cobaltstrike | 2422aef9cf3190afce395339bf0d4e2e7d839ac42fa2834fa3291359f4d1fb65

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-06-2024 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
Size

5.9MB
MD5

71be850cd8258a726b38ed6fecc33993
SHA1

ae4955f9cbe5dbf6d13a818a47258ab90e72667a
SHA256

2422aef9cf3190afce395339bf0d4e2e7d839ac42fa2834fa3291359f4d1fb65
SHA512

e3ad57ef2e8ad6e4f1c89dfa333d8729e1792b90046b4c3b53b0653237d0212cb03b8ed63602912e4b4a77d11d3f90da62fedac9d0f27b79d9d115e1959ec59d
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUb:Q+u56utgpPF8u/7b

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GzNzwus.exe	cobalt_reflective_dll
C:\Windows\System\arUDXfO.exe	cobalt_reflective_dll
C:\Windows\System\AizELIQ.exe	cobalt_reflective_dll
C:\Windows\System\smDYNMw.exe	cobalt_reflective_dll
C:\Windows\System\sAFyEOm.exe	cobalt_reflective_dll
C:\Windows\System\IGoTktE.exe	cobalt_reflective_dll
C:\Windows\System\xyUHqzn.exe	cobalt_reflective_dll
C:\Windows\System\IdvAJrM.exe	cobalt_reflective_dll
C:\Windows\System\aHIhIiU.exe	cobalt_reflective_dll
C:\Windows\System\YzQgKor.exe	cobalt_reflective_dll
C:\Windows\System\HIIGTyK.exe	cobalt_reflective_dll
C:\Windows\System\AKwtPpf.exe	cobalt_reflective_dll
C:\Windows\System\EeaRQBE.exe	cobalt_reflective_dll
C:\Windows\System\GCrHplS.exe	cobalt_reflective_dll
C:\Windows\System\teYwCrx.exe	cobalt_reflective_dll
C:\Windows\System\DIPybji.exe	cobalt_reflective_dll
C:\Windows\System\ThHsZCO.exe	cobalt_reflective_dll
C:\Windows\System\AGElxSy.exe	cobalt_reflective_dll
C:\Windows\System\SkZeOio.exe	cobalt_reflective_dll
C:\Windows\System\sjVygAS.exe	cobalt_reflective_dll
C:\Windows\System\oOUFXQt.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\GzNzwus.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\arUDXfO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AizELIQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\smDYNMw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sAFyEOm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IGoTktE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xyUHqzn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IdvAJrM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aHIhIiU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YzQgKor.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HIIGTyK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AKwtPpf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EeaRQBE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GCrHplS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\teYwCrx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DIPybji.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ThHsZCO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AGElxSy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SkZeOio.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sjVygAS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oOUFXQt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	UPX
C:\Windows\System\GzNzwus.exe	UPX
behavioral2/memory/464-8-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	UPX
C:\Windows\System\arUDXfO.exe	UPX
C:\Windows\System\AizELIQ.exe	UPX
behavioral2/memory/2868-14-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	UPX
behavioral2/memory/1380-20-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	UPX
C:\Windows\System\smDYNMw.exe	UPX
behavioral2/memory/4212-26-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	UPX
C:\Windows\System\sAFyEOm.exe	UPX
C:\Windows\System\IGoTktE.exe	UPX
behavioral2/memory/4992-37-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	UPX
C:\Windows\System\xyUHqzn.exe	UPX
behavioral2/memory/3784-41-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	UPX
behavioral2/memory/2980-42-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	UPX
C:\Windows\System\IdvAJrM.exe	UPX
behavioral2/memory/4080-50-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	UPX
C:\Windows\System\aHIhIiU.exe	UPX
behavioral2/memory/4500-56-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	UPX
C:\Windows\System\YzQgKor.exe	UPX
behavioral2/memory/1016-62-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	UPX
behavioral2/memory/3672-66-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	UPX
C:\Windows\System\HIIGTyK.exe	UPX
C:\Windows\System\AKwtPpf.exe	UPX
behavioral2/memory/3016-67-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	UPX
behavioral2/memory/464-75-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	UPX
C:\Windows\System\EeaRQBE.exe	UPX
behavioral2/memory/2940-76-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	UPX
behavioral2/memory/3604-84-0x00007FF703220000-0x00007FF703574000-memory.dmp	UPX
C:\Windows\System\GCrHplS.exe	UPX
C:\Windows\System\teYwCrx.exe	UPX
behavioral2/memory/1124-93-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	UPX
C:\Windows\System\DIPybji.exe	UPX
behavioral2/memory/3440-94-0x00007FF782F40000-0x00007FF783294000-memory.dmp	UPX
C:\Windows\System\ThHsZCO.exe	UPX
behavioral2/memory/4592-106-0x00007FF713960000-0x00007FF713CB4000-memory.dmp	UPX
C:\Windows\System\AGElxSy.exe	UPX
behavioral2/memory/4100-111-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	UPX
behavioral2/memory/2980-110-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	UPX
C:\Windows\System\SkZeOio.exe	UPX
C:\Windows\System\sjVygAS.exe	UPX
C:\Windows\System\oOUFXQt.exe	UPX
behavioral2/memory/3716-109-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp	UPX
behavioral2/memory/3784-104-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	UPX
behavioral2/memory/1444-130-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp	UPX
behavioral2/memory/3280-131-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp	UPX
behavioral2/memory/2020-129-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp	UPX
behavioral2/memory/3016-132-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	UPX
behavioral2/memory/2940-133-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	UPX
