cobaltstrike | dba9d743d7a323673eb6d71e80ffdf19e117f8e1decb3b5bd6469004b0c6b731

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

10db1a2ff1aebf81b9b094e671f01a4c
SHA1

15984de7d4c800d6c3cf564bab9c0bdefec96840
SHA256

dba9d743d7a323673eb6d71e80ffdf19e117f8e1decb3b5bd6469004b0c6b731
SHA512

e810e5c81bfeb2aad0ed3b5ba52b52bcd5e96e9f6068d8e3fe747993af6604c56ab753ea90e1791e651f7f1f7d527f7e57b5eae19492fea0af7f754d54c9d294
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU9:Q+u56utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012269-3.dat	cobalt_reflective_dll
behavioral1/files/0x002b00000001454e-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014fc0-23.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000153d0-34.dat	cobalt_reflective_dll
behavioral1/files/0x000c0000000149ec-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cf2-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb9-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cfc-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cd2-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015cb2-53.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015602-42.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015329-32.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000014ed9-11.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015dc5-97.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f1f-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016096-129.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000162fd-139.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016231-134.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ff4-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015eb5-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e85-108.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012269-3.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x002b00000001454e-9.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000014fc0-23.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00070000000153d0-34.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x000c0000000149ec-74.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cf2-79.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb9-78.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cfc-85.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cd2-65.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015cb2-53.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000015602-42.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0007000000015329-32.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0009000000014ed9-11.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015dc5-97.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015f1f-119.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016096-129.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x00060000000162fd-139.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000016231-134.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015ff4-124.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015eb5-114.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/files/0x0006000000015e85-108.dat	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 55 IoCs

resource	yara_rule
behavioral1/memory/2236-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/files/0x000b000000012269-3.dat	UPX
behavioral1/memory/2140-8-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/files/0x002b00000001454e-9.dat	UPX
behavioral1/memory/2732-22-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/files/0x0007000000014fc0-23.dat	UPX
behavioral1/files/0x00070000000153d0-34.dat	UPX
behavioral1/files/0x000c0000000149ec-74.dat	UPX
behavioral1/memory/2236-86-0x000000013F7F0000-0x000000013FB44000-memory.dmp	UPX
behavioral1/memory/3004-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2480-83-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/2844-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2652-81-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
behavioral1/files/0x0006000000015cf2-79.dat	UPX
behavioral1/files/0x0006000000015cb9-78.dat	UPX
behavioral1/files/0x0006000000015cfc-85.dat	UPX
behavioral1/memory/2536-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/2524-67-0x000000013FA00000-0x000000013FD54000-memory.dmp	UPX
behavioral1/files/0x0006000000015cd2-65.dat	UPX
behavioral1/memory/2624-28-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/files/0x0006000000015cb2-53.dat	UPX
behavioral1/memory/1752-51-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2716-43-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/files/0x0009000000015602-42.dat	UPX
behavioral1/files/0x0007000000015329-32.dat	UPX
behavioral1/memory/2044-15-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/files/0x0009000000014ed9-11.dat	UPX
behavioral1/memory/2796-96-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/files/0x0006000000015dc5-97.dat	UPX
behavioral1/memory/1752-104-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/files/0x0006000000015f1f-119.dat	UPX
behavioral1/files/0x0006000000016096-129.dat	UPX
behavioral1/files/0x00060000000162fd-139.dat	UPX
behavioral1/files/0x0006000000016231-134.dat	UPX
behavioral1/files/0x0006000000015ff4-124.dat	UPX
behavioral1/files/0x0006000000015eb5-114.dat	UPX
behavioral1/memory/2860-105-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX
behavioral1/memory/2624-100-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/files/0x0006000000015e85-108.dat	UPX
behavioral1/memory/2044-90-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/3004-141-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2140-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2044-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	UPX
behavioral1/memory/2732-146-0x000000013F980000-0x000000013FCD4000-memory.dmp	UPX
behavioral1/memory/2716-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	UPX
behavioral1/memory/2624-148-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2524-150-0x000000013FA00000-0x000000013FD54000-memory.dmp	UPX
behavioral1/memory/2536-151-0x000000013F380000-0x000000013F6D4000-memory.dmp	UPX
behavioral1/memory/1752-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp	UPX
behavioral1/memory/2844-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	UPX
behavioral1/memory/2652-152-0x000000013F390000-0x000000013F6E4000-memory.dmp	UPX
behavioral1/memory/2480-154-0x000000013F4E0000-0x000000013F834000-memory.dmp	UPX
behavioral1/memory/3004-156-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
behavioral1/memory/2796-155-0x000000013FC50000-0x000000013FFA4000-memory.dmp	UPX
behavioral1/memory/2860-157-0x000000013FCF0000-0x0000000140044000-memory.dmp	UPX

