cobaltstrike | 50ae37b1eb10c084fcb62903ccf822fe4faa77e402d62e4c497fbea27e02e927

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

426b22a573fcc58a628a1099c6785775
SHA1

7d7c0d8b4a1bafe67c52fb8e2dfb7db489f53d52
SHA256

50ae37b1eb10c084fcb62903ccf822fe4faa77e402d62e4c497fbea27e02e927
SHA512

b212abfb0b9a3c5a20a62aea0b99d3731a56a9e86b2f2b5416c8ab72240624ce801c43dc9e8fd664691100d0c15e61ed9bfd1d53f643fdfbed95b290143d1698
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUj:Q+856utgpPF8u/7j

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000e000000014698-3.dat	cobalt_reflective_dll
behavioral1/files/0x002a000000014aec-13.dat	cobalt_reflective_dll
behavioral1/files/0x002a000000014b6d-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014fe1-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015364-30.dat	cobalt_reflective_dll
behavioral1/files/0x0013000000014c67-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015cb9-48.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cf0-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d24-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d11-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d01-59.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000155d4-44.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d41-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4a-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d84-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016e56-124.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001704f-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000e000000014698-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002a000000014aec-13.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002a000000014b6d-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000014fe1-22.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015364-30.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0013000000014c67-37.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015cb9-48.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cf0-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d24-69.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d11-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d01-59.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000155d4-44.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d41-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4f-102.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4a-98.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d36-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d89-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d84-112.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016e56-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000600000001704f-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

resource	yara_rule
behavioral1/memory/3008-0-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/files/0x000e000000014698-3.dat	UPX
behavioral1/files/0x002a000000014aec-13.dat	UPX
behavioral1/memory/2560-16-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/files/0x002a000000014b6d-11.dat	UPX
behavioral1/files/0x0008000000014fe1-22.dat	UPX
behavioral1/memory/2772-26-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/3008-31-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/files/0x0007000000015364-30.dat	UPX
behavioral1/memory/2420-29-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2504-12-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2704-36-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/files/0x0013000000014c67-37.dat	UPX
behavioral1/files/0x0007000000015cb9-48.dat	UPX
behavioral1/files/0x0006000000016cf0-54.dat	UPX
behavioral1/memory/3008-61-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d24-69.dat	UPX
behavioral1/memory/2252-77-0x000000013F490000-0x000000013F7E4000-memory.dmp	UPX
behavioral1/memory/2340-78-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2460-76-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/788-80-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d11-81.dat	UPX
behavioral1/memory/2424-68-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/552-82-0x000000013FEC0000-0x0000000140214000-memory.dmp	UPX
behavioral1/memory/2468-63-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d01-59.dat	UPX
behavioral1/files/0x00070000000155d4-44.dat	UPX
behavioral1/memory/2560-84-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/files/0x0006000000016d41-90.dat	UPX
behavioral1/files/0x0006000000016d4f-102.dat	UPX
behavioral1/memory/2064-101-0x000000013FDC0000-0x0000000140114000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4a-98.dat	UPX
behavioral1/memory/292-96-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d36-85.dat	UPX
behavioral1/files/0x0006000000016d55-108.dat	UPX
behavioral1/files/0x0006000000016d89-116.dat	UPX
behavioral1/files/0x0006000000016d84-112.dat	UPX
behavioral1/files/0x0006000000016d55-117.dat	UPX
behavioral1/files/0x0006000000016e56-124.dat	UPX
behavioral1/files/0x000600000001704f-132.dat	UPX
behavioral1/memory/552-136-0x000000013FEC0000-0x0000000140214000-memory.dmp	UPX
behavioral1/memory/292-138-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX
behavioral1/memory/3008-137-0x00000000024B0000-0x0000000002804000-memory.dmp	UPX
behavioral1/memory/2504-141-0x000000013F080000-0x000000013F3D4000-memory.dmp	UPX
behavioral1/memory/2560-142-0x000000013FEB0000-0x0000000140204000-memory.dmp	UPX
behavioral1/memory/2772-143-0x000000013F3F0000-0x000000013F744000-memory.dmp	UPX
behavioral1/memory/2420-144-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2704-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	UPX
behavioral1/memory/2468-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	UPX
behavioral1/memory/2424-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	UPX
behavioral1/memory/2340-149-0x000000013F210000-0x000000013F564000-memory.dmp	UPX
behavioral1/memory/2252-147-0x000000013F490000-0x000000013F7E4000-memory.dmp	UPX
behavioral1/memory/2460-150-0x000000013FD40000-0x0000000140094000-memory.dmp	UPX
behavioral1/memory/788-151-0x000000013FF50000-0x00000001402A4000-memory.dmp	UPX
behavioral1/memory/552-152-0x000000013FEC0000-0x0000000140214000-memory.dmp	UPX
behavioral1/memory/2064-154-0x000000013FDC0000-0x0000000140114000-memory.dmp	UPX
behavioral1/memory/292-153-0x000000013F570000-0x000000013F8C4000-memory.dmp	UPX

