cobaltstrike | 00bdc6a8775359e6cf3ddcd7f5cf77c1bc540c5dd21cb009feacd2b835c298d1

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

eed2129441315e3ed01649605566e6a8
SHA1

c141bfb026e3de54aaf7e66ae4a95e7d1b70248b
SHA256

00bdc6a8775359e6cf3ddcd7f5cf77c1bc540c5dd21cb009feacd2b835c298d1
SHA512

37bb98059e3fb870212fe418343057dd9e89e9a6545c3b63ebc8455a16415c110583cdd1b1b0ccc4773db7fd81d2bb0f653d850d5db6d7ce530a1621661f96eb
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUu:Q+856utgpPF8u/7u

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001226d-5.dat	cobalt_reflective_dll
behavioral1/files/0x00350000000149d0-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015038-9.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001538e-26.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000153fd-33.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001562c-47.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015b63-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d97-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016448-108.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000165d4-116.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016133-101.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f54-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015fd4-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016824-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016572-113.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000162cc-107.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000160f3-99.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000014b18-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015de5-75.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d72-60.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001542b-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001226d-5.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00350000000149d0-10.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015038-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001538e-26.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000153fd-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001562c-47.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015b63-54.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015d97-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016448-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000165d4-116.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016133-101.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f54-94.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015fd4-90.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016824-121.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016572-113.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000162cc-107.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000160f3-99.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0035000000014b18-84.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015de5-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015d72-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000700000001542b-40.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral1/memory/1704-0-0x000000013FEC0000-0x0000000140214000-memory.dmp	UPX
behavioral1/files/0x000b00000001226d-5.dat	UPX
behavioral1/files/0x00350000000149d0-10.dat	UPX
behavioral1/memory/2828-15-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/2892-13-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/files/0x0008000000015038-9.dat	UPX
behavioral1/memory/1256-22-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/files/0x000700000001538e-26.dat	UPX
behavioral1/files/0x00070000000153fd-33.dat	UPX
behavioral1/files/0x000700000001562c-47.dat	UPX
behavioral1/memory/2724-50-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/files/0x0008000000015b63-54.dat	UPX
behavioral1/memory/2676-57-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2832-64-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/files/0x0006000000015d97-67.dat	UPX
behavioral1/memory/1256-80-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/files/0x0006000000016448-108.dat	UPX
behavioral1/files/0x00060000000165d4-116.dat	UPX
behavioral1/files/0x0006000000016133-101.dat	UPX
behavioral1/files/0x0006000000015f54-94.dat	UPX
behavioral1/memory/2356-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX
behavioral1/memory/2768-128-0x000000013F870000-0x000000013FBC4000-memory.dmp	UPX
behavioral1/files/0x0006000000015fd4-90.dat	UPX
behavioral1/files/0x0006000000016824-121.dat	UPX
behavioral1/files/0x0006000000016572-113.dat	UPX
behavioral1/files/0x00060000000162cc-107.dat	UPX
behavioral1/files/0x00060000000160f3-99.dat	UPX
behavioral1/memory/2876-89-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2744-87-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/712-85-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/files/0x0035000000014b18-84.dat	UPX
behavioral1/files/0x0006000000015de5-75.dat	UPX
behavioral1/memory/2584-69-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/1704-68-0x000000013FEC0000-0x0000000140214000-memory.dmp	UPX
behavioral1/files/0x0008000000015d72-60.dat	UPX
behavioral1/memory/2904-43-0x000000013F7E0000-0x000000013FB34000-memory.dmp	UPX
behavioral1/files/0x000700000001542b-40.dat	UPX
behavioral1/memory/2736-37-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2744-28-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2584-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/712-138-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2876-141-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2892-143-0x000000013F660000-0x000000013F9B4000-memory.dmp	UPX
behavioral1/memory/2828-144-0x000000013F800000-0x000000013FB54000-memory.dmp	UPX
behavioral1/memory/1256-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2744-146-0x000000013F170000-0x000000013F4C4000-memory.dmp	UPX
behavioral1/memory/2736-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2904-148-0x000000013F7E0000-0x000000013FB34000-memory.dmp	UPX
behavioral1/memory/2724-149-0x000000013F590000-0x000000013F8E4000-memory.dmp	UPX
behavioral1/memory/2676-150-0x000000013FC40000-0x000000013FF94000-memory.dmp	UPX
behavioral1/memory/2832-151-0x000000013F630000-0x000000013F984000-memory.dmp	UPX
behavioral1/memory/2584-152-0x000000013FA90000-0x000000013FDE4000-memory.dmp	UPX
behavioral1/memory/712-153-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	UPX
behavioral1/memory/2876-154-0x000000013F610000-0x000000013F964000-memory.dmp	UPX
behavioral1/memory/2768-155-0x000000013F870000-0x000000013FBC4000-memory.dmp	UPX
behavioral1/memory/2356-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	UPX

