cobaltstrike | 88909c0fdc0214900875b173069bf07c0ba2e3d58de86928dd63951ac8cd271a

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
03/06/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

878800fd686a8d28ba493b3362adfb71
SHA1

2e1964110be0b63836ea0fb91ff4c456cc84f32e
SHA256

88909c0fdc0214900875b173069bf07c0ba2e3d58de86928dd63951ac8cd271a
SHA512

ef64b35dd0a641592c01b9e306b293d58949fd1711d201698d068e0b7800effe9a380d74c39d347ff8219b223ccb8157933f52efc58f233c8c4b71ce325a43a9
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUA:Q+856utgpPF8u/7A

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001225d-3.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000015d42-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015f54-11.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000160f3-25.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000015d72-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016133-35.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000162cc-43.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000165d4-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d3b-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d44-63.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d55-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4c-76.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d68-87.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d78-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016da0-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd1-129.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000171ba-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dc8-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016db2-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d70-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6c-97.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001225d-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000015d42-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015f54-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000160f3-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0036000000015d72-29.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016133-35.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000162cc-43.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00090000000165d4-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016d3b-58.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d44-63.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d55-81.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4c-76.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d68-87.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d78-109.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016da0-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016dd1-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000171ba-132.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016dc8-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016db2-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d70-104.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d6c-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 59 IoCs

resource	yara_rule
behavioral1/memory/108-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/files/0x000b00000001225d-3.dat	UPX
behavioral1/memory/2416-8-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/files/0x0036000000015d42-9.dat	UPX
behavioral1/memory/2556-13-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/files/0x0008000000015f54-11.dat	UPX
behavioral1/memory/2276-21-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/files/0x00070000000160f3-25.dat	UPX
behavioral1/memory/2672-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/files/0x0036000000015d72-29.dat	UPX
behavioral1/files/0x0007000000016133-35.dat	UPX
behavioral1/memory/2624-34-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2492-41-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/files/0x00070000000162cc-43.dat	UPX
behavioral1/memory/108-46-0x000000013FBF0000-0x000000013FF44000-memory.dmp	UPX
behavioral1/files/0x00090000000165d4-47.dat	UPX
behavioral1/memory/2732-55-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2696-56-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/files/0x0007000000016d3b-58.dat	UPX
behavioral1/memory/2556-62-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/files/0x0006000000016d44-63.dat	UPX
behavioral1/memory/2252-77-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/files/0x0006000000016d55-81.dat	UPX
behavioral1/memory/2356-86-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/files/0x0006000000016d4c-76.dat	UPX
behavioral1/files/0x0006000000016d68-87.dat	UPX
behavioral1/memory/2624-88-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/1232-99-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2492-98-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/1464-94-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/files/0x0006000000016d78-109.dat	UPX
behavioral1/files/0x0006000000016da0-114.dat	UPX
behavioral1/files/0x0006000000016dd1-129.dat	UPX
behavioral1/files/0x00060000000171ba-132.dat	UPX
behavioral1/files/0x0006000000016dc8-124.dat	UPX
behavioral1/files/0x0006000000016db2-119.dat	UPX
behavioral1/files/0x0006000000016d70-104.dat	UPX
behavioral1/files/0x0006000000016d6c-97.dat	UPX
behavioral1/memory/2276-72-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/2892-71-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2584-70-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/2892-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2252-139-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2356-140-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/1232-141-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX
behavioral1/memory/2416-142-0x000000013FA80000-0x000000013FDD4000-memory.dmp	UPX
behavioral1/memory/2556-143-0x000000013F140000-0x000000013F494000-memory.dmp	UPX
behavioral1/memory/2276-144-0x000000013FD30000-0x0000000140084000-memory.dmp	UPX
behavioral1/memory/2672-145-0x000000013FAC0000-0x000000013FE14000-memory.dmp	UPX
behavioral1/memory/2624-146-0x000000013FFF0000-0x0000000140344000-memory.dmp	UPX
behavioral1/memory/2492-147-0x000000013FF30000-0x0000000140284000-memory.dmp	UPX
behavioral1/memory/2696-148-0x000000013FE30000-0x0000000140184000-memory.dmp	UPX
behavioral1/memory/2732-149-0x000000013F480000-0x000000013F7D4000-memory.dmp	UPX
behavioral1/memory/2584-150-0x000000013FAD0000-0x000000013FE24000-memory.dmp	UPX
behavioral1/memory/2892-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	UPX
behavioral1/memory/2252-152-0x000000013FC10000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2356-153-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/1464-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/1232-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp	UPX