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral1/memory/2236-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/files/0x000b000000012269-3.dat	xmrig
behavioral1/memory/2140-8-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/files/0x002b00000001454e-9.dat	xmrig
behavioral1/memory/2732-22-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/files/0x0007000000014fc0-23.dat	xmrig
behavioral1/files/0x00070000000153d0-34.dat	xmrig
behavioral1/files/0x000c0000000149ec-74.dat	xmrig
behavioral1/memory/2236-87-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2236-86-0x000000013F7F0000-0x000000013FB44000-memory.dmp	xmrig
behavioral1/memory/3004-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2480-83-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2844-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2652-81-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cf2-79.dat	xmrig
behavioral1/files/0x0006000000015cb9-78.dat	xmrig
behavioral1/files/0x0006000000015cfc-85.dat	xmrig
behavioral1/memory/2536-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2236-68-0x0000000002360000-0x00000000026B4000-memory.dmp	xmrig
behavioral1/memory/2524-67-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cd2-65.dat	xmrig
behavioral1/memory/2624-28-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/files/0x0006000000015cb2-53.dat	xmrig
behavioral1/memory/1752-51-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2716-43-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015602-42.dat	xmrig
behavioral1/files/0x0007000000015329-32.dat	xmrig
behavioral1/memory/2044-15-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/files/0x0009000000014ed9-11.dat	xmrig
behavioral1/memory/2796-96-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000015dc5-97.dat	xmrig
behavioral1/memory/1752-104-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/files/0x0006000000015f1f-119.dat	xmrig
behavioral1/files/0x0006000000016096-129.dat	xmrig
behavioral1/files/0x00060000000162fd-139.dat	xmrig
behavioral1/files/0x0006000000016231-134.dat	xmrig
behavioral1/files/0x0006000000015ff4-124.dat	xmrig
behavioral1/files/0x0006000000015eb5-114.dat	xmrig
behavioral1/memory/2860-105-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2624-100-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/files/0x0006000000015e85-108.dat	xmrig
behavioral1/memory/2044-90-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/3004-141-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2236-142-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/2140-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2044-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2732-146-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2716-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2624-148-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2524-150-0x000000013FA00000-0x000000013FD54000-memory.dmp	xmrig
behavioral1/memory/2536-151-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/1752-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp	xmrig
behavioral1/memory/2844-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2652-152-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2480-154-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/3004-156-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2796-155-0x000000013FC50000-0x000000013FFA4000-memory.dmp	xmrig
behavioral1/memory/2860-157-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2140	kLqspAG.exe
2044	GvrKbGr.exe
2732	iulQvma.exe
2624	hkSZbln.exe
2716	dqRQFZq.exe
1752	yFICKqB.exe
2524	WZCUEzP.exe
2536	CBLMcRv.exe
2652	ARYaHKy.exe
2844	bRdpUeH.exe
2480	dSqSNYA.exe
3004	ixMfKnw.exe
2796	yhdFJSB.exe
2860	QrpTOwK.exe
1240	KjxvxEM.exe
1536	eEOoWvY.exe
1316	CemgflX.exe
2040	LvBuXQE.exe
1824	lbJpFjm.exe
1140	wMLDdZU.exe
1500	QQEDGGL.exe

