cobaltstrike | 17a5b395d4c4074ed27e4eb021aa0727b600cc5ef63b490c109cfc2ada101923

Analysis

max time kernel
138s
max time network
148s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

cc219612674837b8e7c41018164b8802
SHA1

ad0901147e27fadef60e2128df8fea8eecc2428f
SHA256

17a5b395d4c4074ed27e4eb021aa0727b600cc5ef63b490c109cfc2ada101923
SHA512

882c97f9a17d742397f885d07c06bad635bba98462a13921eb5ef1907ce0dcdffec9855cec771539c74b95ca0cb2d50a7c8b20a0280e4675e41f5bff3df7e2a0
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012255-5.dat	cobalt_reflective_dll
behavioral1/files/0x000b000000015bb9-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cec-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cdb-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d06-39.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d6e-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c2e-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc9-70.dat	cobalt_reflective_dll
behavioral1/files/0x0038000000015cad-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c7a-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ced-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d0e-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1f-129.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d27-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d17-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d06-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cfe-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf5-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ce1-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cab-86.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cf7-31.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012255-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000b000000015bb9-8.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cec-21.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cdb-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d06-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d6e-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016c2e-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cc9-70.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0038000000015cad-64.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c7a-62.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ced-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d0e-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d1f-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d27-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d17-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d06-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cfe-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf5-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ce1-89.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cab-86.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cf7-31.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/1924-0-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/files/0x000b000000012255-5.dat	UPX
behavioral1/files/0x000b000000015bb9-8.dat	UPX
behavioral1/files/0x0007000000015cec-21.dat	UPX
behavioral1/memory/2056-26-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2592-29-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/3012-25-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cdb-22.dat	UPX
behavioral1/memory/2320-19-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/files/0x0007000000015d06-39.dat	UPX
behavioral1/files/0x0008000000015d6e-47.dat	UPX
behavioral1/files/0x0007000000016c2e-54.dat	UPX
behavioral1/files/0x0006000000016cc9-70.dat	UPX
behavioral1/files/0x0038000000015cad-64.dat	UPX
behavioral1/files/0x0006000000016c7a-62.dat	UPX
behavioral1/files/0x0006000000016ced-95.dat	UPX
behavioral1/files/0x0006000000016d0e-119.dat	UPX
behavioral1/files/0x0006000000016d1f-129.dat	UPX
behavioral1/files/0x0006000000016d27-132.dat	UPX
behavioral1/files/0x0006000000016d17-124.dat	UPX
behavioral1/files/0x0006000000016d06-114.dat	UPX
behavioral1/files/0x0006000000016cfe-109.dat	UPX
behavioral1/memory/2520-104-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/files/0x0006000000016cf5-102.dat	UPX
behavioral1/memory/1440-98-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2660-91-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/files/0x0006000000016ce1-89.dat	UPX
behavioral1/memory/356-88-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/1924-87-0x000000013F350000-0x000000013F6A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016cab-86.dat	UPX
behavioral1/memory/1700-85-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2668-83-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/2896-78-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2404-57-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2416-50-0x000000013FEE0000-0x0000000140234000-memory.dmp	UPX
behavioral1/memory/2504-43-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/2520-36-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/files/0x0007000000015cf7-31.dat	UPX
