cobaltstrike | ef617b482ba035bc792feb1158a4392186891afa7200312340b6bc168f645a6f

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

f9840cd71e714941e9d8e8a14d895154
SHA1

3767a895fe743d01d632088a386cddc63553989b
SHA256

ef617b482ba035bc792feb1158a4392186891afa7200312340b6bc168f645a6f
SHA512

678ca4148846a3a48421df5c845d0c975e93d8cf2aed98dc3d12ca5da9f3fc3cb9d5f0dda8682b74ed0343a449c84c174cf531225e122669edeef713442f8937
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	cobalt_reflective_dll
behavioral1/files/0x0037000000016581-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c6f-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cc1-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ceb-39.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000171d7-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017223-68.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173f9-88.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018673-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018723-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018784-138.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871f-128.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870f-124.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870e-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017577-92.dat	cobalt_reflective_dll
behavioral1/files/0x0014000000018668-103.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173f6-81.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173ca-73.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d32-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d17-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c78-38.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012280-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0037000000016581-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000016c6f-12.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016cc1-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016ceb-39.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000171d7-57.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017223-68.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000173f9-88.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000d000000018673-110.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018723-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0005000000018784-138.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001871f-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001870f-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000500000001870e-117.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000017577-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0014000000018668-103.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000173f6-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000173ca-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000016d32-51.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016d17-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016c78-38.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 57 IoCs

resource	yara_rule
behavioral1/memory/1964-0-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/files/0x000a000000012280-6.dat	UPX
behavioral1/files/0x0037000000016581-11.dat	UPX
behavioral1/files/0x0008000000016c6f-12.dat	UPX
behavioral1/files/0x0007000000016cc1-23.dat	UPX
behavioral1/files/0x0007000000016ceb-39.dat	UPX
behavioral1/files/0x00060000000171d7-57.dat	UPX
behavioral1/memory/2716-59-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/files/0x0006000000017223-68.dat	UPX
behavioral1/memory/2480-70-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/files/0x00060000000173f9-88.dat	UPX
behavioral1/files/0x000d000000018673-110.dat	UPX
behavioral1/files/0x0005000000018723-133.dat	UPX
behavioral1/files/0x0005000000018784-138.dat	UPX
behavioral1/files/0x000500000001871f-128.dat	UPX
behavioral1/files/0x000500000001870f-124.dat	UPX
behavioral1/files/0x000500000001870e-117.dat	UPX
behavioral1/memory/2520-114-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2604-109-0x000000013FDC0000-0x0000000140114000-memory.dmp	UPX
behavioral1/memory/2640-108-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/files/0x0006000000017577-92.dat	UPX
behavioral1/files/0x0014000000018668-103.dat	UPX
behavioral1/memory/2812-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2712-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/memory/1548-97-0x000000013F7B0000-0x000000013FB04000-memory.dmp	UPX
behavioral1/memory/2588-91-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2316-85-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/files/0x00060000000173f6-81.dat	UPX
behavioral1/memory/2260-78-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2716-140-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/1964-76-0x000000013F550000-0x000000013F8A4000-memory.dmp	UPX
behavioral1/files/0x00060000000173ca-73.dat	UPX
behavioral1/files/0x0009000000016d32-51.dat	UPX
behavioral1/memory/2604-56-0x000000013FDC0000-0x0000000140114000-memory.dmp	UPX
behavioral1/memory/2640-48-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/files/0x0007000000016d17-46.dat	UPX
behavioral1/memory/2812-42-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2712-40-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX
behavioral1/files/0x0007000000016c78-38.dat	UPX
behavioral1/memory/2588-36-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2560-31-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2952-28-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/memory/2896-22-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/2896-145-0x000000013FF80000-0x00000001402D4000-memory.dmp	UPX
behavioral1/memory/2952-147-0x000000013F420000-0x000000013F774000-memory.dmp	UPX
behavioral1/memory/2560-146-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2588-148-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2604-152-0x000000013FDC0000-0x0000000140114000-memory.dmp	UPX
behavioral1/memory/2716-151-0x000000013F460000-0x000000013F7B4000-memory.dmp	UPX
behavioral1/memory/2640-150-0x000000013F110000-0x000000013F464000-memory.dmp	UPX
behavioral1/memory/2812-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	UPX
behavioral1/memory/2480-153-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2260-154-0x000000013FDD0000-0x0000000140124000-memory.dmp	UPX
behavioral1/memory/2316-155-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/1548-156-0x000000013F7B0000-0x000000013FB04000-memory.dmp	UPX
behavioral1/memory/2520-157-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2712-158-0x000000013F370000-0x000000013F6C4000-memory.dmp	UPX

