cobaltstrike | d56132e46463cdf42200e09296eaa1f1f06e14c7fc4dc744b6e9285a43468705

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5d59fe46c0d31b4a0eb288f172e13091
SHA1

e1cada080ecf1abb42de361f3a96a58d477fe102
SHA256

d56132e46463cdf42200e09296eaa1f1f06e14c7fc4dc744b6e9285a43468705
SHA512

3053c5ee21fbc1b77ba8c43538539932418f3f7ad80e22af0ae6301435b7a3990734ae49e006e5de248c1d2825d277417ec8e80a54e87f5d761bd39624908673
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUi:Q+u56utgpPF8u/7i

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\VVNuUjk.exe	cobalt_reflective_dll
C:\Windows\System\vhweNqx.exe	cobalt_reflective_dll
C:\Windows\System\lwpPOFS.exe	cobalt_reflective_dll
C:\Windows\System\ezbMTer.exe	cobalt_reflective_dll
C:\Windows\System\DJJitRC.exe	cobalt_reflective_dll
C:\Windows\System\MpHocIK.exe	cobalt_reflective_dll
C:\Windows\System\ApVyAlA.exe	cobalt_reflective_dll
C:\Windows\System\CELBKhM.exe	cobalt_reflective_dll
C:\Windows\System\RIHwwul.exe	cobalt_reflective_dll
C:\Windows\System\hIhfuSU.exe	cobalt_reflective_dll
C:\Windows\System\qXICYOH.exe	cobalt_reflective_dll
C:\Windows\System\yahicld.exe	cobalt_reflective_dll
C:\Windows\System\tSOZNHp.exe	cobalt_reflective_dll
C:\Windows\System\fQLlyut.exe	cobalt_reflective_dll
C:\Windows\System\yYDARfy.exe	cobalt_reflective_dll
C:\Windows\System\QHVNvoY.exe	cobalt_reflective_dll
C:\Windows\System\yZEKBeZ.exe	cobalt_reflective_dll
C:\Windows\System\upyqTWO.exe	cobalt_reflective_dll
C:\Windows\System\HyXGtpH.exe	cobalt_reflective_dll
C:\Windows\System\dCJqdmc.exe	cobalt_reflective_dll
C:\Windows\System\PwOlTGa.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\VVNuUjk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vhweNqx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lwpPOFS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ezbMTer.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DJJitRC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MpHocIK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ApVyAlA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CELBKhM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RIHwwul.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hIhfuSU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qXICYOH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yahicld.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tSOZNHp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fQLlyut.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yYDARfy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QHVNvoY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yZEKBeZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\upyqTWO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HyXGtpH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dCJqdmc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PwOlTGa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2188-0-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	UPX
C:\Windows\System\VVNuUjk.exe	UPX
behavioral2/memory/4656-8-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	UPX
C:\Windows\System\vhweNqx.exe	UPX
C:\Windows\System\lwpPOFS.exe	UPX
C:\Windows\System\ezbMTer.exe	UPX
C:\Windows\System\DJJitRC.exe	UPX
behavioral2/memory/3044-33-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	UPX
C:\Windows\System\MpHocIK.exe	UPX
behavioral2/memory/5096-42-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	UPX
C:\Windows\System\ApVyAlA.exe	UPX
behavioral2/memory/2300-47-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	UPX
behavioral2/memory/4480-44-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	UPX
behavioral2/memory/3688-37-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	UPX
C:\Windows\System\CELBKhM.exe	UPX
behavioral2/memory/2308-31-0x00007FF623540000-0x00007FF623894000-memory.dmp	UPX
behavioral2/memory/2184-19-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	UPX
behavioral2/memory/3988-56-0x00007FF6E81A0000-0x00007FF6E84F4000-memory.dmp	UPX
C:\Windows\System\RIHwwul.exe	UPX
C:\Windows\System\hIhfuSU.exe	UPX
C:\Windows\System\qXICYOH.exe	UPX
behavioral2/memory/4828-72-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	UPX
C:\Windows\System\yahicld.exe	UPX
behavioral2/memory/4488-69-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	UPX
C:\Windows\System\tSOZNHp.exe	UPX
behavioral2/memory/2132-60-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	UPX
behavioral2/memory/2188-85-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	UPX
C:\Windows\System\fQLlyut.exe	UPX
C:\Windows\System\yYDARfy.exe	UPX
C:\Windows\System\QHVNvoY.exe	UPX
behavioral2/memory/3044-103-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	UPX
behavioral2/memory/5096-105-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	UPX
behavioral2/memory/4608-106-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	UPX
behavioral2/memory/1704-104-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	UPX
behavioral2/memory/2072-101-0x00007FF7CEBE0000-0x00007FF7CEF34000-memory.dmp	UPX
C:\Windows\System\yZEKBeZ.exe	UPX
C:\Windows\System\upyqTWO.exe	UPX
C:\Windows\System\HyXGtpH.exe	UPX
C:\Windows\System\dCJqdmc.exe	UPX
C:\Windows\System\PwOlTGa.exe	UPX
behavioral2/memory/2308-100-0x00007FF623540000-0x00007FF623894000-memory.dmp	UPX
behavioral2/memory/2184-96-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	UPX
behavioral2/memory/4656-95-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	UPX
behavioral2/memory/4584-89-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	UPX
behavioral2/memory/2044-86-0x00007FF67D9A0000-0x00007FF67DCF4000-memory.dmp	UPX
behavioral2/memory/4856-130-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	UPX
behavioral2/memory/464-131-0x00007FF728210000-0x00007FF728564000-memory.dmp	UPX
behavioral2/memory/1864-132-0x00007FF6D0A80000-0x00007FF6D0DD4000-memory.dmp	UPX