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1704-0-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/files/0x000b00000001226d-5.dat	xmrig
behavioral1/files/0x00350000000149d0-10.dat	xmrig
behavioral1/memory/2828-15-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2892-13-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015038-9.dat	xmrig
behavioral1/memory/1256-22-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/files/0x000700000001538e-26.dat	xmrig
behavioral1/files/0x00070000000153fd-33.dat	xmrig
behavioral1/files/0x000700000001562c-47.dat	xmrig
behavioral1/memory/2724-50-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015b63-54.dat	xmrig
behavioral1/memory/2676-57-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2832-64-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/files/0x0006000000015d97-67.dat	xmrig
behavioral1/memory/1256-80-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016448-108.dat	xmrig
behavioral1/files/0x00060000000165d4-116.dat	xmrig
behavioral1/files/0x0006000000016133-101.dat	xmrig
behavioral1/files/0x0006000000015f54-94.dat	xmrig
behavioral1/memory/2356-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/1704-129-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
behavioral1/memory/2768-128-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015fd4-90.dat	xmrig
behavioral1/files/0x0006000000016824-121.dat	xmrig
behavioral1/files/0x0006000000016572-113.dat	xmrig
behavioral1/files/0x00060000000162cc-107.dat	xmrig
behavioral1/files/0x00060000000160f3-99.dat	xmrig
behavioral1/memory/2876-89-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2744-87-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/1704-86-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/712-85-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/files/0x0035000000014b18-84.dat	xmrig
behavioral1/files/0x0006000000015de5-75.dat	xmrig
behavioral1/memory/2584-69-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/1704-68-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d72-60.dat	xmrig
behavioral1/memory/2904-43-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/files/0x000700000001542b-40.dat	xmrig
behavioral1/memory/2736-37-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2744-28-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2584-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/712-138-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/1704-139-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2876-141-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2892-143-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2828-144-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/1256-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2744-146-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2736-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2904-148-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2724-149-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2676-150-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2832-151-0x000000013F630000-0x000000013F984000-memory.dmp	xmrig
behavioral1/memory/2584-152-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/712-153-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	xmrig
behavioral1/memory/2876-154-0x000000013F610000-0x000000013F964000-memory.dmp	xmrig
behavioral1/memory/2768-155-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2356-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2892	CyJCeFZ.exe
2828	vaNETbn.exe
1256	WmGxPYZ.exe
2744	tNraFLu.exe
2736	BseypWg.exe
2904	oZhcPsm.exe
2724	CBPuaDz.exe
2676	UrYohFL.exe
2832	vRCNxZJ.exe
2584	zLEeByR.exe
712	XrbRaoX.exe
2876	nsnwgGK.exe
2768	SahLDOV.exe
2356	gsWSseB.exe
2036	OHXzMHz.exe
1968	yrEkKrm.exe
1452	UICCxbK.exe
1964	CRLRnPd.exe
1188	VacEGgR.exe
316	iWRleyb.exe
1796	gneqvDu.exe