XMRig Miner payload 60 IoCs

miner

resource	yara_rule
behavioral1/memory/3008-0-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x000e000000014698-3.dat	xmrig
behavioral1/files/0x002a000000014aec-13.dat	xmrig
behavioral1/memory/2560-16-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/files/0x002a000000014b6d-11.dat	xmrig
behavioral1/files/0x0008000000014fe1-22.dat	xmrig
behavioral1/memory/3008-28-0x00000000024B0000-0x0000000002804000-memory.dmp	xmrig
behavioral1/memory/2772-26-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/3008-31-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/files/0x0007000000015364-30.dat	xmrig
behavioral1/memory/2420-29-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2504-12-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2704-36-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/files/0x0013000000014c67-37.dat	xmrig
behavioral1/files/0x0007000000015cb9-48.dat	xmrig
behavioral1/files/0x0006000000016cf0-54.dat	xmrig
behavioral1/memory/3008-61-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d24-69.dat	xmrig
behavioral1/memory/2252-77-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/memory/2340-78-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2460-76-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/788-80-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d11-81.dat	xmrig
behavioral1/memory/2424-68-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/552-82-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/2468-63-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d01-59.dat	xmrig
behavioral1/files/0x00070000000155d4-44.dat	xmrig
behavioral1/memory/2560-84-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d41-90.dat	xmrig
behavioral1/files/0x0006000000016d4f-102.dat	xmrig
behavioral1/memory/2064-101-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4a-98.dat	xmrig
behavioral1/memory/292-96-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d36-85.dat	xmrig
behavioral1/files/0x0006000000016d55-108.dat	xmrig
behavioral1/files/0x0006000000016d89-116.dat	xmrig
behavioral1/files/0x0006000000016d84-112.dat	xmrig
behavioral1/files/0x0006000000016d55-117.dat	xmrig
behavioral1/files/0x0006000000016e56-124.dat	xmrig
behavioral1/files/0x000600000001704f-132.dat	xmrig
behavioral1/memory/552-136-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/292-138-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig
behavioral1/memory/3008-137-0x00000000024B0000-0x0000000002804000-memory.dmp	xmrig
behavioral1/memory/3008-139-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/3008-140-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2504-141-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2560-142-0x000000013FEB0000-0x0000000140204000-memory.dmp	xmrig
behavioral1/memory/2772-143-0x000000013F3F0000-0x000000013F744000-memory.dmp	xmrig
behavioral1/memory/2420-144-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2704-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2468-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2424-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2340-149-0x000000013F210000-0x000000013F564000-memory.dmp	xmrig
behavioral1/memory/2252-147-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/memory/2460-150-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/788-151-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/552-152-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/2064-154-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/292-153-0x000000013F570000-0x000000013F8C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2504	tIFWyiy.exe
2560	ZNQtznt.exe
2772	TEnQcrR.exe
2420	VFjTbkh.exe
2704	jJMhJTw.exe
2252	yJaZgRF.exe
2468	QLqzGQY.exe
2424	lPKWCZS.exe
2340	lbliTbU.exe
2460	fRPGEPc.exe
788	ebyqYKk.exe
552	syVxwRU.exe
292	FArvgsz.exe
2064	tZZIuyZ.exe
2712	ZqASWNG.exe
2512	sAGrHHi.exe
2304	CeLNwCV.exe
1932	cUVIstB.exe
1944	lpttqjm.exe
1988	OmIDGcC.exe
1924	rTFxyVj.exe

