cobaltstrike | 90d2ffb58c48cb95a48dcc63d8bc779dcffa8e5e9620af35b6d86d879a641c17

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

7a8eecc97d22483b370e7311f0d68809
SHA1

912b9410adede3fcb27e0ee19303ab0d1c7f15ca
SHA256

90d2ffb58c48cb95a48dcc63d8bc779dcffa8e5e9620af35b6d86d879a641c17
SHA512

e09ecc96d9d8bd32a4bc3f83a8f10b1e85f7b1b9e085f974a7b09ae2ce24350d10137dc8c14699cf4f605cc2dfc8af94879444355c0cc4a19d65ef60f1266a4f
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUm:Q+u56utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\fZtJdvs.exe	cobalt_reflective_dll
C:\Windows\System\alrCORN.exe	cobalt_reflective_dll
C:\Windows\System\aOqFdNB.exe	cobalt_reflective_dll
C:\Windows\System\KbHTwhl.exe	cobalt_reflective_dll
C:\Windows\System\YGLAKqX.exe	cobalt_reflective_dll
C:\Windows\System\nHoykcc.exe	cobalt_reflective_dll
C:\Windows\System\tLCtQzz.exe	cobalt_reflective_dll
C:\Windows\System\dCINiZb.exe	cobalt_reflective_dll
C:\Windows\System\QfdjQQV.exe	cobalt_reflective_dll
C:\Windows\System\sQWUgLx.exe	cobalt_reflective_dll
C:\Windows\System\XYZPguy.exe	cobalt_reflective_dll
C:\Windows\System\GhDOAqf.exe	cobalt_reflective_dll
C:\Windows\System\xXCwlHv.exe	cobalt_reflective_dll
C:\Windows\System\bvRAVJR.exe	cobalt_reflective_dll
C:\Windows\System\xniVOGu.exe	cobalt_reflective_dll
C:\Windows\System\befpFYx.exe	cobalt_reflective_dll
C:\Windows\System\QAxBeOz.exe	cobalt_reflective_dll
C:\Windows\System\EFilbLF.exe	cobalt_reflective_dll
C:\Windows\System\lTfNrWt.exe	cobalt_reflective_dll
C:\Windows\System\WgEchlf.exe	cobalt_reflective_dll
C:\Windows\System\FoUQsbl.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\fZtJdvs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\alrCORN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aOqFdNB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KbHTwhl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YGLAKqX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nHoykcc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tLCtQzz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dCINiZb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QfdjQQV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sQWUgLx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XYZPguy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GhDOAqf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xXCwlHv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bvRAVJR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xniVOGu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\befpFYx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QAxBeOz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EFilbLF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lTfNrWt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WgEchlf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FoUQsbl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1460-0-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	UPX
behavioral2/memory/2000-6-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	UPX
C:\Windows\System\fZtJdvs.exe	UPX
behavioral2/memory/2944-12-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	UPX
C:\Windows\System\alrCORN.exe	UPX
C:\Windows\System\aOqFdNB.exe	UPX
C:\Windows\System\KbHTwhl.exe	UPX
behavioral2/memory/1644-24-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	UPX
behavioral2/memory/4920-20-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	UPX
C:\Windows\System\YGLAKqX.exe	UPX
behavioral2/memory/536-32-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	UPX
C:\Windows\System\nHoykcc.exe	UPX
behavioral2/memory/2940-36-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	UPX
C:\Windows\System\tLCtQzz.exe	UPX
behavioral2/memory/4588-44-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	UPX
C:\Windows\System\dCINiZb.exe	UPX
C:\Windows\System\QfdjQQV.exe	UPX
behavioral2/memory/4868-51-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	UPX
behavioral2/memory/4084-56-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	UPX
C:\Windows\System\sQWUgLx.exe	UPX
behavioral2/memory/1952-64-0x00007FF64F0A0000-0x00007FF64F3F4000-memory.dmp	UPX
behavioral2/memory/2000-66-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	UPX
behavioral2/memory/3248-70-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	UPX
C:\Windows\System\XYZPguy.exe	UPX
behavioral2/memory/1460-62-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	UPX
behavioral2/memory/2944-74-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	UPX
C:\Windows\System\GhDOAqf.exe	UPX
C:\Windows\System\xXCwlHv.exe	UPX
behavioral2/memory/2156-75-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	UPX
behavioral2/memory/5040-83-0x00007FF78B470000-0x00007FF78B7C4000-memory.dmp	UPX
C:\Windows\System\bvRAVJR.exe	UPX
behavioral2/memory/4920-82-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	UPX
behavioral2/memory/652-90-0x00007FF623790000-0x00007FF623AE4000-memory.dmp	UPX
behavioral2/memory/1644-89-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	UPX
C:\Windows\System\xniVOGu.exe	UPX
behavioral2/memory/2364-95-0x00007FF665920000-0x00007FF665C74000-memory.dmp	UPX
C:\Windows\System\befpFYx.exe	UPX
behavioral2/memory/2940-101-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	UPX
C:\Windows\System\QAxBeOz.exe	UPX
behavioral2/memory/3996-112-0x00007FF74E660000-0x00007FF74E9B4000-memory.dmp	UPX
C:\Windows\System\EFilbLF.exe	UPX
C:\Windows\System\lTfNrWt.exe	UPX
behavioral2/memory/3176-123-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	UPX
C:\Windows\System\WgEchlf.exe	UPX
C:\Windows\System\FoUQsbl.exe	UPX
behavioral2/memory/4716-124-0x00007FF783910000-0x00007FF783C64000-memory.dmp	UPX
behavioral2/memory/748-119-0x00007FF7CD100000-0x00007FF7CD454000-memory.dmp	UPX
behavioral2/memory/4588-111-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	UPX