behavioral1/memory/2416-137-0x000000013FEE0000-0x0000000140234000-memory.dmp	UPX
behavioral1/memory/2404-139-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/356-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/1440-142-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX
behavioral1/memory/2320-143-0x000000013F3C0000-0x000000013F714000-memory.dmp	UPX
behavioral1/memory/3012-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	UPX
behavioral1/memory/2592-146-0x000000013F330000-0x000000013F684000-memory.dmp	UPX
behavioral1/memory/2056-145-0x000000013FF90000-0x00000001402E4000-memory.dmp	UPX
behavioral1/memory/2520-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	UPX
behavioral1/memory/2504-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	UPX
behavioral1/memory/2416-149-0x000000013FEE0000-0x0000000140234000-memory.dmp	UPX
behavioral1/memory/2404-150-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2896-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	UPX
behavioral1/memory/2668-153-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/1700-152-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2660-154-0x000000013F3E0000-0x000000013F734000-memory.dmp	UPX
behavioral1/memory/356-155-0x000000013F0C0000-0x000000013F414000-memory.dmp	UPX
behavioral1/memory/1440-156-0x000000013FED0000-0x0000000140224000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1924-0-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/files/0x000b000000012255-5.dat	xmrig
behavioral1/files/0x000b000000015bb9-8.dat	xmrig
behavioral1/files/0x0007000000015cec-21.dat	xmrig
behavioral1/memory/2056-26-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2592-29-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/1924-27-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/3012-25-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cdb-22.dat	xmrig
behavioral1/memory/2320-19-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d06-39.dat	xmrig
behavioral1/files/0x0008000000015d6e-47.dat	xmrig
behavioral1/files/0x0007000000016c2e-54.dat	xmrig
behavioral1/files/0x0006000000016cc9-70.dat	xmrig
behavioral1/files/0x0038000000015cad-64.dat	xmrig
behavioral1/files/0x0006000000016c7a-62.dat	xmrig
behavioral1/files/0x0006000000016ced-95.dat	xmrig
behavioral1/files/0x0006000000016d0e-119.dat	xmrig
behavioral1/files/0x0006000000016d1f-129.dat	xmrig
behavioral1/files/0x0006000000016d27-132.dat	xmrig
behavioral1/files/0x0006000000016d17-124.dat	xmrig
behavioral1/files/0x0006000000016d06-114.dat	xmrig
behavioral1/files/0x0006000000016cfe-109.dat	xmrig
behavioral1/memory/2520-104-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cf5-102.dat	xmrig
behavioral1/memory/1440-98-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2660-91-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ce1-89.dat	xmrig
behavioral1/memory/356-88-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1924-87-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cab-86.dat	xmrig
behavioral1/memory/1700-85-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1924-84-0x0000000002350000-0x00000000026A4000-memory.dmp	xmrig
behavioral1/memory/2668-83-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/1924-79-0x0000000002350000-0x00000000026A4000-memory.dmp	xmrig
behavioral1/memory/2896-78-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2404-57-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2416-50-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2504-43-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2520-36-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015cf7-31.dat	xmrig
behavioral1/memory/2416-137-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2404-139-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/356-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1440-142-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig
behavioral1/memory/2320-143-0x000000013F3C0000-0x000000013F714000-memory.dmp	xmrig
behavioral1/memory/3012-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2592-146-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/2056-145-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2520-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2504-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2416-149-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2404-150-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2896-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2668-153-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/1700-152-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2660-154-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/356-155-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/1440-156-0x000000013FED0000-0x0000000140224000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2320	OuwlcVy.exe
3012	jkpWKTf.exe
2592	QMhdQpt.exe
2056	pgdfLHj.exe
2520	CblELAU.exe
2504	RBpCJjJ.exe
2416	ShALcbP.exe
2404	cdlIcKH.exe
2896	djUFyQD.exe
1700	ZsMsfdD.exe
2668	NSauSza.exe
356	AYWWAhJ.exe
2660	eubqaeD.exe
1440	tCZrNZC.exe
1832	AnuNzcS.exe
2272	kgZgpET.exe
1352	TTdxWkN.exe
856	EQugsAu.exe
1600	JNYAHJV.exe
2164	GnIjkeV.exe
2036	SjfyJaq.exe