Loads dropped DLL 21 IoCs

pid	Process
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3008-0-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/files/0x000e000000014698-3.dat	upx
behavioral1/files/0x002a000000014aec-13.dat	upx
behavioral1/memory/2560-16-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/files/0x002a000000014b6d-11.dat	upx
behavioral1/files/0x0008000000014fe1-22.dat	upx
behavioral1/memory/2772-26-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/3008-31-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x0007000000015364-30.dat	upx
behavioral1/memory/2420-29-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2504-12-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2704-36-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x0013000000014c67-37.dat	upx
behavioral1/files/0x0007000000015cb9-48.dat	upx
behavioral1/files/0x0006000000016cf0-54.dat	upx
behavioral1/memory/3008-61-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/files/0x0006000000016d24-69.dat	upx
behavioral1/memory/2252-77-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/2340-78-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2460-76-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/788-80-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/files/0x0006000000016d11-81.dat	upx
behavioral1/memory/2424-68-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/552-82-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/2468-63-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/files/0x0006000000016d01-59.dat	upx
behavioral1/files/0x00070000000155d4-44.dat	upx
behavioral1/memory/2560-84-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/files/0x0006000000016d41-90.dat	upx
behavioral1/files/0x0006000000016d4f-102.dat	upx
behavioral1/memory/2064-101-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/files/0x0006000000016d4a-98.dat	upx
behavioral1/memory/292-96-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/files/0x0006000000016d36-85.dat	upx
behavioral1/files/0x0006000000016d55-108.dat	upx
behavioral1/files/0x0006000000016d89-116.dat	upx
behavioral1/files/0x0006000000016d84-112.dat	upx
behavioral1/files/0x0006000000016d55-117.dat	upx
behavioral1/files/0x0006000000016e56-124.dat	upx
behavioral1/files/0x000600000001704f-132.dat	upx
behavioral1/memory/552-136-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/292-138-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx
behavioral1/memory/3008-137-0x00000000024B0000-0x0000000002804000-memory.dmp	upx
behavioral1/memory/2504-141-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2560-142-0x000000013FEB0000-0x0000000140204000-memory.dmp	upx
behavioral1/memory/2772-143-0x000000013F3F0000-0x000000013F744000-memory.dmp	upx
behavioral1/memory/2420-144-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2704-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2468-146-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2424-148-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2340-149-0x000000013F210000-0x000000013F564000-memory.dmp	upx
behavioral1/memory/2252-147-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/2460-150-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/788-151-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/552-152-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/2064-154-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/292-153-0x000000013F570000-0x000000013F8C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZNQtznt.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TEnQcrR.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tZZIuyZ.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cUVIstB.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lpttqjm.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\rTFxyVj.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VFjTbkh.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\jJMhJTw.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CeLNwCV.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OmIDGcC.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tIFWyiy.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yJaZgRF.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QLqzGQY.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lbliTbU.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fRPGEPc.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ZqASWNG.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sAGrHHi.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lPKWCZS.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\syVxwRU.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ebyqYKk.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FArvgsz.exe	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 2504	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	29
PID 3008 wrote to memory of 2504	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	29
PID 3008 wrote to memory of 2504	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	29
PID 3008 wrote to memory of 2560	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	30
PID 3008 wrote to memory of 2560	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	30
PID 3008 wrote to memory of 2560	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	30
PID 3008 wrote to memory of 2772	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	31
PID 3008 wrote to memory of 2772	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	31
PID 3008 wrote to memory of 2772	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	31
PID 3008 wrote to memory of 2420	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	32
PID 3008 wrote to memory of 2420	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	32
PID 3008 wrote to memory of 2420	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	32
PID 3008 wrote to memory of 2704	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	33
PID 3008 wrote to memory of 2704	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	33
PID 3008 wrote to memory of 2704	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	33
PID 3008 wrote to memory of 2252	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	34
PID 3008 wrote to memory of 2252	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	34