behavioral2/memory/384-108-0x00007FF6079D0000-0x00007FF607D24000-memory.dmp	UPX
behavioral2/memory/2928-133-0x00007FF603500000-0x00007FF603854000-memory.dmp	UPX
behavioral2/memory/3248-134-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	UPX
behavioral2/memory/2156-135-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	UPX
behavioral2/memory/2364-136-0x00007FF665920000-0x00007FF665C74000-memory.dmp	UPX
behavioral2/memory/3176-137-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	UPX
behavioral2/memory/4716-138-0x00007FF783910000-0x00007FF783C64000-memory.dmp	UPX
behavioral2/memory/2000-139-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	UPX
behavioral2/memory/2944-140-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	UPX
behavioral2/memory/4920-141-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	UPX
behavioral2/memory/1644-142-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	UPX
behavioral2/memory/536-143-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	UPX
behavioral2/memory/2940-144-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	UPX
behavioral2/memory/4588-145-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	UPX
behavioral2/memory/4868-146-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	UPX
behavioral2/memory/4084-147-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1460-0-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	xmrig
behavioral2/memory/2000-6-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	xmrig
C:\Windows\System\fZtJdvs.exe	xmrig
behavioral2/memory/2944-12-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	xmrig
C:\Windows\System\alrCORN.exe	xmrig
C:\Windows\System\aOqFdNB.exe	xmrig
C:\Windows\System\KbHTwhl.exe	xmrig
behavioral2/memory/1644-24-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	xmrig
behavioral2/memory/4920-20-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	xmrig
C:\Windows\System\YGLAKqX.exe	xmrig
behavioral2/memory/536-32-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	xmrig
C:\Windows\System\nHoykcc.exe	xmrig
behavioral2/memory/2940-36-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	xmrig
C:\Windows\System\tLCtQzz.exe	xmrig
behavioral2/memory/4588-44-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	xmrig
C:\Windows\System\dCINiZb.exe	xmrig
C:\Windows\System\QfdjQQV.exe	xmrig
behavioral2/memory/4868-51-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	xmrig
behavioral2/memory/4084-56-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	xmrig
C:\Windows\System\sQWUgLx.exe	xmrig
behavioral2/memory/1952-64-0x00007FF64F0A0000-0x00007FF64F3F4000-memory.dmp	xmrig
behavioral2/memory/2000-66-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	xmrig
behavioral2/memory/3248-70-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	xmrig
C:\Windows\System\XYZPguy.exe	xmrig
behavioral2/memory/1460-62-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	xmrig
behavioral2/memory/2944-74-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	xmrig
C:\Windows\System\GhDOAqf.exe	xmrig
C:\Windows\System\xXCwlHv.exe	xmrig
behavioral2/memory/2156-75-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	xmrig
behavioral2/memory/5040-83-0x00007FF78B470000-0x00007FF78B7C4000-memory.dmp	xmrig
C:\Windows\System\bvRAVJR.exe	xmrig
behavioral2/memory/4920-82-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	xmrig
behavioral2/memory/652-90-0x00007FF623790000-0x00007FF623AE4000-memory.dmp	xmrig
behavioral2/memory/1644-89-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	xmrig
C:\Windows\System\xniVOGu.exe	xmrig
behavioral2/memory/2364-95-0x00007FF665920000-0x00007FF665C74000-memory.dmp	xmrig
C:\Windows\System\befpFYx.exe	xmrig
behavioral2/memory/2940-101-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	xmrig
C:\Windows\System\QAxBeOz.exe	xmrig
behavioral2/memory/3996-112-0x00007FF74E660000-0x00007FF74E9B4000-memory.dmp	xmrig
C:\Windows\System\EFilbLF.exe	xmrig
C:\Windows\System\lTfNrWt.exe	xmrig
behavioral2/memory/3176-123-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	xmrig
C:\Windows\System\WgEchlf.exe	xmrig
C:\Windows\System\FoUQsbl.exe	xmrig
behavioral2/memory/4716-124-0x00007FF783910000-0x00007FF783C64000-memory.dmp	xmrig
behavioral2/memory/748-119-0x00007FF7CD100000-0x00007FF7CD454000-memory.dmp	xmrig
behavioral2/memory/4588-111-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	xmrig
behavioral2/memory/384-108-0x00007FF6079D0000-0x00007FF607D24000-memory.dmp	xmrig
behavioral2/memory/2928-133-0x00007FF603500000-0x00007FF603854000-memory.dmp	xmrig
behavioral2/memory/3248-134-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	xmrig
behavioral2/memory/2156-135-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	xmrig
behavioral2/memory/2364-136-0x00007FF665920000-0x00007FF665C74000-memory.dmp	xmrig
behavioral2/memory/3176-137-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	xmrig
behavioral2/memory/4716-138-0x00007FF783910000-0x00007FF783C64000-memory.dmp	xmrig
behavioral2/memory/2000-139-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	xmrig
behavioral2/memory/2944-140-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	xmrig
behavioral2/memory/4920-141-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	xmrig
behavioral2/memory/1644-142-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	xmrig
behavioral2/memory/536-143-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	xmrig
behavioral2/memory/2940-144-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	xmrig
behavioral2/memory/4588-145-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	xmrig
behavioral2/memory/4868-146-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	xmrig
behavioral2/memory/4084-147-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