behavioral2/memory/4100-134-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	UPX
behavioral2/memory/464-135-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	UPX
behavioral2/memory/2868-136-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	UPX
behavioral2/memory/1380-137-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	UPX
behavioral2/memory/4212-138-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	UPX
behavioral2/memory/4992-139-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	UPX
behavioral2/memory/3784-140-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	UPX
behavioral2/memory/2980-141-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	UPX
behavioral2/memory/4080-142-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	UPX
behavioral2/memory/4500-143-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	UPX
behavioral2/memory/1016-144-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	UPX
behavioral2/memory/3016-145-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	UPX
behavioral2/memory/2940-146-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	UPX
behavioral2/memory/3604-147-0x00007FF703220000-0x00007FF703574000-memory.dmp	UPX
behavioral2/memory/1124-149-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	xmrig
C:\Windows\System\GzNzwus.exe	xmrig
behavioral2/memory/464-8-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	xmrig
C:\Windows\System\arUDXfO.exe	xmrig
C:\Windows\System\AizELIQ.exe	xmrig
behavioral2/memory/2868-14-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	xmrig
behavioral2/memory/1380-20-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	xmrig
C:\Windows\System\smDYNMw.exe	xmrig
behavioral2/memory/4212-26-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	xmrig
C:\Windows\System\sAFyEOm.exe	xmrig
C:\Windows\System\IGoTktE.exe	xmrig
behavioral2/memory/4992-37-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	xmrig
C:\Windows\System\xyUHqzn.exe	xmrig
behavioral2/memory/3784-41-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	xmrig
behavioral2/memory/2980-42-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	xmrig
C:\Windows\System\IdvAJrM.exe	xmrig
behavioral2/memory/4080-50-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	xmrig
C:\Windows\System\aHIhIiU.exe	xmrig
behavioral2/memory/4500-56-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	xmrig
C:\Windows\System\YzQgKor.exe	xmrig
behavioral2/memory/1016-62-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	xmrig
behavioral2/memory/3672-66-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	xmrig
C:\Windows\System\HIIGTyK.exe	xmrig
C:\Windows\System\AKwtPpf.exe	xmrig
behavioral2/memory/3016-67-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	xmrig
behavioral2/memory/464-75-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	xmrig
C:\Windows\System\EeaRQBE.exe	xmrig
behavioral2/memory/2940-76-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	xmrig
behavioral2/memory/3604-84-0x00007FF703220000-0x00007FF703574000-memory.dmp	xmrig
C:\Windows\System\GCrHplS.exe	xmrig
C:\Windows\System\teYwCrx.exe	xmrig
behavioral2/memory/1124-93-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	xmrig
C:\Windows\System\DIPybji.exe	xmrig
behavioral2/memory/3440-94-0x00007FF782F40000-0x00007FF783294000-memory.dmp	xmrig
C:\Windows\System\ThHsZCO.exe	xmrig
behavioral2/memory/4592-106-0x00007FF713960000-0x00007FF713CB4000-memory.dmp	xmrig
C:\Windows\System\AGElxSy.exe	xmrig
behavioral2/memory/4100-111-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	xmrig
behavioral2/memory/2980-110-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	xmrig
C:\Windows\System\SkZeOio.exe	xmrig
C:\Windows\System\sjVygAS.exe	xmrig
C:\Windows\System\oOUFXQt.exe	xmrig
behavioral2/memory/3716-109-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp	xmrig
behavioral2/memory/3784-104-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	xmrig
behavioral2/memory/1444-130-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp	xmrig
behavioral2/memory/3280-131-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp	xmrig
behavioral2/memory/2020-129-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp	xmrig
behavioral2/memory/3016-132-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	xmrig
behavioral2/memory/2940-133-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	xmrig
behavioral2/memory/4100-134-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	xmrig
behavioral2/memory/464-135-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	xmrig
behavioral2/memory/2868-136-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	xmrig
behavioral2/memory/1380-137-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	xmrig
behavioral2/memory/4212-138-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	xmrig
behavioral2/memory/4992-139-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	xmrig
behavioral2/memory/3784-140-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	xmrig
behavioral2/memory/2980-141-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	xmrig
behavioral2/memory/4080-142-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	xmrig
behavioral2/memory/4500-143-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	xmrig
behavioral2/memory/1016-144-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	xmrig
behavioral2/memory/3016-145-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	xmrig
behavioral2/memory/2940-146-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	xmrig
behavioral2/memory/3604-147-0x00007FF703220000-0x00007FF703574000-memory.dmp	xmrig
behavioral2/memory/1124-149-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GzNzwus.exearUDXfO.exeAizELIQ.exesmDYNMw.exesAFyEOm.exeIGoTktE.exexyUHqzn.exeIdvAJrM.exeaHIhIiU.exeYzQgKor.exeHIIGTyK.exeAKwtPpf.exeEeaRQBE.exeteYwCrx.exeGCrHplS.exeDIPybji.exeThHsZCO.exeAGElxSy.exeSkZeOio.exeoOUFXQt.exesjVygAS.exe