Loads dropped DLL 21 IoCs

pid	Process
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1924-0-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/files/0x000b000000012255-5.dat	upx
behavioral1/files/0x000b000000015bb9-8.dat	upx
behavioral1/files/0x0007000000015cec-21.dat	upx
behavioral1/memory/2056-26-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2592-29-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/3012-25-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/files/0x0007000000015cdb-22.dat	upx
behavioral1/memory/2320-19-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/files/0x0007000000015d06-39.dat	upx
behavioral1/files/0x0008000000015d6e-47.dat	upx
behavioral1/files/0x0007000000016c2e-54.dat	upx
behavioral1/files/0x0006000000016cc9-70.dat	upx
behavioral1/files/0x0038000000015cad-64.dat	upx
behavioral1/files/0x0006000000016c7a-62.dat	upx
behavioral1/files/0x0006000000016ced-95.dat	upx
behavioral1/files/0x0006000000016d0e-119.dat	upx
behavioral1/files/0x0006000000016d1f-129.dat	upx
behavioral1/files/0x0006000000016d27-132.dat	upx
behavioral1/files/0x0006000000016d17-124.dat	upx
behavioral1/files/0x0006000000016d06-114.dat	upx
behavioral1/files/0x0006000000016cfe-109.dat	upx
behavioral1/memory/2520-104-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/files/0x0006000000016cf5-102.dat	upx
behavioral1/memory/1440-98-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2660-91-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/files/0x0006000000016ce1-89.dat	upx
behavioral1/memory/356-88-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1924-87-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/files/0x0006000000016cab-86.dat	upx
behavioral1/memory/1700-85-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2668-83-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2896-78-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2404-57-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2416-50-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2504-43-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2520-36-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/files/0x0007000000015cf7-31.dat	upx
behavioral1/memory/2416-137-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2404-139-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/356-140-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1440-142-0x000000013FED0000-0x0000000140224000-memory.dmp	upx
behavioral1/memory/2320-143-0x000000013F3C0000-0x000000013F714000-memory.dmp	upx
behavioral1/memory/3012-144-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2592-146-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/2056-145-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2520-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2504-148-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2416-149-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2404-150-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2896-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2668-153-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/1700-152-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2660-154-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/356-155-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/1440-156-0x000000013FED0000-0x0000000140224000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\QMhdQpt.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cdlIcKH.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tCZrNZC.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GnIjkeV.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SjfyJaq.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OuwlcVy.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\pgdfLHj.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RBpCJjJ.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZsMsfdD.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eubqaeD.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kgZgpET.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jkpWKTf.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CblELAU.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AYWWAhJ.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AnuNzcS.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ShALcbP.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\djUFyQD.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NSauSza.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TTdxWkN.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EQugsAu.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JNYAHJV.exe	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2320	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	29
PID 1924 wrote to memory of 2320	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	29
PID 1924 wrote to memory of 2320	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	29
PID 1924 wrote to memory of 3012	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	30
PID 1924 wrote to memory of 3012	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	30
PID 1924 wrote to memory of 3012	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	30
PID 1924 wrote to memory of 2056	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	31
PID 1924 wrote to memory of 2056	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	31
PID 1924 wrote to memory of 2056	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	31
PID 1924 wrote to memory of 2592	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	32
PID 1924 wrote to memory of 2592	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	32
PID 1924 wrote to memory of 2592	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	32
PID 1924 wrote to memory of 2520	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	33
PID 1924 wrote to memory of 2520	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	33
PID 1924 wrote to memory of 2520	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	33
PID 1924 wrote to memory of 2504	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	34
PID 1924 wrote to memory of 2504	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	34