PID 3008 wrote to memory of 2252	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	34
PID 3008 wrote to memory of 2468	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	35
PID 3008 wrote to memory of 2468	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	35
PID 3008 wrote to memory of 2468	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	35
PID 3008 wrote to memory of 2424	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	36
PID 3008 wrote to memory of 2424	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	36
PID 3008 wrote to memory of 2424	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	36
PID 3008 wrote to memory of 2340	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	37
PID 3008 wrote to memory of 2340	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	37
PID 3008 wrote to memory of 2340	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	37
PID 3008 wrote to memory of 2460	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	38
PID 3008 wrote to memory of 2460	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	38
PID 3008 wrote to memory of 2460	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	38
PID 3008 wrote to memory of 552	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	39
PID 3008 wrote to memory of 552	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	39
PID 3008 wrote to memory of 552	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	39
PID 3008 wrote to memory of 788	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	40
PID 3008 wrote to memory of 788	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	40
PID 3008 wrote to memory of 788	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	40
PID 3008 wrote to memory of 292	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	41
PID 3008 wrote to memory of 292	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	41
PID 3008 wrote to memory of 292	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	41
PID 3008 wrote to memory of 2064	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	42
PID 3008 wrote to memory of 2064	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	42
PID 3008 wrote to memory of 2064	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	42
PID 3008 wrote to memory of 2712	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	43
PID 3008 wrote to memory of 2712	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	43
PID 3008 wrote to memory of 2712	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	43
PID 3008 wrote to memory of 2512	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	44
PID 3008 wrote to memory of 2512	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	44
PID 3008 wrote to memory of 2512	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	44
PID 3008 wrote to memory of 2304	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	45
PID 3008 wrote to memory of 2304	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	45
PID 3008 wrote to memory of 2304	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	45
PID 3008 wrote to memory of 1932	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	46
PID 3008 wrote to memory of 1932	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	46
PID 3008 wrote to memory of 1932	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	46
PID 3008 wrote to memory of 1944	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	47
PID 3008 wrote to memory of 1944	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	47
PID 3008 wrote to memory of 1944	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	47
PID 3008 wrote to memory of 1988	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	48
PID 3008 wrote to memory of 1988	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	48
PID 3008 wrote to memory of 1988	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	48
PID 3008 wrote to memory of 1924	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	49
PID 3008 wrote to memory of 1924	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	49
PID 3008 wrote to memory of 1924	3008	2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_426b22a573fcc58a628a1099c6785775_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\System\tIFWyiy.exe
  C:\Windows\System\tIFWyiy.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\ZNQtznt.exe
  C:\Windows\System\ZNQtznt.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\TEnQcrR.exe
  C:\Windows\System\TEnQcrR.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\VFjTbkh.exe
  C:\Windows\System\VFjTbkh.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\jJMhJTw.exe
  C:\Windows\System\jJMhJTw.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\yJaZgRF.exe
  C:\Windows\System\yJaZgRF.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\QLqzGQY.exe
  C:\Windows\System\QLqzGQY.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\lPKWCZS.exe
  C:\Windows\System\lPKWCZS.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\lbliTbU.exe
  C:\Windows\System\lbliTbU.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\fRPGEPc.exe
  C:\Windows\System\fRPGEPc.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\syVxwRU.exe
  C:\Windows\System\syVxwRU.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\ebyqYKk.exe
  C:\Windows\System\ebyqYKk.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\FArvgsz.exe
  C:\Windows\System\FArvgsz.exe
  2⤵
  - Executes dropped EXE
  PID:292
- C:\Windows\System\tZZIuyZ.exe
  C:\Windows\System\tZZIuyZ.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\ZqASWNG.exe
  C:\Windows\System\ZqASWNG.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\sAGrHHi.exe
  C:\Windows\System\sAGrHHi.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\CeLNwCV.exe
  C:\Windows\System\CeLNwCV.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\cUVIstB.exe
  C:\Windows\System\cUVIstB.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\lpttqjm.exe
  C:\Windows\System\lpttqjm.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\OmIDGcC.exe
  C:\Windows\System\OmIDGcC.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\rTFxyVj.exe
  C:\Windows\System\rTFxyVj.exe
  2⤵
  - Executes dropped EXE
  PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CeLNwCV.exe

