cobaltstrike | d9444d21faf8877aaed960b53bd550431e0f5bc4bcd30a37f46664817057ea75

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

0bc51450652532933e0f8d7e599b07c6
SHA1

c736b0b00d599f008d100d706f92483c5ce6d792
SHA256

d9444d21faf8877aaed960b53bd550431e0f5bc4bcd30a37f46664817057ea75
SHA512

61e392e20d05c552d7a21dc6ac03cffa8231d803ec3f819e8061cbaa090d7baedf0f159626549fb5676ce3aade3d41ad1e830114bd0a30e1529bf31fe0cc24c0
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU9:Q+u56utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\zXirZUx.exe	cobalt_reflective_dll
C:\Windows\System\RsQrUMG.exe	cobalt_reflective_dll
C:\Windows\System\nEGGABM.exe	cobalt_reflective_dll
C:\Windows\System\CzPbnHI.exe	cobalt_reflective_dll
C:\Windows\System\uHvVzWU.exe	cobalt_reflective_dll
C:\Windows\System\sNqbRbQ.exe	cobalt_reflective_dll
C:\Windows\System\KqEApgY.exe	cobalt_reflective_dll
C:\Windows\System\ILiaDXx.exe	cobalt_reflective_dll
C:\Windows\System\MPQOFdR.exe	cobalt_reflective_dll
C:\Windows\System\OFiiqWn.exe	cobalt_reflective_dll
C:\Windows\System\FFXVJRb.exe	cobalt_reflective_dll
C:\Windows\System\odETsAG.exe	cobalt_reflective_dll
C:\Windows\System\QQLlGjx.exe	cobalt_reflective_dll
C:\Windows\System\PYyFHgW.exe	cobalt_reflective_dll
C:\Windows\System\fTsydmF.exe	cobalt_reflective_dll
C:\Windows\System\hxrKoyN.exe	cobalt_reflective_dll
C:\Windows\System\WggFIlk.exe	cobalt_reflective_dll
C:\Windows\System\LQQpOZk.exe	cobalt_reflective_dll
C:\Windows\System\KuCDbKY.exe	cobalt_reflective_dll
C:\Windows\System\SysrVtP.exe	cobalt_reflective_dll
C:\Windows\System\nRxSrAZ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\zXirZUx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RsQrUMG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nEGGABM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CzPbnHI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uHvVzWU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sNqbRbQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KqEApgY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ILiaDXx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MPQOFdR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OFiiqWn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FFXVJRb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\odETsAG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QQLlGjx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PYyFHgW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fTsydmF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hxrKoyN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WggFIlk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LQQpOZk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KuCDbKY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SysrVtP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nRxSrAZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2184-0-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	UPX
C:\Windows\System\zXirZUx.exe	UPX
behavioral2/memory/1892-8-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	UPX
C:\Windows\System\RsQrUMG.exe	UPX
C:\Windows\System\nEGGABM.exe	UPX
behavioral2/memory/2900-20-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	UPX
behavioral2/memory/3768-12-0x00007FF623230000-0x00007FF623584000-memory.dmp	UPX
C:\Windows\System\CzPbnHI.exe	UPX
behavioral2/memory/4852-26-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	UPX
C:\Windows\System\uHvVzWU.exe	UPX
behavioral2/memory/3280-32-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	UPX
C:\Windows\System\sNqbRbQ.exe	UPX
behavioral2/memory/868-36-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	UPX
C:\Windows\System\KqEApgY.exe	UPX
behavioral2/memory/4520-44-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	UPX
C:\Windows\System\ILiaDXx.exe	UPX
behavioral2/memory/4232-50-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	UPX
C:\Windows\System\MPQOFdR.exe	UPX
behavioral2/memory/1292-56-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	UPX
C:\Windows\System\OFiiqWn.exe	UPX
behavioral2/memory/2184-62-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	UPX
behavioral2/memory/2308-63-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	UPX
C:\Windows\System\FFXVJRb.exe	UPX
behavioral2/memory/1892-69-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	UPX
behavioral2/memory/3768-74-0x00007FF623230000-0x00007FF623584000-memory.dmp	UPX
behavioral2/memory/3520-75-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	UPX
behavioral2/memory/452-73-0x00007FF794C80000-0x00007FF794FD4000-memory.dmp	UPX
C:\Windows\System\odETsAG.exe	UPX
C:\Windows\System\QQLlGjx.exe	UPX
behavioral2/memory/2364-82-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	UPX
C:\Windows\System\PYyFHgW.exe	UPX
behavioral2/memory/4924-89-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	UPX
behavioral2/memory/4852-88-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	UPX
C:\Windows\System\fTsydmF.exe	UPX
C:\Windows\System\hxrKoyN.exe	UPX
behavioral2/memory/3280-96-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	UPX
behavioral2/memory/4244-98-0x00007FF6858A0000-0x00007FF685BF4000-memory.dmp	UPX
C:\Windows\System\WggFIlk.exe	UPX
behavioral2/memory/4184-105-0x00007FF7BA480000-0x00007FF7BA7D4000-memory.dmp	UPX
behavioral2/memory/868-103-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	UPX
behavioral2/memory/4004-110-0x00007FF779FC0000-0x00007FF77A314000-memory.dmp	UPX
C:\Windows\System\LQQpOZk.exe	UPX
behavioral2/memory/4656-116-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	UPX
C:\Windows\System\KuCDbKY.exe	UPX
behavioral2/memory/4632-123-0x00007FF642740000-0x00007FF642A94000-memory.dmp	UPX
C:\Windows\System\SysrVtP.exe	UPX
behavioral2/memory/1456-130-0x00007FF6B9190000-0x00007FF6B94E4000-memory.dmp	UPX