behavioral2/memory/2300-133-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	UPX
behavioral2/memory/4780-134-0x00007FF6EC830000-0x00007FF6ECB84000-memory.dmp	UPX
behavioral2/memory/2132-135-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	UPX
behavioral2/memory/4488-136-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	UPX
behavioral2/memory/4828-137-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	UPX
behavioral2/memory/4584-138-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	UPX
behavioral2/memory/1704-139-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	UPX
behavioral2/memory/4608-140-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	UPX
behavioral2/memory/4856-141-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	UPX
behavioral2/memory/4656-142-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	UPX
behavioral2/memory/2184-143-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	UPX
behavioral2/memory/3688-144-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	UPX
behavioral2/memory/2308-145-0x00007FF623540000-0x00007FF623894000-memory.dmp	UPX
behavioral2/memory/3044-146-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	UPX
behavioral2/memory/4480-147-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	UPX
behavioral2/memory/2300-148-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2188-0-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	xmrig
C:\Windows\System\VVNuUjk.exe	xmrig
behavioral2/memory/4656-8-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	xmrig
C:\Windows\System\vhweNqx.exe	xmrig
C:\Windows\System\lwpPOFS.exe	xmrig
C:\Windows\System\ezbMTer.exe	xmrig
C:\Windows\System\DJJitRC.exe	xmrig
behavioral2/memory/3044-33-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	xmrig
C:\Windows\System\MpHocIK.exe	xmrig
behavioral2/memory/5096-42-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	xmrig
C:\Windows\System\ApVyAlA.exe	xmrig
behavioral2/memory/2300-47-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	xmrig
behavioral2/memory/4480-44-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	xmrig
behavioral2/memory/3688-37-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	xmrig
C:\Windows\System\CELBKhM.exe	xmrig
behavioral2/memory/2308-31-0x00007FF623540000-0x00007FF623894000-memory.dmp	xmrig
behavioral2/memory/2184-19-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	xmrig
behavioral2/memory/3988-56-0x00007FF6E81A0000-0x00007FF6E84F4000-memory.dmp	xmrig
C:\Windows\System\RIHwwul.exe	xmrig
C:\Windows\System\hIhfuSU.exe	xmrig
C:\Windows\System\qXICYOH.exe	xmrig
behavioral2/memory/4828-72-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	xmrig
C:\Windows\System\yahicld.exe	xmrig
behavioral2/memory/4488-69-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	xmrig
C:\Windows\System\tSOZNHp.exe	xmrig
behavioral2/memory/2132-60-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	xmrig
behavioral2/memory/2188-85-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	xmrig
C:\Windows\System\fQLlyut.exe	xmrig
C:\Windows\System\yYDARfy.exe	xmrig
C:\Windows\System\QHVNvoY.exe	xmrig
behavioral2/memory/3044-103-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	xmrig
behavioral2/memory/5096-105-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	xmrig
behavioral2/memory/4608-106-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	xmrig
behavioral2/memory/1704-104-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	xmrig
behavioral2/memory/2072-101-0x00007FF7CEBE0000-0x00007FF7CEF34000-memory.dmp	xmrig
C:\Windows\System\yZEKBeZ.exe	xmrig
C:\Windows\System\upyqTWO.exe	xmrig
C:\Windows\System\HyXGtpH.exe	xmrig
C:\Windows\System\dCJqdmc.exe	xmrig
C:\Windows\System\PwOlTGa.exe	xmrig
behavioral2/memory/2308-100-0x00007FF623540000-0x00007FF623894000-memory.dmp	xmrig
behavioral2/memory/2184-96-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	xmrig
behavioral2/memory/4656-95-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	xmrig
behavioral2/memory/4584-89-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	xmrig
behavioral2/memory/2044-86-0x00007FF67D9A0000-0x00007FF67DCF4000-memory.dmp	xmrig
behavioral2/memory/4856-130-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	xmrig
behavioral2/memory/464-131-0x00007FF728210000-0x00007FF728564000-memory.dmp	xmrig
behavioral2/memory/1864-132-0x00007FF6D0A80000-0x00007FF6D0DD4000-memory.dmp	xmrig
behavioral2/memory/2300-133-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	xmrig
behavioral2/memory/4780-134-0x00007FF6EC830000-0x00007FF6ECB84000-memory.dmp	xmrig
behavioral2/memory/2132-135-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	xmrig
behavioral2/memory/4488-136-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	xmrig
behavioral2/memory/4828-137-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	xmrig
behavioral2/memory/4584-138-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	xmrig
behavioral2/memory/1704-139-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	xmrig
behavioral2/memory/4608-140-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	xmrig
behavioral2/memory/4856-141-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	xmrig
behavioral2/memory/4656-142-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	xmrig
behavioral2/memory/2184-143-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	xmrig
behavioral2/memory/3688-144-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	xmrig
behavioral2/memory/2308-145-0x00007FF623540000-0x00007FF623894000-memory.dmp	xmrig
behavioral2/memory/3044-146-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	xmrig
behavioral2/memory/4480-147-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	xmrig
behavioral2/memory/2300-148-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