Filesize
5.9MB

MD5
e3a97b3035632e5ded91275aa2641438

SHA1
dbbefc90b52695b45b4385227ed6bf49a91747cd

SHA256
c40e29c6bfa9001c4611874fa69dd6279b2a1752a4c3af0a4aed299f36bffab3

SHA512
ae979eae3d4750eccb32947536a4dfc68da3f02a0fe1f3b7797244ebf626b86c3d2550b2467177ae7df9bfa496fdbceb5a10388464dae86406518887e742ab1f

Download Submit
C:\Windows\system\QLqzGQY.exe

Filesize
5.9MB

MD5
8dcb76324c028b247c00a8de45126287

SHA1
cf840c4dd9adaafdab04a044ed9cfbbb5bbf5431

SHA256
55156dc7ab6f1abeaa327f13a0fd54e2d5fc47020a258a1b0ce2deeba8cd75ee

SHA512
21d9bc02ff646559f2b7a651e4d7603b9b11b1d611299ade2e288a581546dfff12d62ff358746faf178499adcf86e5c7aed5ff7e6c1a232b60aab7b9d732b7d1

Download Submit
C:\Windows\system\TEnQcrR.exe

Filesize
5.9MB

MD5
58390e29a266632c8acbad00b44c3e07

SHA1
5cade3babbbca12193d8eb253a6fb30da8ca931a

SHA256
7c08b8edcb2f6b2176b67f736e3b927cc07dd98edbf21876268efa8c40f8a421

SHA512
f156440594531feccde553094aecded0c01f2241b921c1dc205742e4786efb756999aceed429e2ac5620c9b142f16605520924a2659a6b2d372409341d77810d

Download Submit
C:\Windows\system\ZNQtznt.exe

Filesize
5.9MB

MD5
0cb490d5e3e79a5614fc3903215249a1

SHA1
579f938fcdf95c41235316344264de1dd83d4740

SHA256
6f54b8b1daa12de0c852751e91a25c76f558b9b034c3d901c461ce14db0f5339

SHA512
defcf3be0a243eaedccf8f2b54edd41279c84635bb953afb978e26756da175c55aac696068410a8af3a78e55008bb83d9d975969c8e55af8bcbe396c5ae06d69

Download Submit
C:\Windows\system\fRPGEPc.exe

Filesize
5.9MB

MD5
460cee5a2a4bd3aa7210598010d4b741

SHA1
df758bf6c7ce613f73f44613811c77da3371a65a

SHA256
cbc1e44875931c8e85dc46004c1c81f14e0711389ff9f9a666f8809277f8f7ca

SHA512
570b3d922ca68aab26426256261fa8930fb547d805d0f3d5301eafd88c5e281d16d51d32c7664e03c7271de3360054d693ae979ad43063dfccea436c034eebfb

Download Submit
C:\Windows\system\lPKWCZS.exe

Filesize
5.9MB

MD5
61e0d6156b62c30cfd430ee012724a8b

SHA1
532228a3dd336ebf226304aa4712dd8da724dc87

SHA256
d5b90ed7985c1ddc37730dd6225533ef0eaf0436fc58a81b62aca664668ec2dd

SHA512
3094ae5823eadc530f765327caa0713ce56c4ec76b53af012fdd2093702e0c3117fe0e3d08fd88142b5fa5b3734d7b9bf81b932deaa1966b26fbdc61e8f479d4

Download Submit
C:\Windows\system\lbliTbU.exe

Filesize
5.9MB

MD5
2fe6d33d702d3ece58b8bb6d5ce17b1c

SHA1
8974b71425873265caa898e06381817d6f290e52

SHA256
874d22dd9a195aaa38631428a7dbdc613ff3d7195c130877fba765b86f8e2b52

SHA512
5ce65cf012ec8ddfe7594d6d8ca3a591468fb63e8361b2c557601015bfb6a945e8a2944ed761b510891b33e4e057f9af21c04e2e786b24a9c7a3df3b582e6eac

Download Submit
C:\Windows\system\rTFxyVj.exe

Filesize
5.9MB

MD5
487c785cf7ae08c07b65667fe1251749

SHA1
f6947f7ca30eb36becadc7070daa8b47909b3fa3

SHA256
0894b23153296c18fad1683842a92489c8be52a07d66bed4526e53dc45889d0e

SHA512
fd67a75435157644edd52e047d94d8782837ce1f12247884abd45f0ed5a8434d1db67c9aafaf821ede9048b95fc3227429508f532636f2b18c69bf58e09900d3

Download Submit
C:\Windows\system\syVxwRU.exe

Filesize
5.9MB

MD5
95a8758f324fa90eee0aab1c2d8f5372

SHA1
4939f14fc1336d68df0ee2553c2bcbcae5e4f560

SHA256
0b8ca98e517ecc0e0636daeed00c5edae82a202e54ae27627bee9e7256024da7

SHA512
47702204f7e831135339920f90500aefb6c022843bcb637aee3d465f57641d84a24743f1cd73cf7a72ba20f6c50efefdf8e709ab327a541ae26aa6e7ddc61650