alrCORN.exeaOqFdNB.exefZtJdvs.exeKbHTwhl.exeYGLAKqX.exenHoykcc.exetLCtQzz.exedCINiZb.exeQfdjQQV.exesQWUgLx.exeXYZPguy.exexXCwlHv.exeGhDOAqf.exebvRAVJR.exexniVOGu.exebefpFYx.exeQAxBeOz.exeEFilbLF.exeFoUQsbl.exelTfNrWt.exeWgEchlf.exe

pid	process
2000	alrCORN.exe
2944	aOqFdNB.exe
4920	fZtJdvs.exe
1644	KbHTwhl.exe
536	YGLAKqX.exe
2940	nHoykcc.exe
4588	tLCtQzz.exe
4868	dCINiZb.exe
4084	QfdjQQV.exe
1952	sQWUgLx.exe
3248	XYZPguy.exe
2156	xXCwlHv.exe
5040	GhDOAqf.exe
652	bvRAVJR.exe
2364	xniVOGu.exe
384	befpFYx.exe
3996	QAxBeOz.exe
748	EFilbLF.exe
4716	FoUQsbl.exe
3176	lTfNrWt.exe
2928	WgEchlf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1460-0-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	upx
behavioral2/memory/2000-6-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	upx
C:\Windows\System\fZtJdvs.exe	upx
behavioral2/memory/2944-12-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	upx
C:\Windows\System\alrCORN.exe	upx
C:\Windows\System\aOqFdNB.exe	upx
C:\Windows\System\KbHTwhl.exe	upx
behavioral2/memory/1644-24-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	upx
behavioral2/memory/4920-20-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	upx
C:\Windows\System\YGLAKqX.exe	upx
behavioral2/memory/536-32-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	upx
C:\Windows\System\nHoykcc.exe	upx
behavioral2/memory/2940-36-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	upx
C:\Windows\System\tLCtQzz.exe	upx
behavioral2/memory/4588-44-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	upx
C:\Windows\System\dCINiZb.exe	upx
C:\Windows\System\QfdjQQV.exe	upx
behavioral2/memory/4868-51-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	upx
behavioral2/memory/4084-56-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	upx
C:\Windows\System\sQWUgLx.exe	upx
behavioral2/memory/1952-64-0x00007FF64F0A0000-0x00007FF64F3F4000-memory.dmp	upx
behavioral2/memory/2000-66-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	upx
behavioral2/memory/3248-70-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	upx
C:\Windows\System\XYZPguy.exe	upx
behavioral2/memory/1460-62-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp	upx
behavioral2/memory/2944-74-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	upx
C:\Windows\System\GhDOAqf.exe	upx
C:\Windows\System\xXCwlHv.exe	upx
behavioral2/memory/2156-75-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	upx
behavioral2/memory/5040-83-0x00007FF78B470000-0x00007FF78B7C4000-memory.dmp	upx
C:\Windows\System\bvRAVJR.exe	upx
behavioral2/memory/4920-82-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	upx
behavioral2/memory/652-90-0x00007FF623790000-0x00007FF623AE4000-memory.dmp	upx
behavioral2/memory/1644-89-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	upx
C:\Windows\System\xniVOGu.exe	upx
behavioral2/memory/2364-95-0x00007FF665920000-0x00007FF665C74000-memory.dmp	upx
C:\Windows\System\befpFYx.exe	upx
behavioral2/memory/2940-101-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	upx
C:\Windows\System\QAxBeOz.exe	upx
behavioral2/memory/3996-112-0x00007FF74E660000-0x00007FF74E9B4000-memory.dmp	upx
C:\Windows\System\EFilbLF.exe	upx
C:\Windows\System\lTfNrWt.exe	upx
behavioral2/memory/3176-123-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	upx
C:\Windows\System\WgEchlf.exe	upx
C:\Windows\System\FoUQsbl.exe	upx
behavioral2/memory/4716-124-0x00007FF783910000-0x00007FF783C64000-memory.dmp	upx
behavioral2/memory/748-119-0x00007FF7CD100000-0x00007FF7CD454000-memory.dmp	upx
behavioral2/memory/4588-111-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	upx
behavioral2/memory/384-108-0x00007FF6079D0000-0x00007FF607D24000-memory.dmp	upx
behavioral2/memory/2928-133-0x00007FF603500000-0x00007FF603854000-memory.dmp	upx
behavioral2/memory/3248-134-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp	upx
behavioral2/memory/2156-135-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp	upx
behavioral2/memory/2364-136-0x00007FF665920000-0x00007FF665C74000-memory.dmp	upx
behavioral2/memory/3176-137-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp	upx
behavioral2/memory/4716-138-0x00007FF783910000-0x00007FF783C64000-memory.dmp	upx
behavioral2/memory/2000-139-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp	upx
behavioral2/memory/2944-140-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp	upx
behavioral2/memory/4920-141-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp	upx
behavioral2/memory/1644-142-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp	upx
behavioral2/memory/536-143-0x00007FF631FC0000-0x00007FF632314000-memory.dmp	upx
behavioral2/memory/2940-144-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp	upx
behavioral2/memory/4588-145-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp	upx
behavioral2/memory/4868-146-0x00007FF73E610000-0x00007FF73E964000-memory.dmp	upx