XMRig Miner payload 62 IoCs

miner

resource	yara_rule
behavioral1/memory/1964-0-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/files/0x000a000000012280-6.dat	xmrig
behavioral1/files/0x0037000000016581-11.dat	xmrig
behavioral1/files/0x0008000000016c6f-12.dat	xmrig
behavioral1/files/0x0007000000016cc1-23.dat	xmrig
behavioral1/files/0x0007000000016ceb-39.dat	xmrig
behavioral1/files/0x00060000000171d7-57.dat	xmrig
behavioral1/memory/2716-59-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000017223-68.dat	xmrig
behavioral1/memory/2480-70-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/files/0x00060000000173f9-88.dat	xmrig
behavioral1/files/0x000d000000018673-110.dat	xmrig
behavioral1/files/0x0005000000018723-133.dat	xmrig
behavioral1/files/0x0005000000018784-138.dat	xmrig
behavioral1/files/0x000500000001871f-128.dat	xmrig
behavioral1/files/0x000500000001870f-124.dat	xmrig
behavioral1/files/0x000500000001870e-117.dat	xmrig
behavioral1/memory/2520-114-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2604-109-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2640-108-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/files/0x0006000000017577-92.dat	xmrig
behavioral1/files/0x0014000000018668-103.dat	xmrig
behavioral1/memory/2812-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2712-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/memory/1548-97-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/2588-91-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2316-85-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/files/0x00060000000173f6-81.dat	xmrig
behavioral1/memory/2260-78-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/1964-77-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2716-140-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/1964-76-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/files/0x00060000000173ca-73.dat	xmrig
behavioral1/memory/1964-58-0x0000000002440000-0x0000000002794000-memory.dmp	xmrig
behavioral1/files/0x0009000000016d32-51.dat	xmrig
behavioral1/memory/2604-56-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2640-48-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d17-46.dat	xmrig
behavioral1/memory/2812-42-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2712-40-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016c78-38.dat	xmrig
behavioral1/memory/2588-36-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/1964-32-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2560-31-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2952-28-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/memory/2896-22-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/1964-142-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/1964-144-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2896-145-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2952-147-0x000000013F420000-0x000000013F774000-memory.dmp	xmrig
behavioral1/memory/2560-146-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2588-148-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2604-152-0x000000013FDC0000-0x0000000140114000-memory.dmp	xmrig
behavioral1/memory/2716-151-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/memory/2640-150-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2812-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2480-153-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2260-154-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2316-155-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/1548-156-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/2520-157-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2712-158-0x000000013F370000-0x000000013F6C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2896	vkiNOwV.exe
2952	FmUjhhp.exe
2560	hzKwysy.exe
2588	NMbsLIo.exe
2712	BJyQLEf.exe
2812	PyIOSRU.exe
2640	RvZqbzc.exe
2604	sfGqhey.exe
2716	BuctPhj.exe
2480	QFpVEFe.exe
2260	ncyClOK.exe
2316	AGYVbBl.exe
1548	vaTLMTF.exe
2520	lqDLHvy.exe
2488	kmgNODd.exe
1692	hqZPgpV.exe
1012	eBYjLJe.exe
340	iLRolyz.exe
564	NVKgaUe.exe
572	XXNDePD.exe
1196	VCigNOc.exe