Loads dropped DLL 21 IoCs

pid	Process
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1704-0-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/files/0x000b00000001226d-5.dat	upx
behavioral1/files/0x00350000000149d0-10.dat	upx
behavioral1/memory/2828-15-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2892-13-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/files/0x0008000000015038-9.dat	upx
behavioral1/memory/1256-22-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/files/0x000700000001538e-26.dat	upx
behavioral1/files/0x00070000000153fd-33.dat	upx
behavioral1/files/0x000700000001562c-47.dat	upx
behavioral1/memory/2724-50-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/files/0x0008000000015b63-54.dat	upx
behavioral1/memory/2676-57-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2832-64-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/files/0x0006000000015d97-67.dat	upx
behavioral1/memory/1256-80-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/files/0x0006000000016448-108.dat	upx
behavioral1/files/0x00060000000165d4-116.dat	upx
behavioral1/files/0x0006000000016133-101.dat	upx
behavioral1/files/0x0006000000015f54-94.dat	upx
behavioral1/memory/2356-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
behavioral1/memory/2768-128-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/files/0x0006000000015fd4-90.dat	upx
behavioral1/files/0x0006000000016824-121.dat	upx
behavioral1/files/0x0006000000016572-113.dat	upx
behavioral1/files/0x00060000000162cc-107.dat	upx
behavioral1/files/0x00060000000160f3-99.dat	upx
behavioral1/memory/2876-89-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2744-87-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/712-85-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/files/0x0035000000014b18-84.dat	upx
behavioral1/files/0x0006000000015de5-75.dat	upx
behavioral1/memory/2584-69-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/1704-68-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/files/0x0008000000015d72-60.dat	upx
behavioral1/memory/2904-43-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/files/0x000700000001542b-40.dat	upx
behavioral1/memory/2736-37-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2744-28-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2584-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/712-138-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2876-141-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2892-143-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2828-144-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/1256-145-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2744-146-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2736-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2904-148-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2724-149-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2676-150-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2832-151-0x000000013F630000-0x000000013F984000-memory.dmp	upx
behavioral1/memory/2584-152-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/712-153-0x000000013F4A0000-0x000000013F7F4000-memory.dmp	upx
behavioral1/memory/2876-154-0x000000013F610000-0x000000013F964000-memory.dmp	upx
behavioral1/memory/2768-155-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/memory/2356-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VacEGgR.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\BseypWg.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CBPuaDz.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\zLEeByR.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gsWSseB.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\OHXzMHz.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\iWRleyb.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UICCxbK.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WmGxPYZ.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oZhcPsm.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vRCNxZJ.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\nsnwgGK.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CyJCeFZ.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\tNraFLu.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SahLDOV.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CRLRnPd.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yrEkKrm.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gneqvDu.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\vaNETbn.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UrYohFL.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\XrbRaoX.exe	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2892	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2892	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2892	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	29
PID 1704 wrote to memory of 2828	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 2828	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 2828	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	30
PID 1704 wrote to memory of 1256	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 1256	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 1256	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	31
PID 1704 wrote to memory of 2744	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2744	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2744	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	32
PID 1704 wrote to memory of 2736	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2736	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2736	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	33
PID 1704 wrote to memory of 2904	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2904	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2904	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	34
PID 1704 wrote to memory of 2724	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2724	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2724	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	35
PID 1704 wrote to memory of 2676	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2676	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2676	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	36
PID 1704 wrote to memory of 2832	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2832	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2832	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	37
PID 1704 wrote to memory of 2584	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 2584	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 2584	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	38
PID 1704 wrote to memory of 712	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 712	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 712	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	39
PID 1704 wrote to memory of 2768	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 2768	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 2768	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	40
PID 1704 wrote to memory of 2876	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 2876	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 2876	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	41
PID 1704 wrote to memory of 1964	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 1964	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 1964	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	42
PID 1704 wrote to memory of 2356	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 2356	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 2356	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	43
PID 1704 wrote to memory of 1188	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 1188	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 1188	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	44
PID 1704 wrote to memory of 2036	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 2036	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 2036	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	45
PID 1704 wrote to memory of 316	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 316	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 316	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	46
PID 1704 wrote to memory of 1968	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 1968	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 1968	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	47
PID 1704 wrote to memory of 1796	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 1796	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 1796	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	48
PID 1704 wrote to memory of 1452	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	49
PID 1704 wrote to memory of 1452	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	49
PID 1704 wrote to memory of 1452	1704	2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-05_eed2129441315e3ed01649605566e6a8_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\System\CyJCeFZ.exe
  C:\Windows\System\CyJCeFZ.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\vaNETbn.exe
  C:\Windows\System\vaNETbn.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\WmGxPYZ.exe
  C:\Windows\System\WmGxPYZ.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\tNraFLu.exe
  C:\Windows\System\tNraFLu.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\BseypWg.exe
  C:\Windows\System\BseypWg.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\oZhcPsm.exe
  C:\Windows\System\oZhcPsm.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\CBPuaDz.exe
  C:\Windows\System\CBPuaDz.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\UrYohFL.exe
  C:\Windows\System\UrYohFL.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\vRCNxZJ.exe
  C:\Windows\System\vRCNxZJ.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\zLEeByR.exe
  C:\Windows\System\zLEeByR.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\XrbRaoX.exe
  C:\Windows\System\XrbRaoX.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\SahLDOV.exe
  C:\Windows\System\SahLDOV.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\nsnwgGK.exe
  C:\Windows\System\nsnwgGK.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\CRLRnPd.exe
  C:\Windows\System\CRLRnPd.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\gsWSseB.exe
  C:\Windows\System\gsWSseB.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\VacEGgR.exe
  C:\Windows\System\VacEGgR.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\OHXzMHz.exe
  C:\Windows\System\OHXzMHz.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\iWRleyb.exe
  C:\Windows\System\iWRleyb.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\yrEkKrm.exe
  C:\Windows\System\yrEkKrm.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\gneqvDu.exe
  C:\Windows\System\gneqvDu.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\UICCxbK.exe
  C:\Windows\System\UICCxbK.exe
  2⤵
  - Executes dropped EXE
  PID:1452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BseypWg.exe