pid	process
464	GzNzwus.exe
2868	arUDXfO.exe
1380	AizELIQ.exe
4212	smDYNMw.exe
4992	sAFyEOm.exe
3784	IGoTktE.exe
2980	xyUHqzn.exe
4080	IdvAJrM.exe
4500	aHIhIiU.exe
1016	YzQgKor.exe
3016	HIIGTyK.exe
2940	AKwtPpf.exe
3604	EeaRQBE.exe
1124	teYwCrx.exe
3440	GCrHplS.exe
4592	DIPybji.exe
3716	ThHsZCO.exe
4100	AGElxSy.exe
2020	SkZeOio.exe
1444	oOUFXQt.exe
3280	sjVygAS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3672-0-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	upx
C:\Windows\System\GzNzwus.exe	upx
behavioral2/memory/464-8-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	upx
C:\Windows\System\arUDXfO.exe	upx
C:\Windows\System\AizELIQ.exe	upx
behavioral2/memory/2868-14-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	upx
behavioral2/memory/1380-20-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	upx
C:\Windows\System\smDYNMw.exe	upx
behavioral2/memory/4212-26-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	upx
C:\Windows\System\sAFyEOm.exe	upx
C:\Windows\System\IGoTktE.exe	upx
behavioral2/memory/4992-37-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	upx
C:\Windows\System\xyUHqzn.exe	upx
behavioral2/memory/3784-41-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	upx
behavioral2/memory/2980-42-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	upx
C:\Windows\System\IdvAJrM.exe	upx
behavioral2/memory/4080-50-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	upx
C:\Windows\System\aHIhIiU.exe	upx
behavioral2/memory/4500-56-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	upx
C:\Windows\System\YzQgKor.exe	upx
behavioral2/memory/1016-62-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	upx
behavioral2/memory/3672-66-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp	upx
C:\Windows\System\HIIGTyK.exe	upx
C:\Windows\System\AKwtPpf.exe	upx
behavioral2/memory/3016-67-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	upx
behavioral2/memory/464-75-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	upx
C:\Windows\System\EeaRQBE.exe	upx
behavioral2/memory/2940-76-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	upx
behavioral2/memory/3604-84-0x00007FF703220000-0x00007FF703574000-memory.dmp	upx
C:\Windows\System\GCrHplS.exe	upx
C:\Windows\System\teYwCrx.exe	upx
behavioral2/memory/1124-93-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	upx
C:\Windows\System\DIPybji.exe	upx
behavioral2/memory/3440-94-0x00007FF782F40000-0x00007FF783294000-memory.dmp	upx
C:\Windows\System\ThHsZCO.exe	upx
behavioral2/memory/4592-106-0x00007FF713960000-0x00007FF713CB4000-memory.dmp	upx
C:\Windows\System\AGElxSy.exe	upx
behavioral2/memory/4100-111-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	upx
behavioral2/memory/2980-110-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	upx
C:\Windows\System\SkZeOio.exe	upx
C:\Windows\System\sjVygAS.exe	upx
C:\Windows\System\oOUFXQt.exe	upx
behavioral2/memory/3716-109-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp	upx
behavioral2/memory/3784-104-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	upx
behavioral2/memory/1444-130-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp	upx
behavioral2/memory/3280-131-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp	upx
behavioral2/memory/2020-129-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp	upx
behavioral2/memory/3016-132-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	upx
behavioral2/memory/2940-133-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	upx
behavioral2/memory/4100-134-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp	upx
behavioral2/memory/464-135-0x00007FF612CE0000-0x00007FF613034000-memory.dmp	upx
behavioral2/memory/2868-136-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp	upx
behavioral2/memory/1380-137-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp	upx
behavioral2/memory/4212-138-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp	upx
behavioral2/memory/4992-139-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp	upx
behavioral2/memory/3784-140-0x00007FF7434E0000-0x00007FF743834000-memory.dmp	upx
behavioral2/memory/2980-141-0x00007FF6394F0000-0x00007FF639844000-memory.dmp	upx
behavioral2/memory/4080-142-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp	upx
behavioral2/memory/4500-143-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp	upx
behavioral2/memory/1016-144-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp	upx
behavioral2/memory/3016-145-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp	upx
behavioral2/memory/2940-146-0x00007FF730680000-0x00007FF7309D4000-memory.dmp	upx
behavioral2/memory/3604-147-0x00007FF703220000-0x00007FF703574000-memory.dmp	upx
behavioral2/memory/1124-149-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe

description	ioc	process
File created	C:\Windows\System\teYwCrx.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GCrHplS.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\ThHsZCO.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\oOUFXQt.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\GzNzwus.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sAFyEOm.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IGoTktE.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AKwtPpf.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\YzQgKor.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AGElxSy.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\arUDXfO.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\xyUHqzn.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\IdvAJrM.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\aHIhIiU.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\SkZeOio.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\AizELIQ.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\smDYNMw.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\HIIGTyK.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\EeaRQBE.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\DIPybji.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
File created	C:\Windows\System\sjVygAS.exe	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe

description	pid	process
Token: SeLockMemoryPrivilege	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
Token: SeLockMemoryPrivilege	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe

description	pid	process	target process
PID 3672 wrote to memory of 464	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	GzNzwus.exe
PID 3672 wrote to memory of 464	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	GzNzwus.exe
PID 3672 wrote to memory of 2868	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	arUDXfO.exe
PID 3672 wrote to memory of 2868	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	arUDXfO.exe
PID 3672 wrote to memory of 1380	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AizELIQ.exe
PID 3672 wrote to memory of 1380	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AizELIQ.exe
PID 3672 wrote to memory of 4212	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	smDYNMw.exe
PID 3672 wrote to memory of 4212	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	smDYNMw.exe
PID 3672 wrote to memory of 4992	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	sAFyEOm.exe
PID 3672 wrote to memory of 4992	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	sAFyEOm.exe
PID 3672 wrote to memory of 3784	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	IGoTktE.exe
PID 3672 wrote to memory of 3784	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	IGoTktE.exe
PID 3672 wrote to memory of 2980	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	xyUHqzn.exe
PID 3672 wrote to memory of 2980	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	xyUHqzn.exe
PID 3672 wrote to memory of 4080	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	IdvAJrM.exe
PID 3672 wrote to memory of 4080	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	IdvAJrM.exe
PID 3672 wrote to memory of 4500	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	aHIhIiU.exe
PID 3672 wrote to memory of 4500	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	aHIhIiU.exe
PID 3672 wrote to memory of 1016	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	YzQgKor.exe
PID 3672 wrote to memory of 1016	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	YzQgKor.exe
PID 3672 wrote to memory of 3016	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	HIIGTyK.exe
PID 3672 wrote to memory of 3016	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	HIIGTyK.exe
PID 3672 wrote to memory of 2940	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AKwtPpf.exe
PID 3672 wrote to memory of 2940	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AKwtPpf.exe
PID 3672 wrote to memory of 3604	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	EeaRQBE.exe
PID 3672 wrote to memory of 3604	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	EeaRQBE.exe
PID 3672 wrote to memory of 1124	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	teYwCrx.exe
PID 3672 wrote to memory of 1124	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	teYwCrx.exe
PID 3672 wrote to memory of 3440	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	GCrHplS.exe
PID 3672 wrote to memory of 3440	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	GCrHplS.exe
PID 3672 wrote to memory of 4592	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	DIPybji.exe
PID 3672 wrote to memory of 4592	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	DIPybji.exe
PID 3672 wrote to memory of 3716	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	ThHsZCO.exe
PID 3672 wrote to memory of 3716	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	ThHsZCO.exe
PID 3672 wrote to memory of 4100	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AGElxSy.exe
PID 3672 wrote to memory of 4100	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	AGElxSy.exe
PID 3672 wrote to memory of 2020	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	SkZeOio.exe
PID 3672 wrote to memory of 2020	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	SkZeOio.exe
PID 3672 wrote to memory of 1444	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	oOUFXQt.exe
PID 3672 wrote to memory of 1444	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	oOUFXQt.exe
PID 3672 wrote to memory of 3280	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	sjVygAS.exe
PID 3672 wrote to memory of 3280	3672	2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe	sjVygAS.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_71be850cd8258a726b38ed6fecc33993_cobalt-strike_cobaltstrike.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672

C:\Windows\System\GzNzwus.exe
C:\Windows\System\GzNzwus.exe
2⤵
- Executes dropped EXE
PID:464

C:\Windows\System\arUDXfO.exe
C:\Windows\System\arUDXfO.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\AizELIQ.exe
C:\Windows\System\AizELIQ.exe
2⤵
- Executes dropped EXE
PID:1380