Loads dropped DLL 21 IoCs

pid	Process
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1964-0-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/files/0x000a000000012280-6.dat	upx
behavioral1/files/0x0037000000016581-11.dat	upx
behavioral1/files/0x0008000000016c6f-12.dat	upx
behavioral1/files/0x0007000000016cc1-23.dat	upx
behavioral1/files/0x0007000000016ceb-39.dat	upx
behavioral1/files/0x00060000000171d7-57.dat	upx
behavioral1/memory/2716-59-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0006000000017223-68.dat	upx
behavioral1/memory/2480-70-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/files/0x00060000000173f9-88.dat	upx
behavioral1/files/0x000d000000018673-110.dat	upx
behavioral1/files/0x0005000000018723-133.dat	upx
behavioral1/files/0x0005000000018784-138.dat	upx
behavioral1/files/0x000500000001871f-128.dat	upx
behavioral1/files/0x000500000001870f-124.dat	upx
behavioral1/files/0x000500000001870e-117.dat	upx
behavioral1/memory/2520-114-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2604-109-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2640-108-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x0006000000017577-92.dat	upx
behavioral1/files/0x0014000000018668-103.dat	upx
behavioral1/memory/2812-99-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2712-98-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/memory/1548-97-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/2588-91-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2316-85-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/files/0x00060000000173f6-81.dat	upx
behavioral1/memory/2260-78-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2716-140-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/1964-76-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/files/0x00060000000173ca-73.dat	upx
behavioral1/files/0x0009000000016d32-51.dat	upx
behavioral1/memory/2604-56-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2640-48-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x0007000000016d17-46.dat	upx
behavioral1/memory/2812-42-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2712-40-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx
behavioral1/files/0x0007000000016c78-38.dat	upx
behavioral1/memory/2588-36-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2560-31-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2952-28-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/memory/2896-22-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2896-145-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2952-147-0x000000013F420000-0x000000013F774000-memory.dmp	upx
behavioral1/memory/2560-146-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2588-148-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2604-152-0x000000013FDC0000-0x0000000140114000-memory.dmp	upx
behavioral1/memory/2716-151-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/memory/2640-150-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/2812-149-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2480-153-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2260-154-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/2316-155-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/1548-156-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/2520-157-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2712-158-0x000000013F370000-0x000000013F6C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iLRolyz.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NVKgaUe.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vkiNOwV.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hzKwysy.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\PyIOSRU.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QFpVEFe.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kmgNODd.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hqZPgpV.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NMbsLIo.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\RvZqbzc.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lqDLHvy.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eBYjLJe.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FmUjhhp.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sfGqhey.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ncyClOK.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vaTLMTF.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XXNDePD.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BJyQLEf.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BuctPhj.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AGYVbBl.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VCigNOc.exe	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2896	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	29
PID 1964 wrote to memory of 2896	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	29
PID 1964 wrote to memory of 2896	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	29
PID 1964 wrote to memory of 2952	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	30
PID 1964 wrote to memory of 2952	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	30
PID 1964 wrote to memory of 2952	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	30
PID 1964 wrote to memory of 2560	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	31
PID 1964 wrote to memory of 2560	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	31
PID 1964 wrote to memory of 2560	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	31
PID 1964 wrote to memory of 2712	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	32
PID 1964 wrote to memory of 2712	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	32
PID 1964 wrote to memory of 2712	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	32
PID 1964 wrote to memory of 2588	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	33
PID 1964 wrote to memory of 2588	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	33
PID 1964 wrote to memory of 2588	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	33
PID 1964 wrote to memory of 2812	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	34
PID 1964 wrote to memory of 2812	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	34
