cobaltstrike | d30ce161be048f1e894a6b0b78fd821fcf65c56e50b30a55acb3f3cee81468af

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

98740ad847e1ad61e596b0b4970769a7
SHA1

2190f54c81669f62fc2e4d17b98430f1a23d2b4b
SHA256

d30ce161be048f1e894a6b0b78fd821fcf65c56e50b30a55acb3f3cee81468af
SHA512

63d5e894da7dd0e39ba6b64b9ba09a8962957dbf7348bdf4fc6ebb387b3e55d1b8891dcda1ec715995ae9ab4c0dd776a177beb8ad7d6329c4d4ef7eb833102de
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:Q+856utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\bntQAlv.exe	cobalt_reflective_dll
C:\Windows\System\rVVIAND.exe	cobalt_reflective_dll
C:\Windows\System\nQYpfIm.exe	cobalt_reflective_dll
C:\Windows\System\dJpBcLU.exe	cobalt_reflective_dll
C:\Windows\System\CAcGMxj.exe	cobalt_reflective_dll
C:\Windows\System\AsgVYEG.exe	cobalt_reflective_dll
C:\Windows\System\usfbFgP.exe	cobalt_reflective_dll
C:\Windows\System\rZXztcq.exe	cobalt_reflective_dll
C:\Windows\System\QOOnVvp.exe	cobalt_reflective_dll
C:\Windows\System\Wtnjdyr.exe	cobalt_reflective_dll
C:\Windows\System\QCYhOTl.exe	cobalt_reflective_dll
C:\Windows\System\UcpaPnX.exe	cobalt_reflective_dll
C:\Windows\System\QamOeJI.exe	cobalt_reflective_dll
C:\Windows\System\iVteddu.exe	cobalt_reflective_dll
C:\Windows\System\maXVswj.exe	cobalt_reflective_dll
C:\Windows\System\MICVqYB.exe	cobalt_reflective_dll
C:\Windows\System\PnGONuT.exe	cobalt_reflective_dll
C:\Windows\System\xRKdlfa.exe	cobalt_reflective_dll
C:\Windows\System\JPAalcp.exe	cobalt_reflective_dll
C:\Windows\System\GMEXUXP.exe	cobalt_reflective_dll
C:\Windows\System\MKNsLbn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\bntQAlv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rVVIAND.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nQYpfIm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dJpBcLU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CAcGMxj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AsgVYEG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\usfbFgP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rZXztcq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QOOnVvp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Wtnjdyr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QCYhOTl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UcpaPnX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QamOeJI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iVteddu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\maXVswj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MICVqYB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PnGONuT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xRKdlfa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JPAalcp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GMEXUXP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MKNsLbn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4836-0-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	UPX
C:\Windows\System\bntQAlv.exe	UPX
behavioral2/memory/2856-6-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	UPX
C:\Windows\System\rVVIAND.exe	UPX
C:\Windows\System\nQYpfIm.exe	UPX
behavioral2/memory/3764-12-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	UPX
behavioral2/memory/1156-20-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	UPX
C:\Windows\System\dJpBcLU.exe	UPX
behavioral2/memory/3688-26-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	UPX
C:\Windows\System\CAcGMxj.exe	UPX
C:\Windows\System\AsgVYEG.exe	UPX
behavioral2/memory/2632-39-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	UPX
C:\Windows\System\usfbFgP.exe	UPX
behavioral2/memory/1676-44-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	UPX
C:\Windows\System\rZXztcq.exe	UPX
behavioral2/memory/5052-41-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	UPX
C:\Windows\System\QOOnVvp.exe	UPX
C:\Windows\System\Wtnjdyr.exe	UPX
C:\Windows\System\QCYhOTl.exe	UPX
C:\Windows\System\UcpaPnX.exe	UPX
C:\Windows\System\QamOeJI.exe	UPX
C:\Windows\System\iVteddu.exe	UPX
C:\Windows\System\maXVswj.exe	UPX
C:\Windows\System\MICVqYB.exe	UPX
C:\Windows\System\PnGONuT.exe	UPX
C:\Windows\System\xRKdlfa.exe	UPX
C:\Windows\System\JPAalcp.exe	UPX
C:\Windows\System\GMEXUXP.exe	UPX
C:\Windows\System\MKNsLbn.exe	UPX
behavioral2/memory/2484-114-0x00007FF690940000-0x00007FF690C94000-memory.dmp	UPX
behavioral2/memory/1460-115-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	UPX
behavioral2/memory/2052-117-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	UPX
behavioral2/memory/2984-118-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	UPX
behavioral2/memory/2288-120-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	UPX
behavioral2/memory/4080-121-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	UPX
behavioral2/memory/1872-123-0x00007FF642A50000-0x00007FF642DA4000-memory.dmp	UPX
behavioral2/memory/2044-124-0x00007FF7E7F60000-0x00007FF7E82B4000-memory.dmp	UPX
behavioral2/memory/1408-126-0x00007FF7F0980000-0x00007FF7F0CD4000-memory.dmp	UPX
behavioral2/memory/2440-127-0x00007FF636080000-0x00007FF6363D4000-memory.dmp	UPX
behavioral2/memory/2276-125-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	UPX
behavioral2/memory/1928-122-0x00007FF644B70000-0x00007FF644EC4000-memory.dmp	UPX
behavioral2/memory/3852-119-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	UPX
behavioral2/memory/2100-116-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	UPX
behavioral2/memory/4836-128-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	UPX
behavioral2/memory/2856-129-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	UPX
behavioral2/memory/3764-130-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	UPX
behavioral2/memory/3688-131-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	UPX
behavioral2/memory/1676-132-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	UPX