C:\Windows\System\smDYNMw.exe
C:\Windows\System\smDYNMw.exe
2⤵
- Executes dropped EXE
PID:4212

C:\Windows\System\sAFyEOm.exe
C:\Windows\System\sAFyEOm.exe
2⤵
- Executes dropped EXE
PID:4992

C:\Windows\System\IGoTktE.exe
C:\Windows\System\IGoTktE.exe
2⤵
- Executes dropped EXE
PID:3784

C:\Windows\System\xyUHqzn.exe
C:\Windows\System\xyUHqzn.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\IdvAJrM.exe
C:\Windows\System\IdvAJrM.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System\aHIhIiU.exe
C:\Windows\System\aHIhIiU.exe
2⤵
- Executes dropped EXE
PID:4500

C:\Windows\System\YzQgKor.exe
C:\Windows\System\YzQgKor.exe
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\System\HIIGTyK.exe
C:\Windows\System\HIIGTyK.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\AKwtPpf.exe
C:\Windows\System\AKwtPpf.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\EeaRQBE.exe
C:\Windows\System\EeaRQBE.exe
2⤵
- Executes dropped EXE
PID:3604

C:\Windows\System\teYwCrx.exe
C:\Windows\System\teYwCrx.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\System\GCrHplS.exe
C:\Windows\System\GCrHplS.exe
2⤵
- Executes dropped EXE
PID:3440

C:\Windows\System\DIPybji.exe
C:\Windows\System\DIPybji.exe
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\System\ThHsZCO.exe
C:\Windows\System\ThHsZCO.exe
2⤵
- Executes dropped EXE
PID:3716

C:\Windows\System\AGElxSy.exe
C:\Windows\System\AGElxSy.exe
2⤵
- Executes dropped EXE
PID:4100

C:\Windows\System\SkZeOio.exe
C:\Windows\System\SkZeOio.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\System\oOUFXQt.exe
C:\Windows\System\oOUFXQt.exe
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\System\sjVygAS.exe
C:\Windows\System\sjVygAS.exe
2⤵
- Executes dropped EXE
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:452

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AGElxSy.exe
Filesize
5.9MB

MD5
bc85fdfc2e780bd11137bf76b6046422

SHA1
5b49ca483da50da79aa4e3fe0b6681eae8c86407

SHA256
22683a4563a3a23387eb1a8c8a9504c45aee7ad074de061a93e39e8fdc0196c9

SHA512
0f9935b9010d5332f5540e9e2b87b1a511d511fb516c1e015a73c48225a7f7466016601628d231e84ef295131625da74bceb338c9d52dfe541d50199544b47a9

Download Submit
C:\Windows\System\AKwtPpf.exe
Filesize
5.9MB

MD5
861e54b2b513a032a90d3efd84663abe

SHA1
edc70c01e5c7224c0c417084824adc969d52765b

SHA256
b5ab0511990894a3d563114d8c4fdfe96812fe127ce6e5f2e0bc3efb9a982cf3

SHA512
b23d856a383f370dd7bf6312a1572085fe358a2e6b743361bbb1bf7c0d2fb0e57e38e67afb6868e00094b65830ad6240cc77ea2e67fde2a69e9827fd4726927e

Download Submit
C:\Windows\System\AizELIQ.exe
Filesize
5.9MB

MD5
16511d3fbf984064aa4afa80e465e4ae

SHA1
e86d43b8ec3f7ee2bfc92e33369595764d6d62b6

SHA256
66d3141212d099a6fe9f270e5abc03e310fd3033be5e5ead3fd4fc7df3af76bc

SHA512
aec7f10cb754a12627549dd4fa9b2c0784eb33eccc9e7a5f2541b01b038f7b551d4f5ba19704c032c89769f135661fc35488e5e2390ba9fc2a1bf4dcdfa4929d

Download Submit
C:\Windows\System\DIPybji.exe
Filesize
5.9MB

MD5
2d0394aa2d8c4a32a0019a1177a1f697

SHA1
998589ebcdcb7c4bf05dd72eccf887f7bf945c3c

SHA256
b2cc0385e97d4db2bb23a3a50222720a955784e11061be4aba0dd7929c2f611d

SHA512
eb98b7a7a26bb1c315999eb8d994046565dae5af7c0852e77d203d26f512634f648c6fb444dca9c43fbd34128ecb933908c8d694ac89c12adda19939900ee31c

Download Submit
C:\Windows\System\EeaRQBE.exe
Filesize
5.9MB

MD5
e150996d5517418d6aa8af411ac330be

SHA1
984df17c6bbfa7fe48c7c34d8f2ccb0b8d99f995

SHA256
fbb8252b9a36bbf7c84b2dc81e24db7cf0d21e973f3dbac89682aea90397b8da

SHA512
25e0043c258b26c9073099ecbf7772f8a93c43c2148593bd68b9155d41d43f160d70a706f1b7f0944fe9291c26caec155584dc7391db29d321acd6c5757e4915