behavioral2/memory/4084-147-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\sQWUgLx.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QAxBeOz.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EFilbLF.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YGLAKqX.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tLCtQzz.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfdjQQV.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xXCwlHv.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\alrCORN.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nHoykcc.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dCINiZb.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvRAVJR.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fZtJdvs.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XYZPguy.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GhDOAqf.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\befpFYx.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FoUQsbl.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lTfNrWt.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WgEchlf.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aOqFdNB.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbHTwhl.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xniVOGu.exe	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1460 wrote to memory of 2000	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	alrCORN.exe
PID 1460 wrote to memory of 2000	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	alrCORN.exe
PID 1460 wrote to memory of 2944	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	aOqFdNB.exe
PID 1460 wrote to memory of 2944	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	aOqFdNB.exe
PID 1460 wrote to memory of 4920	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	fZtJdvs.exe
PID 1460 wrote to memory of 4920	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	fZtJdvs.exe
PID 1460 wrote to memory of 1644	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	KbHTwhl.exe
PID 1460 wrote to memory of 1644	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	KbHTwhl.exe
PID 1460 wrote to memory of 536	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	YGLAKqX.exe
PID 1460 wrote to memory of 536	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	YGLAKqX.exe
PID 1460 wrote to memory of 2940	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	nHoykcc.exe
PID 1460 wrote to memory of 2940	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	nHoykcc.exe
PID 1460 wrote to memory of 4588	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	tLCtQzz.exe
PID 1460 wrote to memory of 4588	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	tLCtQzz.exe
PID 1460 wrote to memory of 4868	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	dCINiZb.exe
PID 1460 wrote to memory of 4868	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	dCINiZb.exe
PID 1460 wrote to memory of 4084	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	QfdjQQV.exe
PID 1460 wrote to memory of 4084	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	QfdjQQV.exe
PID 1460 wrote to memory of 1952	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	sQWUgLx.exe
PID 1460 wrote to memory of 1952	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	sQWUgLx.exe
PID 1460 wrote to memory of 3248	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	XYZPguy.exe
PID 1460 wrote to memory of 3248	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	XYZPguy.exe
PID 1460 wrote to memory of 2156	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xXCwlHv.exe
PID 1460 wrote to memory of 2156	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xXCwlHv.exe
PID 1460 wrote to memory of 5040	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	GhDOAqf.exe
PID 1460 wrote to memory of 5040	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	GhDOAqf.exe
PID 1460 wrote to memory of 652	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	bvRAVJR.exe
PID 1460 wrote to memory of 652	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	bvRAVJR.exe
PID 1460 wrote to memory of 2364	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xniVOGu.exe
PID 1460 wrote to memory of 2364	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	xniVOGu.exe
PID 1460 wrote to memory of 384	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	befpFYx.exe
PID 1460 wrote to memory of 384	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	befpFYx.exe
PID 1460 wrote to memory of 3996	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	QAxBeOz.exe
PID 1460 wrote to memory of 3996	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	QAxBeOz.exe
PID 1460 wrote to memory of 748	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	EFilbLF.exe
PID 1460 wrote to memory of 748	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	EFilbLF.exe
PID 1460 wrote to memory of 4716	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	FoUQsbl.exe
PID 1460 wrote to memory of 4716	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	FoUQsbl.exe
PID 1460 wrote to memory of 3176	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	lTfNrWt.exe
PID 1460 wrote to memory of 3176	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	lTfNrWt.exe
PID 1460 wrote to memory of 2928	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	WgEchlf.exe
PID 1460 wrote to memory of 2928	1460	2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe	WgEchlf.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_7a8eecc97d22483b370e7311f0d68809_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System\alrCORN.exe
C:\Windows\System\alrCORN.exe
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\System\aOqFdNB.exe
C:\Windows\System\aOqFdNB.exe
2⤵
- Executes dropped EXE
PID:2944