behavioral2/memory/2856-133-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	UPX
behavioral2/memory/3764-134-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	UPX
behavioral2/memory/1156-135-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	UPX
behavioral2/memory/3688-136-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	UPX
behavioral2/memory/2632-137-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	UPX
behavioral2/memory/5052-138-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	UPX
behavioral2/memory/1676-139-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	UPX
behavioral2/memory/2484-140-0x00007FF690940000-0x00007FF690C94000-memory.dmp	UPX
behavioral2/memory/1460-141-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	UPX
behavioral2/memory/2100-142-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	UPX
behavioral2/memory/2052-143-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	UPX
behavioral2/memory/2984-144-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	UPX
behavioral2/memory/2288-145-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	UPX
behavioral2/memory/3852-146-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	UPX
behavioral2/memory/4080-150-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	UPX
behavioral2/memory/2276-152-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4836-0-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	xmrig
C:\Windows\System\bntQAlv.exe	xmrig
behavioral2/memory/2856-6-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	xmrig
C:\Windows\System\rVVIAND.exe	xmrig
C:\Windows\System\nQYpfIm.exe	xmrig
behavioral2/memory/3764-12-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	xmrig
behavioral2/memory/1156-20-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	xmrig
C:\Windows\System\dJpBcLU.exe	xmrig
behavioral2/memory/3688-26-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	xmrig
C:\Windows\System\CAcGMxj.exe	xmrig
C:\Windows\System\AsgVYEG.exe	xmrig
behavioral2/memory/2632-39-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	xmrig
C:\Windows\System\usfbFgP.exe	xmrig
behavioral2/memory/1676-44-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	xmrig
C:\Windows\System\rZXztcq.exe	xmrig
behavioral2/memory/5052-41-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	xmrig
C:\Windows\System\QOOnVvp.exe	xmrig
C:\Windows\System\Wtnjdyr.exe	xmrig
C:\Windows\System\QCYhOTl.exe	xmrig
C:\Windows\System\UcpaPnX.exe	xmrig
C:\Windows\System\QamOeJI.exe	xmrig
C:\Windows\System\iVteddu.exe	xmrig
C:\Windows\System\maXVswj.exe	xmrig
C:\Windows\System\MICVqYB.exe	xmrig
C:\Windows\System\PnGONuT.exe	xmrig
C:\Windows\System\xRKdlfa.exe	xmrig
C:\Windows\System\JPAalcp.exe	xmrig
C:\Windows\System\GMEXUXP.exe	xmrig
C:\Windows\System\MKNsLbn.exe	xmrig
behavioral2/memory/2484-114-0x00007FF690940000-0x00007FF690C94000-memory.dmp	xmrig
behavioral2/memory/1460-115-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	xmrig
behavioral2/memory/2052-117-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	xmrig
behavioral2/memory/2984-118-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	xmrig
behavioral2/memory/2288-120-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	xmrig
behavioral2/memory/4080-121-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	xmrig
behavioral2/memory/1872-123-0x00007FF642A50000-0x00007FF642DA4000-memory.dmp	xmrig
behavioral2/memory/2044-124-0x00007FF7E7F60000-0x00007FF7E82B4000-memory.dmp	xmrig
behavioral2/memory/1408-126-0x00007FF7F0980000-0x00007FF7F0CD4000-memory.dmp	xmrig
behavioral2/memory/2440-127-0x00007FF636080000-0x00007FF6363D4000-memory.dmp	xmrig
behavioral2/memory/2276-125-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	xmrig
behavioral2/memory/1928-122-0x00007FF644B70000-0x00007FF644EC4000-memory.dmp	xmrig
behavioral2/memory/3852-119-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	xmrig
behavioral2/memory/2100-116-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	xmrig
behavioral2/memory/4836-128-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	xmrig
behavioral2/memory/2856-129-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	xmrig
behavioral2/memory/3764-130-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	xmrig
behavioral2/memory/3688-131-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	xmrig
behavioral2/memory/1676-132-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	xmrig
behavioral2/memory/2856-133-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	xmrig
behavioral2/memory/3764-134-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	xmrig
behavioral2/memory/1156-135-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	xmrig
behavioral2/memory/3688-136-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	xmrig
behavioral2/memory/2632-137-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	xmrig
behavioral2/memory/5052-138-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	xmrig
behavioral2/memory/1676-139-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	xmrig
behavioral2/memory/2484-140-0x00007FF690940000-0x00007FF690C94000-memory.dmp	xmrig
behavioral2/memory/1460-141-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	xmrig
behavioral2/memory/2100-142-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	xmrig
behavioral2/memory/2052-143-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	xmrig
behavioral2/memory/2984-144-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	xmrig
behavioral2/memory/2288-145-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	xmrig
behavioral2/memory/3852-146-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	xmrig
behavioral2/memory/4080-150-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	xmrig
behavioral2/memory/2276-152-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