PID 1964 wrote to memory of 2812	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	34
PID 1964 wrote to memory of 2640	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	35
PID 1964 wrote to memory of 2640	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	35
PID 1964 wrote to memory of 2640	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	35
PID 1964 wrote to memory of 2604	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	36
PID 1964 wrote to memory of 2604	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	36
PID 1964 wrote to memory of 2604	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	36
PID 1964 wrote to memory of 2716	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	37
PID 1964 wrote to memory of 2716	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	37
PID 1964 wrote to memory of 2716	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	37
PID 1964 wrote to memory of 2480	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	38
PID 1964 wrote to memory of 2480	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	38
PID 1964 wrote to memory of 2480	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	38
PID 1964 wrote to memory of 2260	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	39
PID 1964 wrote to memory of 2260	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	39
PID 1964 wrote to memory of 2260	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	39
PID 1964 wrote to memory of 2316	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	40
PID 1964 wrote to memory of 2316	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	40
PID 1964 wrote to memory of 2316	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	40
PID 1964 wrote to memory of 1548	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	41
PID 1964 wrote to memory of 1548	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	41
PID 1964 wrote to memory of 1548	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	41
PID 1964 wrote to memory of 2488	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	42
PID 1964 wrote to memory of 2488	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	42
PID 1964 wrote to memory of 2488	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	42
PID 1964 wrote to memory of 2520	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	43
PID 1964 wrote to memory of 2520	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	43
PID 1964 wrote to memory of 2520	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	43
PID 1964 wrote to memory of 1012	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	44
PID 1964 wrote to memory of 1012	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	44
PID 1964 wrote to memory of 1012	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	44
PID 1964 wrote to memory of 1692	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	45
PID 1964 wrote to memory of 1692	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	45
PID 1964 wrote to memory of 1692	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	45
PID 1964 wrote to memory of 340	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	46
PID 1964 wrote to memory of 340	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	46
PID 1964 wrote to memory of 340	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	46
PID 1964 wrote to memory of 564	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	47
PID 1964 wrote to memory of 564	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	47
PID 1964 wrote to memory of 564	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	47
PID 1964 wrote to memory of 572	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	48
PID 1964 wrote to memory of 572	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	48
PID 1964 wrote to memory of 572	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	48
PID 1964 wrote to memory of 1196	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	49
PID 1964 wrote to memory of 1196	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	49
PID 1964 wrote to memory of 1196	1964	2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_f9840cd71e714941e9d8e8a14d895154_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System\vkiNOwV.exe
  C:\Windows\System\vkiNOwV.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\FmUjhhp.exe
  C:\Windows\System\FmUjhhp.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\hzKwysy.exe
  C:\Windows\System\hzKwysy.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\BJyQLEf.exe
  C:\Windows\System\BJyQLEf.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\NMbsLIo.exe
  C:\Windows\System\NMbsLIo.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\PyIOSRU.exe
  C:\Windows\System\PyIOSRU.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\RvZqbzc.exe
  C:\Windows\System\RvZqbzc.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\sfGqhey.exe
  C:\Windows\System\sfGqhey.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\BuctPhj.exe
  C:\Windows\System\BuctPhj.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\QFpVEFe.exe
  C:\Windows\System\QFpVEFe.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\ncyClOK.exe
  C:\Windows\System\ncyClOK.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\AGYVbBl.exe
  C:\Windows\System\AGYVbBl.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\vaTLMTF.exe
  C:\Windows\System\vaTLMTF.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\kmgNODd.exe
  C:\Windows\System\kmgNODd.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\lqDLHvy.exe
  C:\Windows\System\lqDLHvy.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\eBYjLJe.exe
  C:\Windows\System\eBYjLJe.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\hqZPgpV.exe
  C:\Windows\System\hqZPgpV.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\iLRolyz.exe
  C:\Windows\System\iLRolyz.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\NVKgaUe.exe
  C:\Windows\System\NVKgaUe.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\XXNDePD.exe
  C:\Windows\System\XXNDePD.exe
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Windows\System\VCigNOc.exe
  C:\Windows\System\VCigNOc.exe
  2⤵
  - Executes dropped EXE
  PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AGYVbBl.exe