PID 1924 wrote to memory of 2504	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	34
PID 1924 wrote to memory of 2416	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	35
PID 1924 wrote to memory of 2416	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	35
PID 1924 wrote to memory of 2416	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	35
PID 1924 wrote to memory of 2404	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	36
PID 1924 wrote to memory of 2404	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	36
PID 1924 wrote to memory of 2404	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	36
PID 1924 wrote to memory of 2896	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	37
PID 1924 wrote to memory of 2896	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	37
PID 1924 wrote to memory of 2896	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	37
PID 1924 wrote to memory of 1700	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	38
PID 1924 wrote to memory of 1700	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	38
PID 1924 wrote to memory of 1700	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	38
PID 1924 wrote to memory of 356	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	39
PID 1924 wrote to memory of 356	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	39
PID 1924 wrote to memory of 356	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	39
PID 1924 wrote to memory of 2668	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	40
PID 1924 wrote to memory of 2668	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	40
PID 1924 wrote to memory of 2668	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	40
PID 1924 wrote to memory of 2660	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	41
PID 1924 wrote to memory of 2660	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	41
PID 1924 wrote to memory of 2660	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	41
PID 1924 wrote to memory of 1440	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	42
PID 1924 wrote to memory of 1440	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	42
PID 1924 wrote to memory of 1440	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	42
PID 1924 wrote to memory of 1832	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	43
PID 1924 wrote to memory of 1832	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	43
PID 1924 wrote to memory of 1832	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	43
PID 1924 wrote to memory of 2272	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	44
PID 1924 wrote to memory of 2272	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	44
PID 1924 wrote to memory of 2272	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	44
PID 1924 wrote to memory of 1352	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	45
PID 1924 wrote to memory of 1352	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	45
PID 1924 wrote to memory of 1352	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	45
PID 1924 wrote to memory of 856	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	46
PID 1924 wrote to memory of 856	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	46
PID 1924 wrote to memory of 856	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	46
PID 1924 wrote to memory of 1600	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	47
PID 1924 wrote to memory of 1600	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	47
PID 1924 wrote to memory of 1600	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	47
PID 1924 wrote to memory of 2164	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	48
PID 1924 wrote to memory of 2164	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	48
PID 1924 wrote to memory of 2164	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	48
PID 1924 wrote to memory of 2036	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	49
PID 1924 wrote to memory of 2036	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	49
PID 1924 wrote to memory of 2036	1924	2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-02_cc219612674837b8e7c41018164b8802_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\System\OuwlcVy.exe
  C:\Windows\System\OuwlcVy.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\jkpWKTf.exe
  C:\Windows\System\jkpWKTf.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\pgdfLHj.exe
  C:\Windows\System\pgdfLHj.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\QMhdQpt.exe
  C:\Windows\System\QMhdQpt.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\CblELAU.exe
  C:\Windows\System\CblELAU.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\RBpCJjJ.exe
  C:\Windows\System\RBpCJjJ.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\ShALcbP.exe
  C:\Windows\System\ShALcbP.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\cdlIcKH.exe
  C:\Windows\System\cdlIcKH.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\djUFyQD.exe
  C:\Windows\System\djUFyQD.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\ZsMsfdD.exe
  C:\Windows\System\ZsMsfdD.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\AYWWAhJ.exe
  C:\Windows\System\AYWWAhJ.exe
  2⤵
  - Executes dropped EXE
  PID:356
- C:\Windows\System\NSauSza.exe
  C:\Windows\System\NSauSza.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\eubqaeD.exe
  C:\Windows\System\eubqaeD.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\tCZrNZC.exe
  C:\Windows\System\tCZrNZC.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\AnuNzcS.exe
  C:\Windows\System\AnuNzcS.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\kgZgpET.exe
  C:\Windows\System\kgZgpET.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\TTdxWkN.exe
  C:\Windows\System\TTdxWkN.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\EQugsAu.exe
  C:\Windows\System\EQugsAu.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\JNYAHJV.exe
  C:\Windows\System\JNYAHJV.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\GnIjkeV.exe
  C:\Windows\System\GnIjkeV.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\SjfyJaq.exe
  C:\Windows\System\SjfyJaq.exe
  2⤵
  - Executes dropped EXE
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AYWWAhJ.exe