Download Submit
\Windows\system\CeLNwCV.exe

Filesize
2.8MB

MD5
7ca4c7d08ec840a69d3101c638d4b72f

SHA1
9a0bd3c709f755b63121fadc936f446aec1e7ee6

SHA256
ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7

SHA512
93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b

Download Submit
\Windows\system\FArvgsz.exe

Filesize
5.9MB

MD5
69184313dea90df71785f254c3daf879

SHA1
bcf4c5e28da12db1396f4dabbeda61c362ee072c

SHA256
711748dd84f1a1c2d57c93833d9db6b051008860feb30495beb7fd819e064a4a

SHA512
43cae6651b7f89b3c5a1fe9084cf89a9165ca90da7bd5d9458144560fef71196b641d0af8bbe087ad646ec1cb640b5f38efc6bd7a73f25affe69cf85fd929500

Download Submit
\Windows\system\OmIDGcC.exe

Filesize
5.9MB

MD5
e7261883d2b20216a2247baf33b75a23

SHA1
5a3bb157fcd793e2700dc8d816825df0d04c9d58

SHA256
10372ee9624fe8a63762968daba639dfda3eb3b2a0996831994a4154d7c70b07

SHA512
c0369feb0ef9c2b60c6c08c9ef3e0418cdcc2fc417956a066c2ae2025ca52de06915d2c6216c76779934e5b42043e0bac239b8cf1c7ab5cd25ea0ca749200a9e

Download Submit
\Windows\system\VFjTbkh.exe

Filesize
5.9MB

MD5
fca5b4b5e55788277198eb2c5b84e6fb

SHA1
86328292a8d0488ac3873a4f9744a65fa450521f

SHA256
7af57d976ffd2744121b7909af14e1d629352ada1bf893bf13e92cf07a01ced0

SHA512
ec7cd0f154b53fd6e0aacec9fef5d29892b4207432bb8d2beb217215956712924dc546c7f153696bb049d02b814cd5f676a836f17cc7d476943743257bf43ac4

Download Submit
\Windows\system\ZqASWNG.exe

Filesize
5.9MB

MD5
4e56d943cf9e0bf3fb773694340c42fb

SHA1
a4e5e23b65cbddc2d2bc876e6857be2011a430a0

SHA256
aeea9c0e61126bea7355d3a0ce393ba9ea25da76ebf6e6a00409d6184dc91e8e

SHA512
20702f2c95e3286b0d0c220bab0b0a55b71099d57f30c50e65276425cd81b3c0b68eb1d623f268ad01f04db0f2f181e60aae1e48e92188676edd9f6d49c64fa6

Download Submit
\Windows\system\cUVIstB.exe

Filesize
5.9MB

MD5
f3c93f2a3140e46ca7948bac1c38fa3c

SHA1
69b65a2cc9e1066f0321fbe04c84b8a6b4fe13f0

SHA256
6a2155a843b263fa07690c9e75d5bc9e7e38eb97d9d20044dd4a937c0a8b9a29

SHA512
3fc7ac9315e7d9bdfd92126cb5f8459d05ba5c551b724143cf263b74917112a86c1a89083192632fd2161eefc14b271ecdc89d56ed95243fa52a2d04fe05144c

Download Submit
\Windows\system\ebyqYKk.exe

Filesize
5.9MB

MD5
3d69c9e7ca88c1fb82a6634ba4fe7356

SHA1
8a89f121a017967b07f4f5992c72b45940357d5e

SHA256
62a358d7c8ae29436444d61cbe47beb68c236a1082d87bf531ed7fcf28512bf9

SHA512
39469e63f2dffeef4f97280c2198a99244827bdda47828e2458a91381faf7c0c70dce65b20d5f97cd11ccd201b6155ddee37339e8ff7767973114d532f5b9e8c

Download Submit
\Windows\system\jJMhJTw.exe

Filesize
5.9MB

MD5
aa812c8fddf9980560f343637254b992

SHA1
04f990400a91d1cf4ee6a39dcc1f8d642c09650c

SHA256
7ccc69e2ffb305ac6c09bd8bd26f2dd503c1198530c4527b923bf5fdf05e01e5

SHA512
75a81d4445e27497f1a7e7b3aedc570aacf850184aba15c2e6fc43679e11bd908bad699e7bd73c0fd5412fff9100c1d2f84b82866b515dc78610fd974ef18b3b