bntQAlv.exerVVIAND.exenQYpfIm.exedJpBcLU.exeCAcGMxj.exeAsgVYEG.exeusfbFgP.exerZXztcq.exeQOOnVvp.exeWtnjdyr.exeQCYhOTl.exeUcpaPnX.exeQamOeJI.exeiVteddu.exeMKNsLbn.exemaXVswj.exeMICVqYB.exePnGONuT.exexRKdlfa.exeJPAalcp.exeGMEXUXP.exe

pid	process
2856	bntQAlv.exe
3764	rVVIAND.exe
1156	nQYpfIm.exe
3688	dJpBcLU.exe
2632	CAcGMxj.exe
5052	AsgVYEG.exe
1676	usfbFgP.exe
2484	rZXztcq.exe
1460	QOOnVvp.exe
2100	Wtnjdyr.exe
2052	QCYhOTl.exe
2984	UcpaPnX.exe
3852	QamOeJI.exe
2288	iVteddu.exe
4080	MKNsLbn.exe
1928	maXVswj.exe
1872	MICVqYB.exe
2044	PnGONuT.exe
2276	xRKdlfa.exe
1408	JPAalcp.exe
2440	GMEXUXP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4836-0-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	upx
C:\Windows\System\bntQAlv.exe	upx
behavioral2/memory/2856-6-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	upx
C:\Windows\System\rVVIAND.exe	upx
C:\Windows\System\nQYpfIm.exe	upx
behavioral2/memory/3764-12-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	upx
behavioral2/memory/1156-20-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	upx
C:\Windows\System\dJpBcLU.exe	upx
behavioral2/memory/3688-26-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	upx
C:\Windows\System\CAcGMxj.exe	upx
C:\Windows\System\AsgVYEG.exe	upx
behavioral2/memory/2632-39-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	upx
C:\Windows\System\usfbFgP.exe	upx
behavioral2/memory/1676-44-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	upx
C:\Windows\System\rZXztcq.exe	upx
behavioral2/memory/5052-41-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	upx
C:\Windows\System\QOOnVvp.exe	upx
C:\Windows\System\Wtnjdyr.exe	upx
C:\Windows\System\QCYhOTl.exe	upx
C:\Windows\System\UcpaPnX.exe	upx
C:\Windows\System\QamOeJI.exe	upx
C:\Windows\System\iVteddu.exe	upx
C:\Windows\System\maXVswj.exe	upx
C:\Windows\System\MICVqYB.exe	upx
C:\Windows\System\PnGONuT.exe	upx
C:\Windows\System\xRKdlfa.exe	upx
C:\Windows\System\JPAalcp.exe	upx
C:\Windows\System\GMEXUXP.exe	upx
C:\Windows\System\MKNsLbn.exe	upx
behavioral2/memory/2484-114-0x00007FF690940000-0x00007FF690C94000-memory.dmp	upx
behavioral2/memory/1460-115-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	upx
behavioral2/memory/2052-117-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	upx
behavioral2/memory/2984-118-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	upx
behavioral2/memory/2288-120-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	upx
behavioral2/memory/4080-121-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	upx
behavioral2/memory/1872-123-0x00007FF642A50000-0x00007FF642DA4000-memory.dmp	upx
behavioral2/memory/2044-124-0x00007FF7E7F60000-0x00007FF7E82B4000-memory.dmp	upx
behavioral2/memory/1408-126-0x00007FF7F0980000-0x00007FF7F0CD4000-memory.dmp	upx
behavioral2/memory/2440-127-0x00007FF636080000-0x00007FF6363D4000-memory.dmp	upx
behavioral2/memory/2276-125-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	upx
behavioral2/memory/1928-122-0x00007FF644B70000-0x00007FF644EC4000-memory.dmp	upx
behavioral2/memory/3852-119-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	upx
behavioral2/memory/2100-116-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	upx
behavioral2/memory/4836-128-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp	upx
behavioral2/memory/2856-129-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	upx
behavioral2/memory/3764-130-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	upx
behavioral2/memory/3688-131-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	upx
behavioral2/memory/1676-132-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	upx
behavioral2/memory/2856-133-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp	upx
behavioral2/memory/3764-134-0x00007FF6111D0000-0x00007FF611524000-memory.dmp	upx
behavioral2/memory/1156-135-0x00007FF659770000-0x00007FF659AC4000-memory.dmp	upx
behavioral2/memory/3688-136-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp	upx
behavioral2/memory/2632-137-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp	upx
behavioral2/memory/5052-138-0x00007FF78B600000-0x00007FF78B954000-memory.dmp	upx
behavioral2/memory/1676-139-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp	upx
behavioral2/memory/2484-140-0x00007FF690940000-0x00007FF690C94000-memory.dmp	upx
behavioral2/memory/1460-141-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp	upx
behavioral2/memory/2100-142-0x00007FF698650000-0x00007FF6989A4000-memory.dmp	upx
behavioral2/memory/2052-143-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp	upx
behavioral2/memory/2984-144-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp	upx
behavioral2/memory/2288-145-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp	upx
behavioral2/memory/3852-146-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp	upx
behavioral2/memory/4080-150-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp	upx