XMRig Miner payload 61 IoCs

miner

resource	yara_rule
behavioral1/memory/108-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/files/0x000b00000001225d-3.dat	xmrig
behavioral1/memory/2416-8-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/files/0x0036000000015d42-9.dat	xmrig
behavioral1/memory/2556-13-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/files/0x0008000000015f54-11.dat	xmrig
behavioral1/memory/2276-21-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/files/0x00070000000160f3-25.dat	xmrig
behavioral1/memory/2672-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/files/0x0036000000015d72-29.dat	xmrig
behavioral1/files/0x0007000000016133-35.dat	xmrig
behavioral1/memory/2624-34-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2492-41-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/files/0x00070000000162cc-43.dat	xmrig
behavioral1/memory/108-46-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/files/0x00090000000165d4-47.dat	xmrig
behavioral1/memory/2732-55-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2696-56-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d3b-58.dat	xmrig
behavioral1/memory/2556-62-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d44-63.dat	xmrig
behavioral1/memory/2252-77-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d55-81.dat	xmrig
behavioral1/memory/2356-86-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4c-76.dat	xmrig
behavioral1/files/0x0006000000016d68-87.dat	xmrig
behavioral1/memory/108-89-0x00000000022D0000-0x0000000002624000-memory.dmp	xmrig
behavioral1/memory/2624-88-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/1232-99-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2492-98-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/1464-94-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d78-109.dat	xmrig
behavioral1/files/0x0006000000016da0-114.dat	xmrig
behavioral1/files/0x0006000000016dd1-129.dat	xmrig
behavioral1/files/0x00060000000171ba-132.dat	xmrig
behavioral1/files/0x0006000000016dc8-124.dat	xmrig
behavioral1/files/0x0006000000016db2-119.dat	xmrig
behavioral1/files/0x0006000000016d70-104.dat	xmrig
behavioral1/files/0x0006000000016d6c-97.dat	xmrig
behavioral1/memory/2276-72-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2892-71-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2584-70-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/108-136-0x00000000022D0000-0x0000000002624000-memory.dmp	xmrig
behavioral1/memory/2892-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2252-139-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2356-140-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/1232-141-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2416-142-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2556-143-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2276-144-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2672-145-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2624-146-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2492-147-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2696-148-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2732-149-0x000000013F480000-0x000000013F7D4000-memory.dmp	xmrig
behavioral1/memory/2584-150-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2892-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2252-152-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2356-153-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/1464-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/1232-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2416	FcszHwC.exe
2556	sQtrHfk.exe
2276	OqXxKDg.exe
2672	TvytNWs.exe
2624	VgFZpYn.exe
2492	xHdtWeu.exe
2696	aWtYzLO.exe
2732	TLEbvCp.exe
2584	IoNthbZ.exe
2892	dRoxliu.exe
2252	EMEbXqT.exe
2356	GIKdRgM.exe
1464	LXCxlob.exe
1232	CFbTQVt.exe
1384	tynCeKo.exe
1528	HMCsdpc.exe
956	HlTNAiw.exe
1564	zptYZiS.exe
2372	ikyVlxt.exe
1680	gkgJSwG.exe
2564	xYAjYYy.exe

