cobaltstrike | f0abbcbe563766625aeab5488774b5bb19c425d758a75b9969a7478a06379c62

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
12-06-2024 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

e1e276e368b80806d7a7df6a406205d4
SHA1

0e0c2b53161d75e182dce6415abb81e0ba829a82
SHA256

f0abbcbe563766625aeab5488774b5bb19c425d758a75b9969a7478a06379c62
SHA512

19db29e6e5f793fe32e858255cea1fce33f0f8522fcf5219e7178b28e2a7576006b133e3fb4542633533f15032ecaf42e680e8d40f0bae4783d0371e1303a2db
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUz:Q+856utgpPF8u/7z

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012286-6.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d9f-25.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c78-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2a-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d64-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6f-128.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d8b-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d68-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d43-95.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d32-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3b-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d5f-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d17-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ceb-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc1-60.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c6f-46.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015dca-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d83-33.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d7b-24.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000015d12-23.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000c000000012286-6.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015d9f-25.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016c78-50.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d2a-75.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d64-118.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d6f-128.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d8b-133.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d68-123.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d43-95.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d4b-92.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d32-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d3b-82.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d5f-100.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016d17-73.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016ceb-67.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016cc1-60.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000016c6f-46.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0008000000015dca-41.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d83-33.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015d7b-24.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0031000000015d12-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 54 IoCs

resource	yara_rule
behavioral1/memory/2244-2-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x000c000000012286-6.dat	UPX
behavioral1/files/0x0009000000015d9f-25.dat	UPX
behavioral1/memory/2524-43-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/files/0x0006000000016c78-50.dat	UPX
behavioral1/memory/2692-57-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2688-64-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/files/0x0006000000016d2a-75.dat	UPX
behavioral1/files/0x0006000000016d64-118.dat	UPX
behavioral1/files/0x0006000000016d6f-128.dat	UPX
behavioral1/files/0x0006000000016d8b-133.dat	UPX
behavioral1/files/0x0006000000016d68-123.dat	UPX
behavioral1/files/0x0006000000016d43-95.dat	UPX
behavioral1/files/0x0006000000016d4b-92.dat	UPX
behavioral1/memory/2636-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x0006000000016d32-85.dat	UPX
behavioral1/files/0x0006000000016d3b-82.dat	UPX
behavioral1/memory/340-105-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2512-70-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/2064-103-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/files/0x0006000000016d5f-100.dat	UPX
behavioral1/memory/1280-89-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/files/0x0006000000016d17-73.dat	UPX
behavioral1/files/0x0006000000016ceb-67.dat	UPX
behavioral1/memory/2244-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/files/0x0006000000016cc1-60.dat	UPX
behavioral1/memory/2784-53-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/files/0x0007000000016c6f-46.dat	UPX
behavioral1/files/0x0008000000015dca-41.dat	UPX
behavioral1/memory/1700-39-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2656-35-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/files/0x0007000000015d83-33.dat	UPX
behavioral1/memory/2384-32-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2064-31-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/files/0x0007000000015d7b-24.dat	UPX
behavioral1/files/0x0031000000015d12-23.dat	UPX
behavioral1/memory/1708-15-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2524-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/memory/2636-137-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX
behavioral1/memory/1280-138-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/340-141-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/1708-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	UPX
behavioral1/memory/2656-143-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2384-144-0x000000013F670000-0x000000013F9C4000-memory.dmp	UPX
behavioral1/memory/2064-145-0x000000013F7C0000-0x000000013FB14000-memory.dmp	UPX
behavioral1/memory/1700-146-0x000000013F700000-0x000000013FA54000-memory.dmp	UPX
behavioral1/memory/2524-148-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	UPX
behavioral1/memory/2784-147-0x000000013F940000-0x000000013FC94000-memory.dmp	UPX
behavioral1/memory/2692-149-0x000000013F7D0000-0x000000013FB24000-memory.dmp	UPX
behavioral1/memory/2688-150-0x000000013F900000-0x000000013FC54000-memory.dmp	UPX
behavioral1/memory/2512-151-0x000000013FE50000-0x00000001401A4000-memory.dmp	UPX
behavioral1/memory/340-154-0x000000013F510000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/1280-153-0x000000013F820000-0x000000013FB74000-memory.dmp	UPX
behavioral1/memory/2636-152-0x000000013FC30000-0x000000013FF84000-memory.dmp	UPX