behavioral2/memory/2276-152-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\usfbFgP.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZXztcq.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QOOnVvp.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QCYhOTl.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UcpaPnX.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QamOeJI.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVteddu.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bntQAlv.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\maXVswj.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MICVqYB.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xRKdlfa.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMEXUXP.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAcGMxj.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKNsLbn.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PnGONuT.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JPAalcp.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQYpfIm.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dJpBcLU.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AsgVYEG.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Wtnjdyr.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVVIAND.exe	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4836 wrote to memory of 2856	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	bntQAlv.exe
PID 4836 wrote to memory of 2856	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	bntQAlv.exe
PID 4836 wrote to memory of 3764	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	rVVIAND.exe
PID 4836 wrote to memory of 3764	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	rVVIAND.exe
PID 4836 wrote to memory of 1156	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	nQYpfIm.exe
PID 4836 wrote to memory of 1156	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	nQYpfIm.exe
PID 4836 wrote to memory of 3688	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	dJpBcLU.exe
PID 4836 wrote to memory of 3688	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	dJpBcLU.exe
PID 4836 wrote to memory of 2632	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	CAcGMxj.exe
PID 4836 wrote to memory of 2632	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	CAcGMxj.exe
PID 4836 wrote to memory of 5052	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	AsgVYEG.exe
PID 4836 wrote to memory of 5052	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	AsgVYEG.exe
PID 4836 wrote to memory of 1676	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	usfbFgP.exe
PID 4836 wrote to memory of 1676	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	usfbFgP.exe
PID 4836 wrote to memory of 2484	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	rZXztcq.exe
PID 4836 wrote to memory of 2484	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	rZXztcq.exe
PID 4836 wrote to memory of 1460	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QOOnVvp.exe
PID 4836 wrote to memory of 1460	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QOOnVvp.exe
PID 4836 wrote to memory of 2100	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	Wtnjdyr.exe
PID 4836 wrote to memory of 2100	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	Wtnjdyr.exe
PID 4836 wrote to memory of 2052	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QCYhOTl.exe
PID 4836 wrote to memory of 2052	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QCYhOTl.exe
PID 4836 wrote to memory of 2984	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	UcpaPnX.exe
PID 4836 wrote to memory of 2984	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	UcpaPnX.exe
PID 4836 wrote to memory of 3852	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QamOeJI.exe
PID 4836 wrote to memory of 3852	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	QamOeJI.exe
PID 4836 wrote to memory of 2288	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	iVteddu.exe
PID 4836 wrote to memory of 2288	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	iVteddu.exe
PID 4836 wrote to memory of 4080	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	MKNsLbn.exe
PID 4836 wrote to memory of 4080	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	MKNsLbn.exe
PID 4836 wrote to memory of 1928	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	maXVswj.exe
PID 4836 wrote to memory of 1928	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	maXVswj.exe
PID 4836 wrote to memory of 1872	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	MICVqYB.exe
PID 4836 wrote to memory of 1872	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	MICVqYB.exe
PID 4836 wrote to memory of 2044	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	PnGONuT.exe
PID 4836 wrote to memory of 2044	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	PnGONuT.exe
PID 4836 wrote to memory of 2276	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	xRKdlfa.exe
PID 4836 wrote to memory of 2276	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	xRKdlfa.exe
PID 4836 wrote to memory of 1408	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	JPAalcp.exe
PID 4836 wrote to memory of 1408	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	JPAalcp.exe
PID 4836 wrote to memory of 2440	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	GMEXUXP.exe
PID 4836 wrote to memory of 2440	4836	2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe	GMEXUXP.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_98740ad847e1ad61e596b0b4970769a7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4836