Loads dropped DLL 21 IoCs

pid	Process
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/108-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/files/0x000b00000001225d-3.dat	upx
behavioral1/memory/2416-8-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/files/0x0036000000015d42-9.dat	upx
behavioral1/memory/2556-13-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/files/0x0008000000015f54-11.dat	upx
behavioral1/memory/2276-21-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/files/0x00070000000160f3-25.dat	upx
behavioral1/memory/2672-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/files/0x0036000000015d72-29.dat	upx
behavioral1/files/0x0007000000016133-35.dat	upx
behavioral1/memory/2624-34-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2492-41-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/files/0x00070000000162cc-43.dat	upx
behavioral1/memory/108-46-0x000000013FBF0000-0x000000013FF44000-memory.dmp	upx
behavioral1/files/0x00090000000165d4-47.dat	upx
behavioral1/memory/2732-55-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2696-56-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/files/0x0007000000016d3b-58.dat	upx
behavioral1/memory/2556-62-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/files/0x0006000000016d44-63.dat	upx
behavioral1/memory/2252-77-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/files/0x0006000000016d55-81.dat	upx
behavioral1/memory/2356-86-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/files/0x0006000000016d4c-76.dat	upx
behavioral1/files/0x0006000000016d68-87.dat	upx
behavioral1/memory/2624-88-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/1232-99-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2492-98-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/1464-94-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/files/0x0006000000016d78-109.dat	upx
behavioral1/files/0x0006000000016da0-114.dat	upx
behavioral1/files/0x0006000000016dd1-129.dat	upx
behavioral1/files/0x00060000000171ba-132.dat	upx
behavioral1/files/0x0006000000016dc8-124.dat	upx
behavioral1/files/0x0006000000016db2-119.dat	upx
behavioral1/files/0x0006000000016d70-104.dat	upx
behavioral1/files/0x0006000000016d6c-97.dat	upx
behavioral1/memory/2276-72-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2892-71-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2584-70-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2892-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2252-139-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2356-140-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/1232-141-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2416-142-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2556-143-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2276-144-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2672-145-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2624-146-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2492-147-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2696-148-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/2732-149-0x000000013F480000-0x000000013F7D4000-memory.dmp	upx
behavioral1/memory/2584-150-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2892-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2252-152-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2356-153-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/1464-154-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/1232-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zptYZiS.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xYAjYYy.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TvytNWs.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IoNthbZ.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EMEbXqT.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GIKdRgM.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\FcszHwC.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TLEbvCp.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aWtYzLO.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HlTNAiw.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gkgJSwG.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sQtrHfk.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xHdtWeu.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CFbTQVt.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HMCsdpc.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tynCeKo.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ikyVlxt.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OqXxKDg.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\VgFZpYn.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dRoxliu.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LXCxlob.exe	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2416	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	29
PID 108 wrote to memory of 2416	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	29
PID 108 wrote to memory of 2416	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	29
PID 108 wrote to memory of 2556	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	30
PID 108 wrote to memory of 2556	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	30
PID 108 wrote to memory of 2556	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	30
PID 108 wrote to memory of 2276	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	31
PID 108 wrote to memory of 2276	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	31
PID 108 wrote to memory of 2276	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	31
PID 108 wrote to memory of 2672	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	32
PID 108 wrote to memory of 2672	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	32
PID 108 wrote to memory of 2672	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	32
PID 108 wrote to memory of 2624	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	33
PID 108 wrote to memory of 2624	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	33
PID 108 wrote to memory of 2624	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	33
PID 108 wrote to memory of 2492	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	34