C:\Windows\System\nRxSrAZ.exe	UPX
behavioral2/memory/1088-131-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	UPX
behavioral2/memory/3520-134-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	UPX
behavioral2/memory/2364-135-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	UPX
behavioral2/memory/4924-136-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	UPX
behavioral2/memory/4656-137-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	UPX
behavioral2/memory/1088-138-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	UPX
behavioral2/memory/1892-139-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	UPX
behavioral2/memory/2900-141-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	UPX
behavioral2/memory/3768-140-0x00007FF623230000-0x00007FF623584000-memory.dmp	UPX
behavioral2/memory/4852-142-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	UPX
behavioral2/memory/3280-143-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	UPX
behavioral2/memory/868-144-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	UPX
behavioral2/memory/4520-145-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	UPX
behavioral2/memory/4232-146-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	UPX
behavioral2/memory/1292-147-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	UPX
behavioral2/memory/2308-148-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2184-0-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	xmrig
C:\Windows\System\zXirZUx.exe	xmrig
behavioral2/memory/1892-8-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	xmrig
C:\Windows\System\RsQrUMG.exe	xmrig
C:\Windows\System\nEGGABM.exe	xmrig
behavioral2/memory/2900-20-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	xmrig
behavioral2/memory/3768-12-0x00007FF623230000-0x00007FF623584000-memory.dmp	xmrig
C:\Windows\System\CzPbnHI.exe	xmrig
behavioral2/memory/4852-26-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	xmrig
C:\Windows\System\uHvVzWU.exe	xmrig
behavioral2/memory/3280-32-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	xmrig
C:\Windows\System\sNqbRbQ.exe	xmrig
behavioral2/memory/868-36-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	xmrig
C:\Windows\System\KqEApgY.exe	xmrig
behavioral2/memory/4520-44-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	xmrig
C:\Windows\System\ILiaDXx.exe	xmrig
behavioral2/memory/4232-50-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	xmrig
C:\Windows\System\MPQOFdR.exe	xmrig
behavioral2/memory/1292-56-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	xmrig
C:\Windows\System\OFiiqWn.exe	xmrig
behavioral2/memory/2184-62-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	xmrig
behavioral2/memory/2308-63-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	xmrig
C:\Windows\System\FFXVJRb.exe	xmrig
behavioral2/memory/1892-69-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	xmrig
behavioral2/memory/3768-74-0x00007FF623230000-0x00007FF623584000-memory.dmp	xmrig
behavioral2/memory/3520-75-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	xmrig
behavioral2/memory/452-73-0x00007FF794C80000-0x00007FF794FD4000-memory.dmp	xmrig
C:\Windows\System\odETsAG.exe	xmrig
C:\Windows\System\QQLlGjx.exe	xmrig
behavioral2/memory/2364-82-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	xmrig
C:\Windows\System\PYyFHgW.exe	xmrig
behavioral2/memory/4924-89-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	xmrig
behavioral2/memory/4852-88-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	xmrig
C:\Windows\System\fTsydmF.exe	xmrig
C:\Windows\System\hxrKoyN.exe	xmrig
behavioral2/memory/3280-96-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	xmrig
behavioral2/memory/4244-98-0x00007FF6858A0000-0x00007FF685BF4000-memory.dmp	xmrig
C:\Windows\System\WggFIlk.exe	xmrig
behavioral2/memory/4184-105-0x00007FF7BA480000-0x00007FF7BA7D4000-memory.dmp	xmrig
behavioral2/memory/868-103-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	xmrig
behavioral2/memory/4004-110-0x00007FF779FC0000-0x00007FF77A314000-memory.dmp	xmrig
C:\Windows\System\LQQpOZk.exe	xmrig
behavioral2/memory/4656-116-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	xmrig
C:\Windows\System\KuCDbKY.exe	xmrig
behavioral2/memory/4632-123-0x00007FF642740000-0x00007FF642A94000-memory.dmp	xmrig
C:\Windows\System\SysrVtP.exe	xmrig
behavioral2/memory/1456-130-0x00007FF6B9190000-0x00007FF6B94E4000-memory.dmp	xmrig
C:\Windows\System\nRxSrAZ.exe	xmrig
behavioral2/memory/1088-131-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	xmrig
behavioral2/memory/3520-134-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	xmrig
behavioral2/memory/2364-135-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	xmrig
behavioral2/memory/4924-136-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	xmrig
behavioral2/memory/4656-137-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	xmrig
behavioral2/memory/1088-138-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	xmrig
behavioral2/memory/1892-139-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	xmrig
behavioral2/memory/2900-141-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	xmrig
behavioral2/memory/3768-140-0x00007FF623230000-0x00007FF623584000-memory.dmp	xmrig
behavioral2/memory/4852-142-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	xmrig
behavioral2/memory/3280-143-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	xmrig
behavioral2/memory/868-144-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	xmrig
behavioral2/memory/4520-145-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	xmrig
behavioral2/memory/4232-146-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	xmrig
behavioral2/memory/1292-147-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	xmrig
behavioral2/memory/2308-148-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