C:\Windows\System\fZtJdvs.exe
C:\Windows\System\fZtJdvs.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System\KbHTwhl.exe
C:\Windows\System\KbHTwhl.exe
2⤵
- Executes dropped EXE
PID:1644

C:\Windows\System\YGLAKqX.exe
C:\Windows\System\YGLAKqX.exe
2⤵
- Executes dropped EXE
PID:536

C:\Windows\System\nHoykcc.exe
C:\Windows\System\nHoykcc.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\tLCtQzz.exe
C:\Windows\System\tLCtQzz.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\dCINiZb.exe
C:\Windows\System\dCINiZb.exe
2⤵
- Executes dropped EXE
PID:4868

C:\Windows\System\QfdjQQV.exe
C:\Windows\System\QfdjQQV.exe
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\System\sQWUgLx.exe
C:\Windows\System\sQWUgLx.exe
2⤵
- Executes dropped EXE
PID:1952

C:\Windows\System\XYZPguy.exe
C:\Windows\System\XYZPguy.exe
2⤵
- Executes dropped EXE
PID:3248

C:\Windows\System\xXCwlHv.exe
C:\Windows\System\xXCwlHv.exe
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\System\GhDOAqf.exe
C:\Windows\System\GhDOAqf.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\bvRAVJR.exe
C:\Windows\System\bvRAVJR.exe
2⤵
- Executes dropped EXE
PID:652

C:\Windows\System\xniVOGu.exe
C:\Windows\System\xniVOGu.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\befpFYx.exe
C:\Windows\System\befpFYx.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System\QAxBeOz.exe
C:\Windows\System\QAxBeOz.exe
2⤵
- Executes dropped EXE
PID:3996

C:\Windows\System\EFilbLF.exe
C:\Windows\System\EFilbLF.exe
2⤵
- Executes dropped EXE
PID:748

C:\Windows\System\FoUQsbl.exe
C:\Windows\System\FoUQsbl.exe
2⤵
- Executes dropped EXE
PID:4716

C:\Windows\System\lTfNrWt.exe
C:\Windows\System\lTfNrWt.exe
2⤵
- Executes dropped EXE
PID:3176

C:\Windows\System\WgEchlf.exe
C:\Windows\System\WgEchlf.exe
2⤵
- Executes dropped EXE
PID:2928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EFilbLF.exe
Filesize
5.9MB

MD5
b7cf9fcd25bc6fac70c0988e74ec777d

SHA1
c62648b0c7dc64b34a2a09e5b3aac6bd68a1fbb8

SHA256
12894eadfa6106d69772fa60eecc9d62c38eddf28628afe3b1ecfdc56862cc1c

SHA512
004c831812c46cb9243e6e6845aad44d6c7689fece76ae303e80f0cf85e7f756d1dbc9c5ad4cf238fb023d498ddf9c68354b702dcf8f2d6100be6066f2af51e9

Download Submit
C:\Windows\System\FoUQsbl.exe
Filesize
5.9MB

MD5
27727e4b4e6a5c3f02af7c674e3ee66e

SHA1
73a2cc9024946fcd5ab2c20142d64a9357ea92af

SHA256
b2979a17a8dc63ce4baac43c6c642e89e47684d4c2c0fe722caffcd33030f310

SHA512
091ba8b5bb01df20e5af459094a76a2cc83c29340d554fcae1cb2854ede52760055cc40889e38fec9c988021e7a753d87e862667e20e461c626e8bc5c7f55077

Download Submit
C:\Windows\System\GhDOAqf.exe
Filesize
5.9MB

MD5
40330f125413b87e27f76c5c1792284b

SHA1
64dbbef79b55ce0878bc64a3f1e07ed96f08f4e0

SHA256
9dc584dbca2fac24be85ce45084b1c977dd1b8d985780214e19097f4196e463b

SHA512
f7f5bc9e017e5c2fa3738d685591fd4df85357514646f8f6000a7b8f6dd225fb9eb652f843de36ce2f78099b176fa11abb88aa9d88aeff0d50511c0e6c52e066

Download Submit
C:\Windows\System\KbHTwhl.exe
Filesize
5.9MB

MD5
cb54dbcaf19d346b81d4945ea0c066bd

SHA1
6921cd27333ec9fb24181d68f94431fa6d550105

SHA256
10e97bd74b3acb846174c03dd3f163fcafa7c469997420304486e265ea0d2b26

SHA512
e8c03d97b13223c396a5af83d4104eb7b0885fb32504ce496d558c4d9b640535ace694d606c392fc0a3546b48a756df23169d9ffb391c0aa9d8074da94fa9297