Loads dropped DLL 21 IoCs

pid	Process
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/files/0x000b000000012269-3.dat	upx
behavioral1/memory/2140-8-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/files/0x002b00000001454e-9.dat	upx
behavioral1/memory/2732-22-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/files/0x0007000000014fc0-23.dat	upx
behavioral1/files/0x00070000000153d0-34.dat	upx
behavioral1/files/0x000c0000000149ec-74.dat	upx
behavioral1/memory/2236-86-0x000000013F7F0000-0x000000013FB44000-memory.dmp	upx
behavioral1/memory/3004-84-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2480-83-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2844-82-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2652-81-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/files/0x0006000000015cf2-79.dat	upx
behavioral1/files/0x0006000000015cb9-78.dat	upx
behavioral1/files/0x0006000000015cfc-85.dat	upx
behavioral1/memory/2536-71-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2524-67-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/files/0x0006000000015cd2-65.dat	upx
behavioral1/memory/2624-28-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/files/0x0006000000015cb2-53.dat	upx
behavioral1/memory/1752-51-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2716-43-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/files/0x0009000000015602-42.dat	upx
behavioral1/files/0x0007000000015329-32.dat	upx
behavioral1/memory/2044-15-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/files/0x0009000000014ed9-11.dat	upx
behavioral1/memory/2796-96-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/files/0x0006000000015dc5-97.dat	upx
behavioral1/memory/1752-104-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/files/0x0006000000015f1f-119.dat	upx
behavioral1/files/0x0006000000016096-129.dat	upx
behavioral1/files/0x00060000000162fd-139.dat	upx
behavioral1/files/0x0006000000016231-134.dat	upx
behavioral1/files/0x0006000000015ff4-124.dat	upx
behavioral1/files/0x0006000000015eb5-114.dat	upx
behavioral1/memory/2860-105-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/2624-100-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/files/0x0006000000015e85-108.dat	upx
behavioral1/memory/2044-90-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/3004-141-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2140-144-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2044-145-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2732-146-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2716-147-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2624-148-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2524-150-0x000000013FA00000-0x000000013FD54000-memory.dmp	upx
behavioral1/memory/2536-151-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1752-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp	upx
behavioral1/memory/2844-153-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2652-152-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2480-154-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/3004-156-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2796-155-0x000000013FC50000-0x000000013FFA4000-memory.dmp	upx
behavioral1/memory/2860-157-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iulQvma.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dqRQFZq.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yFICKqB.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\yhdFJSB.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QrpTOwK.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\lbJpFjm.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\hkSZbln.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\bRdpUeH.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\KjxvxEM.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\dSqSNYA.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CemgflX.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\LvBuXQE.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\wMLDdZU.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\QQEDGGL.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\kLqspAG.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GvrKbGr.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ARYaHKy.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\WZCUEzP.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\CBLMcRv.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ixMfKnw.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\eEOoWvY.exe	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	29
PID 2236 wrote to memory of 2140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	29
PID 2236 wrote to memory of 2140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	29
PID 2236 wrote to memory of 2044	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	30
PID 2236 wrote to memory of 2044	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	30
PID 2236 wrote to memory of 2044	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	30
PID 2236 wrote to memory of 2732	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	31
PID 2236 wrote to memory of 2732	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	31
PID 2236 wrote to memory of 2732	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	31
PID 2236 wrote to memory of 2624	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	32
PID 2236 wrote to memory of 2624	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	32
PID 2236 wrote to memory of 2624	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	32
PID 2236 wrote to memory of 2716	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	33
PID 2236 wrote to memory of 2716	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	33
PID 2236 wrote to memory of 2716	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	33
PID 2236 wrote to memory of 2652	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	34
PID 2236 wrote to memory of 2652	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	34
PID 2236 wrote to memory of 2652	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	34