zXirZUx.exenEGGABM.exeRsQrUMG.exeCzPbnHI.exeuHvVzWU.exesNqbRbQ.exeKqEApgY.exeILiaDXx.exeMPQOFdR.exeOFiiqWn.exeFFXVJRb.exeodETsAG.exeQQLlGjx.exePYyFHgW.exefTsydmF.exehxrKoyN.exeWggFIlk.exeLQQpOZk.exeKuCDbKY.exeSysrVtP.exenRxSrAZ.exe

pid	process
1892	zXirZUx.exe
3768	nEGGABM.exe
2900	RsQrUMG.exe
4852	CzPbnHI.exe
3280	uHvVzWU.exe
868	sNqbRbQ.exe
4520	KqEApgY.exe
4232	ILiaDXx.exe
1292	MPQOFdR.exe
2308	OFiiqWn.exe
452	FFXVJRb.exe
3520	odETsAG.exe
2364	QQLlGjx.exe
4924	PYyFHgW.exe
4244	fTsydmF.exe
4184	hxrKoyN.exe
4004	WggFIlk.exe
4656	LQQpOZk.exe
4632	KuCDbKY.exe
1456	SysrVtP.exe
1088	nRxSrAZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2184-0-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	upx
C:\Windows\System\zXirZUx.exe	upx
behavioral2/memory/1892-8-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	upx
C:\Windows\System\RsQrUMG.exe	upx
C:\Windows\System\nEGGABM.exe	upx
behavioral2/memory/2900-20-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	upx
behavioral2/memory/3768-12-0x00007FF623230000-0x00007FF623584000-memory.dmp	upx
C:\Windows\System\CzPbnHI.exe	upx
behavioral2/memory/4852-26-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	upx
C:\Windows\System\uHvVzWU.exe	upx
behavioral2/memory/3280-32-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	upx
C:\Windows\System\sNqbRbQ.exe	upx
behavioral2/memory/868-36-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	upx
C:\Windows\System\KqEApgY.exe	upx
behavioral2/memory/4520-44-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	upx
C:\Windows\System\ILiaDXx.exe	upx
behavioral2/memory/4232-50-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	upx
C:\Windows\System\MPQOFdR.exe	upx
behavioral2/memory/1292-56-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	upx
C:\Windows\System\OFiiqWn.exe	upx
behavioral2/memory/2184-62-0x00007FF7233E0000-0x00007FF723734000-memory.dmp	upx
behavioral2/memory/2308-63-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	upx
C:\Windows\System\FFXVJRb.exe	upx
behavioral2/memory/1892-69-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	upx
behavioral2/memory/3768-74-0x00007FF623230000-0x00007FF623584000-memory.dmp	upx
behavioral2/memory/3520-75-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	upx
behavioral2/memory/452-73-0x00007FF794C80000-0x00007FF794FD4000-memory.dmp	upx
C:\Windows\System\odETsAG.exe	upx
C:\Windows\System\QQLlGjx.exe	upx
behavioral2/memory/2364-82-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	upx
C:\Windows\System\PYyFHgW.exe	upx
behavioral2/memory/4924-89-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	upx
behavioral2/memory/4852-88-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	upx
C:\Windows\System\fTsydmF.exe	upx
C:\Windows\System\hxrKoyN.exe	upx
behavioral2/memory/3280-96-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	upx
behavioral2/memory/4244-98-0x00007FF6858A0000-0x00007FF685BF4000-memory.dmp	upx
C:\Windows\System\WggFIlk.exe	upx
behavioral2/memory/4184-105-0x00007FF7BA480000-0x00007FF7BA7D4000-memory.dmp	upx
behavioral2/memory/868-103-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	upx
behavioral2/memory/4004-110-0x00007FF779FC0000-0x00007FF77A314000-memory.dmp	upx
C:\Windows\System\LQQpOZk.exe	upx
behavioral2/memory/4656-116-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	upx
C:\Windows\System\KuCDbKY.exe	upx
behavioral2/memory/4632-123-0x00007FF642740000-0x00007FF642A94000-memory.dmp	upx
C:\Windows\System\SysrVtP.exe	upx
behavioral2/memory/1456-130-0x00007FF6B9190000-0x00007FF6B94E4000-memory.dmp	upx
C:\Windows\System\nRxSrAZ.exe	upx
behavioral2/memory/1088-131-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	upx
behavioral2/memory/3520-134-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp	upx
behavioral2/memory/2364-135-0x00007FF783EF0000-0x00007FF784244000-memory.dmp	upx
behavioral2/memory/4924-136-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp	upx
behavioral2/memory/4656-137-0x00007FF765790000-0x00007FF765AE4000-memory.dmp	upx
behavioral2/memory/1088-138-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp	upx
behavioral2/memory/1892-139-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp	upx
behavioral2/memory/2900-141-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp	upx
behavioral2/memory/3768-140-0x00007FF623230000-0x00007FF623584000-memory.dmp	upx
behavioral2/memory/4852-142-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp	upx
behavioral2/memory/3280-143-0x00007FF767DB0000-0x00007FF768104000-memory.dmp	upx
behavioral2/memory/868-144-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp	upx
behavioral2/memory/4520-145-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp	upx
behavioral2/memory/4232-146-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp	upx
behavioral2/memory/1292-147-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp	upx