Filesize
5.9MB

MD5
941eaa21e459c6459018053c2b25420a

SHA1
7789f39272e1d4da2ea9b7269653058e40f41b83

SHA256
f21362508e312e3850778c7da60dac00f128f375fb2b21a2b182033dbd8e08a3

SHA512
4bd23be0da9d6b5df4f8f40be876f4a3d6202576af5c771116ca4af200be83a076c41a6508e0eec7cb0d553a866016b25be5252c8198997e35c06ac732811d44

Download Submit
C:\Windows\system\AnuNzcS.exe

Filesize
5.9MB

MD5
95d3841fe582d7ca01c0da3a741faf08

SHA1
aeb969ec23525adf5fd566cfdb162c9c5491702d

SHA256
dacc397a8b616be5813b310c06e2132e3f36a9fceb6d80505004b7ce759bac99

SHA512
08e0ab04551e661854c25cb08af752a4ac39a0e7eaee80cd1ef36538381f5b7b8e4b3aa247d523a7e3affd767f4f1cfef9f5f421bce2e57abe493eb0c7a61a77

Download Submit
C:\Windows\system\CblELAU.exe

Filesize
5.9MB

MD5
cf58a4cc77d7565b338593be8c4a8471

SHA1
116503a558945dbe269054c0b8cb6c7233fca1bf

SHA256
73071a80b7327431a03b7fde34f34dac0de67ea92d4c92c6d44e57e4457b411a

SHA512
062b58ea7b1e84c6c5ea453646cd4b589c21d81c95daac2104b01dc28a9c9ba431973c2d438c31f4ed85f73c8b7c96cf08039d3524111252cd885f05e2d799ff

Download Submit
C:\Windows\system\EQugsAu.exe

Filesize
5.9MB

MD5
aa4d3e4acef4f565752548cfa6dedfdc

SHA1
ec6cf7c5b7fd062044f90e742023d83d771e654d

SHA256
cf5a234b6e90a20379b5369bc761fa372a7a94e64f8eb8669addd18b28dbc128

SHA512
dc968e8926dea4425cc44af86d9ef7968b7f20f72d648263b426fe05773a41850c76251f1e74cb4e0f1c323937028cd55775577a37126ced21715b3af7d7962a

Download Submit
C:\Windows\system\GnIjkeV.exe

Filesize
5.9MB

MD5
5f39316aa45cbbce1bed5821a9dea47a

SHA1
a76d908d43c26f6b9d8bc99d1c13767c2f0cea2f

SHA256
14dba1c9d98f936f3564204f1d0137b5699c5978f6d317b7fbe27d1dc826dabf

SHA512
a53925441e7375386b044e918c912fba903912c8e1ed458e205c177644400c2f85c71b8a3fce60dbd03c88cc39654544b2e4b801e75b9ef24f1d3e58c99b8b51

Download Submit
C:\Windows\system\JNYAHJV.exe

Filesize
5.9MB

MD5
41e2cea0e32a4bde2805a87d34fd836e

SHA1
70338e3e0df350346523951faa7c2f5f72896378

SHA256
a56203003380f97af14738ed91d90fffb0a1f43cb903e8bf55f2d550bf528811

SHA512
9d390ba344b216adbfa35497896d1a0a7bcc791cac4e16beba6ab17afa87537180771b1833e1d0703f5745d9637025066f2bbe54fc0f471eb2ec78303127c652

Download Submit
C:\Windows\system\OuwlcVy.exe

Filesize
5.9MB

MD5
2d6ac927f30d07b4b4d68683ef5afbdf

SHA1
4aa16fda646414ea2a61c9ad045a11ba8ac6a645

SHA256
74029a31ff00ea52a345ec2fd6882293f62c1eba65689b327351a18c2e6e5119

SHA512
9f6f6147cd174e79f0def87911537221567ee630be7432177f723bdc6af7f22589cc422f50bd82ca33fda91334975469f4270d32b743078454204a9d923be4df

Download Submit
C:\Windows\system\QMhdQpt.exe

Filesize
5.9MB

MD5
a84ff765272bcccca91b7c66c3ecefdb

SHA1
0141541914a0ba00bbd60352a03d3681d56a5b58

SHA256
0d3995cd902484f803360e29f8fd8ced329cab7216afdf32b9fd10315b845e0f

SHA512
e4802756198f8e56e22bb206fabb030466fb2b8605710fd66c86d063c26edebb3d289081634ed328a4d619b642e38f30099f3d5a3d33207335f1230268d64c18

Download Submit
C:\Windows\system\RBpCJjJ.exe

Filesize
5.9MB

MD5
a3320533fc018d54163559e587699138

SHA1
d69aba67d9a8930349ad2751d5086695588fc68e

SHA256
9d1a63633335666ffe8f0c9dbdecf9e53c846a3ca50b20cf69c04fa660c6823c

SHA512
16ce9f5b22b2630c9aeabd50ceadbb7b306a9d57e18fcdef57879c6025c97e2c0f57f2b1950ff7a756d98e77d7a9a457b2984439be5030af6c76c4bcb6f08903