C:\Windows\System\bntQAlv.exe
C:\Windows\System\bntQAlv.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\rVVIAND.exe
C:\Windows\System\rVVIAND.exe
2⤵
- Executes dropped EXE
PID:3764

C:\Windows\System\nQYpfIm.exe
C:\Windows\System\nQYpfIm.exe
2⤵
- Executes dropped EXE
PID:1156

C:\Windows\System\dJpBcLU.exe
C:\Windows\System\dJpBcLU.exe
2⤵
- Executes dropped EXE
PID:3688

C:\Windows\System\CAcGMxj.exe
C:\Windows\System\CAcGMxj.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System\AsgVYEG.exe
C:\Windows\System\AsgVYEG.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System\usfbFgP.exe
C:\Windows\System\usfbFgP.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\System\rZXztcq.exe
C:\Windows\System\rZXztcq.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\QOOnVvp.exe
C:\Windows\System\QOOnVvp.exe
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\System\Wtnjdyr.exe
C:\Windows\System\Wtnjdyr.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\QCYhOTl.exe
C:\Windows\System\QCYhOTl.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System\UcpaPnX.exe
C:\Windows\System\UcpaPnX.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Windows\System\QamOeJI.exe
C:\Windows\System\QamOeJI.exe
2⤵
- Executes dropped EXE
PID:3852

C:\Windows\System\iVteddu.exe
C:\Windows\System\iVteddu.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System\MKNsLbn.exe
C:\Windows\System\MKNsLbn.exe
2⤵
- Executes dropped EXE
PID:4080

C:\Windows\System\maXVswj.exe
C:\Windows\System\maXVswj.exe
2⤵
- Executes dropped EXE
PID:1928

C:\Windows\System\MICVqYB.exe
C:\Windows\System\MICVqYB.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\PnGONuT.exe
C:\Windows\System\PnGONuT.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\xRKdlfa.exe
C:\Windows\System\xRKdlfa.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\JPAalcp.exe
C:\Windows\System\JPAalcp.exe
2⤵
- Executes dropped EXE
PID:1408

C:\Windows\System\GMEXUXP.exe
C:\Windows\System\GMEXUXP.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AsgVYEG.exe
Filesize
5.9MB

MD5
8f9d49340e8ab605fd8cd886c9ac5feb

SHA1
412d10f72d577a2457e1a9d63db87af5155fc315

SHA256
e03acd223fda9ced6ee58ccce90c66015ffaf2d1a100f04e55a43f676398f057

SHA512
380088cdd55acc95978bb0b456d5ad14a7dda29f2491862975d3fee4ebe4033452d6fe8c7257025a30de9900c757a23a4b8cca5030f1607f6f2738fcdbceda58

Download Submit
C:\Windows\System\CAcGMxj.exe
Filesize
5.9MB

MD5
3e76a2d4409a20fca3eaa781f327734f

SHA1
c731535d02998216f4e260b72d998a7c48e874be

SHA256
974dfc565e44be0583f59e5f135e45040b459897c622873bbb5070593dbfe1d8

SHA512
002158fe69b52805e28be8e31aa3908d4ea5c65257cb771ded009d586758f89e92c79e1574cb784b9d5b842d9232d002ab86009c0c35fddc78cf70707d454e1f

Download Submit
C:\Windows\System\GMEXUXP.exe
Filesize
5.9MB

MD5
f42a5c596eb5581d3b765e8490b42218

SHA1
8c425d8e01fd00296aef7e2e7465febe084dcb1c

SHA256
647435660929430695be7a4f63f4225f7e3774c438d2dccab3a8ffdfd768d73e

SHA512
9eaf8d461010560164439ee564fea44d92a6fc26a3dd92d44da75b51683365ebcb2a8dfe730dda43debe12a257a7f17683a30510a7c0b8dabfc1bf7bdf61e197

Download Submit
C:\Windows\System\JPAalcp.exe
Filesize
5.9MB

MD5
8fdb44063150eb83781642d08864b798

SHA1
f7a78a67d03befc3ad4266648d321e11c08a8d96

SHA256
998ebd0d686969a4c48416744f6b4334127cb73219588c568bf8a0f2ea48ca0e

SHA512
802d8238714ef67d9120ba3d8dc87b9ba4a3b7611b52e32df822a80d3aea38aedab9a888b2d640d69ff1842f6a55dd78e67628609013e99f5d54ddbec88518d3