PID 108 wrote to memory of 2492	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	34
PID 108 wrote to memory of 2492	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	34
PID 108 wrote to memory of 2732	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	35
PID 108 wrote to memory of 2732	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	35
PID 108 wrote to memory of 2732	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	35
PID 108 wrote to memory of 2696	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	36
PID 108 wrote to memory of 2696	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	36
PID 108 wrote to memory of 2696	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	36
PID 108 wrote to memory of 2584	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	37
PID 108 wrote to memory of 2584	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	37
PID 108 wrote to memory of 2584	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	37
PID 108 wrote to memory of 2892	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	38
PID 108 wrote to memory of 2892	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	38
PID 108 wrote to memory of 2892	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	38
PID 108 wrote to memory of 2252	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	39
PID 108 wrote to memory of 2252	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	39
PID 108 wrote to memory of 2252	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	39
PID 108 wrote to memory of 2356	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	40
PID 108 wrote to memory of 2356	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	40
PID 108 wrote to memory of 2356	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	40
PID 108 wrote to memory of 1464	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	41
PID 108 wrote to memory of 1464	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	41
PID 108 wrote to memory of 1464	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	41
PID 108 wrote to memory of 1232	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	42
PID 108 wrote to memory of 1232	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	42
PID 108 wrote to memory of 1232	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	42
PID 108 wrote to memory of 1384	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	43
PID 108 wrote to memory of 1384	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	43
PID 108 wrote to memory of 1384	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	43
PID 108 wrote to memory of 1528	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	44
PID 108 wrote to memory of 1528	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	44
PID 108 wrote to memory of 1528	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	44
PID 108 wrote to memory of 956	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	45
PID 108 wrote to memory of 956	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	45
PID 108 wrote to memory of 956	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	45
PID 108 wrote to memory of 1564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	46
PID 108 wrote to memory of 1564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	46
PID 108 wrote to memory of 1564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	46
PID 108 wrote to memory of 2372	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	47
PID 108 wrote to memory of 2372	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	47
PID 108 wrote to memory of 2372	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	47
PID 108 wrote to memory of 1680	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	48
PID 108 wrote to memory of 1680	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	48
PID 108 wrote to memory of 1680	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	48
PID 108 wrote to memory of 2564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	49
PID 108 wrote to memory of 2564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	49
PID 108 wrote to memory of 2564	108	2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-03_878800fd686a8d28ba493b3362adfb71_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\System\FcszHwC.exe
  C:\Windows\System\FcszHwC.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\sQtrHfk.exe
  C:\Windows\System\sQtrHfk.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\OqXxKDg.exe
  C:\Windows\System\OqXxKDg.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\TvytNWs.exe
  C:\Windows\System\TvytNWs.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\VgFZpYn.exe
  C:\Windows\System\VgFZpYn.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\xHdtWeu.exe
  C:\Windows\System\xHdtWeu.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\TLEbvCp.exe
  C:\Windows\System\TLEbvCp.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\aWtYzLO.exe
  C:\Windows\System\aWtYzLO.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\IoNthbZ.exe
  C:\Windows\System\IoNthbZ.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\dRoxliu.exe
  C:\Windows\System\dRoxliu.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\EMEbXqT.exe
  C:\Windows\System\EMEbXqT.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\GIKdRgM.exe
  C:\Windows\System\GIKdRgM.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\LXCxlob.exe
  C:\Windows\System\LXCxlob.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\CFbTQVt.exe
  C:\Windows\System\CFbTQVt.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\tynCeKo.exe
  C:\Windows\System\tynCeKo.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\HMCsdpc.exe
  C:\Windows\System\HMCsdpc.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\HlTNAiw.exe
  C:\Windows\System\HlTNAiw.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System\zptYZiS.exe
  C:\Windows\System\zptYZiS.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\ikyVlxt.exe
  C:\Windows\System\ikyVlxt.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\gkgJSwG.exe
  C:\Windows\System\gkgJSwG.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\xYAjYYy.exe
  C:\Windows\System\xYAjYYy.exe
  2⤵
  - Executes dropped EXE
  PID:2564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CFbTQVt.exe