VVNuUjk.exevhweNqx.exeezbMTer.exelwpPOFS.exeDJJitRC.exeCELBKhM.exeMpHocIK.exeApVyAlA.exeRIHwwul.exetSOZNHp.exehIhfuSU.exeqXICYOH.exeyahicld.exefQLlyut.exeyYDARfy.exeQHVNvoY.exeyZEKBeZ.exeupyqTWO.exeHyXGtpH.exePwOlTGa.exedCJqdmc.exe

pid	process
4656	VVNuUjk.exe
2184	vhweNqx.exe
3688	ezbMTer.exe
2308	lwpPOFS.exe
3044	DJJitRC.exe
5096	CELBKhM.exe
4480	MpHocIK.exe
2300	ApVyAlA.exe
3988	RIHwwul.exe
2132	tSOZNHp.exe
4488	hIhfuSU.exe
4828	qXICYOH.exe
2044	yahicld.exe
4584	fQLlyut.exe
2072	yYDARfy.exe
1704	QHVNvoY.exe
4608	yZEKBeZ.exe
4856	upyqTWO.exe
464	HyXGtpH.exe
4780	PwOlTGa.exe
1864	dCJqdmc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2188-0-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	upx
C:\Windows\System\VVNuUjk.exe	upx
behavioral2/memory/4656-8-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	upx
C:\Windows\System\vhweNqx.exe	upx
C:\Windows\System\lwpPOFS.exe	upx
C:\Windows\System\ezbMTer.exe	upx
C:\Windows\System\DJJitRC.exe	upx
behavioral2/memory/3044-33-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	upx
C:\Windows\System\MpHocIK.exe	upx
behavioral2/memory/5096-42-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	upx
C:\Windows\System\ApVyAlA.exe	upx
behavioral2/memory/2300-47-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	upx
behavioral2/memory/4480-44-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	upx
behavioral2/memory/3688-37-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	upx
C:\Windows\System\CELBKhM.exe	upx
behavioral2/memory/2308-31-0x00007FF623540000-0x00007FF623894000-memory.dmp	upx
behavioral2/memory/2184-19-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	upx
behavioral2/memory/3988-56-0x00007FF6E81A0000-0x00007FF6E84F4000-memory.dmp	upx
C:\Windows\System\RIHwwul.exe	upx
C:\Windows\System\hIhfuSU.exe	upx
C:\Windows\System\qXICYOH.exe	upx
behavioral2/memory/4828-72-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	upx
C:\Windows\System\yahicld.exe	upx
behavioral2/memory/4488-69-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	upx
C:\Windows\System\tSOZNHp.exe	upx
behavioral2/memory/2132-60-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	upx
behavioral2/memory/2188-85-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp	upx
C:\Windows\System\fQLlyut.exe	upx
C:\Windows\System\yYDARfy.exe	upx
C:\Windows\System\QHVNvoY.exe	upx
behavioral2/memory/3044-103-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	upx
behavioral2/memory/5096-105-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp	upx
behavioral2/memory/4608-106-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	upx
behavioral2/memory/1704-104-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	upx
behavioral2/memory/2072-101-0x00007FF7CEBE0000-0x00007FF7CEF34000-memory.dmp	upx
C:\Windows\System\yZEKBeZ.exe	upx
C:\Windows\System\upyqTWO.exe	upx
C:\Windows\System\HyXGtpH.exe	upx
C:\Windows\System\dCJqdmc.exe	upx
C:\Windows\System\PwOlTGa.exe	upx
behavioral2/memory/2308-100-0x00007FF623540000-0x00007FF623894000-memory.dmp	upx
behavioral2/memory/2184-96-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	upx
behavioral2/memory/4656-95-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	upx
behavioral2/memory/4584-89-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	upx
behavioral2/memory/2044-86-0x00007FF67D9A0000-0x00007FF67DCF4000-memory.dmp	upx
behavioral2/memory/4856-130-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	upx
behavioral2/memory/464-131-0x00007FF728210000-0x00007FF728564000-memory.dmp	upx
behavioral2/memory/1864-132-0x00007FF6D0A80000-0x00007FF6D0DD4000-memory.dmp	upx
behavioral2/memory/2300-133-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	upx
behavioral2/memory/4780-134-0x00007FF6EC830000-0x00007FF6ECB84000-memory.dmp	upx
behavioral2/memory/2132-135-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp	upx
behavioral2/memory/4488-136-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp	upx
behavioral2/memory/4828-137-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp	upx
behavioral2/memory/4584-138-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp	upx
behavioral2/memory/1704-139-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp	upx
behavioral2/memory/4608-140-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp	upx
behavioral2/memory/4856-141-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp	upx
behavioral2/memory/4656-142-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp	upx
behavioral2/memory/2184-143-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp	upx
behavioral2/memory/3688-144-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp	upx
behavioral2/memory/2308-145-0x00007FF623540000-0x00007FF623894000-memory.dmp	upx
behavioral2/memory/3044-146-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp	upx
behavioral2/memory/4480-147-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp	upx