Download Submit
C:\Windows\System\MICVqYB.exe
Filesize
5.9MB

MD5
b4f8e6cadeea24f582f84a78fd16afc6

SHA1
6567f9d4626338a3809ee92bb45b0964323c451d

SHA256
a961b527de4914e711fb305664eec969de7975665a312cf11c4b1f066854b4c3

SHA512
a97d546ec59ad001bb4df63864942f54ccb6be6852c4e7a7cbb162356e9ee01e58e18fa5e172cb500dcdf451fe4362ad016b37a04f51ba42ee15347b9d15772a

Download Submit
C:\Windows\System\MKNsLbn.exe
Filesize
5.9MB

MD5
6cdb76dc0ab42f8758771b8805c71f57

SHA1
41285df03d61b66f01bd77aa6d079af8cc480c7b

SHA256
4a94e2cdd50a4777cac2ca2b673984f7ef6de3a8556ca6b152723c5d2565cb45

SHA512
8eb11056f15259537678b1032a7b3603e4c205d2420978e9e77eb822636e7e7c564a27a59f8c394ad4030d91edd9510b45417af9c24bd4e42a76d261347d522c

Download Submit
C:\Windows\System\PnGONuT.exe
Filesize
5.9MB

MD5
c7bd57326375c5d3aeb45a2fa3255c62

SHA1
bd32f0f8071e0adf86ed0fdbaf316b713b4a2eb6

SHA256
66cc72c7a842cfd9a599c8d9c5a0b5c7cc9a014d1b8867ce6017eb3b8fbdb83f

SHA512
c7635031d37cb54bffd61418560d55ed0d57458e300607faacfd5d9eff16fe9a39e6719db8941de31b4d0acffb2a6cf8dde625458d07634ad74fcd950707ffd2

Download Submit
C:\Windows\System\QCYhOTl.exe
Filesize
5.9MB

MD5
a11847cfb5c1fb6d0b79c82ba30fe923

SHA1
18d7cadd9e50c9b107c960de2a217f92dea13dd6

SHA256
a9b1ad6f9cabd2b82532ecbac5412a23d8ac4f9d71722b6f0b4d0defb0e2d837

SHA512
5ce49d9b16c87a2382967c7ca194b44ae3a8db06de430057349bc44b0144304faa02793b4be06efec446503b78b431973c51aac68edb4424926d48dcc777b59c

Download Submit
C:\Windows\System\QOOnVvp.exe
Filesize
5.9MB

MD5
55455b102041ae478cf2da54759f0e04

SHA1
934e9dc32108d17de0017903b52e2db0f2199083

SHA256
ddda684fb2d3bdb6ca2954c5db0ba8fbc75e9656560c396218e1be443b509cee

SHA512
b010a83f7adc16a8332e76f3e807fa69b9c0163488653a52a4cf984ac9d514ffc40dfbe24dbeadd75027fc6c2d34745a27d4df6eeb5aaf29b40491ddab64dc66

Download Submit
C:\Windows\System\QamOeJI.exe
Filesize
5.9MB

MD5
cf8d008ea1a47d8d5afbdd9ed5e5ff88

SHA1
d15f69dafdc8b09a9b99699eb3454e80a30d9463

SHA256
efb75c6f2698090562ee9b819fff8a0dae1eca17f1874006ac76b0e7414143d4

SHA512
d4c66fa43895de4da8acceb3e8a5df99e9240d112c113f24c63355c2f0f1f5c1680fb96eba83e5c3ef914016a08a521cc6c5af9de14f58af656d55edc4573cd0

Download Submit
C:\Windows\System\UcpaPnX.exe
Filesize
5.9MB

MD5
845c8590707b3670149534a2df744263

SHA1
9951f955cdaea910a66d00bd8ffb1515a0294d10

SHA256
fed06fabda6f86da333ac075562f1e1137c3ef4e7629284699968441d0ded12d

SHA512
8bcbb89a306c9037fa2161817391537153356825a9bedc7ab9548e4bf2213ded8a95c92d39eb6fd3373d5eb519a775a42b0c3f2d3b2ea15edead4e2bd45eaa78

Download Submit
C:\Windows\System\Wtnjdyr.exe
Filesize
5.9MB

MD5
fc013eaf79c8a90d643f1f7c1644320a

SHA1
49d60b5d2984c2578e2ac6d86fd5c6c5ddb3a15b

SHA256
65a429126105ca7d65001567f327f5d998704d64fbab278727dbb635343b565e

SHA512
3e77ebc613c7e2d9e2bea3180d7c2dd304c1cd4bf9e57578b6e9f4b8b0322ab48a990c8e74c69b80539dee179c62f6ed3f4a27a2be6b86c7a3d69db9bac31b4b