Filesize
5.9MB

MD5
26b42d401d849950ea45715ac4c2b027

SHA1
3b68bcaff2fa236ac103c8399675ccd9504b6ab3

SHA256
1cc669c32e4c663b979e49912b534b22f1eba3743e059626d35801256d77a18d

SHA512
3fec41d682c51d0cfaa560813c8345bb3a7bdb5fa9be03d6a8e138caf0ae25461b82c0e316bdedd9deac5d47cf5cc0d046a0995d4990dc74173d24d3fa5e260a

Download Submit
C:\Windows\system\EMEbXqT.exe

Filesize
5.9MB

MD5
b5bddfde55806fe4c90cb8162b2c2d63

SHA1
fe2ba5b285a272e25a427e74ec5cd5acff9f2cdc

SHA256
69e42b5138fd29f4bab116432d15b64a9456dfde25471a70cfff07859f8819d9

SHA512
f38800b6318ded2d906cd93b73ed82c07f5c504ccae4abd684022bd56984589aee7edde819d4ca4dedcc1c9176225f7e934428afe93108ef7181ca155ec3749e

Download Submit
C:\Windows\system\GIKdRgM.exe

Filesize
5.9MB

MD5
6ed08d68ca0ebe16d99a990791d4b797

SHA1
5a179f9de2cc1cc7acb7c66d62736add78dcc859

SHA256
f538b2e401770b788008ef3d3fc96a580c6504da900b14639b45dbc63fd02050

SHA512
869d4092d7e56a59c4277953c52a0fb94be71a9bdb9e9ce663b34a7a991cdbba3bf568cb03a76eaf3a75908e9a5ebd996183a68e3231e5658e2411ec543c011c

Download Submit
C:\Windows\system\HMCsdpc.exe

Filesize
5.9MB

MD5
0cf7caff4bda9fe68d01ca1deaf783d8

SHA1
abdd14bfb2de87b361afde52330d9ac2968baa23

SHA256
2d3b194ff6881fe4143e756e6cef6838b18a3ca37f39167257466df75294c3fa

SHA512
75103ca49b60617aa2b86570adc4096ab640639bd4f2d85208ac5231ce5367e956452a7fe38d12b80e3177102b0e9ab2e481cedea176ac3bf1cf71c7cfbf73d6

Download Submit
C:\Windows\system\HlTNAiw.exe

Filesize
5.9MB

MD5
f6b84cedf07c965fd2cc871e778f1458

SHA1
5b2cb6125d90976dbd200bb41d02b3806abc7c0c

SHA256
3aaebc11c26c20cb9c974b7c79de825d580fa3176d5f138a4319d4a013812efd

SHA512
98f7bb98c7d3c08268fd7f528fbaeaa809e91ea29a380009a8e64166ff66f614837a288fcce1f0ec0b7c041f9282a81c8d00a4946e6ef632b9b59b460caccb59

Download Submit
C:\Windows\system\OqXxKDg.exe

Filesize
5.9MB

MD5
b21f15c9da1834a0ba7ba691247f054c

SHA1
90ec38a321e54815988172cde0d9fc9379e1563e

SHA256
8b015492a23b01d17f54f4c52ffc19630648662a37943f594210cf4cc923eb95

SHA512
6ad7600800a5e44f0e0662f906694079ce554570beb5659c3e4637675fba812dac0aeb9133b4acebe8ea6bd02a8f28790899bc363a69ac36c6ee24130373d981

Download Submit
C:\Windows\system\TvytNWs.exe

Filesize
5.9MB

MD5
21a6949a565b76fe45b7b47faf243c62

SHA1
48ab0c65430ca971a2ad9671550ccc5c9b935cb3

SHA256
d202cc325112ed94fae84246d2a4b9e35277c853922cb6d7141273f851888b16

SHA512
592439ab832873b944112447223c8ee418734f65aeba64c18e168df19c8ff6772e84a3da1889a20cba42ebdf35b235eb027b4c47557feb2f4b207e42b47ead3e

Download Submit
C:\Windows\system\gkgJSwG.exe

Filesize
5.9MB

MD5
c80600396a2b8d59fc494a1f541c3284

SHA1
d396e72e45cc3cd40cc641de6a93ef65cea85538

SHA256
ebb23baa603ed6b637c015f3a6e732d81e0ddb5e796c8cac758c2185c7790b7e

SHA512
3dc8ea3f7a1f225b4dff3c8c3b474a447380d5da5bb291dbedc7408e6f13cfb03fbad27ebb86e06a9f4a20cb10a0ed19d4eb2bcdfe27c8b70cb8e8904dee34e0