behavioral2/memory/2300-148-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\VVNuUjk.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezbMTer.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ApVyAlA.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tSOZNHp.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yZEKBeZ.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\upyqTWO.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lwpPOFS.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MpHocIK.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RIHwwul.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fQLlyut.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PwOlTGa.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dCJqdmc.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DJJitRC.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CELBKhM.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hIhfuSU.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHVNvoY.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HyXGtpH.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vhweNqx.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qXICYOH.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yahicld.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYDARfy.exe	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2188 wrote to memory of 4656	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	VVNuUjk.exe
PID 2188 wrote to memory of 4656	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	VVNuUjk.exe
PID 2188 wrote to memory of 2184	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	vhweNqx.exe
PID 2188 wrote to memory of 2184	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	vhweNqx.exe
PID 2188 wrote to memory of 2308	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	lwpPOFS.exe
PID 2188 wrote to memory of 2308	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	lwpPOFS.exe
PID 2188 wrote to memory of 3688	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ezbMTer.exe
PID 2188 wrote to memory of 3688	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ezbMTer.exe
PID 2188 wrote to memory of 3044	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	DJJitRC.exe
PID 2188 wrote to memory of 3044	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	DJJitRC.exe
PID 2188 wrote to memory of 5096	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CELBKhM.exe
PID 2188 wrote to memory of 5096	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	CELBKhM.exe
PID 2188 wrote to memory of 4480	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	MpHocIK.exe
PID 2188 wrote to memory of 4480	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	MpHocIK.exe
PID 2188 wrote to memory of 2300	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ApVyAlA.exe
PID 2188 wrote to memory of 2300	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	ApVyAlA.exe
PID 2188 wrote to memory of 3988	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	RIHwwul.exe
PID 2188 wrote to memory of 3988	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	RIHwwul.exe
PID 2188 wrote to memory of 2132	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	tSOZNHp.exe
PID 2188 wrote to memory of 2132	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	tSOZNHp.exe
PID 2188 wrote to memory of 4488	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hIhfuSU.exe
PID 2188 wrote to memory of 4488	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	hIhfuSU.exe
PID 2188 wrote to memory of 4828	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	qXICYOH.exe
PID 2188 wrote to memory of 4828	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	qXICYOH.exe
PID 2188 wrote to memory of 2044	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yahicld.exe
PID 2188 wrote to memory of 2044	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yahicld.exe
PID 2188 wrote to memory of 4584	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	fQLlyut.exe
PID 2188 wrote to memory of 4584	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	fQLlyut.exe
PID 2188 wrote to memory of 2072	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yYDARfy.exe
PID 2188 wrote to memory of 2072	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yYDARfy.exe
PID 2188 wrote to memory of 1704	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	QHVNvoY.exe
PID 2188 wrote to memory of 1704	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	QHVNvoY.exe
PID 2188 wrote to memory of 4608	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yZEKBeZ.exe
PID 2188 wrote to memory of 4608	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	yZEKBeZ.exe
PID 2188 wrote to memory of 4856	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	upyqTWO.exe
PID 2188 wrote to memory of 4856	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	upyqTWO.exe
PID 2188 wrote to memory of 464	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HyXGtpH.exe
PID 2188 wrote to memory of 464	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	HyXGtpH.exe
PID 2188 wrote to memory of 4780	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	PwOlTGa.exe
PID 2188 wrote to memory of 4780	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	PwOlTGa.exe
PID 2188 wrote to memory of 1864	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	dCJqdmc.exe
PID 2188 wrote to memory of 1864	2188	2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe	dCJqdmc.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_5d59fe46c0d31b4a0eb288f172e13091_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\System\VVNuUjk.exe
C:\Windows\System\VVNuUjk.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Windows\System\vhweNqx.exe
C:\Windows\System\vhweNqx.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System\lwpPOFS.exe
C:\Windows\System\lwpPOFS.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System\ezbMTer.exe
C:\Windows\System\ezbMTer.exe
2⤵
- Executes dropped EXE
PID:3688