Filesize
5.9MB

MD5
0dfbd8b12c383a050782b2b22e007165

SHA1
620d8245f39ee9fdc194d0b6bdc94642c1f4b8f6

SHA256
dc286e4682430529808274a7262e7b1e585d12b6e02ddea3583b7a76cbfdb15b

SHA512
ca76f90beaf240f100139a84209422e2c14b4aab94fd88fda5ad84b05a33cfedf9feee0885241c03af0e1992d21d99031713eed55f9af956217d3b861efeeac9

Download Submit
C:\Windows\system\CBPuaDz.exe

Filesize
5.9MB

MD5
d9adf015250da89c51d02813c7450947

SHA1
d81dea0e85e822366b1f37adce355d0e06362887

SHA256
85e84b5563d0e78e0a6aa0c3512f279d20b94f226874ca55e323fe4ac63efef2

SHA512
696cc5f43ba1ae650239b5baf0b3afc1d182431ff3e3ce0463c51b074cfc49ff44715570406290fab7ba4faf43af8be7088622a5bc71076c72632cea1ec4deea

Download Submit
C:\Windows\system\CyJCeFZ.exe

Filesize
5.9MB

MD5
4a4872f0e23b410bd28b06615c9c5888

SHA1
2a898dc6a8ea30551335b7debbf9385fa1faa005

SHA256
b2bf0f9a79de7737f79553ded90ee9807156cc175bdfdd2466290abb21f0ba6e

SHA512
9f632026ede30e91d6f4815e2d623f120e00bd43c4b1f3edfad19b765424b39db816d3f7d31c8dbe7149017ff6064640715d79e3baf120fe2a09ccc678346596