Download Submit
C:\Windows\System\QAxBeOz.exe
Filesize
5.9MB

MD5
7ccb65abcdee271e1d1f150c184d01fa

SHA1
929a157aa5410e8e400ef4c7758c37b2476ec2e7

SHA256
6ab33b83e5d4aaf7eeb673b10b0df8387891e39b154a3ef0d67ea3312a79b2a8

SHA512
9e1c70466df5c915d74d9fb17f76427931a9dc3236ddb338b03c6c07a9746c36880cfd8460c7cdba9e5b25b1d552c78ecb479d028de043650207904919ab9f1c

Download Submit
C:\Windows\System\QfdjQQV.exe
Filesize
5.9MB

MD5
18a5298821854b1d64e1d13d31c9d636

SHA1
d054806f161659e218daedcc5522fbfdbf6fedf6

SHA256
f7844dedec198ea2f60a61cc69d4f71b60819de22fe219336d02f41a883ee0ef

SHA512
606ec2c9157486b5d6d9d0eafd08aebc7e6de86918dc917948947c0f453976f7fa90a46e0554c864f835eeccb14f8bfdeaf9b3a488f4ad23f06d05d1a24a5701

Download Submit
C:\Windows\System\WgEchlf.exe
Filesize
5.9MB

MD5
d2ba839538a871212d48192800e38d86

SHA1
3698908ffee4b3cc462818e0b02dad3b517ea7e2

SHA256
689937a319426fcbb8eb76f6521bb48b65ec9d03509e433b1d657a026bca6e84

SHA512
58f66db775dc850dbd3a9bddaa3e5011bc3c264d20ad05b76d7fe50c0f2f6dc8312e1cacc181a7554b03d01654263e34d04d00e03efe3cefd00611c0ebf248ef

Download Submit
C:\Windows\System\XYZPguy.exe
Filesize
5.9MB

MD5
08b7b29e9bd214900236cc6ebc4cfc6c

SHA1
413480eac079c100b806b28612df9fa4ca91826c

SHA256
403008598b71ec6963f8cdf1b356d5ee01bf1c531e4560ba07f44b8ca93921b3

SHA512
7aa6d7659cd9bbd7345e72555aeeadb4139a507c2eaeee2b268bbe044f816ce5c1721fe1a59ff876b34616b6ff4ec5ab0561814f16212685f4f155dfecd5a973

Download Submit
C:\Windows\System\YGLAKqX.exe
Filesize
5.9MB

MD5
c428c9e0c4f2cab03b2e2c7791e6d21a

SHA1
da4353de73814bd1f3d0f08d9acb61fdcc8d598f

SHA256
576198344e8251d29b84b7aa9a870982720fcb15da6fd7a603f19eab81de6466

SHA512
b42ae527db8d5f1968c9f838a740e9f87a22af6eaf05586aa020645c9dd85f759b5edf45af2a79215152c181eda8f9a28cec9a7aa39a5cd851d433b3015d8bfa

Download Submit
C:\Windows\System\aOqFdNB.exe
Filesize
5.9MB

MD5
1567aa41b8ec22610661f31f89cadb42

SHA1
eb3c1d4ac6a584c871005358515d6ae31a8e768d

SHA256
9bbaec80cd87cac5d2461a179abbb190753a483df93b0486ba2b30612d59b64c

SHA512
1dc897c3464a34d0ba4e73b6122f282ec70ad6221d601ccef88990d97a3200a23eb2f06bd9956cf11d0efbc286fbcd4a58a39b389e9bbc942d2fa84178d43c22

Download Submit
C:\Windows\System\alrCORN.exe
Filesize
5.9MB

MD5
e1ddaab50c792668f50fab2f9b65bed5

SHA1
b89e4080c92dc2222d9f261878c3b93e13461baf

SHA256
f65d4a9a59f44b6af608a7d4f4ff51ceacea87941b0b8f4c67af9f1f28796adc

SHA512
eb7cad7e29a4f302090b70c4ae2eaf51f345db7ad71eac090f1ba63ed952e129272b0e3a569d8dc5562da752712a3912717248c37b73ede009c6447c7efde5cc

Download Submit
C:\Windows\System\befpFYx.exe
Filesize
5.9MB

MD5
7158d53d6fbebdf86b7a0043898633aa

SHA1
a5a242dbeddd8aad5e5ba454d51aa3bde721b7d8

SHA256
ca3d0b22122658953f59f29c92fa1070a821956e5da427cb5e8a251a340e76c2

SHA512
ca88176e8859e0063ee051616253d53310926a6c620b753cb3e584cf90ff30f4066ad06ed0f2af1a49c7efbefaf269a23a9df1ea9eb2e0e8ef41f511a8e57543