PID 2236 wrote to memory of 1752	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	35
PID 2236 wrote to memory of 1752	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	35
PID 2236 wrote to memory of 1752	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	35
PID 2236 wrote to memory of 2844	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	36
PID 2236 wrote to memory of 2844	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	36
PID 2236 wrote to memory of 2844	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	36
PID 2236 wrote to memory of 2524	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	37
PID 2236 wrote to memory of 2524	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	37
PID 2236 wrote to memory of 2524	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	37
PID 2236 wrote to memory of 2480	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	38
PID 2236 wrote to memory of 2480	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	38
PID 2236 wrote to memory of 2480	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	38
PID 2236 wrote to memory of 2536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	39
PID 2236 wrote to memory of 2536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	39
PID 2236 wrote to memory of 2536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	39
PID 2236 wrote to memory of 3004	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	40
PID 2236 wrote to memory of 3004	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	40
PID 2236 wrote to memory of 3004	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	40
PID 2236 wrote to memory of 2796	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	41
PID 2236 wrote to memory of 2796	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	41
PID 2236 wrote to memory of 2796	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	41
PID 2236 wrote to memory of 2860	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	42
PID 2236 wrote to memory of 2860	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	42
PID 2236 wrote to memory of 2860	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	42
PID 2236 wrote to memory of 1240	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	43
PID 2236 wrote to memory of 1240	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	43
PID 2236 wrote to memory of 1240	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	43
PID 2236 wrote to memory of 1536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	44
PID 2236 wrote to memory of 1536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	44
PID 2236 wrote to memory of 1536	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	44
PID 2236 wrote to memory of 1316	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	45
PID 2236 wrote to memory of 1316	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	45
PID 2236 wrote to memory of 1316	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	45
PID 2236 wrote to memory of 2040	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	46
PID 2236 wrote to memory of 2040	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	46
PID 2236 wrote to memory of 2040	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	46
PID 2236 wrote to memory of 1824	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	47
PID 2236 wrote to memory of 1824	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	47
PID 2236 wrote to memory of 1824	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	47
PID 2236 wrote to memory of 1140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	48
PID 2236 wrote to memory of 1140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	48
PID 2236 wrote to memory of 1140	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	48
PID 2236 wrote to memory of 1500	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	49
PID 2236 wrote to memory of 1500	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	49
PID 2236 wrote to memory of 1500	2236	2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_10db1a2ff1aebf81b9b094e671f01a4c_cobalt-strike_cobaltstrike.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System\kLqspAG.exe
  C:\Windows\System\kLqspAG.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\GvrKbGr.exe
  C:\Windows\System\GvrKbGr.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\iulQvma.exe
  C:\Windows\System\iulQvma.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\hkSZbln.exe
  C:\Windows\System\hkSZbln.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\dqRQFZq.exe
  C:\Windows\System\dqRQFZq.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\ARYaHKy.exe
  C:\Windows\System\ARYaHKy.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\yFICKqB.exe
  C:\Windows\System\yFICKqB.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\bRdpUeH.exe
  C:\Windows\System\bRdpUeH.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\WZCUEzP.exe
  C:\Windows\System\WZCUEzP.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\dSqSNYA.exe
  C:\Windows\System\dSqSNYA.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\CBLMcRv.exe
  C:\Windows\System\CBLMcRv.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\ixMfKnw.exe
  C:\Windows\System\ixMfKnw.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\yhdFJSB.exe
  C:\Windows\System\yhdFJSB.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\QrpTOwK.exe
  C:\Windows\System\QrpTOwK.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\KjxvxEM.exe
  C:\Windows\System\KjxvxEM.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\eEOoWvY.exe
  C:\Windows\System\eEOoWvY.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\CemgflX.exe
  C:\Windows\System\CemgflX.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\LvBuXQE.exe
  C:\Windows\System\LvBuXQE.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\lbJpFjm.exe
  C:\Windows\System\lbJpFjm.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\wMLDdZU.exe
  C:\Windows\System\wMLDdZU.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\QQEDGGL.exe
  C:\Windows\System\QQEDGGL.exe
  2⤵
  - Executes dropped EXE
  PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CBLMcRv.exe