Download Submit
C:\Windows\system\OHXzMHz.exe

Filesize
5.9MB

MD5
7e6d13265e171673c248edcc6c3e247c

SHA1
a2f754bc10d388d0c9f0e0ba9d679cfc701275d2

SHA256
d007d46e52d04256db142840f7ce1f2ceb055496ed2e8d5af8c81dd657b765f5

SHA512
47d403fd50aad94c4cf35a281fced8a54483b4fcf8e9c44de1c49cbb0dc3265610f0daea20ba224401a8e211f72d9b24e5abead102b35bb12c13bf3352cc8051

Download Submit
C:\Windows\system\SahLDOV.exe

Filesize
5.9MB

MD5
cd784562d52ca29fb008f22ec7c51bfa

SHA1
94feeb1cf980179aa45cd03943cbcbf8c850723e

SHA256
6ff3fbabf6ed7cc8d802a014a3cbea5e6938ad11e2226d9bf2d2fb717b22689c

SHA512
1103713e4528031783facf1f9d13aeaac46430ce9ecb5746adf1ff052e2972c3dfc14c90e474fede2cd0166b7d23ba83fba56122022c213463d1398b4c765dd6

Download Submit
C:\Windows\system\UICCxbK.exe

Filesize
5.9MB

MD5
ca4cd0bf44e0a08e9b63a1a26ecd7eeb

SHA1
67db3d2564ed072308abf2a7c7fe157137715341

SHA256
3c861292b6cba1f4b761ffb5669bcb6dca707f18899035cd6dde2447d520fac6

SHA512
38d239ad3d94ca572ad000ecf28d8ee82c5c7622222ae44572c17c13a59ed24969730c15747782728285025824c935a3583a124a1d4a4cdfb29b6c22e4d2ab6e

Download Submit
C:\Windows\system\UrYohFL.exe

Filesize
5.9MB

MD5
10d3e91295328ed1d17f4827488b1293

SHA1
eb3f19b19946686d48e74d88ccd2bea7bf158c45

SHA256
73058ef298ae19daf263881de059898e9eef19535d725d390b80066ab177a2c9

SHA512
5df105c440c3d725bd9c922246b095fcd6ee4356d91a57edc3e1a6d40fc8a172e4a37d1b4e7e5d582f321656ee8d328a10501380b2ed17b05572fdc16ae83495

Download Submit
C:\Windows\system\WmGxPYZ.exe

Filesize
5.9MB

MD5
7bcf931d96f9b019fef7bc2b973db554

SHA1
36c6429c2893bbcb2d2a04a8d3a479978556e62c

SHA256
20848228519b1a366443a11d7d2fc82e8957b6775a00f27cc3d4e1f4e35210ce

SHA512
6c018b15fb42dbeb470259391ade6d234c7637a410480a55421860d9b9c2a252bd3c8665b977b58dd1a19ac3a7feb57033b51eff0e9be22499a79bd5cde8212a

Download Submit
C:\Windows\system\XrbRaoX.exe

Filesize
5.9MB

MD5
38b5a58382ad54941063575383edc5b8

SHA1
63288c5e9768f551c707486484a2f9f1d6ac686f

SHA256
4c68dfe7d8f5de36fdee9194a938c62ba56324647f31ff1bfdb6910ea3e7909f

SHA512
b78f0c811e43ec6048e975611ee7cf5f22bc80c51c66bc18067bc319e4c5ce8e01094077fd8492f9fc9b7c2bf610f66d3458b77d605471f21cb42d090a0892d8