behavioral2/memory/2308-148-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\RsQrUMG.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNqbRbQ.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MPQOFdR.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQLlGjx.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTsydmF.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WggFIlk.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nEGGABM.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\odETsAG.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hxrKoyN.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KuCDbKY.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SysrVtP.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FFXVJRb.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQQpOZk.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nRxSrAZ.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzPbnHI.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uHvVzWU.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KqEApgY.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ILiaDXx.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OFiiqWn.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PYyFHgW.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zXirZUx.exe	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2184 wrote to memory of 1892	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	zXirZUx.exe
PID 2184 wrote to memory of 1892	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	zXirZUx.exe
PID 2184 wrote to memory of 3768	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	nEGGABM.exe
PID 2184 wrote to memory of 3768	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	nEGGABM.exe
PID 2184 wrote to memory of 2900	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	RsQrUMG.exe
PID 2184 wrote to memory of 2900	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	RsQrUMG.exe
PID 2184 wrote to memory of 4852	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	CzPbnHI.exe
PID 2184 wrote to memory of 4852	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	CzPbnHI.exe
PID 2184 wrote to memory of 3280	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	uHvVzWU.exe
PID 2184 wrote to memory of 3280	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	uHvVzWU.exe
PID 2184 wrote to memory of 868	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	sNqbRbQ.exe
PID 2184 wrote to memory of 868	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	sNqbRbQ.exe
PID 2184 wrote to memory of 4520	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	KqEApgY.exe
PID 2184 wrote to memory of 4520	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	KqEApgY.exe
PID 2184 wrote to memory of 4232	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	ILiaDXx.exe
PID 2184 wrote to memory of 4232	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	ILiaDXx.exe
PID 2184 wrote to memory of 1292	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	MPQOFdR.exe
PID 2184 wrote to memory of 1292	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	MPQOFdR.exe
PID 2184 wrote to memory of 2308	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	OFiiqWn.exe
PID 2184 wrote to memory of 2308	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	OFiiqWn.exe
PID 2184 wrote to memory of 452	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	FFXVJRb.exe
PID 2184 wrote to memory of 452	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	FFXVJRb.exe
PID 2184 wrote to memory of 3520	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	odETsAG.exe
PID 2184 wrote to memory of 3520	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	odETsAG.exe
PID 2184 wrote to memory of 2364	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	QQLlGjx.exe
PID 2184 wrote to memory of 2364	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	QQLlGjx.exe
PID 2184 wrote to memory of 4924	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	PYyFHgW.exe
PID 2184 wrote to memory of 4924	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	PYyFHgW.exe
PID 2184 wrote to memory of 4244	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	fTsydmF.exe
PID 2184 wrote to memory of 4244	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	fTsydmF.exe
PID 2184 wrote to memory of 4184	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	hxrKoyN.exe
PID 2184 wrote to memory of 4184	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	hxrKoyN.exe
PID 2184 wrote to memory of 4004	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	WggFIlk.exe
PID 2184 wrote to memory of 4004	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	WggFIlk.exe
PID 2184 wrote to memory of 4656	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	LQQpOZk.exe
PID 2184 wrote to memory of 4656	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	LQQpOZk.exe
PID 2184 wrote to memory of 4632	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	KuCDbKY.exe
PID 2184 wrote to memory of 4632	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	KuCDbKY.exe
PID 2184 wrote to memory of 1456	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	SysrVtP.exe
PID 2184 wrote to memory of 1456	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	SysrVtP.exe
PID 2184 wrote to memory of 1088	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	nRxSrAZ.exe
PID 2184 wrote to memory of 1088	2184	2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe	nRxSrAZ.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_0bc51450652532933e0f8d7e599b07c6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\System\zXirZUx.exe
C:\Windows\System\zXirZUx.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\nEGGABM.exe
C:\Windows\System\nEGGABM.exe
2⤵
- Executes dropped EXE
PID:3768