Download Submit
C:\Windows\System\GCrHplS.exe
Filesize
5.9MB

MD5
32bdf71b2c92fdb1cdd22882dd6add1b

SHA1
50ae2fa5b94dd769cb0f568d454f71d52180b243

SHA256
cc7c1dfda9a5719e17e1da4d0374f8e359484d94c1f90a87cc43fed5eed01560

SHA512
76ad08d3668a7804e0636e2e3571bd6b1d93a54f3bef1ef4cec08902160af2a8ef744b40e9c91f82d0af7fc6897ac20ab0afd592ae076e52c5fb1747e9d45181

Download Submit
C:\Windows\System\GzNzwus.exe
Filesize
5.9MB

MD5
a08e26de7d72313f1168cee04cf1bd25

SHA1
57df32127a5d803e2ee8d5ce343b2f1c68fbff73

SHA256
aa77f4330a02f794eadffa4f244c413d1256a79bebf03dd1bcf0412606550869

SHA512
5681276e89f7a81aad39cb3e88fd0a1a1644f89bd7a262d7708117a4424d1aa36a5d99fcd56a21b891579f8bcfdbf9021854bb90be8e19984e07cc211c88e7d4

Download Submit
C:\Windows\System\HIIGTyK.exe
Filesize
5.9MB

MD5
9d8d94bb08aab8475353bb73b136eddb

SHA1
738549078a466080eff9234671707f5fc005f4fe

SHA256
3e0622fe15f3ed0794d06eee20d20b0247094edd1b29d3d8d07dc7dd4ee458d0

SHA512
9d049a7170fb4d1dca89b9bd40ae8a997524bba6edc87c15a98221318c1f98d26c6e92645b463c320c2b01ee6fd6d84c225a5107f829c81ffb98af56648acfde

Download Submit
C:\Windows\System\IGoTktE.exe
Filesize
5.9MB

MD5
9330ec702be38dd873e078e5deca0e61

SHA1
7987e6e36d4669b7a34315b7ffe6b2ceeae5edd5

SHA256
7c393fcf312a600fbd637160078a3090f395aaff21b46eaefa72358e79875857

SHA512
c8d34a845cfe10a1d51cdb83889f9ff68ab8374cf1b2167194f9dc887ffc15f5da9f75af20ec3b432192f01f1fa9656ffa3c5c0bef270696749a83eca70da169

Download Submit
C:\Windows\System\IdvAJrM.exe
Filesize
5.9MB

MD5
bf0f9fb09f48d50abc0196aab71bf4cf

SHA1
89d3048ba18b9d970548ae6c53261293d920ab69

SHA256
386c78ec6a84fd98329d35b688950303546c579d020870a8741aeb8c3a9a79b1

SHA512
7a3c61f3cb5c4678b03279e6b9910d859ab0912a8f0790685995350ebfe68089cf93d3491b6a59c8070d494aaec65f49b97d1f6203068e9b4862775111a4f0f6

Download Submit
C:\Windows\System\SkZeOio.exe
Filesize
5.9MB

MD5
434924e49fa5c97e25f096ed796cc452

SHA1
6e12c8ad9e58632bbf4c95f418881618446103dd

SHA256
9b5966303542f3d036f540b90276dfcf36818255e07751091e3ee2ba46c8f0b8

SHA512
1f3d1d8c93c75e5e20d6ed7f266f58234c6e9a9f51e60650a5920d12d21915a8dbd34024b7a97abf2f4f691a621a399a8e5d339386789ded231ed48323610546

Download Submit
C:\Windows\System\ThHsZCO.exe
Filesize
5.9MB

MD5
51a875ba806f5ef1b3f65622771f6f91

SHA1
65637941f91263b0f874ac1ea53e86f88768654f

SHA256
7c4c8f0060dd046db4b4186026496c6256e468f21c4bc4b3b81909d7c554a161

SHA512
6b543e58aadda55505f040824393c7eb91a8c56cfc1bd36d11365bd168638b4ecfc1a1eef3e5c3b224b5f3d4315d63b5e0f0ea123f0f5caa1beb2c73c07104fe

Download Submit
C:\Windows\System\YzQgKor.exe
Filesize
5.9MB

MD5
ae009d23b5c2ff7cd5eeab6d83ed6301

SHA1
be8eec4e45a8a8c2695ac2b627cffc56b7965f58

SHA256
11a3dcd0d872bbbbb1eb99fa3572e6c150c5411cd2df25d3e7bce8776c9310d9

SHA512
d28a6bebb533f94bb6efd9b791bc6e8967ef863f7cf51e787e4725db4d305422cbeb4a52bfb1701863654891f5555c0e8e897c059dbe43ee615e644544a7b4d4