Filesize
5.9MB

MD5
f95bcada27c8f7085190a1d7f62e545d

SHA1
2575e55ee405ab83a4a4d7ff8bce80ad7e0a9b8b

SHA256
135f0177ee0003a1eeead8654d15de51bb474b74ff7daa1cad28912173ddc8c9

SHA512
9f9eb96bd238f3e98d31784ceec3aee6054b7a98fa12439db3e3a67b467916b9345ff891a19b93c1091fe8571acb3ac4974681dc0713ef73d1e052ff42ddb4c3

Download Submit
C:\Windows\system\CemgflX.exe

Filesize
5.9MB

MD5
3cadc137c7b0774ebebd52f11c11d761

SHA1
49d470300b271daad537e3920482068d976d2fa0

SHA256
175ea6b4689a61817acd7bf22ec340a5e625892b5c41063518fb9aa7a31a4a38

SHA512
e008e0dd4a8b079a8c88df669d88129efc951f5c943e1ec5975d01ebd9071b45b2c1ec7104b313e3900392935012ccf2027efe339e34a9deac036e3af09d3cd2

Download Submit
C:\Windows\system\KjxvxEM.exe

Filesize
5.9MB

MD5
765e1e7e4bc1fbe156202f7fc1df1979

SHA1
0a3c9cc1aaaaaaa7ac2fb4c6770bc8a1a101b8eb

SHA256
568ca9341c721b31de3c3694654bf80391156a6041991001ae05519134f715be

SHA512
a3f865d90482063daf6a1ae6f79ecb7737e8d09bac94f4946c93455b04b036fcbd3ce1a806cd87242e69caffdff1d8546c2f1cdc256b31c45d3cb82c977f2209

Download Submit
C:\Windows\system\LvBuXQE.exe

Filesize
5.9MB

MD5
ef1fdc6b4c6f160fb47f7930442f2833

SHA1
8a963c94cf7f2c05de2d684d64f14ad14cf65648

SHA256
8e12cc2a97eafdc854634d46fac092326549bf95e6b29032318539aaeea61642

SHA512
dc79f46e37090b96c0b49b29bace6789add4b1063353727c773cbcb01db6b8d5d90135d4d912dc1bf4bb40ef9649be880e00e4269d4cb17a94bfeed38282f080

Download Submit
C:\Windows\system\QQEDGGL.exe

Filesize
5.9MB

MD5
8a27d50b82a17bdc40d2825d6f91ecf1

SHA1
a2deffaee5e40d8c5ccf272e883e6635a68f9fa2

SHA256
8913da1270a28d8853ca56e78554a60535fef69b4f9898b4691bfb367317b704

SHA512
bf910ab2ddd459a2dc085d1c0e38797d5e0dedc28175ede8e15366656d9ee088ee98ed397e941d43503784c620c669e351e7f0204f565df47c80e8310e388f38

Download Submit
C:\Windows\system\WZCUEzP.exe

Filesize
5.9MB

MD5
e881e910e10150ae335ae2018ac81758

SHA1
d0493805abb3b09969c673c114b32ada308368ba

SHA256
fc820ef0f447e9ac0e38a79d3071a104fb75c3be697dbc7d095046267d9097bf

SHA512
40ad3fac50228f81815e705f7194b0c828d32eb724cd19b35155fa53304e25e28239d1be0e04ab783aabdde7e6daac6fe8caf2776a11dfc43f995fef8b0289bb

Download Submit
C:\Windows\system\bRdpUeH.exe

Filesize
5.9MB

MD5
688765b8b0e4702ccb0dc0d68fc80a9e

SHA1
b63dfcbdddab9d629902a49fd560a3b204267aea

SHA256
8a04f85a4043b131a223401fb9731a8dc87564c4ace060f31dacd39cbed4940c

SHA512
15c9247c8219da855d605f869de09cafc6469c04212e14741d024f02571c2c2274b975d4624d9351e967995ed4a190aae07e77c3c0f11e7e55ecfc493a7336ce

Download Submit
C:\Windows\system\dSqSNYA.exe

Filesize
5.9MB

MD5
664271075c2b260af5748978117dd19e

SHA1
c6e8d86f00dd994a390ccf790771c360d2d673cf

SHA256
7cf20a98627df1666311503596f63b61adb325d45d2d361585f68a5890c76372

SHA512
f932fa97f8e7529658afadc7d0ee94a0606b16dcd8bf08ef6a795f5dba9c504f1575dca550391ed00f85bc30ebe1cdfde4a860da17177aaac415d712d5d9810b

Download Submit
C:\Windows\system\dqRQFZq.exe

Filesize
5.9MB

MD5
2f0c9efb79a2bc61ba2fc6b151f474d9

SHA1
34b175736b1f73a6185ce9a27129354ee3b13402

SHA256
a57702b62754baf96699460d6dddaffcba2642c10a94340614df833cfa3a28b9

SHA512
03f158553394c519d08e449d29dd76eb418115987318281a48d8a0b9f94b988ab0e89e268b6e6d6142c70861aae0ccb96aefff6880397590d83e1295b1ddf83d