Download Submit
C:\Windows\system\ikyVlxt.exe

Filesize
5.9MB

MD5
219d238e8733a39d8a2836735b22379d

SHA1
3e8c38740fa995e1bf0833e7f6426def344179ed

SHA256
7f9cd06a164a8ba8102173fc749dc95fd99bf3005e7bae39a379c8328d60ab42

SHA512
d790c3180f58fcd6c1143c9e1b80012d25d1453b86c0ac08019920281b37a712f7bb2e1b97faec182ca0db49694ec9455243d0af3dc66c121fabdc7145ae56e3

Download Submit
C:\Windows\system\tynCeKo.exe

Filesize
5.9MB

MD5
6c5a4afcf3182adb7f0bb5b9b841e8b7

SHA1
74ded17b2b53f55042682940db6f4e6510767b33

SHA256
9c7be005b204ea9002e4c110825c9eafdbe9ceb4b05f61376076838c5f91eb95

SHA512
6874a55777818e253fa9961dacd54dcd896b56af58ba5ca6ca0dfdeb39b2fa8ea5780c1c3bc6b9162b1d973bd6fb3f4187bb54e011d445ba45c7021c1d1e2a8b

Download Submit
C:\Windows\system\zptYZiS.exe

Filesize
5.9MB

MD5
712e3b6fedcae978e640e3a2671c3f00

SHA1
3392ce1ae5e28813862626d1e8f65ffa18b6cc2d

SHA256
b2efd30430e9dbf28ca4d66dedb90c128403146c4af75bdf1f512a82ac358027

SHA512
09e9e8796fb2155eecaa073f7654e6cf9313280dea4bb3ab6c888254eb9f4159066b6c6f47d8e46fe6e40b90b8eb443f00c96b6f99cf77f4f7d0e8814802e7c8

Download Submit
\Windows\system\FcszHwC.exe

Filesize
5.9MB

MD5
b1969126a27d1888b27c4a5bb25be4f1

SHA1
f4994386ee24339610e68e86257de7876619db82

SHA256
aee2ecb32e62d481f1db45039eccf32870a9ff4c7073de5b22725acf324a5a4b

SHA512
eecbc4ca0d48f037392eebaf790125b7a8fd184a394005bbe908df4623785236ac0d9871fdcf950ff6c922a1443ae3fe5249a367bf4e03659ac9c348e7c33c85

Download Submit
\Windows\system\IoNthbZ.exe

Filesize
5.9MB

MD5
9732a46d32b720b9304b581d0f1c5573

SHA1
815649b536e35f575e2a07d7d9a9edbe6bc70d8a

SHA256
0a43148fc0b15e465173569a43fb2fdb4264aaf235ff9045c832789f7812278a

SHA512
afa42ae9b7ae256d6db3d3e166805eb4dc7b891c919a53913069bdb735fde5586cd9cf7b088cf9957a94d8e0e89fc4cb8fba21f45615e41ce1fe60da3d78cb63

Download Submit
\Windows\system\LXCxlob.exe

Filesize
5.9MB

MD5
ab3fd5a6872f5e427554ed0823a7e4d6

SHA1
f371c78446aef6d2e61a88a4c19bc17b1890e6fc

SHA256
feee18b5496206a62b85d9c73bf43f4076562c94e22fa98e6248956597a509d6

SHA512
bd09b2cd9dd5d02ec3851bf6c5a1238d48a097e996a04e4524c3471e298a88a765a042060f051f9c1ad00abad3199b28317dfccd41b12cc9be99b14f11661f53

Download Submit
\Windows\system\TLEbvCp.exe

Filesize
5.9MB

MD5
ee46ce1d43f246f5d4d8bbeb96a4de3c

SHA1
f4323a5898c4b7ae8253718f9aa893168582c1bb

SHA256
5a81a54765a1cc13c557a45f37638ab46d7c2a0acc1bdce44bc59dbed36e6821

SHA512
92054e1cf03138c3824a0a502e7547f0109cdaeb53cd97b8d5332520231e19a08f43e213daf5ca051bb9cafc05ddacacf0896519d7c37f50c4953c8561f5d035