C:\Windows\System\RsQrUMG.exe
C:\Windows\System\RsQrUMG.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\CzPbnHI.exe
C:\Windows\System\CzPbnHI.exe
2⤵
- Executes dropped EXE
PID:4852

C:\Windows\System\uHvVzWU.exe
C:\Windows\System\uHvVzWU.exe
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\System\sNqbRbQ.exe
C:\Windows\System\sNqbRbQ.exe
2⤵
- Executes dropped EXE
PID:868

C:\Windows\System\KqEApgY.exe
C:\Windows\System\KqEApgY.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\ILiaDXx.exe
C:\Windows\System\ILiaDXx.exe
2⤵
- Executes dropped EXE
PID:4232

C:\Windows\System\MPQOFdR.exe
C:\Windows\System\MPQOFdR.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\System\OFiiqWn.exe
C:\Windows\System\OFiiqWn.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System\FFXVJRb.exe
C:\Windows\System\FFXVJRb.exe
2⤵
- Executes dropped EXE
PID:452

C:\Windows\System\odETsAG.exe
C:\Windows\System\odETsAG.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\System\QQLlGjx.exe
C:\Windows\System\QQLlGjx.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\PYyFHgW.exe
C:\Windows\System\PYyFHgW.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System\fTsydmF.exe
C:\Windows\System\fTsydmF.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\System\hxrKoyN.exe
C:\Windows\System\hxrKoyN.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\System\WggFIlk.exe
C:\Windows\System\WggFIlk.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System\LQQpOZk.exe
C:\Windows\System\LQQpOZk.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Windows\System\KuCDbKY.exe
C:\Windows\System\KuCDbKY.exe
2⤵
- Executes dropped EXE
PID:4632

C:\Windows\System\SysrVtP.exe
C:\Windows\System\SysrVtP.exe
2⤵
- Executes dropped EXE
PID:1456

C:\Windows\System\nRxSrAZ.exe
C:\Windows\System\nRxSrAZ.exe
2⤵
- Executes dropped EXE
PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CzPbnHI.exe
Filesize
5.9MB

MD5
abf4cffd854444936e31b09f50d687ac

SHA1
bb5f401de3b55b264a71c2c251c763639751a486

SHA256
bd9ade0868edfba47eb8c9ed9b30aebca8b9020c028c2bbc91ab38a09b5d94ef

SHA512
363075cb01bae38779f6b10098935b57e3999e3234b16e100f1627bbda84e6f607f46de0d00b47024290d822b31c8f1ee8898dda3ed03ae2617bc899c5a5cc04

Download Submit
C:\Windows\System\FFXVJRb.exe
Filesize
5.9MB

MD5
d1a49ef6e23c07adf8ca70c2864e3c7e

SHA1
2d11fb0ec10691f9ca480b8eac8e19e097ee4434

SHA256
3998aa3598aa6b65241a6876868188f957ae7a0798c05fc7ba36db44571d3d22

SHA512
54abc526e7eeaaf2ad149ca6f5ad1b1a7c7badb37373056578d29762df5017e31080efafa9f8bbb6f67d70241fca957612c641de2f8a474db2269c19abe99c84

Download Submit
C:\Windows\System\ILiaDXx.exe
Filesize
5.9MB

MD5
f02694ef92ae555388d0157cb6784c32

SHA1
2790f38e4675ab70eba33a106012ffea1c9be059

SHA256
f89d45d5fbf6430ba896c8cc613d051789cd83bd4739dcec3fe7b052850f83a4

SHA512
39d259baaf7969d3f27a633df942faec346f6237b090abfee6f443ad0208d31448bac0f7d312ef9af273badd09822582371d3fe9bfdfc21c963da163844be1c2

Download Submit
C:\Windows\System\KqEApgY.exe
Filesize
5.9MB

MD5
2c0de39b04d9a4bb6eeea7279be8accb

SHA1
eca72212cd8427351bb245327847ec00ba2d01e1

SHA256
9e0bdfaec5556bda3cdce81e5ff25c530b6b5ce5a4d5c157c8957ee2b8835b82

SHA512
3becca9603504e8018294b36c194958c6ede419ac3ed80a06c9652723108588ba2dddb1c3e502e78d32976d2ffb1419e8406bd82a9ed589d387d1e8d973c3a03

Download Submit
C:\Windows\System\KuCDbKY.exe
Filesize
5.9MB

MD5
a7676995500874af2fc291b1e7f06e12

SHA1
7a6e49742634ddd2a345be9ea43b1a1f8fcdc875

SHA256
a0060fe64c09c3e3de2f93814d13893a255bc1fff6221cec15439b124b95897b

SHA512
ae68890392bb2b888daadea21270eb7a5d6a4841bb6311713f3c7aa8c4334f10c7b7d1b1a110f114a52fbe2e281ff374c62460913b16593a1e27cfc7c19436cc