Download Submit
\Windows\system\lpttqjm.exe

Filesize
5.9MB

MD5
b96b2d558021ac9609b363794ffff0ba

SHA1
9006d983531ab58cc620cdf7fadcdcb3c98a8b6a

SHA256
d0d61b955a95630f71f85710d869f3c3685ab4b99f650ffbcdb8402fc33a15d6

SHA512
35bdb45e471db88aa353cfc5625a1e978699e67730761058837704025cb96f99f6b5339811bcbd3e50603287f25bc98afcc0b839bc75cd5c6f1239a543b981e4

Download Submit
\Windows\system\sAGrHHi.exe

Filesize
5.9MB

MD5
661ceddb24caa93a0a8a028966eee953

SHA1
f388679698562d95170bcade28682c9a9ef5d4fa

SHA256
e27db8d6b7e06c931103ed4c81e1b565a5d5bd112009897c8cf852b97d7048d5

SHA512
2a02b13e9820d656e7e8c54538a36b18c21941d624176e9d5a1992f335fa8acf717c4bb355aa955af9dd7ef22a4f60a278dceb44b69dfbe11c8b75e5d197593c

Download Submit
\Windows\system\tIFWyiy.exe

Filesize
5.9MB

MD5
c7ce75fca1b8d44e335d7b18b297f591

SHA1
8c62130eec5c4662fb0425ef560a9e4d9979882f

SHA256
6b7ea014799edfb3df4b6626b529a357b9e82f1a12c1080435802ad6dcc27b23

SHA512
2e7530165b982a804d49071fea883fee09a61e7f37d92dd5a4894af9fb98c8d798b301ce24a143e450d41ce961f3b75c83e2f44336b28f90ae548d96ef39344a

Download Submit
\Windows\system\tZZIuyZ.exe

Filesize
5.9MB

MD5
c2ea4d17672c49d1ce0fc67106d8f6b9

SHA1
fce187ae2edf82fded6618ac25ed76cb69762b92

SHA256
7b9a78d1839d71b23bb35d71d52eda6ff42097faee6643df002bc7d52313b752

SHA512
40db938149027a3fac4610b8b8977c3ba1cf3f1b82b2057b4702b212060c49f310d7d9227283e4e7354fafd849781fd57c332ec4f9f44b67a5b949b8c9461a0e

Download Submit
\Windows\system\yJaZgRF.exe

Filesize
5.9MB

MD5
d422970bc650d82a93417d441b0c47aa

SHA1
60c14bab7d4a4813d0d48bb3350fb05c6fe219d3

SHA256
7bf38ac5ed8b7d4294c4124c5e22ced302aa34182335fb005ae4063da58c2bac

SHA512
7bed080bd72ad96c44cc71fb1aa33bb7b8f46b2131ccdb8eaed10378a6a50c11377d0ec3fd3705da88b41e3a7ecaf3e29e20fb0688cdfd80796c3554b71ee23a

Download Submit
memory/292-96-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/292-138-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/292-153-0x000000013F570000-0x000000013F8C4000-memory.dmp

Filesize
3.3MB

Download
memory/552-82-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/552-136-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/552-152-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/788-151-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/788-80-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-101-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2064-154-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2252-77-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-147-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-78-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2340-149-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/2420-144-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2420-29-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2424-68-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2424-148-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2460-150-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2460-76-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2468-63-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-146-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-12-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-141-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-16-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2560-84-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2560-142-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/2704-145-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2704-36-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2772-26-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/2772-143-0x000000013F3F0000-0x000000013F744000-memory.dmp

Filesize
3.3MB

Download
memory/3008-87-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/3008-134-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/3008-137-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/3008-139-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/3008-140-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/3008-135-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/3008-8-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-14-0x000000013FEB0000-0x0000000140204000-memory.dmp

Filesize
3.3MB

Download
memory/3008-28-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/3008-72-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/3008-31-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/3008-97-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/3008-103-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/3008-0-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-70-0x000000013F210000-0x000000013F564000-memory.dmp

Filesize
3.3MB

Download
memory/3008-79-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-66-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-61-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download