C:\Windows\System\DJJitRC.exe
C:\Windows\System\DJJitRC.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\CELBKhM.exe
C:\Windows\System\CELBKhM.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\MpHocIK.exe
C:\Windows\System\MpHocIK.exe
2⤵
- Executes dropped EXE
PID:4480

C:\Windows\System\ApVyAlA.exe
C:\Windows\System\ApVyAlA.exe
2⤵
- Executes dropped EXE
PID:2300

C:\Windows\System\RIHwwul.exe
C:\Windows\System\RIHwwul.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Windows\System\tSOZNHp.exe
C:\Windows\System\tSOZNHp.exe
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\System\hIhfuSU.exe
C:\Windows\System\hIhfuSU.exe
2⤵
- Executes dropped EXE
PID:4488

C:\Windows\System\qXICYOH.exe
C:\Windows\System\qXICYOH.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System\yahicld.exe
C:\Windows\System\yahicld.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\fQLlyut.exe
C:\Windows\System\fQLlyut.exe
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\System\yYDARfy.exe
C:\Windows\System\yYDARfy.exe
2⤵
- Executes dropped EXE
PID:2072

C:\Windows\System\QHVNvoY.exe
C:\Windows\System\QHVNvoY.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\yZEKBeZ.exe
C:\Windows\System\yZEKBeZ.exe
2⤵
- Executes dropped EXE
PID:4608

C:\Windows\System\upyqTWO.exe
C:\Windows\System\upyqTWO.exe
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System\HyXGtpH.exe
C:\Windows\System\HyXGtpH.exe
2⤵
- Executes dropped EXE
PID:464

C:\Windows\System\PwOlTGa.exe
C:\Windows\System\PwOlTGa.exe
2⤵
- Executes dropped EXE
PID:4780

C:\Windows\System\dCJqdmc.exe
C:\Windows\System\dCJqdmc.exe
2⤵
- Executes dropped EXE
PID:1864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ApVyAlA.exe
Filesize
5.9MB

MD5
cc88badde5f27a93b8028889fdf20974

SHA1
85942f00420b110d0aa5834e844abacd15761896

SHA256
74b0ffb1934f05bcb783e1cd20111e852bae3b94ad7178dae2c3a1c2d4278c23

SHA512
a9289c2d2682c4abb6ece1f6ba37bde025e575d9b0abb21ff8b38ddeee2d529a786c881f52ee36240592cfcafb1ed3cbe35bcc46277f48ee07a9be3be8f0345a

Download Submit
C:\Windows\System\CELBKhM.exe
Filesize
5.9MB

MD5
1d4e10a01ef58da29b5d281ae3625330

SHA1
59d1debe25fe7d43694bfd8b4279065205510c18

SHA256
0de16208dda41003dea2b863e3b5d9c73822a5293e72f29ef21f606dc7d52d47

SHA512
9407f52664da5ffa85e70ccbfa4ab2761dce33d9711214d5fbabc60d2f73219177d86cb76d2f647ad4f1174135fd33b69670671cb14c9980725fae06c0daf1d0

Download Submit
C:\Windows\System\DJJitRC.exe
Filesize
5.9MB

MD5
45b6ff2792f2e681337f4178603f2a73

SHA1
9d029854401b4d771d420d787523ad0f419174c7

SHA256
4d431318abb6aa544e528f83f212b279ea3f700e9763f722c110329aba094f3d

SHA512
b34218d6a883820bbdeab19568627852586fac042a7b24c7c74213b5e6da493991e1713bc24e5baedbb26c0ffdd85a8c164c1bb1b1f32408835ab9d71bf11827

Download Submit
C:\Windows\System\HyXGtpH.exe
Filesize
5.9MB

MD5
9d464b15fa9e2c9990e2600edc03a768

SHA1
48a93b430e3c73ccfc9fa0fec602b78999a07d0f

SHA256
b246e809ca48d8984740e029b71e340ed5bdf4af5509af882b7de3d4a9bedeec

SHA512
411ac32ad84353809c9036f74f479177679f92f3b10a15a648ab2de8c983b0a3db9376b9f4eaffe02f4504d2b0c809eca360ff2965a7bae8b66e1bf0853edfd1