Filesize
5.9MB

MD5
070c0b666cffbaa0cbbc565f0b259e1a

SHA1
b573f6fd2741660335b3f1a95a96fcc8411d3193

SHA256
7ef2e962a9eda7692bb8321ab816bed3e399098bdbdab3e0e6ab70a9a5daa51f

SHA512
7a9835783691bff6022262a8496eabacaa528e6392323498b1e2ca6ae7e258e45912a813ecdd76bc90e12d2f8688eadcba5ee1dfc79c599ec59e19a4aeae713b

Download Submit
C:\Windows\system\BJyQLEf.exe

Filesize
5.9MB

MD5
437a2f0e32a1daf770d18974cd915157

SHA1
e3d275bae2e39c159ee9ac7af55056869c5c9135

SHA256
c324daac6ccbb9f7173423535a659e52be2de5c73311e9bb6b934021a42bf2f5

SHA512
daa108069b459ba3a2b4040f0f78f26d1b703dd9fc7158455d71dff564b3ea86d344871128610011bffaf9f7c3162be1f91dff467a9faedd7e86b33f02ef23e6

Download Submit
C:\Windows\system\BuctPhj.exe

Filesize
5.9MB

MD5
e359c7bc5cef88b427670ae297bd5b9e

SHA1
01f9fba6544f0504b2897261484c4ff205c7753e

SHA256
5eac697a25af0a34d155ebc4c14189b93ae25a3170147d12122ef4402718a270

SHA512
5393453ba4b858e232c55807b433551b15a65df47064f77c44da52f6392a89cc73dec3fe445320fdcd0952258a746677b5797abf60a38717c199fa7b017e29c8

Download Submit
C:\Windows\system\FmUjhhp.exe

Filesize
5.9MB

MD5
d4aa3c1e8715d6640d80cbd0b77bd7e2

SHA1
e24fb82449b3ef12aa6b01d4220ec0fca29630da

SHA256
8977e1255ba03b8621a1a72c0800e9f7d1838e9a47a9df84490ab2693973e799

SHA512
622a129f2a9b1b8966850ec43eaf85ee93d58444060f5a449e7ec68f1cc83290fe2e339e255e4762893bc57a73047eec4412e55d1dc560f0dcaf51b68ad2dbbd

Download Submit
C:\Windows\system\NVKgaUe.exe

Filesize
5.9MB

MD5
cb3a549ed3d0c13966dd1c424e17bdfa

SHA1
8eae0220b18747803f3664e13aff9249428ad01a

SHA256
5fff7326713573f7b43777366260b680adddaa325d1cf82c32fd33397f80e7da

SHA512
67e0648444941ef7614621150751078634749cae8b633cb10f30254181e88e94821970d1f9bc2b5d87bcfb3cf80e8fbe25e6cd53c8ce194b9cfdaf8a4abc4db4

Download Submit
C:\Windows\system\PyIOSRU.exe

Filesize
5.9MB

MD5
67c8b8fcbd807064457c414682d6ad9a

SHA1
39fbf171b21766dfbb7be6fed10051ac891a3853

SHA256
484d5751989cdfaab8cf682e2180a6547d3290bcc90426c01e85a9265de7a2c2

SHA512
34d776b891125ac65023f6ccf754852d17e83146ac904832cf5e759516464eb7c169e7c2b50e5e32ac4ac43787f16af69bed8bfaeda482a606d7ed6f9bf32e6a

Download Submit
C:\Windows\system\QFpVEFe.exe

Filesize
5.9MB

MD5
49a469ec36f6c8de98dbf56b665220f2

SHA1
249cb6730dea497517cd1fdf492dab2f4cba004d

SHA256
f0f28c4d55fe8ce1b2fd8ea92ae517b891aa5d7f6634a8accd591bcd48b7bc43

SHA512
b7d7afb5d6b4a8b3e9da11ab02178cab6240c73e6ea237ba1576dc3de5f817ebfd37fcf814d337975c6c7410389c27407c35f432fbd354c25f6cfdac0f9d4c38

Download Submit
C:\Windows\system\RvZqbzc.exe

Filesize
5.9MB

MD5
d5abacca84245965954b73befe6b74ce

SHA1
4a5613ac8d6dabf873458a4509dc7965d2bf4ca6

SHA256
7e92260839d43869062b0a5116064ae63173e110c2bbcaa8a8cec32032694c95

SHA512
118b88147eb30afdecc6a4eb3778d67a5c8f322c4727f240eba71ce3c31d74f90a3682cf1d2ca52ad50993aaddffa07f8e1f5b4937006273b5c240ab7ac91d8b

Download Submit
C:\Windows\system\VCigNOc.exe

Filesize
5.9MB

MD5
e18783e634a562d0d207ce1dd5471d93

SHA1
0f59c06d48f2de68006780dc30d3b1bec9f78eae

SHA256
b0eb4fa4542e32932fd3fd41353d09cde6f26217463046b9801f8316ede93a4c

SHA512
35f73d6b9d19ffde80000f616c2bb4a4de82ddf371a27f146322b981a51e4cfb436773baa9736337f7c7a6e5ee14012f6225e63514a08ccfa1d569663c231b94

