system\SchBapd.exe

Filesize
5.9MB

MD5
d21bf1db9561b7b66dcf5c6275afeda8

SHA1
35836456f61a07116eb57dc0f8a5cf1c1207f72d

SHA256
c16e23d5611c1205a0f5923b756b4862b1ebaec203121afefc8a6e3a3df7d3e6

SHA512
6d6c427790606d029039eb7dffd8fa684e47f597ebff182030b5ab8c664825d9b6dcf5628e407747a419752953440b28e81d8c2f34be77612b833ad27b74b757

Download Submit
C:\Windows\system\VZQFytq.exe

Filesize
5.9MB

MD5
157889c2cb96a2ab2e97ebe454748820

SHA1
76406c16ef3c816e560f827aeb33c7d8a0a09281

SHA256
97341d7c39f9364fecd16017e030f6d91454a9694feb8736d3b226a62066ad12

SHA512
13369a150ee01d382ed014abeee30f93df7275e2488f0b8d141965913219b5a83d82dbf4b20b1248c7cc4d5e2ed51e666e6b4338aeda690660d6e7b94cacae7c

Download Submit
C:\Windows\system\YaiWTKu.exe

Filesize
5.9MB

MD5
9219cbf14545fa61b4deb6d81c03e831

SHA1
ee2eb20f2ae1634407955dc1bd088b5a1e131e2c

SHA256
6cfbbe3270570af9c3b739fe48b850a4418c3d4bc4adddbbafcd7423e5344c8c

SHA512
99a2bd14217cd100dab2e5c1da5e086ef517c88a7e096cac1084f137f46db6cd143edb3b338a6d7f1d5d7ad9b7a4351dd82938215afbedad7b4ea516da283df4

Download Submit
C:\Windows\system\ZtgmsSF.exe

Filesize
5.9MB

MD5
bb5d19b3c0cacb224c78c98a99cccdbb

SHA1
48344a3dca42da5176b48fe45692c955e4f36aef

SHA256
941d6a5ea9989d174329962ccb6f9ffb5dd553d5aec6937af4eb53563b3bb2a0

SHA512
2f280b0f3da885b6b6e2d1bf9c64df78fac791f294b47f31a4eaf21b5680a650d442bca8601b0bcd38fcd8435e1de2687d65ba323cc6c7cc06e61c68faab009d

Download Submit
C:\Windows\system\aJnGigd.exe

Filesize
5.9MB

MD5
b05dccbfee0bfa0340038b8f873f2578

SHA1
47262fd8e9eed7666095cc7c1ef0f4913a0599a5

SHA256
84a21539b6aea8ccdad991b86b7b03658336e8dd4269a02826bec7ddcbe1128a

SHA512
57df28c89de492fb073ed233478f6b8b7965912e3c92400b6e6560cfd8d38f8d1374372dd7501fd949753181f0d72e751a7c85b88a78980e5eea398adb378c11

Download Submit
C:\Windows\system\aSLtnRd.exe

Filesize
5.9MB

MD5
de4a21975d9c37abec502ed6c75ab822

SHA1
9e3eaa900730b9c27030b96064c19363f6053afa

SHA256
6ab6c18912e7466a439d29645314c463d38bcafa9b7cb5adbd8a051a68a85745

SHA512
aab03a790c5a758323ea404745d2d018fc1aade4b8588a242ec1c3f6e8fdf3f745c806453207e103192e1161f4ca7fce81d2e266263ae4ef471a3be67ceb7495

Download Submit
C:\Windows\system\cBdbFFf.exe

Filesize
5.9MB

MD5
6c028133f80d04b37dd6970893bca76e

SHA1
226c809f1a9e925437d50f149c4a66567a568adc

SHA256
73eab7bf54d65147db77f40091f3d28491907f5bca155d35af1276d010a56e76

SHA512
4029f66628d6d580841474c2c3777f0a774e350fe55a5bf4004cb4dd6687f15ad8deb479361cc6c021ea5d4f541dbf4c8294432e54bda9ec1f5ac65e1e7f7169

Download Submit
C:\Windows\system\cWSkgyU.exe

Filesize
5.9MB

MD5
e65a666d8081eb0a59680b28b661fe8f

SHA1
73a76a2187410b7aaec1868bdc7fd83667ccf8ac

SHA256
813bf00e12b3cb0fb3a7bd619d7e221e5fe4be76cb373cc54d94266fb512ef73

SHA512
480a3d88fac0aba4e050dfabeec9e2fc3d9be19e0a2057a018deb8c4bdddb259bac7fb74afb84f00292865cec956b8ed5cbeab95009f180b769b73434616e782

Download Submit
C:\Windows\system\jhPSXJp.exe

Filesize
5.9MB

MD5
ae9718d4ca6d2a43d4c70a05e28e1ae0

SHA1
9c1467d0f83209819d1bc00206778ede6608cb39

SHA256
158f74c2ecad9ed400f934d2831aee9a17981290bf60eebbffa082d2c65577a1

SHA512
d19c3a550cb9abcc81686145db9be75145a66fd6113f94ad1651515136ba8337cb843ac9f5734d21a6d3d0d50c52caf6559368eea1a2c1ae8e120060ac4563c7