XMRig Miner payload 62 IoCs

miner

resource	yara_rule
behavioral1/memory/2244-2-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x000c000000012286-6.dat	xmrig
behavioral1/files/0x0009000000015d9f-25.dat	xmrig
behavioral1/memory/2524-43-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c78-50.dat	xmrig
behavioral1/memory/2692-57-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2688-64-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2244-104-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d2a-75.dat	xmrig
behavioral1/files/0x0006000000016d64-118.dat	xmrig
behavioral1/files/0x0006000000016d6f-128.dat	xmrig
behavioral1/files/0x0006000000016d8b-133.dat	xmrig
behavioral1/files/0x0006000000016d68-123.dat	xmrig
behavioral1/files/0x0006000000016d43-95.dat	xmrig
behavioral1/files/0x0006000000016d4b-92.dat	xmrig
behavioral1/memory/2636-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d32-85.dat	xmrig
behavioral1/files/0x0006000000016d3b-82.dat	xmrig
behavioral1/memory/340-105-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/2512-70-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2064-103-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/2244-101-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d5f-100.dat	xmrig
behavioral1/memory/2244-99-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2244-91-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/1280-89-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2244-81-0x0000000002410000-0x0000000002764000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d17-73.dat	xmrig
behavioral1/files/0x0006000000016ceb-67.dat	xmrig
behavioral1/memory/2244-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/files/0x0006000000016cc1-60.dat	xmrig
behavioral1/memory/2244-54-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2784-53-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/files/0x0007000000016c6f-46.dat	xmrig
behavioral1/files/0x0008000000015dca-41.dat	xmrig
behavioral1/memory/2244-40-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/1700-39-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2656-35-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d83-33.dat	xmrig
behavioral1/memory/2384-32-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2064-31-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d7b-24.dat	xmrig
behavioral1/files/0x0031000000015d12-23.dat	xmrig
behavioral1/memory/1708-15-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2524-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2636-137-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/1280-138-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2244-140-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/340-141-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/1708-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
behavioral1/memory/2656-143-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2384-144-0x000000013F670000-0x000000013F9C4000-memory.dmp	xmrig
behavioral1/memory/2064-145-0x000000013F7C0000-0x000000013FB14000-memory.dmp	xmrig
behavioral1/memory/1700-146-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2524-148-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	xmrig
behavioral1/memory/2784-147-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/2692-149-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/2688-150-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2512-151-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/340-154-0x000000013F510000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/1280-153-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2636-152-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1708	JDEeJGd.exe
2064	DQzaAiu.exe
2384	kpFwBeB.exe
2656	gyViuGx.exe
1700	LnmKIAP.exe
2524	DFBfdQp.exe
2784	INiRFOi.exe
2692	fuNBeLW.exe
2688	cXBFatN.exe
2512	MMAGpdD.exe
2636	TnvjJsP.exe
1280	axnzipA.exe
340	bQiDPWv.exe
1620	NsGnhns.exe
2568	UTegQrT.exe
896	YOxhOaA.exe
1672	gYBWYzD.exe
1744	UnVXDUX.exe
1876	ESLmaqT.exe
1852	EKqDmnf.exe
2432	JdStPDJ.exe