Download Submit
C:\Windows\System\MpHocIK.exe
Filesize
5.9MB

MD5
a2f2be7220e9e46d73e6698ae2c7a8e2

SHA1
08237a536c4db1faaff5b2859599603ad788d938

SHA256
25a4a5029e7551516e169070fe702708d531f4b35d590054abcb40856e6015a9

SHA512
577fa5f9ff082f4a7f9474bcca5239c6df49ec62dcabd9c874164d68246bf94507f292314d47c1345f15b366adac7d43e3b0fe79757939531d8e7632ff526c45

Download Submit
C:\Windows\System\PwOlTGa.exe
Filesize
5.9MB

MD5
e6aaf7b0c29c31afae00610c25a39e21

SHA1
cb05acb8b658a4b91bdc0db862b678937d744e5d

SHA256
0065c74b6f40e35e7e155b3b04e777d871e6a8f7095488e349c9d8cbd840cde4

SHA512
8a020b5fa8d77fcd73dd00aa916092a366471829de15d55558895769b14c41947082eab4d7401a7acb83541e1b0fcb9376fcdd3e9ccfa7c8c95a08e999710163

Download Submit
C:\Windows\System\QHVNvoY.exe
Filesize
5.9MB

MD5
3de4d1ee6e9ca7c5c31c51b70157e241

SHA1
85e858837f23da46f6248e736d1409c47492a62a

SHA256
f2b6c14b09c6b1ae330afa4f0016d5eb505330a7127bae502cee9e4de291dad0

SHA512
e958a27e3484752e7c0192b90d2d172b6b27a4ee3608112f1dcb30b808a06fedc22150d049e9fae97c9c770e77eae9d18fd74f84d623c29baba2a032ee7ca22d

Download Submit
C:\Windows\System\RIHwwul.exe
Filesize
5.9MB

MD5
d9d23f24ce1f07d200a06b397e14bd7f

SHA1
a6967c192f9cd68a86245952cae9c3c55f3d74f7

SHA256
8b26cd52bb3e5dd25b69b9f1191bcee85f09a19cd31e2130b264b01afdd63c08

SHA512
d65c7a3415a7f5c4c7c2b4e642c8752483c43bd4e1e8c3770fe9f5bd532ad5ccdd8dcee7d332d9a00b7663b9c4ada6c31b8bd4242d1000f388f99902807085ff

Download Submit
C:\Windows\System\VVNuUjk.exe
Filesize
5.9MB

MD5
c39ff2de23a406f198275d409869bb0c

SHA1
e9428a1a41127651fe5e61278d14b0ef40086782

SHA256
a0e5e57e71ac26ccfdef494e75e07b161a73d008c1dde4ff7b757cf8c15839ca

SHA512
8f620b7dd2cb0e5e16b7a16c2a09159d14390e1c935c88feccefffb48bca9d58a95e7ea463030627c71aaef7d9b4d9c5b441b1c96d0daa8d617f9a8c88a1e594

Download Submit
C:\Windows\System\dCJqdmc.exe
Filesize
5.9MB

MD5
4d659c94aedda51be9b83b099e90ca94

SHA1
29a40334b275c90b77ba93c00285527d2eecfabf

SHA256
3ef49a0e121a0f1ae9836ce4398716c5149fafa81c0e922ffc7c7c94280164da

SHA512
98ded90577b8c212bbc6d77ff0cc33f2eddee692e4a4e5bfc9fe7fbe1025caecfcebac5bbcf3a942adba009f5f54bd5ef83de7c4e9b71be0296752e4821bfa63

Download Submit
C:\Windows\System\ezbMTer.exe
Filesize
5.9MB

MD5
e7f0ec7341ef1d94b95f059e3e74d274

SHA1
b70cd20ff39306eb80ff99cd72a0307bbdce7b00

SHA256
aeb7e85cde28eed6bb4d4bf8e6d1ab3055a7342bf418e02160c0b7b2c58a882d

SHA512
e2e30978115756ea531a685ad7ee8b69ba245ffad8ee9f44aa7da07ee56cf374cd86fde1738f316c635139b73af928d9b43e643ac82a8bfbc26152d7a82173a7

Download Submit
C:\Windows\System\fQLlyut.exe
Filesize
5.9MB

MD5
d1c37595914d6b799ef0aaa624679234

SHA1
3564fd3b0bc6a2f792b96c5068de59e7e0ee08de

SHA256
1aae16806999d32b492ffb3c60de4d2a98209b3e9849377813bb41ab05247d1e

SHA512
2772bed8da156e54cb77d4f65e3bb905769f39ed67c12a4378adf57cd812a18f6291f6ca4eb70574016edbf5cdcc857cf409b23e42d481b2b1290b5c094e1ab2