Download Submit
C:\Windows\system\mEPxBly.exe

Filesize
5.9MB

MD5
fbac5e88314577d3122a6e158a952ffe

SHA1
fcd3393a1c4fb4f3f55c368d968b233566616e6d

SHA256
3f714487565257ca8308ae056e459dab8a879a66b4ce00682f6761d5e46b72ff

SHA512
5fee940b15312f125f8bdb51eb90209d3845df854e6f0d39b4e4ef5e8d3640416458caddd35161797f326efd510abbc906783fe506c0d24d5629e70e8b0eef01

Download Submit
C:\Windows\system\sgIJAUA.exe

Filesize
5.9MB

MD5
dc52d8a7a492bd1d64d24f8d595bd248

SHA1
b9bb575d6a9db10a09e89d5e54c6e1e4709d647c

SHA256
da61bc02bdf59f4227953a748a707a496b70d69a868135e2b0e01b0d4a442718

SHA512
ffbb219580c14ec4d525c6c52352e58b67ac0e4036ab615dbe44816b90ae0e2d775dc5b2c2cd1200438dc9110125b1c91732c1dcb2c11192f748bf6721d80ec6

Download Submit
C:\Windows\system\tncBsqP.exe

Filesize
5.9MB

MD5
f5f156fd00750380371dbe3df68b5c20

SHA1
e8e71c508e201664e561fc1cbcdf2edc44844a5e

SHA256
d0aab93db96e52970dcfe3ed5a9ef795dc19eec457dd87db543ccad868ee6d96

SHA512
e664ad24a5e8902a4f107cd8697d4ce56e94447d96742ed4ae75a1925be912132f269e085d36188e6449fccefa76b33e816dc9805a91e5ccaa9f2e0f509247f0

Download Submit
C:\Windows\system\uNwjodb.exe

Filesize
5.9MB

MD5
996af320750abf634f171951325641f2

SHA1
cbe1be73d2888a39d1c48c1d5f77a5bf3e83573d

SHA256
db59c578963a44323986cd05439e9397c35ba0a8139dd99c47de30934c705c1d

SHA512
72b35d6221496db4433a3b31e3a23204540a0b3b1b27952d463476d5f0624aaf748d17218ce3cb32603a3aee9b20346ba35dbb9500cb0b009b6d7c78d2c25fec

Download Submit
C:\Windows\system\vKduuAZ.exe

Filesize
5.9MB

MD5
dbb8783758cf4fa79fe80ab9c6a85d02

SHA1
9f11c233878ade4965d97d6616d04886fd3f2e91

SHA256
95b95aadd66f308022834fa6e4e960bba0d0b41d61d925490d8e59529b4a0c7a

SHA512
b4683cd2a563e2aa8cf280cc25af1dd4a8a41b5d6c603040ab594ebfe711d7b274dda7e506d9fdd60eaf1b777924c2ffa6d571a1de4395924670806b9b5d3841

Download Submit
C:\Windows\system\yelCYRS.exe

Filesize
5.9MB

MD5
d036c2659a44cee90b8fc7196eb0d88a

SHA1
074ace010daf63c6c19bb0133a1961d63acae587

SHA256
674a657cbcfd484056639fa4c663ae72514852a8d05c0ea03e11308629f470f7

SHA512
6f43f5e6e828bc514ac02ec99a0aea51cd7d89bc10b511d0dd3c46d328e36ee72db8795a832e584c6fe7b4859b1482ccc89bb7abf329bbb0eae0b4b6b02cc839

Download Submit
\Windows\system\JnZunEU.exe

Filesize
5.9MB

MD5
f7f1ad00ed3ff49707e8fa1822058600

SHA1
e3fbb5315d873d3364a35a7c714d910eba7cce4f

SHA256
fe5e96a552fd33ae1ece75305ce6173f24526609e42293848d84ed54aede5ac4

SHA512
86c0ed09e8898f587692cdad9960b02968a551477210035aa87fcaffeaf9799e0050e7260b048a382253e1b962d354ecaa2cd7e3705ea1e33f19c9f623089f74

Download Submit
memory/1152-33-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1152-117-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-135-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1152-119-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1152-121-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-123-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/1152-20-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1152-28-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/1152-0-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1152-8-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/1152-134-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1152-133-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/1152-131-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1152-129-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1152-127-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/1152-125-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1152-1-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1680-139-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-115-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1680-153-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1744-116-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1744-144-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2228-140-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2228-9-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/2244-136-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-141-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-14-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2472-146-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2472-120-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2564-130-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2564-151-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2592-124-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2592-148-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2612-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-132-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-118-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-145-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-150-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2772-128-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2784-149-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2784-126-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2884-138-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2884-143-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2884-30-0x000000013F040000-0x000000013F394000-memory.dmp

Filesize
3.3MB

Download
memory/2980-142-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2980-22-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2980-137-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2996-147-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-122-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download