Download Submit
C:\Windows\System\aHIhIiU.exe
Filesize
5.9MB

MD5
12ed092ae077a62dbbd52413b5360df4

SHA1
8cdee273eed3a3eb7aa18fbba53daf6de76a2a4d

SHA256
49af7cd791832d3f7aa9ac82d85aa23656aeb018b45ed6d92f5fd3cb502c0b64

SHA512
9c83bf98a9585ec41c26d676d5acd5b6753e8c98eba5b641c168213a60d6fc5ede7bc2ca249383cf776e2f9552b56ad2d6fceaee7a61ff814625d51f53938a28

Download Submit
C:\Windows\System\arUDXfO.exe
Filesize
5.9MB

MD5
98f70b204ecce6bbb7c8708390d836ca

SHA1
8b1823c1a5594da6cd2d8cf5b35abc3c44ce1d02

SHA256
9eece92896de9df1197cff80aba1f9126b78825705661fb0407606c6083adbdc

SHA512
7f19f9eecb345e06194071d9fa5185af62397c2456cec9c2910e54a0e6fb241a7d23139de257db6f23f3e4960aae8b6ce3035f721dcdc94788e292963e6dab2e

Download Submit
C:\Windows\System\oOUFXQt.exe
Filesize
5.9MB

MD5
d64118d0199f94fc73aa03703f74c623

SHA1
f7458edbd41ce6dd36ba903328d6d63e273babc0

SHA256
f7ecf5fadb7a6d63c90af087790cc2ca9a7b8ac39633a96fc43a29cb054fc041

SHA512
e7d29603273dcba56215d55d3a25c7b2a1b5607d43e2e473fc6a9996385a19f19a0e5464899a72cb5d6cb698d5e250563115d67e311563898c33cf057925381a

Download Submit
C:\Windows\System\sAFyEOm.exe
Filesize
5.9MB

MD5
91ecd12773e4a0d90610ae304abcffd5

SHA1
f0bb139d8bf6fb7a1d134ee4aaabfbe8d71b6aec

SHA256
276056a125aaa4cbb646618e442b65af79b6c5dd80db5df9ded524fbcbc96029

SHA512
00123d0432a352c8da70c54d416d7557136806c6cb21a557c54600057b012b35839a378533774dad73dbe121d7098a8bccdbca85937519bdc31266b9441cd6c8

Download Submit
C:\Windows\System\sjVygAS.exe
Filesize
5.9MB

MD5
4393bcf9bddaa6d82e6ac0175c61fc1d

SHA1
efe328d11636db1f812748dbf9887546b94d0f06

SHA256
527ff44d857cc592d5fd588e0896a1bcc12c1f04f1ddf39b1c943754206a3f6f

SHA512
b58436ad160d252a674dc27a1c3dd2de8dfefcb730f16e255e88b1d491235a54fb642cf6119ddc8aab1ac72f157d9febc9f7aa1461e6bd52d0ff42f0a56c0817

Download Submit
C:\Windows\System\smDYNMw.exe
Filesize
5.9MB

MD5
36d883317be83e322d1bd6b32aee39af

SHA1
29ac95b501bf165a3d57203efb55fe44c56cf47b

SHA256
e533b24d84376ab6a9da17148ec81fa88559f6df886ca41962ca52eb24c68140

SHA512
3592f1338e96a2218f909c39c908885efe881adbdd22bc1d455382080daa685cfd8a2eb1c773a2e5bc2824a59060c0bd179418669e14ca7243311b08bdc52e2c

Download Submit
C:\Windows\System\teYwCrx.exe
Filesize
5.9MB

MD5
b60a2ce0a832bcd28b5e376d920b6a49

SHA1
be598efe9bb2cc0a02c6d0ba2fb3100ea5defffd

SHA256
7a1a67b1a5560fb6e67bb8ec44863656771478e3d4ee11e62d81f0968cab8aaa

SHA512
cc8ea3ca83ac40eabbe6e3eeb15150ead2fa6bf52117b7157108571cb1d16d782c8bb71e408d326812bdfd382a5f5dd39cbe5f1a8af4eb221871b5bf744f130e

Download Submit
C:\Windows\System\xyUHqzn.exe
Filesize
5.9MB

MD5
02d1d029a3c44657da4a190c7a4ae65b

SHA1
c1348b41461e4ddac501224ed4e0ad5590d2ce3f

SHA256
ea36ffee02e2398e6011ecc356248fde71bd5d9bf334d7868cbbf48bf7243a44

SHA512
4d449b3f7a321252318bfe5e31972dfafd609c2512379667f157e2f8b6976c6e20e8b0145f5fe3e51eafe4052946197c142750ca52f6037bcdcab529335a1498