Loads dropped DLL 21 IoCs

pid	Process
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-2-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x000c000000012286-6.dat	upx
behavioral1/files/0x0009000000015d9f-25.dat	upx
behavioral1/memory/2524-43-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/files/0x0006000000016c78-50.dat	upx
behavioral1/memory/2692-57-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2688-64-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/files/0x0006000000016d2a-75.dat	upx
behavioral1/files/0x0006000000016d64-118.dat	upx
behavioral1/files/0x0006000000016d6f-128.dat	upx
behavioral1/files/0x0006000000016d8b-133.dat	upx
behavioral1/files/0x0006000000016d68-123.dat	upx
behavioral1/files/0x0006000000016d43-95.dat	upx
behavioral1/files/0x0006000000016d4b-92.dat	upx
behavioral1/memory/2636-86-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x0006000000016d32-85.dat	upx
behavioral1/files/0x0006000000016d3b-82.dat	upx
behavioral1/memory/340-105-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2512-70-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2064-103-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/files/0x0006000000016d5f-100.dat	upx
behavioral1/memory/1280-89-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/files/0x0006000000016d17-73.dat	upx
behavioral1/files/0x0006000000016ceb-67.dat	upx
behavioral1/memory/2244-63-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/files/0x0006000000016cc1-60.dat	upx
behavioral1/memory/2784-53-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/files/0x0007000000016c6f-46.dat	upx
behavioral1/files/0x0008000000015dca-41.dat	upx
behavioral1/memory/1700-39-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2656-35-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/files/0x0007000000015d83-33.dat	upx
behavioral1/memory/2384-32-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2064-31-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/files/0x0007000000015d7b-24.dat	upx
behavioral1/files/0x0031000000015d12-23.dat	upx
behavioral1/memory/1708-15-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2524-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2636-137-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/1280-138-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/340-141-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/1708-142-0x000000013F750000-0x000000013FAA4000-memory.dmp	upx
behavioral1/memory/2656-143-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2384-144-0x000000013F670000-0x000000013F9C4000-memory.dmp	upx
behavioral1/memory/2064-145-0x000000013F7C0000-0x000000013FB14000-memory.dmp	upx
behavioral1/memory/1700-146-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2524-148-0x000000013F8A0000-0x000000013FBF4000-memory.dmp	upx
behavioral1/memory/2784-147-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/2692-149-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/2688-150-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2512-151-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/340-154-0x000000013F510000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/1280-153-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/2636-152-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\JDEeJGd.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LnmKIAP.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\INiRFOi.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\fuNBeLW.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\cXBFatN.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\TnvjJsP.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UTegQrT.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\axnzipA.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\NsGnhns.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EKqDmnf.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DQzaAiu.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kpFwBeB.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DFBfdQp.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bQiDPWv.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ESLmaqT.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gyViuGx.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\MMAGpdD.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YOxhOaA.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\gYBWYzD.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\UnVXDUX.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\JdStPDJ.exe	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 1708	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 1708	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 1708	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	29
PID 2244 wrote to memory of 2064	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 2064	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 2064	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	30
PID 2244 wrote to memory of 2384	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 2384	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 2384	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	31
PID 2244 wrote to memory of 1700	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 1700	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 1700	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	32
PID 2244 wrote to memory of 2656	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2656	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2656	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	33
PID 2244 wrote to memory of 2524	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2524	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2524	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	34
PID 2244 wrote to memory of 2784	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2784	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2784	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	35
PID 2244 wrote to memory of 2692	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2692	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2692	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	36
PID 2244 wrote to memory of 2688	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2688	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2688	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	37
PID 2244 wrote to memory of 2512	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2512	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2512	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	38
PID 2244 wrote to memory of 2636	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2636	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2636	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	39
PID 2244 wrote to memory of 2568	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 2568	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 2568	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	40
PID 2244 wrote to memory of 1280	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 1280	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 1280	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	41
PID 2244 wrote to memory of 896	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 896	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 896	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	42
PID 2244 wrote to memory of 340	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 340	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 340	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	43
PID 2244 wrote to memory of 1672	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 1672	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 1672	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	44
PID 2244 wrote to memory of 1620	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 1620	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 1620	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	45
PID 2244 wrote to memory of 1744	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 1744	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 1744	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	46
PID 2244 wrote to memory of 1876	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 1876	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 1876	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	47
PID 2244 wrote to memory of 1852	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 1852	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 1852	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	48
PID 2244 wrote to memory of 2432	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	49
PID 2244 wrote to memory of 2432	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	49
PID 2244 wrote to memory of 2432	2244	2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_e1e276e368b80806d7a7df6a406205d4_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\System\JDEeJGd.exe
  C:\Windows\System\JDEeJGd.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\DQzaAiu.exe
  C:\Windows\System\DQzaAiu.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\kpFwBeB.exe
  C:\Windows\System\kpFwBeB.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\LnmKIAP.exe
  C:\Windows\System\LnmKIAP.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\gyViuGx.exe
  C:\Windows\System\gyViuGx.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\DFBfdQp.exe
  C:\Windows\System\DFBfdQp.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\INiRFOi.exe
  C:\Windows\System\INiRFOi.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\fuNBeLW.exe
  C:\Windows\System\fuNBeLW.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\cXBFatN.exe
  C:\Windows\System\cXBFatN.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\MMAGpdD.exe
  C:\Windows\System\MMAGpdD.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\TnvjJsP.exe
  C:\Windows\System\TnvjJsP.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\UTegQrT.exe
  C:\Windows\System\UTegQrT.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\axnzipA.exe
  C:\Windows\System\axnzipA.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\YOxhOaA.exe
  C:\Windows\System\YOxhOaA.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\bQiDPWv.exe
  C:\Windows\System\bQiDPWv.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\gYBWYzD.exe
  C:\Windows\System\gYBWYzD.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\NsGnhns.exe
  C:\Windows\System\NsGnhns.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\UnVXDUX.exe
  C:\Windows\System\UnVXDUX.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ESLmaqT.exe
  C:\Windows\System\ESLmaqT.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\EKqDmnf.exe
  C:\Windows\System\EKqDmnf.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\JdStPDJ.exe
  C:\Windows\System\JdStPDJ.exe
  2⤵
  - Executes dropped EXE
  PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DFBfdQp.exe