Download Submit
\Windows\system\VgFZpYn.exe

Filesize
5.9MB

MD5
53eff6c771b6594c07e27461757e6c14

SHA1
d58b4646e4e24c3de8973eebe9c9e3f263d86937

SHA256
08fe0f348390f438bfbdb83bab640659a91b5164f79948b25b310e93c7b84c37

SHA512
fdc21ac04b735441f8dca9691c06a5424c9cc9cbe786b22b9790196257ddaa5cb4fcd73df4deb5779a96058629ed2a0ab321d5d468ce0b4d45cf227d742f2226

Download Submit
\Windows\system\aWtYzLO.exe

Filesize
5.9MB

MD5
a93b0bfb6014b44b99fe0e6daaa39b3b

SHA1
ba4f30eea4bf084a6b14c8aadcce8a086fbc2c23

SHA256
5d32f7be9f5ce50206e51a8e852005ebfcee6df305778535116789655c7ca80c

SHA512
5d6045f64ef56269cc027258ab192a65791680b1bf430a1c406eb4c9d9a054f1b72c1b5a55a3e7d684abdad186d518736a006dc49b40ef0da09c5567ef77566f

Download Submit
\Windows\system\dRoxliu.exe

Filesize
5.9MB

MD5
4dd3508fcacaed10a8809f368b5f76ee

SHA1
bed92f56b935a5052ba88d456ed78e59c545af7d

SHA256
ca3ba9596932326f884c16467e25923c9f5d143132397500c91706d978805439

SHA512
0fa5249db56c83e3d89f6bfe5ad49b89e5e230478661cef471c3b07a06715260541a0a0913b5ce711f0048a08deb9d811485fe24ee90b4a3927d9f6a333462c2

Download Submit
\Windows\system\sQtrHfk.exe

Filesize
5.9MB

MD5
c8dde5501ce57fe2de982a1c9194c4de

SHA1
2e7b3db55fbce548a0ab76b8e591a21d142f6e6a

SHA256
ed8c12d40e22586305e5d9c67189c3dd0f1f2772c96bc3423acfc83ad5ca7236

SHA512
168f76d1f907c9219198be2973f9f65ec38749fbfc78e20ab0ebb81b1efb7e7f404b493c4e1a2a39c87f8dd31fe1d615a74df22ad755e47f1a39a9306801c1b6

Download Submit
\Windows\system\xHdtWeu.exe

Filesize
5.9MB

MD5
9e781e602661452dd2e8c05eba43fbaf

SHA1
2183dac44a45642583bcb48024bcdc443f57aa6d

SHA256
06070ec563d350e07eac0b1f4006341cdbcfffec70fb46d09085a3416918b601

SHA512
249fc5fb2d3a31cfcf1be21f0be8de97bd0117beabf0d478e750cbe1bfa493519abe844ad387b3b15aca886556f0de100f022d475740b8417305e940ed082b8d

Download Submit
\Windows\system\xYAjYYy.exe

Filesize
5.9MB

MD5
3af6bf8f11290d366a23676d80b80d48

SHA1
5f35801a4c1b57cc6dda1a3a4e85eeceeda86a3e

SHA256
d20ed9b033c5ee45f417b72702f17ca8b4a63cb6b41698edb131ea5f7977a981

SHA512
0564af54213bb8b0e27cc70f043128bcf76036b706db7f4043d1c05adddaa57e7d35df1b1285a567a54ac44b4a55035e4e847f714fe8118c2254c796b634faca

Download Submit
memory/108-27-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-74-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-46-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/108-54-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-38-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-19-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-75-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-57-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/108-136-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-84-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-32-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/108-138-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/108-89-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/108-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/1232-99-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1232-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1232-141-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-94-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/1464-154-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-139-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2252-77-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2252-152-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2276-144-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2276-21-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2276-72-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2356-86-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2356-153-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2356-140-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2416-8-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-142-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-98-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2492-147-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2492-41-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2556-13-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2556-62-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2556-143-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2584-150-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2584-70-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2624-34-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2624-88-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2624-146-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2672-145-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2672-28-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2696-148-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2696-56-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2732-149-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-55-0x000000013F480000-0x000000013F7D4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-137-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2892-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2892-71-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download