Download Submit
C:\Windows\System\LQQpOZk.exe
Filesize
5.9MB

MD5
a775b14e8dbcfbc02d3deca1d87ab778

SHA1
94b7017fadf9f7ce8749ed448e55f916dc103b34

SHA256
0ec68ab91fa57dd89ac5720fd1a27b8f79bfd24594cbe0793dfbf87c3335e7c5

SHA512
52a03ca4dcc24103284c8fbadaffe5740b54d22147860b7b1d55b2da498824eed288be5591c47b1323c7d4debb1cf5571c0a04a841311f4c3f14041c709caabd

Download Submit
C:\Windows\System\MPQOFdR.exe
Filesize
5.9MB

MD5
11184c755a97f75d9636a92ac0ed7e7e

SHA1
d4b2faaa9f259b57aeb176b5100960d2b3bccbd5

SHA256
75d283ac72d05a6b32d015381685b42db892e51c5ca029c88c0c97a7c6d50060

SHA512
70ca5da49052008ae2d7e7132a1b6ecfc00b31299f3798c00731f34dab8147075d8b25e5acba874453b6caa61c78be4d62e71c2e5f9c7dff3fa0e6c685b36d88

Download Submit
C:\Windows\System\OFiiqWn.exe
Filesize
5.9MB

MD5
d185157ad978e05aaae7e5c70dbd5ce1

SHA1
7eecf4c2c79154e531fe545aca968d102f2ef12e

SHA256
9a1f94ccabea136b39d6bbf881e380ffa8f4bfacf9428aed226c2cfb0b8f1d76

SHA512
e08906032c8e94c169663c25604cef79c4cea741a3b3507d9a3119c6729e12f0542f0460f1ceafe42a4cc71e83ef1c188a058f415d8e815ee413e62b92908645

Download Submit
C:\Windows\System\PYyFHgW.exe
Filesize
5.9MB

MD5
c22c82947d5312bae809dcc53dedc2fb

SHA1
1c754aad5bb38d54e5b04f5a651ef5bc27c423b3

SHA256
ba7999c1514cc5129d82bd2586c80ac86105836964297d6ba59e6d260e1cdb5d

SHA512
0a99495051501cfc0cebc1fc41825eda0222d42f97ce71494100a68fff02fd6e0aa60c2c4523ec353072551df47f1854119fb7257f04b6a3c449bec806324b16

Download Submit
C:\Windows\System\QQLlGjx.exe
Filesize
5.9MB

MD5
714ad378df89823074df35ee0101100e

SHA1
63b22e132bb470c9548e5ae9a3c529e5558b5344

SHA256
8f48802a01527fca746cd4bacfc0862035b7ae2fab5dc1e5403eb1b38e509a69

SHA512
c7bab6c587b62d0c8c947f9c3347e24e8fda61bbb2f09aa294ec4499c65bfcc9d48626527eda7cdca62bd1e880cd213232414659beaed763c76cd149b23a8ce1

Download Submit
C:\Windows\System\RsQrUMG.exe
Filesize
5.9MB

MD5
fc76f75078d914d0f129d8b85a3acbff

SHA1
60bf66c99f21e8593a0e5a1c7094ae48413253cb

SHA256
ed517a92dcefad91bc0624638edc6ae4aa3db70d6db273f15feb76c6ba02d7f0

SHA512
972681c29f439cacb74edce91394c7ed610f8a073f7c69b4da4284ad9ee04dc439ded30e76bbc5054227418ba927f94a33d94da160dffd196d21bf5c3bb2aabf

Download Submit
C:\Windows\System\SysrVtP.exe
Filesize
5.9MB

MD5
9bcf97816037a0dbeeafa1416abcb514

SHA1
5ccb812c83ac6cd1dc08f2b74e031102658ace9c

SHA256
48713eae5904d76696995d8dbd2677f6d23ced72ff058bb2e67cb06819d58b97

SHA512
9d132d260a6ce689518f5363070d6cdc515e36bf1d6721988ec0ac3e65fc795ef6d0aa0b197f647a271e1ee769710d36fbc3d0ada7a2e3b4b600c79703bd5e8a

Download Submit
C:\Windows\System\WggFIlk.exe
Filesize
5.9MB

MD5
d529d53ea9aa2624350b9dc21310b7e2

SHA1
2950eda1077150e2b65b99f9e04fb9c29e5130fa

SHA256
7e5040f2bc38b7a03ca06697829a727ed67f44fc6523510904e69f4e691613fd

SHA512
3e8b192563acce0a8665c73bd46e618e700fa639185f7152d36bb485c5208bc17e4f7f438bad1f0732dc993b73b401e225b13b20a14493c4070115bb3cac33e7