Filesize
5.9MB

MD5
74ea50329298ee9b2c31d30054f958d5

SHA1
402b388a98c7f70b6567bab8386d90d5a7476cb1

SHA256
affdde050ae63770758829bf941edfd8f9a2421c1211272b29c555f6fc4bef13

SHA512
01c0dc9af208242ffaf1cb3d387fcd4a7ba5a99ea406092c15457283be1641d7be4092a256557ad08561bcd0d144235079664ad6ed67617803f53b1cf1f213b8

Download Submit
C:\Windows\system\DQzaAiu.exe

Filesize
5.9MB

MD5
cfc7cf67b434c6a67ef15a27f77f0fc7

SHA1
a870b562f4648b8f2f65f70ee381f050577b2cdc

SHA256
67d4b035c37089118712c67e2f8947abd0a31fad93b4084f89e4ef36be441f65

SHA512
7d5b6a09dd5fc379395fdeb9f9eee0ba216f7d2d729f5563ff8f3c3067c0acd75ddd1c3bad06449a089370b2d601f43f25f211f092fcc9bc6abca3dd8ef54e6e

Download Submit
C:\Windows\system\EKqDmnf.exe

Filesize
5.9MB

MD5
403007a9092349ea6c2d4ab19b45710b

SHA1
b1c3a3d1f842b35d84367393964e0d058cb8d1c6

SHA256
8dd906d4e265494cb9a75cec99fd281e0617decbfea1ee9093aee4d23850c5f9

SHA512
6359838c1ea101f1e1fda9e197f280951d26ab2d380f0703a4ddddd4ace69e879f11b5a58fe99b2e4d2f40f8fa20ad8a63d2ad89a696b77418df45bcb76f28a9