Download Submit
C:\Windows\System\hIhfuSU.exe
Filesize
5.9MB

MD5
21f6d9623391820cf760b1e4e8526e0a

SHA1
82bda5a1b57a9ed74b81128ad5b2cddc0025a5df

SHA256
c010f0fdc016b48bfc3fdc66debcbcf445aa23e1520ad4f2127aef03a424521f

SHA512
920ffa093e4afe0f6b1e7e0a7a3e3d9e418fcd9af452d051e6a630d6090ac054c2a5e154573ba0794ec0882ca5d12e52691e1645ba0c32ba9a18821791c4346d

Download Submit
C:\Windows\System\lwpPOFS.exe
Filesize
5.9MB

MD5
152c7d5fc4d1ec8dc95e8d1f2a45c088

SHA1
7152dc27d1848af2754fe9f24dfb9a69c81d118c

SHA256
309d46e7ad56da66841199925a7de1095faedcddd2014d7843690a3413ff6d08

SHA512
c96174fc5191891f333b3e34571e9b4e577eec972afe4e31654ca81096099acf3a222aaa1bbea7b2abfd5fb9b122766a0f1e18d7f7041b9c0fa9e8a05a759cd1

Download Submit
C:\Windows\System\qXICYOH.exe
Filesize
5.9MB

MD5
e2477b0076a3429f03b97b0ae64702ae

SHA1
a3c6506411d2e78d64839f2b52329cc0c927a8b6

SHA256
08c78a077a63f440aef4827d790a5452b32879a5155f35608d2f46ebed5112fb

SHA512
63492ba8c48d5d16a52758fd5bdebb16552571877a0facdad24c3ac7fffd378789417593a570687782b8af0686dd3b9518463fa3bb58161805f0557ef8daf87a

Download Submit
C:\Windows\System\tSOZNHp.exe
Filesize
5.9MB

MD5
c19c3144bb11cd6c3340f2e4e126cc11

SHA1
e6590b8620114d589813f7a3c33c5c25f00f3944

SHA256
ad076e506eadfbff83d44a787b940459df7c46b79833edcef51cdef22df3ebed

SHA512
df8c194977018350a617fb76acaf5ade8e1bea3b0ce20fb5eb04e6c1042b2c61142b67fee20b04be1fa1cd61458e1d3c2e590784cf7ac17b63b6db77b5eb53d2

Download Submit
C:\Windows\System\upyqTWO.exe
Filesize
5.9MB

MD5
1b56ed7630972f968eeeb32a3afeadc6

SHA1
d3984cd67fed98f951aba4f65b8a285b5dda13fa

SHA256
00abdf77c8431e972f67b42230b39a40eac3cb23d3108c324e65fcf95998d57e

SHA512
84b20a6760b82b84f593b48be4a08d5cbfa160a416712298ff94bc3e2721211e7b00cb8b36f7a46ebffcffb253d0b5fb60bd53f13c33d5973521a1bf2b6eb65f

Download Submit
C:\Windows\System\vhweNqx.exe
Filesize
5.9MB

MD5
8f3ff26c31fb03874aa346e4846621ff

SHA1
4f440d04f2e9e2133113f6cc73eeb414ae371945

SHA256
8e1b4c1c3d7b6ab5df7f3fefff9c751101fdc4221e3df5985e286bffed424a10

SHA512
c74f8be75ed9acd068c5e10e4ab908d6c241bde9b8f8e1f40e2c722ff2be48e676018f54fe2723609470e7a4e1d122b8724e9b82de5ec7d46d12a51cebbfe706

Download Submit
C:\Windows\System\yYDARfy.exe
Filesize
5.9MB

MD5
9c1a8b6c53fafee275063bfb0073c9ac

SHA1
8d689a62d99c4bb9407ea6ea4d473f99f7f906af

SHA256
3093303b44c1b4e2f48a4a64d8bf834f5262f7e210d0263eb5da1bb9d08031c3

SHA512
8f62885d8cdaad916686d4ba90c3a75bf74528ee4d1aa242f846cd6e334214b27059e315182f6b19db36a7f39b0004d6dcbf3c5f1c2b5055f6a1149a96ce98c9

Download Submit
C:\Windows\System\yZEKBeZ.exe
Filesize
5.9MB

MD5
6dc61d80bbeb7939d10ffe7a99be1897

SHA1
ded3c8b45213bf32c9b4ff3c0509b816dad6c361

SHA256
f51fc3458699d5a4dc593de3750738ee470dbab3787a0df5963f79555cbde38f

SHA512
fc150f26a06c4b196e211af6676b62477dc3b5250b84f06e360882adb127fe413f33d6bc69f2f5623b1624ea9d03f8b48dacbf17c7eb5cb6c91e9339fa69ed16