Download Submit
memory/464-8-0x00007FF612CE0000-0x00007FF613034000-memory.dmp

Filesize
3.3MB

Download
memory/464-135-0x00007FF612CE0000-0x00007FF613034000-memory.dmp

Filesize
3.3MB

Download
memory/464-75-0x00007FF612CE0000-0x00007FF613034000-memory.dmp

Filesize
3.3MB

Download
memory/1016-144-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp

Filesize
3.3MB

Download
memory/1016-62-0x00007FF7711A0000-0x00007FF7714F4000-memory.dmp

Filesize
3.3MB

Download
memory/1124-149-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp

Filesize
3.3MB

Download
memory/1124-93-0x00007FF791BB0000-0x00007FF791F04000-memory.dmp

Filesize
3.3MB

Download
memory/1380-20-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp

Filesize
3.3MB

Download
memory/1380-137-0x00007FF6D4A00000-0x00007FF6D4D54000-memory.dmp

Filesize
3.3MB

Download
memory/1444-155-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp

Filesize
3.3MB

Download
memory/1444-130-0x00007FF79E460000-0x00007FF79E7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-153-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-129-0x00007FF7DF880000-0x00007FF7DFBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-14-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp

Filesize
3.3MB

Download
memory/2868-136-0x00007FF7C18B0000-0x00007FF7C1C04000-memory.dmp

Filesize
3.3MB

Download
memory/2940-76-0x00007FF730680000-0x00007FF7309D4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-146-0x00007FF730680000-0x00007FF7309D4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-133-0x00007FF730680000-0x00007FF7309D4000-memory.dmp

Filesize
3.3MB

Download
memory/2980-110-0x00007FF6394F0000-0x00007FF639844000-memory.dmp

Filesize
3.3MB

Download
memory/2980-141-0x00007FF6394F0000-0x00007FF639844000-memory.dmp

Filesize
3.3MB

Download
memory/2980-42-0x00007FF6394F0000-0x00007FF639844000-memory.dmp

Filesize
3.3MB

Download
memory/3016-132-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp

Filesize
3.3MB

Download
memory/3016-145-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp

Filesize
3.3MB

Download
memory/3016-67-0x00007FF63CA00000-0x00007FF63CD54000-memory.dmp

Filesize
3.3MB

Download
memory/3280-154-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp

Filesize
3.3MB

Download
memory/3280-131-0x00007FF7A8120000-0x00007FF7A8474000-memory.dmp

Filesize
3.3MB

Download
memory/3440-148-0x00007FF782F40000-0x00007FF783294000-memory.dmp

Filesize
3.3MB

Download
memory/3440-94-0x00007FF782F40000-0x00007FF783294000-memory.dmp

Filesize
3.3MB

Download
memory/3604-147-0x00007FF703220000-0x00007FF703574000-memory.dmp

Filesize
3.3MB

Download
memory/3604-84-0x00007FF703220000-0x00007FF703574000-memory.dmp

Filesize
3.3MB

Download
memory/3672-0-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp

Filesize
3.3MB

Download
memory/3672-66-0x00007FF76CC10000-0x00007FF76CF64000-memory.dmp

Filesize
3.3MB

Download
memory/3672-1-0x00000211297C0000-0x00000211297D0000-memory.dmp

Filesize
64KB

Download
memory/3716-151-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3716-109-0x00007FF6F0B60000-0x00007FF6F0EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-41-0x00007FF7434E0000-0x00007FF743834000-memory.dmp

Filesize
3.3MB

Download
memory/3784-140-0x00007FF7434E0000-0x00007FF743834000-memory.dmp

Filesize
3.3MB

Download
memory/3784-104-0x00007FF7434E0000-0x00007FF743834000-memory.dmp

Filesize
3.3MB

Download
memory/4080-50-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp

Filesize
3.3MB

Download
memory/4080-142-0x00007FF633BF0000-0x00007FF633F44000-memory.dmp

Filesize
3.3MB

Download
memory/4100-134-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4100-111-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4100-152-0x00007FF7A3900000-0x00007FF7A3C54000-memory.dmp

Filesize
3.3MB

Download
memory/4212-138-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp

Filesize
3.3MB

Download
memory/4212-26-0x00007FF6FB050000-0x00007FF6FB3A4000-memory.dmp

Filesize
3.3MB

Download
memory/4500-143-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp

Filesize
3.3MB

Download
memory/4500-56-0x00007FF7F5500000-0x00007FF7F5854000-memory.dmp

Filesize
3.3MB

Download
memory/4592-150-0x00007FF713960000-0x00007FF713CB4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-106-0x00007FF713960000-0x00007FF713CB4000-memory.dmp

Filesize
3.3MB

Download
memory/4992-139-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp

Filesize
3.3MB

Download
memory/4992-37-0x00007FF6BFE60000-0x00007FF6C01B4000-memory.dmp

Filesize
3.3MB

Download