Download Submit
C:\Windows\System\bntQAlv.exe
Filesize
5.9MB

MD5
1fe4eb93db88773592c272611caebbe9

SHA1
0c2ce4bcf95f8498fb5549274d3b32f24a78c8e7

SHA256
ff4ad5124f87e6e93c28bf6eafaac3aed6a7e9a2f8804b9bab42593a6d2a48a5

SHA512
aad9887df6f6e25cff3c66698fe95cf091d624ae80465922d73f4e28e8456fcdaec309d7144074347bb0d59a3afbb187cf7e04773bc6c36c1c45ee46cf44d354

Download Submit
C:\Windows\System\dJpBcLU.exe
Filesize
5.9MB

MD5
8cef46264797f86dbd56069a8dea850a

SHA1
126f3f625b594c414bff9a6079fd2c7680d72f3d

SHA256
9c14f207189fe4c242aa782feea2403b200d9683459a95f54e8ba730b6369221

SHA512
68fefdfa02f33a72d59f270bd6835acf59611c38a2f1d9e0d7adaab84117ab61eed76cb4c0fd452b8e329c4e5b32548832fdd01b7c792f1b62f6b3d79191a4b4

Download Submit
C:\Windows\System\iVteddu.exe
Filesize
5.9MB

MD5
73e79ba7e479b28d5feff82a528ecdad

SHA1
b54c1c2275316d17af997a9eb1baf13e74bf5c53

SHA256
a7b835b2a5576b7059bfdfe5e0a1e20fd5d2398a200940820a71250d9d9d77ee

SHA512
a1776360c4bf33b5b1647e9545d205e9662042a40aebe6be4bf67f559527e4ae15248e79afc4982dd8c1e255dad175a2e70e7e0375d034ae8751f915d418f86f

Download Submit
C:\Windows\System\maXVswj.exe
Filesize
5.9MB

MD5
1e9830776651f74577ed431dcc7949b1

SHA1
362fe8b72eb708ef66216777b2141bd8b1404a89

SHA256
bcf695b9029d4861533cf108a4401e647c0f8dcd93a7106e0564278a5b62977d

SHA512
09aa3448e3a52abbbb907eb082a4cafbc0d683c2cc1b453a8f6f1f65e25fc6a4cd7ab463967a8f5de8c6095cef55b1f9ac01a9786f19624e6697310befee1c63

Download Submit
C:\Windows\System\nQYpfIm.exe
Filesize
5.9MB

MD5
04aaabf7cdb1d9a6714ab8a09a0fba48

SHA1
8fd5f4797f8a372f68768fab0e91f9e3078cef67

SHA256
78a73bf6b5de629e68699a758897bb2db8c401d9735a6cc720f49ebb1e0d1c8f

SHA512
f17ca11bb2cd003cdc990c9733de6bd8b8beaaaeaa85dbfb3b98804b574626618f22fdef5331d55a32b5ecee87f8d7f8b2a5ab30bc890550a0e5afe687a73618

Download Submit
C:\Windows\System\rVVIAND.exe
Filesize
5.9MB

MD5
18d1650828a7e31876dbb5dd509ff2d9

SHA1
3ad3e2327f7b7a4e353959c587a802accc11167a

SHA256
4a5a8ef1e5d15ec1e437ddf313c56b5bafb805ba7949b00d90866698171b17e2

SHA512
23fa8538726c47dad1cd01a9b10a486f9fe239c2409eb1a00eb9622bbfd8d520fd3862bf554defb98f24d6f64b591c63825eb0f665e33b10a440363a3c7eebcc

Download Submit
C:\Windows\System\rZXztcq.exe
Filesize
5.9MB

MD5
892a69f865fce132f33567ea3bfab189

SHA1
f370859f4c3e18567d5577c5e26d8dd41861025b

SHA256
e03f4ceed7e1db065781bd26d9f177012ccdea039171e6fc8a6e0875ba1972db

SHA512
082a4d88bafd51d0944ba6a085c7b887793477b87fa702bda0b1cff084ba17d1800d5647a2d74bc517293ed19f8d4efbf7566d1bf16b227ede4200aa3433a5a5

Download Submit
C:\Windows\System\usfbFgP.exe
Filesize
5.9MB

MD5
e15f34533ea8436320f9b6d9f1e919c4

SHA1
25a06c1f278e7d9a2dbc851194cd469d67e7b06d

SHA256
30ef0bf9890f12a7e930c65ba0ac2f92d92f37f3d9a3afcac1e2b3d675deb28c

SHA512
04b4c095564655b146ceaa63c241747bbda5bcd40a04dff1d36e434eb6d2793f5623bbfc881863f53fdbed32e7297ce4d71c19a7378b51716e383db5d0fe847b