Download Submit
C:\Windows\system\XXNDePD.exe

Filesize
5.9MB

MD5
5f3585a6409b704b2fe42de405c2119a

SHA1
7637ab7919bd86e8cef40915090cb24ba1b5d79b

SHA256
2dd0d391d14f83cbbe35fd7caf1ba2e323ecbb286453068dbdfe8ef66b360293

SHA512
33e1d1da4594846fd1ea113cc13732a30b1e743e43d379624cb392dd425772ef3e901115ee9bad882d148f46647585eb82599298c2fdf3c4ee3dab3c894576cf

Download Submit
C:\Windows\system\hqZPgpV.exe

Filesize
5.9MB

MD5
0485eb73e81d27355219461c0f117f47

SHA1
4a084f32fd2c87c8412c01fc4f87266c21c049ee

SHA256
91df99e92efa2dabbe7622fcc4dc6608c5062f65bc846918b217a3d8e2cb5b46

SHA512
222f4b85193b9045e7ff2e03f88bad8a4d2d34eb841cf17368082297e45d8534ea0efb6820b189d9ae26b52b0a3a39939e2c52f448fcb36bdf0c6aef7d4674d6

Download Submit
C:\Windows\system\iLRolyz.exe

Filesize
5.9MB

MD5
6f33f2d62e5bb6ffd6eacd34ff09bf4f

SHA1
74078a88204646503a8d73139f454365a305777e

SHA256
fee1819130e09d10b92a6eddb25a530820d4f1495f14b12341e7b963a03e0320

SHA512
4ecc0e595b46a902f71adf1b8b6be992b83e77934f551df1592e0212edba3fa58a0aad2ebd59617a37901eeaa847057dbc6500faeca18b976218678a07dd9269

Download Submit
C:\Windows\system\lqDLHvy.exe

Filesize
5.9MB

MD5
aa74e17ba62dfc3cff07a0f489ad81e1

SHA1
b02bee1e1d14bc4d5f3526e47b6526bfa6196079

SHA256
9c40dd9ebe1673d5b1fc6d57c30660c690d72264f38a25243bc7b926886cfbc8

SHA512
ebe77e3840f1b9861edd23901cdfd16f2adc2c9fd7ef6a8c4f4fbe05d15a0ec7dffed58d2458f1d131134042ecfb27582936ae3d0d01e46a220dd3deff9cc868

Download Submit
C:\Windows\system\ncyClOK.exe

Filesize
5.9MB

MD5
c2e4e2bd63c05485dcfdc751dd35a1d7

SHA1
872542c6827eb332eaad524b8992803497993411

SHA256
4df163eadbd922d7428f3e5f7b1094554bc0e8a0a486b978ab2a324fea56f0d3

SHA512
1aefb0fae94d05025153da76405a52d76472620550e2505e22774fb0bcb4bcc67ec20f307382039671bf63819f6f72606c851f8de3f6d73b7a9a8c6146c4e77f

Download Submit
C:\Windows\system\sfGqhey.exe

Filesize
5.9MB

MD5
5de47c88cb0d67f65b827d7594873579

SHA1
6626ffe175db52c0b3e2813d275499aebce40653

SHA256
79992f5c0b221d7165ac3fce485e303dca92238d3f45a78c359169feaaf58b55

SHA512
01331943cef58e72b940e4c5705df10f79b46bef0c149bf6567f228b718276b825faef82f45a0a014a5e620039ff23ad469f12cf709edf1bff500f25ffd5b233

Download Submit
C:\Windows\system\vaTLMTF.exe

Filesize
5.9MB

MD5
0ffc1d393ad20bea3ba5e7ea1e75e125

SHA1
2f685dd628a2e2533daf5494d950c2e146ada82a

SHA256
e9dc1a75f607712fc6500d4fc873bc0030e5334176a9bc9e2de6d34261dbc5a8

SHA512
4af3c6ddda5e08ddc0622776d10af75a92e61336ecef02c938660d0b96a98a44787a77fd36778df7e49f3f147253edc1165c3d10492132642fc566d222ff513e