Download Submit
C:\Windows\system\ESLmaqT.exe

Filesize
5.9MB

MD5
bdf7d06f8667b89284cae21677ede71a

SHA1
0f1b21b438b3f46b633669dcf31c3626d790a502

SHA256
cf2ac880a59c40ba604c38d7ad03a3251531d6e591affc666a213f4f687ee768

SHA512
d930c37cd9c325fd8189c0dbad885468fa588f2f99da20de40712331d4749d9fb8a0c280ea3cda59e4c77a270a6752e2dc20558248305a8a0f4ac68ffc7b2506

Download Submit
C:\Windows\system\INiRFOi.exe

Filesize
5.9MB

MD5
f46a9bf99725fb947a4ff973a8be73ac

SHA1
6a5533f47d8bb60f870b1a52b2fe82ce81c3ca8f

SHA256
dc3cfd0e2c4509d8a4b0bf28699fb77db39e39f363d4ba307289c424e4e7122e

SHA512
c6ec2376e5277ba23db7d99ff8c474761da6b2e7ac928cbc8ec0a17fb80cb09a5b48279452d2d2fbb078ebb106f292e1410c9108f9d5fd49e4c963ec2e54663a

Download Submit
C:\Windows\system\JDEeJGd.exe

Filesize
5.9MB

MD5
9029d437468d906e405ace05207e5a4e

SHA1
82c92d976340e94ce89dc303e3ea622ae3bf8a02

SHA256
5dece72a4c0ff53ae3d34f53ae8e8f5ed6523c0a78af6925ed0eb3eff8bcf061

SHA512
017759fcd370aa5410c0760312ecf6a44e25a3956696adac7d267a80f110aed12e2a3bbffc9c8191db97de8e2b17cac5edc9bf875ec9b863e1b5419008df1739

Download Submit
C:\Windows\system\JdStPDJ.exe

Filesize
5.9MB

MD5
5495fa57cec9c5ab8621a3fd4a8df173

SHA1
1bcad1cf578f34ea59e47b12a0a9d8480aed141e

SHA256
b160ceb999bd87fe052017a1c4e4d13738ad02af2d5c6e79d8e5cbbdd8717ff1

SHA512
41203ab1702dd3251556a87e9a8ea0c109e8b25ca58148c5c9f5016b0bcbaa61d304427a32cecbfe198d8945f34ef6eb480349e6e5fc5a79ba366ca8098c96e9

Download Submit
C:\Windows\system\LnmKIAP.exe

Filesize
5.9MB

MD5
df6407c27db89e02ae08bf0c4c036748

SHA1
3cf9709052c33d00becda3cfa1e50e4910c074c8

SHA256
4f6ea66b404531a1fc01a45b8e70fc51a1f043b704e3bb680b91b6c453e11fff

SHA512
01f41a1c09d212c440f71b6d9aef7582f7132b08c779e1b8923974d042c1bdc929e06ed8091e0be7b5b029376da2fd3fc3e402342cf62b79d5e61db35be22fed

Download Submit
C:\Windows\system\MMAGpdD.exe

Filesize
5.9MB

MD5
2b4243c021a08b7ddeac250c465621a0

SHA1
a2f5023f6ea5bbf11a7ab4dbd15054ead5afeb0c

SHA256
e27aa2f89e5a90abf83324459c5debacbd172ba5830bd63ecabc538125e95f91

SHA512
e77e0d3de71288aca102a349ae5ea45513425ac96fb255ef63bf3e18fb2971db925fb27f09fd365ca88092fb3e4bcccad4ba3305837ef72bf55c92e6c2dee0d7