Download Submit
C:\Windows\system\ShALcbP.exe

Filesize
5.9MB

MD5
55823d617093072cdfd157fedf021f1e

SHA1
e1f5fbf52b7485d266cde07c5760dad9ce4c0844

SHA256
7a95b93666a0d2b0392c4a6ce1385035e8378a9981673b852b567c09db4dd21a

SHA512
e4e03ec9f9b2bedc592b429dc9c183ef5c1cfa706d316050d9acf1cb40d1cbbfc34df6bcb0e9a5a170a51223c013133437a33603061d5da29b644703d36e155e

Download Submit
C:\Windows\system\TTdxWkN.exe

Filesize
5.9MB

MD5
9b378c7b56eca8f7e7c0b7eb6dcab272

SHA1
0a1e1195fd259713397a14c3e2dbd848a842a08c

SHA256
bb47f6e91d13c184f11c1027df7196417311cff901c27560721eac49f51051be

SHA512
5d33d8e3cb6c1a7560c421607abd140b00c3e5e6b31697247d1282d3c52f59c874cd124d2a35183e1ab91c4203cdc127beb1cc388ae7d0426956cba3ca18e193

Download Submit
C:\Windows\system\cdlIcKH.exe

Filesize
5.9MB

MD5
99f011727dbaf0c10fe7cd3a0d550b20

SHA1
fe2bf009e6b3c10f17ad5ee4253a486ac67ef021

SHA256
2ec169371db06c64c2fc665d2f4ed1138faefb083a6accc448d172d12a5e9dcd

SHA512
e19bd0346343c4988f18e896beaec41f3414c4dc80519460e27ed9db50145ff2324de7fd3214694c7ed8dafc7f62d7e2e1ce2b6dcc8fca4440c4a9d2f1e0b9d6

Download Submit
C:\Windows\system\djUFyQD.exe

Filesize
5.9MB

MD5
2ce8546f8bc55b4fd6ba8da21ba3d540

SHA1
e7066ac2d5410c8ef2c323187f26faaea3f5aaf8

SHA256
f53b4c62cebc0d2bda30632547b4f9c4c4b22838b6715225d7accfbf22b008da

SHA512
bc789cd8b510f734ff14bdb9d65a16e3e7b69ae78a33ad3a40143e0b55e8a77a1797a5fbedfe91e544549c5c4f6ef25795e8c827721177b5ae96aec274d5f242

Download Submit
C:\Windows\system\eubqaeD.exe

Filesize
5.9MB

MD5
fb38ee25ebe72f0ec696ce80302886d7

SHA1
4186431bb2932030ecd8b6df44918bdfd702d1af

SHA256
aeb35a6260e308e4bd64c9170b897cfa1d81a139f6750b0385832954475e8dc4

SHA512
b4d244b09ae2ce75a4c024c8427ef24f1e414af1fc5cd9a84b8262c70b9dc6470b6df0c7313ca04bb1cf6ed5235c86226782c9e60713a9d792de155a80df63dc

Download Submit
C:\Windows\system\kgZgpET.exe

Filesize
5.9MB

MD5
db182d08fa779a28a3c7a0850e245809

SHA1
81f68c18092376031e9ad5782c373f3f43d6333d

SHA256
f0b563044977164e2a4b09b9f197801015601d94e7f87cb3c8d60dfb211a3321

SHA512
661aeac5c05a0d6a3773cfdca7756b5512ae8ad60cbbb0153e8e3720bf0ef337c4a70f7bb23227c742b350e7ed56c8aa970d49be8b95ca8f0d0d99640307b8cc

Download Submit
C:\Windows\system\pgdfLHj.exe

Filesize
5.9MB

MD5
d64dff82125a5fbf9d95aa196516a79f

SHA1
fafd1afafdc4b8189cac0a49ddf9de36da989be3

SHA256
38b39cdebdcf4e731ad9fdcb79112a9d1a563d6c575ffe2432cc8e9493b8ae96

SHA512
61d005455d4f373680ac82b3283e96a2b4613d24904798d72b460b098994986a1e8d1bb8b39c8fb8713bffc1cf562a3007bd458fbb563dfe68b21bc47786ab7a