Download Submit
C:\Windows\System\yahicld.exe
Filesize
5.9MB

MD5
f0bc5cf6f12566d40bc4434b877c3cef

SHA1
545869607ece77d78e5cb4a5040da246c93ee0b3

SHA256
4ac036d6f309775afc18d77ea8a0603c6cd3277612c7e628a8bc2290602f9d04

SHA512
1a37db3397352eb992fdea3d0ba4b1fd9dfecc3bdb2549ca45de0a9bdc80d273fb97c54d2f95d0da77d2a94368cc9fa6ae27e5f7db4c18cc104a8137b827bde2

Download Submit
memory/464-160-0x00007FF728210000-0x00007FF728564000-memory.dmp

Filesize
3.3MB

Download
memory/464-131-0x00007FF728210000-0x00007FF728564000-memory.dmp

Filesize
3.3MB

Download
memory/1704-157-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-139-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-104-0x00007FF6E7360000-0x00007FF6E76B4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-132-0x00007FF6D0A80000-0x00007FF6D0DD4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-161-0x00007FF6D0A80000-0x00007FF6D0DD4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-86-0x00007FF67D9A0000-0x00007FF67DCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-154-0x00007FF67D9A0000-0x00007FF67DCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-101-0x00007FF7CEBE0000-0x00007FF7CEF34000-memory.dmp

Filesize
3.3MB

Download
memory/2072-155-0x00007FF7CEBE0000-0x00007FF7CEF34000-memory.dmp

Filesize
3.3MB

Download
memory/2132-151-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp

Filesize
3.3MB

Download
memory/2132-60-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp

Filesize
3.3MB

Download
memory/2132-135-0x00007FF65D720000-0x00007FF65DA74000-memory.dmp

Filesize
3.3MB

Download
memory/2184-19-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-143-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-96-0x00007FF731D80000-0x00007FF7320D4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-0-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp

Filesize
3.3MB

Download
memory/2188-1-0x000002695D930000-0x000002695D940000-memory.dmp

Filesize
64KB

Download
memory/2188-85-0x00007FF6AFAF0000-0x00007FF6AFE44000-memory.dmp

Filesize
3.3MB

Download
memory/2300-47-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-133-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-148-0x00007FF6A2E50000-0x00007FF6A31A4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-31-0x00007FF623540000-0x00007FF623894000-memory.dmp

Filesize
3.3MB

Download
memory/2308-100-0x00007FF623540000-0x00007FF623894000-memory.dmp

Filesize
3.3MB

Download
memory/2308-145-0x00007FF623540000-0x00007FF623894000-memory.dmp

Filesize
3.3MB

Download
memory/3044-146-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp

Filesize
3.3MB

Download
memory/3044-103-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp

Filesize
3.3MB

Download
memory/3044-33-0x00007FF6B7AC0000-0x00007FF6B7E14000-memory.dmp

Filesize
3.3MB

Download
memory/3688-144-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-37-0x00007FF63B370000-0x00007FF63B6C4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-150-0x00007FF6E81A0000-0x00007FF6E84F4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-56-0x00007FF6E81A0000-0x00007FF6E84F4000-memory.dmp

Filesize
3.3MB

Download
memory/4480-147-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp

Filesize
3.3MB

Download
memory/4480-44-0x00007FF69F6D0000-0x00007FF69FA24000-memory.dmp

Filesize
3.3MB

Download
memory/4488-136-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp

Filesize
3.3MB

Download
memory/4488-69-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp

Filesize
3.3MB

Download
memory/4488-152-0x00007FF6BA810000-0x00007FF6BAB64000-memory.dmp

Filesize
3.3MB

Download
memory/4584-156-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-138-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-89-0x00007FF7F1E90000-0x00007FF7F21E4000-memory.dmp

Filesize
3.3MB

Download
memory/4608-106-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp

Filesize
3.3MB

Download
memory/4608-140-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp

Filesize
3.3MB

Download
memory/4608-162-0x00007FF7D52A0000-0x00007FF7D55F4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-8-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp

Filesize
3.3MB

Download
memory/4656-142-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp

Filesize
3.3MB

Download
memory/4656-95-0x00007FF6F8840000-0x00007FF6F8B94000-memory.dmp

Filesize
3.3MB

Download
memory/4780-159-0x00007FF6EC830000-0x00007FF6ECB84000-memory.dmp

Filesize
3.3MB

Download
memory/4780-134-0x00007FF6EC830000-0x00007FF6ECB84000-memory.dmp

Filesize
3.3MB

Download
memory/4828-153-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-72-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-137-0x00007FF639CA0000-0x00007FF639FF4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-130-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-158-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-141-0x00007FF63CC50000-0x00007FF63CFA4000-memory.dmp

Filesize
3.3MB

Download
memory/5096-42-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp

Filesize
3.3MB

Download
memory/5096-149-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp

Filesize
3.3MB

Download
memory/5096-105-0x00007FF6F8510000-0x00007FF6F8864000-memory.dmp

Filesize
3.3MB

Download