Download Submit
C:\Windows\system\NsGnhns.exe

Filesize
5.9MB

MD5
5eaecf6f75ed6f3c01bea672ba314098

SHA1
119386dc62332f451591aab5f51a6ff5592f8b3c

SHA256
e77508b1453ff975907e2c025048b66d943f43555e1ea8e33f88271b125bbb71

SHA512
93cbe2d83bd77ca708a3c9f83abc7962891ae04cd3855473755b1e2a249e84e19165ce6c6be63ace3d0b225b3a5066de9cf43b0b2e2165bfb61c0afad9fbbfd2

Download Submit
C:\Windows\system\TnvjJsP.exe

Filesize
5.9MB

MD5
5299af940af153e2d05c3ae1945835ab

SHA1
504ddb9df6e3b24ab8a3c1beec3c8603edde923e

SHA256
272a0f1c21585655907f78cfa30617763fd1336f8df77a0fc9473ea13346d3c8

SHA512
78989323581df09fd145e651735bf00e1f2d4c2a106be54de1f297456ee1f663bd782f195b8bfb3e4387f94274a0c80737918f259bd2b98c0f1638cf18fab3a1

Download Submit
C:\Windows\system\UnVXDUX.exe

Filesize
5.9MB

MD5
8950de2fc06a67bb378fad247509f470

SHA1
6f4e0c91cc689f13c512cba517403c472dd6f7e9

SHA256
2b64b23b3b79b370556a6cfce5b53d939782c72750d68344b1dbf478198d3fe3

SHA512
04119f589a7ce164d584168977af67c2cd152054f2e0c77e4ff36a654e7a6307fd2206e696367d6750b790adf6a57dbaef1bfc5688c614ac157b1096f59eac4b

Download Submit
C:\Windows\system\axnzipA.exe

Filesize
5.9MB

MD5
0c0fc8d2e579b8a58541198de70a5e42

SHA1
6cb73ef749e2467d75edfbefdbad9eec1b6768b1

SHA256
ba458e9cdc72230215de9661f3b0fd663b3cf590db93e42b70974cfae70c59e3

SHA512
c4393767975e1bc215e03d614a3685f25c3a4c38a199fe9c92cd2b5e2c77ca0728767ebc650b6bf3a3d620519409022e18627136f5a233e57808ccabe1b851ee

Download Submit
C:\Windows\system\bQiDPWv.exe

Filesize
5.9MB

MD5
1ab685a0d0e74824193c57dbba6e7306

SHA1
3f274e7b3bea6df2c08b6a40969cff91162991d5

SHA256
44c6604c4d2415dde2a519245bbd29dcb94ae31785b80cbfeb81a9ac0c18451e

SHA512
3a5b8392c8949592cc781cffeaccf2694fdf711e5eb3495cf8583c4b01c8d1372f373336e7a48d65e060ce572cb87d962347c8121fe05c1d1feb1dd7ce86ed06

Download Submit
C:\Windows\system\cXBFatN.exe

Filesize
5.9MB

MD5
24ae2968fcd613b459686bfc5956ff8a

SHA1
8c3c6db58a50be1750eb13a5d8ffe94e227ec78c

SHA256
5a6931a0fe983335ddbefb37d07270e7e96be71af5ce961517df02449ab7c684

SHA512
50a534f767c06b38f993c232a833e5d1a39423e9eaa1e418d357553d01a45b6b90981ada754942cb102814cb4af92ca265416e2de1d6cd819f840136e6c314d5

Download Submit
C:\Windows\system\gyViuGx.exe

Filesize
5.9MB

MD5
aedd9b8d4021e7d781601fb0da516a76

SHA1
33d5229258d31a2ee04456df7a0b61b3af746915

SHA256
a16eb87c57bb73fced357204cdb65adf13a875e9f664ba4322d77a104eda346a

SHA512
9155aec450c060c20dd07ff3e7c2ce1e634bda8ba3170f9bb61d4e924230b8d0f09a9cfbbf2f8a3730a630198783cbf82c1c80d245c54632d756ed2548d2b7b9