Download Submit
C:\Windows\system\tCZrNZC.exe

Filesize
5.9MB

MD5
1a2e728dec87737dccc6c2ec4dd6a8f2

SHA1
754be80740c7e0f6df195c407df5118362ea88f6

SHA256
95d590e079c10cfa6fcdbb5efdd09b234b2c493d03f79aec640add6ec4e43384

SHA512
fb89c9b6ddf6e9d88e72838718c7e73516bc5c4b836db0518df0dddf46afd877414c060e7c4b9d8dfe4b72b706eeda247ae55233edf59f928f6e88c296caa5b9

Download Submit
\Windows\system\NSauSza.exe

Filesize
5.9MB

MD5
b6dee31190a4eb402a4465670380e177

SHA1
3d960ed8e57199571a63680901a0ad5e79cebd09

SHA256
5cbdcc31f392b01b0b37bfe74e38e86b6a0dd8fc06738ded5e5ff887e247be3c

SHA512
72498f73d0ffc9600ae7e06f8350dcdf9243a9230a7ce4a639a7a12dcdb5a683bf23fd8255549e65ba8d255fecd93673b7e419ae44c8c7ee7adddacfdad4ee25

Download Submit
\Windows\system\SjfyJaq.exe

Filesize
5.9MB

MD5
ce91eee7def996a0ed6d0bfaf13a6d3b

SHA1
a11085608fb38087b1bb04d1fb9859847425fe02

SHA256
e5050ff29fa200a61e3ab6f669634b73f31b9c606ae6798c8597d70a1fa748e3

SHA512
229c7d6c96835aa7060a1fa862ce8cacf92f51e378318553c3715969df4a221fa4fe5c7bf38ed664258b7ffff8affcd49531bf041a1e5ace6878a014cb99a840

Download Submit
\Windows\system\ZsMsfdD.exe

Filesize
5.9MB

MD5
52851f4a4df48c832271a6b443fb34b7

SHA1
c596fa0d792e0a11e6fb51e7c87680f1b036eda5

SHA256
15ca0dceb001a2cb9713a8270b6c2d8d49d0d8364a3b2b1c7fefc290cff276ef

SHA512
9a75d942f33a9d2df49de6c8fe039c5c04d0ccc11c635ec0be45569cef1e6f0314bcab3d9799e7fef71694e7c184c85893fd1a098a172a9d6a044579a42c6620

Download Submit
\Windows\system\jkpWKTf.exe

Filesize
5.9MB

MD5
9c5ce8dd349acad974b5fcd0b4ded3cd

SHA1
920e09d9ee8ece01c654aeb35b7ac957c4dbc728

SHA256
ce1750b4d676d2d6e992b1b1b38f13a9fbd9420c97c575821a2b2eb2d55926be

SHA512
e8bcd9146a6a3b5e4359ea55584163c4414ee53c850725222a263d29dc6d55749c19d8dacc44344683c40828ec8aec894ec7e719e8d262d41c82d4d56aaabab4

Download Submit
memory/356-88-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/356-140-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/356-155-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/1440-156-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1440-142-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1440-98-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1700-152-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1700-85-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1924-61-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-27-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-105-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-97-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1924-28-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-48-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/1924-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1924-87-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-13-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-141-0x000000013FED0000-0x0000000140224000-memory.dmp

Filesize
3.3MB

Download
memory/1924-84-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-136-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/1924-34-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-82-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/1924-79-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-138-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-0-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-55-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/1924-42-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2056-26-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-145-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-143-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/2320-19-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/2404-139-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2404-150-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2404-57-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2416-149-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2416-137-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2416-50-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2504-43-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2504-148-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2520-147-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-104-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-36-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-146-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2592-29-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2660-91-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2660-154-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2668-83-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2668-153-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2896-78-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-151-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-25-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/3012-144-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download