Download Submit
C:\Windows\System\bvRAVJR.exe
Filesize
5.9MB

MD5
f1328e10f8f8cca4b6078b748ddc5561

SHA1
70672c4df58a864f6641f510ba95bcb2728042e6

SHA256
b81b61ad5ae2ec7f37d700e6f25686073d37934e4c1ff1cbd8198344db50c28c

SHA512
b7670acc9ac766bd914771823c455c6e4a330cbe5373161594a7251a41f87e51eb927b1f847f326fb14ce44ba9e825d5d95e5fe88ea9014467244530cf6e7073

Download Submit
C:\Windows\System\dCINiZb.exe
Filesize
5.9MB

MD5
9f81f89295ca14397d9a3800b2170265

SHA1
c9750d9fa8827539eef71486c4e8dbf7ffb5d9f4

SHA256
e9c8b7628132f4f3bf8fdbf9ec8d77e7567306ffd12629d31bcd476f2a32e1fa

SHA512
791f72c8983454b7f86ec9ebfdc7a631777818fa154d8db20e02116034b94ebe8c4a9bf99a0148629237f41e922bc7af714629e627230aa481415c0dc3c9942e

Download Submit
C:\Windows\System\fZtJdvs.exe
Filesize
5.9MB

MD5
636500b0a70928315fe62f4c41c2b1e0

SHA1
f15035dc65500476f408fdb277b9fbe021c49224

SHA256
097d3a1b14947fcb378719cd164989edfc59061126979562d1efdc985bbf6e48

SHA512
254dd458c35bd5b25f4dd315dad04cea0033612612a67d1e688fe9fcfcffb3a57d7276b613558707f1b2ed28d85bf1522b851bc481a40139221d424fe0164f8b

Download Submit
C:\Windows\System\lTfNrWt.exe
Filesize
5.9MB

MD5
716bc4068bcb9ac438f1535811a88718

SHA1
3e1e2c163703f31b01f60ed9db8134be91dbe04d

SHA256
b8352e421bb7946898446b32dfbb4cb41ac6900601c1120bad38adeee562c0ef

SHA512
b69e2bcae52829c692e2a047d3bc8a5fa411fc49c51d76875bad1b3be9453498210edcbec9dd4daef680809c9648ce8660412fa39357fc55f0232701ecdc2727

Download Submit
C:\Windows\System\nHoykcc.exe
Filesize
5.9MB

MD5
515b3a26e0b3402d18e7b3393a36d097

SHA1
5cb65c85f1a54278eef13bb12d5b7aba01b7d521

SHA256
f17e0fe7362d767ac49d7c704824699301ab6c241a7e59392a335511fedd438b

SHA512
8439be3bde0092e62ae73c8fc8604d9ed1905d14d490e4d89f1c55c93c9d0f73c10c58765e4b4b76434e9f4a06f64da90652b9d55929062363bbd687a55c0ffd

Download Submit
C:\Windows\System\sQWUgLx.exe
Filesize
5.9MB

MD5
10d18611d8c4e945a8e92a69852b866c

SHA1
961addbd350e5438afb508e69b644efb51a72655

SHA256
348bbea8544c5048a08807842b52ec90208cd578553fcd0e88ea3c30e640e833

SHA512
ba4448887bae4922e57ea2ff9de3bada6033a7a1f88756e5cddd63fb3dceaa3c0d8c7228ca306a63bb1034ab6dd1682b5a9e2e9ce48146fa13bc627851ff62c1

Download Submit
C:\Windows\System\tLCtQzz.exe
Filesize
5.9MB

MD5
8b83b9436936ab1037c0a677604dd253

SHA1
899275d56ad2d411678e29edc7a5cc9c79f01282

SHA256
3d0a82abc7653c6cf4be8e4d4a306de7f2dee340e90ec2fcffad3149c630615d

SHA512
bafb56fca5b01cfe2528875ef23f3cdd1d0c254066333c020f9733bbc7c8393184e52acd4371582be591da971e31edad707d4334307325e3e97b4affa146eaca

Download Submit
C:\Windows\System\xXCwlHv.exe
Filesize
5.9MB

MD5
f96b90bb593a0570a60955e1f86454ca

SHA1
9764281d23fc349a447207ec39eddf428dc0316d

SHA256
994e541284ef31f78f50f350f510eb745d1c78090a7acda3db6ec31435016c30

SHA512
61ee10d2e4c78271cf754d2e91734648716fe46e565ff883b31872de31f99eeada6c98fb6464bcfe8ddfa25f8afd6645fa1ae537096852dec9905bd841319ec8

Download Submit
C:\Windows\System\xniVOGu.exe
Filesize
5.9MB

MD5
9edbe711da0273fab58a4c61a2a24857

SHA1
728f688f44b0afb2b6e8b37129887dc19df4051c

SHA256
5b079dffede68da1c4c6ad501dceba41a7ea2fa9b120e889d0af929ace1021c6

SHA512
4d02a74cffd6307c81d798d3a644d67d90cf9808d3fec5696e172a7c613ebe8cd112915cd4e4e8a96e20ae4cd3c7d3878e198a014c647e9fc3011197b6b29177