Download Submit
C:\Windows\system\kpFwBeB.exe

Filesize
5.9MB

MD5
df89b658a08098097ee1f4f73217cfe0

SHA1
766c017e2e8587e43751a347039e48e686063ad9

SHA256
118514f8699f58eb0f9623abf57fa28d93c15db8ffe4f47e49900e9236e857b6

SHA512
d8a1c7bdfde5cf0f93a880ad09adb2f7e911c52e4b145926851e927717e6bd01dd6dbbfafcbb7a7ca02adc1a6debf8593110ad9ee5ce0937197ccbbb59f3a38e

Download Submit
\Windows\system\UTegQrT.exe

Filesize
5.9MB

MD5
1b27fddfc889478e9d11826224b4ffdf

SHA1
ba37a10820f4a0d334073295f7bed8ad095d1503

SHA256
7faca3c071b318799c4c02111c9d394a175a8a1e27ea7afae1bc37a0b65b73b3

SHA512
b1a61c9db542b36d731a0bb80100897794453e82322398cee252b55b769c178bda9860f52b890bee85694639371d3e8d61c57b2baec0a48abe2d48e5d9d22e52

Download Submit
\Windows\system\YOxhOaA.exe

Filesize
5.9MB

MD5
d99712d0ccc1ae82a66843021c89f1f2

SHA1
0ee2d319c88fd9f340561b16ab71df25e3b8a0d6

SHA256
727bc32cb8fa898c48acd2c989866903c619ad5634e71a506b3e3526a41b4251

SHA512
fad9652c3786ffde5482910b46dc923a185bda8536c7e8d52f6113f4b360edbddf27b4f3a6d904d15e8ab51ac31ea377ab0313457f0ef96ec615d6af69d8a2a2

Download Submit
\Windows\system\fuNBeLW.exe

Filesize
5.9MB

MD5
7d02361193ac7fe23f8a3b093a499e76

SHA1
11b5958002fddb2686597694014340d99a318c57

SHA256
774a37074fbdf8169b94f1bc8a25fdb9cd8f15ba1e29eaa2ca2e47f6626cf429

SHA512
00beebab15c62bdd01c1923768f33756f72b6ba64557cf8b6d7a8bc026556c13a62de7ae5b36e5a0ef6d487cb80e26a361e6e0724127c410a0ae8d9f1bb589b1

Download Submit
\Windows\system\gYBWYzD.exe

Filesize
5.9MB

MD5
808417ba099ef18aaa859e3c1b9e0bb5

SHA1
bff0b5abe413f683050f6fae6a1edb068d346af8

SHA256
c63d240ead668aeefe3186fd10ac178feece52afb38196b10a82bf6f6b3569d4

SHA512
75666164b58540254e7908375f9202e92c4246d7379b55aeded29105a7ad8373f89a1b66337d8a6ca90e11e4d08547584f3ba44e377e8f80db844cec6bc856b3

Download Submit
memory/340-154-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/340-105-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/340-141-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/1280-153-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/1280-89-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/1280-138-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/1700-146-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/1700-39-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/1708-15-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1708-142-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-103-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2064-145-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2064-31-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2244-99-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2244-27-0x000000013F7C0000-0x000000013FB14000-memory.dmp

Filesize
3.3MB

Download
memory/2244-54-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2244-104-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-36-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2244-63-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2244-40-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-19-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-102-0x000000013F510000-0x000000013F864000-memory.dmp

Filesize
3.3MB

Download
memory/2244-8-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-140-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-139-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2244-29-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2244-101-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2244-81-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2244-2-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2244-91-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-0-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2244-136-0x0000000002410000-0x0000000002764000-memory.dmp

Filesize
3.3MB

Download
memory/2384-144-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-32-0x000000013F670000-0x000000013F9C4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-151-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-70-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-43-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-148-0x000000013F8A0000-0x000000013FBF4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-137-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2636-86-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2636-152-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2656-143-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2656-35-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2688-150-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2688-64-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2692-57-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2692-149-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/2784-147-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/2784-53-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download