Download Submit
C:\Windows\system\gsWSseB.exe

Filesize
5.9MB

MD5
d66d9f4bc80e820c8458d2fa92e2d682

SHA1
2fbba3b9ce6a9b0f100652bc5254fe59251f7ca2

SHA256
475f0a2584e31e36ba8709b2ea1155f20347481c36881f7b74cbc8c6884e04cc

SHA512
e20e9f39e736808f01c8edf7c3d93b86fb9fb0367703aac21a050b15c92c957ce97b21fa714ad0f3deb6df7d1674bc810ec1fca90d99d5fcc7868a8e32fc34b2

Download Submit
C:\Windows\system\nsnwgGK.exe

Filesize
5.9MB

MD5
52a06593adc70fed4be39d67e34adefa

SHA1
c7d043a348426c6d961b3524484e70868303511a

SHA256
9e5c3aff9b5bed46b38e7d1d7d25f330ba69cddf3e463102173f60806b9494c7

SHA512
c4258257edda9eb2acc2528596c9d51c31ddde85a8cdc670ca79412ba07f0a04c87fb0c84cde1fb19b1f6c53afd67920fe78ec6eb44e6910007d293ed734218c

Download Submit
C:\Windows\system\oZhcPsm.exe

Filesize
5.9MB

MD5
a613f6db627fa5a785285f8bc3d01474

SHA1
6f824a513f0e116c274d25eb984645b894c6accc

SHA256
5c1e69e218dc9fd59e7a158469c1e31861368b04bc27f4aab50c9a7d477e0b82

SHA512
1ec6df567d1a0c970505c1d06d7d56e301db24c1013655e70d9db9e1fed16a34fdc4c28466ebe007e9c11587b6a64426a5d14b3a8e4690a3e7ab43e510861edf

Download Submit
C:\Windows\system\tNraFLu.exe

Filesize
5.9MB

MD5
6c53b0abf96b9981dff23b9e93f39bdb

SHA1
442e01e0ece2ebc57632978b0191a5be81246a9e

SHA256
c680f81cbdeb0a161ba6c8eee03f0ef4cb0609c3612c7f612719e60e637d7ad7

SHA512
4c5db9bff509a271067f70e5d17b10d4ecdc94f21f17e3483d9e5d47e94896677ce1bc8db3cfc3223b8482de3fdcda209e8fa117e13112e1d72a03ee6e858ff0

Download Submit
C:\Windows\system\vRCNxZJ.exe

Filesize
5.9MB

MD5
f2f2fcca4b9dc70698809443a24ac3df

SHA1
12de40988ba6b7402a18ae47e1fa53e4a312edf9

SHA256
c5d740e3b3dd6d9e755b2c52551e95b59ce035269cabf582cd6b090872d79145

SHA512
933549939f130fc6bf9516cb4c1ad1dd271d0bb50018b28a99abb01a7f9666a0021d814ca34acee034b7d7d776ca9395f2d4c81fed87cf722e4b3e842a0b0cb8

Download Submit
C:\Windows\system\vaNETbn.exe

Filesize
5.9MB

MD5
a075440fc3eb2700137099d488a18aaf

SHA1
a6f9f3e2952f96a259e5a29ad3b4ec5234461deb

SHA256
c65e5c88b1246f5aff0caa789a917f67a45b728503f84a5040af1d766ede4acd

SHA512
a4844cf03fd0f7d1cbd75235c9de1009212fa825c3c7c2b6481dfaa906b1f460c7bf347d1a575dd7b7c87834443585f01fc663338c26e67fb9a2eb475178a3e8

Download Submit
C:\Windows\system\yrEkKrm.exe

Filesize
5.9MB

MD5
8ae3b8a9b44240619827d34186fbaf5d

SHA1
c4293b5b3c7cf52d07dd8a290b7d6d5024f64cd0

SHA256
a05758cd5429207eb3cd177c0dcb5083a548abcd7e22a56abd16222688848c68

SHA512
26eae3836fb1e3e7e1fe5a69c1df4dbb459fc2918da37210ad020fde9b94364343c46ad62544dc5ed0d47dfc0ff50e481c4cc9c30e1c73e49da4a62154b23cda