Download Submit
C:\Windows\system\vkiNOwV.exe

Filesize
5.9MB

MD5
b785f14794b10a63f903af43db6b72bf

SHA1
e2e02b4b4592644b72a6570d6330a452ac12d4ad

SHA256
2e40e11af47ce12541582c183a609f96710f27b4526b71be445180fc9ced23d4

SHA512
05180e19a51aa23a98ed830e0b60184ff00edfbd64b683b7dfd0fa1054ce61603057c206c75b93d0593c05a91965df922ec1a5aeae7c5fe41aa53f4bed175cb8

Download Submit
\Windows\system\NMbsLIo.exe

Filesize
5.9MB

MD5
80cb5aac96c351e7406a5de4096e328c

SHA1
c045893c57f5560735dd5dcff6c3c3dcbc7a2339

SHA256
0b5c7c4822bfb8d1be2cfcfb6cc755dc8d6d52b479458936c5a9482db6e3b4fc

SHA512
705a9d5cd8e887ae0eaed27a6b983a4efd4c826efe367cf8636dc7bbca993ca0004e5b26585974637bbe7645db7f5d0a28d927763c12cdc9e9e8e0233fdf8cb6

Download Submit
\Windows\system\eBYjLJe.exe

Filesize
5.9MB

MD5
24312aa68a4f26b97733d5a3d84d5774

SHA1
c751a7de91b15316915e75ccacde299dfb70b981

SHA256
13ece794b688fb06b3893b174e4d39b77028c9c5da5165109ef5011a3fe7d71e

SHA512
f421c9c2da8ffda4b555e1289781e3eae0ef6ed11a2f9bebd1da40c8cf8977467e0f698eb7cf186f59dce28bf4f42a5abbb571a775a0be24ad9215817145369e

Download Submit
\Windows\system\hzKwysy.exe

Filesize
5.9MB

MD5
c2a6b930477707c534a8bdd0a7161e2b

SHA1
ddaada46c1ac3bce2afc81b7fac1ada5ae098d6c

SHA256
72c6181e55b92df167c3d1945ed9bf40c11e82cf4f797845333dfc901cbeec8c

SHA512
0ab42cbbd11cbf621b799c875ea1740b01a5dbcc15d1b6fcdb79c8108bd16736db7e109cdb64b958b2a7a3b26221340ce52c549da0b954743855b75b317a07c8

Download Submit
\Windows\system\kmgNODd.exe

Filesize
5.9MB

MD5
b6ec92d59ef7e74ee66fdbb895f68a80

SHA1
594d1dee465492dcd3c0a59900d07b5f59d6c377

SHA256
afd16497fda0bb362e776644d45184ad0662371caa3b3a4d98b108ca89236398

SHA512
c19cc2fcb9af68c61d9ae7499c9ddf4870fae2e16127c4bd7f9fa6c3ade95b0fb00dc37b2f5c781eb82ad89145a0c376ed99fbd613ad15e50fe922ca4d4c0551

Download Submit
memory/1548-156-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/1548-97-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/1964-101-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-30-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/1964-100-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/1964-34-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-144-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/1964-95-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-143-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1964-84-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-33-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-32-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-77-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1964-142-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/1964-76-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-47-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1964-67-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1964-58-0x0000000002440000-0x0000000002794000-memory.dmp

Filesize
3.3MB

Download
memory/1964-0-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-17-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-35-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2260-78-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2260-154-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2316-155-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2316-85-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2480-70-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2480-153-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2520-114-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-157-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-146-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2560-31-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2588-36-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-91-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2588-148-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2604-109-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2604-56-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2604-152-0x000000013FDC0000-0x0000000140114000-memory.dmp

Filesize
3.3MB

Download
memory/2640-108-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2640-150-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2640-48-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2712-158-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2712-98-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2712-40-0x000000013F370000-0x000000013F6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-59-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-140-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-151-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-42-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2812-149-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2812-99-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2896-22-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2896-145-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2952-147-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download
memory/2952-28-0x000000013F420000-0x000000013F774000-memory.dmp

Filesize
3.3MB

Download