Download Submit
C:\Windows\system\eEOoWvY.exe

Filesize
5.9MB

MD5
1bf7b23648112161745f56d82b8cbfe4

SHA1
88e8fa38eca823000fd1b1f9ce3392aad727c11a

SHA256
309d726633633c9699deda44bd836586e093467c14dda3e6f6cc60be2d97080e

SHA512
a0271e087a7f9ba5de68e1e3e28c936952b3a2ec872626dce1460daedada87e46255e10e26057ab096d9ac624b775b0f295938447b78ddcd131dce263f3ef864

Download Submit
C:\Windows\system\iulQvma.exe

Filesize
5.9MB

MD5
92ff0ee7b9205beb7acdc4a858412404

SHA1
dc010bedca91e93822e63a1d81df57850d6f9197

SHA256
6d680418228559477a70f2198dc6bd131be36fc26ac1ea141377f40553613a2a

SHA512
b0ad79c7819887fa7aab2a76c037fb2f376d214f87bc3580a64bc9acf048ad919c61c5d122e1e63fe54bf9cef40a0b46cdf5b5618ed1d548f4a4d4e018c56df2

Download Submit
C:\Windows\system\ixMfKnw.exe

Filesize
5.9MB

MD5
b62eecc73e148a43a69edbd5062e9c5e

SHA1
833ede705eef8d8a2dc8bf141f5a353cf741916b

SHA256
831d7eca7e133770f14d8981a56a1ffdd03de728a92116b14ce51f2cfd080056

SHA512
2887fb4f9a2aadfe555e4c30bec78d2344f024009e6fc43b82efc496d21ce0dd960316b3d569eaac9652ffefc9ccd790324436d833c9bb68f18421bb9df0b51d

Download Submit
C:\Windows\system\lbJpFjm.exe

Filesize
5.9MB

MD5
6ebe917d85e7216a13a6f29641fb1f04

SHA1
fce32ad0522da91e823f8842822af605ff989fb9

SHA256
f1c15ab70af17e2257f80d5ee5893179fb352de520dce3e26c940ae2dc4fd9bf

SHA512
c982fa4923a0fc98d91875ec90ec03e71fa2859f4c78c249ee0584636168e31a87fcaf42bd26a0edfd1ac976230ed331ae3c1e1453f7d0487f9ab6ceeebec2df

Download Submit
C:\Windows\system\wMLDdZU.exe

Filesize
5.9MB

MD5
a9e2aa563da5f35cb5c7f0565d4057f7

SHA1
a7d1bb9da1cd6521fc8d2946ba77adc754f28716

SHA256
a5e62a891fb9ffdee6d9a4c1baf72c5fdaa8aa4e1e8c29541a3ba4a6931800c0

SHA512
97e9c3b4676f102a5eb81950cc7f001321a07fd0163f7e3fec77d47420899eeee10f3b589222607e1db95c7394682a5e0c165c5d3c073aebd2413768dd10ea91

Download Submit
C:\Windows\system\yFICKqB.exe

Filesize
5.9MB

MD5
c00941995592824e147fd8f40b8ca80f

SHA1
6426a28a8c336ec97abafa1cb8a6a79d123786f1

SHA256
4cecef458bf35bd8411d674c3d6f4ff8ef76f489f1d1e7310d634e5c748a44da

SHA512
7f52f607b6ac6f5dcb786abb8f3d5507712ad17de04c32947fddb34a00772cf68dfce322b244eb658f95852dcdaac7d8f1f3f0d090cbe9583a46193c9a6524a1

Download Submit
\Windows\system\ARYaHKy.exe

Filesize
5.9MB

MD5
e42a02019b6eed86786cdac64e6e125f

SHA1
ea842f5615e179730c93e1703c18c7eea5d2db84

SHA256
8cc11eb100a3124b487a08c352a48f345aea482fa902618bdf5d6bbf2f5c144e

SHA512
dcac89e5b3ca489637f3a7edc2f93029e7114f0ad10228ea2b28a14ee6e58d3a61266bedae6dfd3a36cecd3348a7b6dd1380709f72d4357bd815ff74108a80f0