Download Submit
memory/384-154-0x00007FF6079D0000-0x00007FF607D24000-memory.dmp

Filesize
3.3MB

Download
memory/384-108-0x00007FF6079D0000-0x00007FF607D24000-memory.dmp

Filesize
3.3MB

Download
memory/536-32-0x00007FF631FC0000-0x00007FF632314000-memory.dmp

Filesize
3.3MB

Download
memory/536-143-0x00007FF631FC0000-0x00007FF632314000-memory.dmp

Filesize
3.3MB

Download
memory/652-152-0x00007FF623790000-0x00007FF623AE4000-memory.dmp

Filesize
3.3MB

Download
memory/652-90-0x00007FF623790000-0x00007FF623AE4000-memory.dmp

Filesize
3.3MB

Download
memory/748-119-0x00007FF7CD100000-0x00007FF7CD454000-memory.dmp

Filesize
3.3MB

Download
memory/748-156-0x00007FF7CD100000-0x00007FF7CD454000-memory.dmp

Filesize
3.3MB

Download
memory/1460-62-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-0-0x00007FF60F190000-0x00007FF60F4E4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-1-0x000002881A8B0000-0x000002881A8C0000-memory.dmp

Filesize
64KB

Download
memory/1644-24-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp

Filesize
3.3MB

Download
memory/1644-142-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp

Filesize
3.3MB

Download
memory/1644-89-0x00007FF7B9730000-0x00007FF7B9A84000-memory.dmp

Filesize
3.3MB

Download
memory/1952-64-0x00007FF64F0A0000-0x00007FF64F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/1952-148-0x00007FF64F0A0000-0x00007FF64F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-139-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-6-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp

Filesize
3.3MB

Download
memory/2000-66-0x00007FF6F1190000-0x00007FF6F14E4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-151-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-135-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2156-75-0x00007FF6BAC50000-0x00007FF6BAFA4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-95-0x00007FF665920000-0x00007FF665C74000-memory.dmp

Filesize
3.3MB

Download
memory/2364-153-0x00007FF665920000-0x00007FF665C74000-memory.dmp

Filesize
3.3MB

Download
memory/2364-136-0x00007FF665920000-0x00007FF665C74000-memory.dmp

Filesize
3.3MB

Download
memory/2928-159-0x00007FF603500000-0x00007FF603854000-memory.dmp

Filesize
3.3MB

Download
memory/2928-133-0x00007FF603500000-0x00007FF603854000-memory.dmp

Filesize
3.3MB

Download
memory/2940-101-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-36-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-144-0x00007FF784B60000-0x00007FF784EB4000-memory.dmp

Filesize
3.3MB

Download
memory/2944-140-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp

Filesize
3.3MB

Download
memory/2944-74-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp

Filesize
3.3MB

Download
memory/2944-12-0x00007FF7806C0000-0x00007FF780A14000-memory.dmp

Filesize
3.3MB

Download
memory/3176-137-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp

Filesize
3.3MB

Download
memory/3176-123-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp

Filesize
3.3MB

Download
memory/3176-158-0x00007FF6B4570000-0x00007FF6B48C4000-memory.dmp

Filesize
3.3MB

Download
memory/3248-70-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp

Filesize
3.3MB

Download
memory/3248-149-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp

Filesize
3.3MB

Download
memory/3248-134-0x00007FF6F6070000-0x00007FF6F63C4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-155-0x00007FF74E660000-0x00007FF74E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3996-112-0x00007FF74E660000-0x00007FF74E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-147-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-56-0x00007FF79A7A0000-0x00007FF79AAF4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-145-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp

Filesize
3.3MB

Download
memory/4588-44-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp

Filesize
3.3MB

Download
memory/4588-111-0x00007FF6A7C00000-0x00007FF6A7F54000-memory.dmp

Filesize
3.3MB

Download
memory/4716-157-0x00007FF783910000-0x00007FF783C64000-memory.dmp

Filesize
3.3MB

Download
memory/4716-124-0x00007FF783910000-0x00007FF783C64000-memory.dmp

Filesize
3.3MB

Download
memory/4716-138-0x00007FF783910000-0x00007FF783C64000-memory.dmp

Filesize
3.3MB

Download
memory/4868-51-0x00007FF73E610000-0x00007FF73E964000-memory.dmp

Filesize
3.3MB

Download
memory/4868-146-0x00007FF73E610000-0x00007FF73E964000-memory.dmp

Filesize
3.3MB

Download
memory/4920-20-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-82-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-141-0x00007FF630A50000-0x00007FF630DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-150-0x00007FF78B470000-0x00007FF78B7C4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-83-0x00007FF78B470000-0x00007FF78B7C4000-memory.dmp

Filesize
3.3MB

Download