Download Submit
C:\Windows\system\zLEeByR.exe

Filesize
5.9MB

MD5
38adcccfdd6cd276431f0c493ac0e6b3

SHA1
17e37176ae19c77273eca55dd9855350fb7a6787

SHA256
5b5f3f3bc3d932ebcf394604dcc4e5b00b1013c2dc535ee46700be58cc2bcfb1

SHA512
f2245ff0618a1f021e988d69ccb0b2d6cabadf281d8545e744d28c28c035a88566b83e723789c29ce5b81d2ed786e026869d3b27dd68e8e3eaf37c32ef44e804

Download Submit
\Windows\system\CRLRnPd.exe

Filesize
5.9MB

MD5
bb78cfe8f418d515dd8b0c20d5d7facc

SHA1
bcf560be686f98b6ba96370959c0f136981c67bb

SHA256
f684a107d3d56c7a57569a26ba752a5ca10de69c5ed67402cb8873aa093fb8a9

SHA512
31e28175aa1589d27da5adef8be023112ca814ba3bc568a0246b36cad9f2454a3c7d9a51109dd7b944cf558865fe34055fd12fe7c2f30fd7af6f03202f97fb0a

Download Submit
\Windows\system\VacEGgR.exe

Filesize
5.9MB

MD5
0303f3d39f8a4b004dd6e346305c3512

SHA1
0befda7288d4e04d4d3c1ad22fb5fdf8f1a21e80

SHA256
3971c86f132dc7fdc930fa439edfebfe63c28e560e51c5fd34efdd204916ba4e

SHA512
0d83a0e5f934df1b0562b928cc0b01b0bb655f6d478ba2454ed2e133e50c3a1823b0f379526b45b2aedb9b4b25c65040a0b25eaf6eb70fa003aef64d1ee61389

Download Submit
\Windows\system\gneqvDu.exe

Filesize
5.9MB

MD5
1ee6f9c388a23ec2396cbaa3c50efd8c

SHA1
9df94e7e80eebdcb3d256cac3fb8c5a81503f803

SHA256
f480256a7b5d1c6291a2ebb663f67173d3695ca4e903cb444c907b37a4ca6459

SHA512
1a489868793bdc48d61b3caf821e5a6886733d88cdc933cb9c1711fbe6513ac3a2523f030bddcd3e396f709d45e4ec56c8d91d8a8e9d444d2fda68f33aef6d0b

Download Submit
\Windows\system\iWRleyb.exe

Filesize
5.9MB

MD5
5fb1e3f4e2e8598f361524aed20b4eae

SHA1
7cf61ff8c4d8cb56295c5f02e1a846e04985ddb5

SHA256
9a89dd8c0c650622ce22fc93a3e92cb31bf43c46134348ffba488a96877f70af

SHA512
e9fbff429d38b0c0e8c5fe7a50bce700c9c6e29997905723520e206e8dedee8608057a05032b35940f511bc2535fc744e9958455cae646596179858323928c42

Download Submit
memory/712-85-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/712-153-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/712-138-0x000000013F4A0000-0x000000013F7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1256-22-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1256-145-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1256-80-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-142-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-63-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/1704-27-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-35-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-20-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-129-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-88-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/1704-140-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/1704-86-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-0-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/1704-139-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-127-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-73-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1704-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1704-68-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/1704-38-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/1704-14-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/1704-56-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-49-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-130-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-156-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-152-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-69-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-137-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2676-57-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2676-150-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2724-149-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-50-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-37-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-147-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-146-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-87-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-28-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-128-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-155-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-144-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2828-15-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2832-64-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2832-151-0x000000013F630000-0x000000013F984000-memory.dmp

Filesize
3.3MB

Download
memory/2876-89-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2876-154-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2876-141-0x000000013F610000-0x000000013F964000-memory.dmp

Filesize
3.3MB

Download
memory/2892-143-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-13-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2904-148-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2904-43-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download