Download Submit
\Windows\system\GvrKbGr.exe

Filesize
5.9MB

MD5
2ee5bceaacba67839d2370b2f46b2bf5

SHA1
d6fba01d36161378b46b19e1366dbc4fa1ed62fa

SHA256
b3268246f67709eac0bf0ab6b239e37db7313186cc252af2987e9eccdd5b85d5

SHA512
17c25e7df47040474af123ea020dece0911180c91e244a277a107094ed2ce9a10f3c7d2a8f70bed101d0e1750d8a706d537ded55dd7e08f4a56127ab6d7c7947

Download Submit
\Windows\system\QrpTOwK.exe

Filesize
5.9MB

MD5
e6ee36ce916d4fc0ccc3e059dba4068d

SHA1
adafc038066ee816f319df0a7d2f1d74b98b1faf

SHA256
a22548e82a8812d49d15a91546ba12e326b1fb1457518c73074153712afd7d55

SHA512
6a42b1621cc05729e0f0502b753c0d1cd02f278215ddb10afba3c4f5ebd27381e15eca9bf23ec0589847eb48906c038ff9cb2d4d297eec72b80b3abc64fd8f4f

Download Submit
\Windows\system\hkSZbln.exe

Filesize
5.9MB

MD5
b533e05d5541e835ac424f080a11ef2a

SHA1
0d7636029e31cda5013b4694d318ae3160944501

SHA256
00ea042d815f234c1a0a30ce485d123c64e1c0c977646f22eb9e3cf816054824

SHA512
0db9ecce92bddb73b6886cc540ac6586fdf037598b1f34181d00c7c16bee7e43232c6ba3a2d6e25f1421596f0397038798bd29fd1b2328d4d6faaf6670283b41

Download Submit
\Windows\system\kLqspAG.exe

Filesize
5.9MB

MD5
7d1e776905519ea65a9ecea674b4d4dd

SHA1
e8839f9b00188d0cd1540f4d1f422f28bb6ed4b1

SHA256
0ecd9d7858008e65b650f1649b623783c114a8defe9d81eb3bd4ca92dfd42244

SHA512
4c59353b4203e239c1f25a87c20586ef332a179425ff668dbcaf71b45b4b5f28d89ff7b278489d143efde06c294c14f922c8a0540cd5f6f94012cdd51a1b2354

Download Submit
\Windows\system\yhdFJSB.exe

Filesize
5.9MB

MD5
01e1b9fea96a0ac37a49739533ca7ae5

SHA1
a870e231032ba85a73868fe07d4e13164d3471a1

SHA256
466b45505eb2c713aca4245bc504c3891e3405e3ed2396649ce80553831308fa

SHA512
1fa885730250ebf968a41b43a4699ea47ecd0f085b4e2700262fbc7c9cf5564fda9a717c91f41eee0b616141d6f11a48e46a12e0e977cc57163a23a7e4cd67f0

Download Submit
memory/1752-51-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/1752-104-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/1752-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2044-90-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2044-145-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2044-15-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2140-8-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-144-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-87-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-111-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2236-143-0x000000013F0B0000-0x000000013F404000-memory.dmp

Filesize
3.3MB

Download
memory/2236-45-0x000000013FBC0000-0x000000013FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2236-44-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-142-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2236-0-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2236-39-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-88-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-57-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-13-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2236-27-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2236-89-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2236-64-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2236-86-0x000000013F7F0000-0x000000013FB44000-memory.dmp

Filesize
3.3MB

Download
memory/2236-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2236-102-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2236-70-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-21-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-68-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-69-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2480-83-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2480-154-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2524-67-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2524-150-0x000000013FA00000-0x000000013FD54000-memory.dmp

Filesize
3.3MB

Download
memory/2536-151-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-71-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2624-100-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2624-28-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2624-148-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2652-81-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-152-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-147-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-43-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-146-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-22-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-96-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-155-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-82-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2844-153-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2860-105-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2860-157-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/3004-84-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/3004-141-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/3004-156-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download