Download Submit
C:\Windows\System\fTsydmF.exe
Filesize
5.9MB

MD5
fcb42959bc3a82485236b0e64e8c94a5

SHA1
4aa785b5a9a0d617c47e8727532d0bd3db345f30

SHA256
74d4c41a0ada59848681a5675de65c047b59544f0a007d7cfbd4f79831190ddc

SHA512
9d58ee2f2cffe5e99491bc193f1cc39554fe4e55c176712a75b9c26c762a40c995f4e693f1354ab18f73c048bd0bdbd0e8971222ad4e68872aaee5fa8a213bcc

Download Submit
C:\Windows\System\hxrKoyN.exe
Filesize
5.9MB

MD5
a855f82b9acc05cd2fce9cf0039bb214

SHA1
2049f721018d707cb69efb82b9d7665c4baf65ff

SHA256
58cd457325a9ba3d01012dea439735bd94f1d791d85009506d83ea83920e74ed

SHA512
5abb9a64ee45e0a3365eead89616750f388dfdd96dffbae13c6c63ab38e214ecde2ba6d2ad80cee1dece8a261e51d910b1a2116da9cc52a6220a570d5d719df4

Download Submit
C:\Windows\System\nEGGABM.exe
Filesize
5.9MB

MD5
9622d9bd2eaa2f500d88c2ffce3e3ec2

SHA1
d33f9c37a37ab986555eb8a21ea913c4f0599beb

SHA256
304b81e47e66be17a113a7ece7aec5e12cda31652f75f8ae89455fc052b6651a

SHA512
f6f44ae935c09230e9d1b4ea91ecb20a379e395875d4a85209a682563b056ac5f423bd1f04a9eb4f43364607340acbe21a428b645e4a72c893dd32198156201d

Download Submit
C:\Windows\System\nRxSrAZ.exe
Filesize
5.9MB

MD5
b8644af5aa4fd681c5eddc24aff0de5c

SHA1
26bf257409a4db06ea60ad0fa33a50c09e9c1fd7

SHA256
a2ec04113b6063f0c7f063fadba294051c8ab4355d285df13ce70223a7be0bd1

SHA512
7ac38887575822f5b1e3d1ac0e7fd80039f3155c5b372cd8e4b0aa2d4421705ec6015619ead0dc29bf213a09a20e84ca9e8b8bfcdd5d5e0b2290df41744478bc

Download Submit
C:\Windows\System\odETsAG.exe
Filesize
5.9MB

MD5
24a59d85531cc4ac389dfaef22982f32

SHA1
ebc2faaddc3d4ec02c03bacd9ba2bbf5b3e8d39c

SHA256
88121528ce16e1f0cf417561ee02f55fd73d170611c924f1bdffe31ada716dde

SHA512
43bf66cef998fe7343fbb36dcee02a0499711804ccedcd40d1c2fb2b0b440097f3c6e0c06319bcec7ad638885f90000f9ecc6bd436e044e6842f4818537819dc

Download Submit
C:\Windows\System\sNqbRbQ.exe
Filesize
5.9MB

MD5
7d0a38e72d60fa7e68c7e079a7c20c77

SHA1
16807f6302ce9523630646652ad7e888145a37f2

SHA256
7d83703fe0712176400ca8365765e2085e3f935e024eb49dce31ed76735c4095

SHA512
9afd975362c44fedcc5cab010a858194b830dbdd1ec563e693a091d8513e1e0b1ee1083cfd943b393bbf3e21120b662f7aaf31ce1adfabe89b77562494666a05

Download Submit
C:\Windows\System\uHvVzWU.exe
Filesize
5.9MB

MD5
e4ff5f8157dec5c08f37ce5224629d84

SHA1
d7921a5519320d45af444d9b48dfd4573f4bc535

SHA256
8bab4e59839105e7f935167ddadb40fdeec44506340324b4077900eac57494fa

SHA512
af0844363e13893ce6ba9ff34b4e01d3dbb3562795656d1499d8fac35686bcd77c8c70d3c24e4ee8f5d958f643743f71c083f8dde47082052c17478f4445b819

Download Submit
C:\Windows\System\zXirZUx.exe
Filesize
5.9MB

MD5
20d1c64b8cf6f529fffca56003c733d5

SHA1
c0902d6b3f48787866e3b28e9be99b0d7a92fb17

SHA256
764c2e39e6d3a7a976c98d44fb8baf5f012ea79ef5188930aa7dfa78d45176ea

SHA512
594e8d4141639abd341566356bfa84efb2b7aadb11a39d66f573fe811cadd4071c761297be80e117bae6b713caf40a552773f1a51a2fbc1ffc5a5f3159233728

Download Submit
memory/452-73-0x00007FF794C80000-0x00007FF794FD4000-memory.dmp

Filesize
3.3MB

Download
memory/452-149-0x00007FF794C80000-0x00007FF794FD4000-memory.dmp

Filesize
3.3MB

Download
memory/868-103-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

Filesize
3.3MB

Download
memory/868-144-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

Filesize
3.3MB

Download
memory/868-36-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-138-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp

Filesize
3.3MB

Download
memory/1088-131-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp

Filesize
3.3MB

Download
memory/1088-159-0x00007FF6B3DC0000-0x00007FF6B4114000-memory.dmp

Filesize
3.3MB

Download
memory/1292-147-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp

Filesize
3.3MB

Download
memory/1292-56-0x00007FF7F0B40000-0x00007FF7F0E94000-memory.dmp

Filesize
3.3MB

Download
memory/1456-130-0x00007FF6B9190000-0x00007FF6B94E4000-memory.dmp

Filesize
3.3MB

Download
memory/1456-158-0x00007FF6B9190000-0x00007FF6B94E4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-8-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp

Filesize
3.3MB

Download
memory/1892-139-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp

Filesize
3.3MB

Download
memory/1892-69-0x00007FF7A94C0000-0x00007FF7A9814000-memory.dmp

Filesize
3.3MB

Download
memory/2184-0-0x00007FF7233E0000-0x00007FF723734000-memory.dmp

Filesize
3.3MB

Download
memory/2184-62-0x00007FF7233E0000-0x00007FF723734000-memory.dmp

Filesize
3.3MB

Download
memory/2184-1-0x00000289E2D80000-0x00000289E2D90000-memory.dmp

Filesize
64KB

Download
memory/2308-63-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp

Filesize
3.3MB

Download
memory/2308-148-0x00007FF73EB40000-0x00007FF73EE94000-memory.dmp

Filesize
3.3MB

Download
memory/2364-151-0x00007FF783EF0000-0x00007FF784244000-memory.dmp

Filesize
3.3MB

Download
memory/2364-82-0x00007FF783EF0000-0x00007FF784244000-memory.dmp

Filesize
3.3MB

Download
memory/2364-135-0x00007FF783EF0000-0x00007FF784244000-memory.dmp

Filesize
3.3MB

Download
memory/2900-141-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp

Filesize
3.3MB

Download
memory/2900-20-0x00007FF68D1C0000-0x00007FF68D514000-memory.dmp

Filesize
3.3MB

Download
memory/3280-96-0x00007FF767DB0000-0x00007FF768104000-memory.dmp

Filesize
3.3MB

Download
memory/3280-143-0x00007FF767DB0000-0x00007FF768104000-memory.dmp

Filesize
3.3MB

Download
memory/3280-32-0x00007FF767DB0000-0x00007FF768104000-memory.dmp

Filesize
3.3MB

Download
memory/3520-150-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp

Filesize
3.3MB

Download
memory/3520-134-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp

Filesize
3.3MB

Download
memory/3520-75-0x00007FF7FAB00000-0x00007FF7FAE54000-memory.dmp

Filesize
3.3MB

Download
memory/3768-140-0x00007FF623230000-0x00007FF623584000-memory.dmp

Filesize
3.3MB

Download
memory/3768-74-0x00007FF623230000-0x00007FF623584000-memory.dmp

Filesize
3.3MB

Download
memory/3768-12-0x00007FF623230000-0x00007FF623584000-memory.dmp

Filesize
3.3MB

Download
memory/4004-110-0x00007FF779FC0000-0x00007FF77A314000-memory.dmp

Filesize
3.3MB

Download
memory/4004-155-0x00007FF779FC0000-0x00007FF77A314000-memory.dmp

Filesize
3.3MB

Download
memory/4184-105-0x00007FF7BA480000-0x00007FF7BA7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4184-154-0x00007FF7BA480000-0x00007FF7BA7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4232-146-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp

Filesize
3.3MB

Download
memory/4232-50-0x00007FF6AFB10000-0x00007FF6AFE64000-memory.dmp

Filesize
3.3MB

Download
memory/4244-98-0x00007FF6858A0000-0x00007FF685BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-153-0x00007FF6858A0000-0x00007FF685BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-145-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-44-0x00007FF7E5560000-0x00007FF7E58B4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-123-0x00007FF642740000-0x00007FF642A94000-memory.dmp

Filesize
3.3MB

Download
memory/4632-157-0x00007FF642740000-0x00007FF642A94000-memory.dmp

Filesize
3.3MB

Download
memory/4656-116-0x00007FF765790000-0x00007FF765AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-137-0x00007FF765790000-0x00007FF765AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-156-0x00007FF765790000-0x00007FF765AE4000-memory.dmp

Filesize
3.3MB

Download
memory/4852-88-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp

Filesize
3.3MB

Download
memory/4852-142-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp

Filesize
3.3MB

Download
memory/4852-26-0x00007FF72A650000-0x00007FF72A9A4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-152-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-89-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp

Filesize
3.3MB

Download
memory/4924-136-0x00007FF79A750000-0x00007FF79AAA4000-memory.dmp

Filesize
3.3MB

Download