Download Submit
C:\Windows\System\xRKdlfa.exe
Filesize
5.9MB

MD5
184646eed8bae5ebb7a117894d65b5be

SHA1
9d3bfccbb295443470a0bc9445eee77df9701ca8

SHA256
75167285f1b690e60f69e20fc5439a2c3b97a766b272451f5edd22f24911f39e

SHA512
f84f9a3ba88fa4b135f30de9261fdecf1a9e59df7a1980b1eca6078dea71e6526e94c9fafb420db0ba653057292a2a063a56380d9c1f673046ab78627b5700cf

Download Submit
memory/1156-20-0x00007FF659770000-0x00007FF659AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-135-0x00007FF659770000-0x00007FF659AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1408-126-0x00007FF7F0980000-0x00007FF7F0CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1408-151-0x00007FF7F0980000-0x00007FF7F0CD4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-141-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp

Filesize
3.3MB

Download
memory/1460-115-0x00007FF604AE0000-0x00007FF604E34000-memory.dmp

Filesize
3.3MB

Download
memory/1676-44-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-139-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-132-0x00007FF721B90000-0x00007FF721EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-123-0x00007FF642A50000-0x00007FF642DA4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-147-0x00007FF642A50000-0x00007FF642DA4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-122-0x00007FF644B70000-0x00007FF644EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1928-148-0x00007FF644B70000-0x00007FF644EC4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-153-0x00007FF7E7F60000-0x00007FF7E82B4000-memory.dmp

Filesize
3.3MB

Download
memory/2044-124-0x00007FF7E7F60000-0x00007FF7E82B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-117-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp

Filesize
3.3MB

Download
memory/2052-143-0x00007FF6DAF40000-0x00007FF6DB294000-memory.dmp

Filesize
3.3MB

Download
memory/2100-142-0x00007FF698650000-0x00007FF6989A4000-memory.dmp

Filesize
3.3MB

Download
memory/2100-116-0x00007FF698650000-0x00007FF6989A4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-125-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp

Filesize
3.3MB

Download
memory/2276-152-0x00007FF6CF700000-0x00007FF6CFA54000-memory.dmp

Filesize
3.3MB

Download
memory/2288-145-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp

Filesize
3.3MB

Download
memory/2288-120-0x00007FF6A96C0000-0x00007FF6A9A14000-memory.dmp

Filesize
3.3MB

Download
memory/2440-127-0x00007FF636080000-0x00007FF6363D4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-149-0x00007FF636080000-0x00007FF6363D4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-140-0x00007FF690940000-0x00007FF690C94000-memory.dmp

Filesize
3.3MB

Download
memory/2484-114-0x00007FF690940000-0x00007FF690C94000-memory.dmp

Filesize
3.3MB

Download
memory/2632-137-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-39-0x00007FF6537A0000-0x00007FF653AF4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-129-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp

Filesize
3.3MB

Download
memory/2856-6-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp

Filesize
3.3MB

Download
memory/2856-133-0x00007FF7A4710000-0x00007FF7A4A64000-memory.dmp

Filesize
3.3MB

Download
memory/2984-118-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp

Filesize
3.3MB

Download
memory/2984-144-0x00007FF6698F0000-0x00007FF669C44000-memory.dmp

Filesize
3.3MB

Download
memory/3688-26-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-136-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp

Filesize
3.3MB

Download
memory/3688-131-0x00007FF6AD1A0000-0x00007FF6AD4F4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-134-0x00007FF6111D0000-0x00007FF611524000-memory.dmp

Filesize
3.3MB

Download
memory/3764-130-0x00007FF6111D0000-0x00007FF611524000-memory.dmp

Filesize
3.3MB

Download
memory/3764-12-0x00007FF6111D0000-0x00007FF611524000-memory.dmp

Filesize
3.3MB

Download
memory/3852-146-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp

Filesize
3.3MB

Download
memory/3852-119-0x00007FF6E9C40000-0x00007FF6E9F94000-memory.dmp

Filesize
3.3MB

Download
memory/4080-150-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp

Filesize
3.3MB

Download
memory/4080-121-0x00007FF6BD270000-0x00007FF6BD5C4000-memory.dmp

Filesize
3.3MB

Download
memory/4836-0-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp

Filesize
3.3MB

Download
memory/4836-128-0x00007FF7AB3C0000-0x00007FF7AB714000-memory.dmp

Filesize
3.3MB

Download
memory/4836-1-0x00000251D39F0000-0x00000251D3A00000-memory.dmp

Filesize
64KB

Download
memory/5052-138-0x00007FF78B600000-0x00007FF78B954000-memory.dmp

Filesize
3.3MB

Download
memory/5052-41-0x00007FF78B600000-0x00007FF78B954000-memory.dmp

Filesize
3.3MB

Download