cobaltstrike | c44321b716982f710d5f049717a620919ceaf21b21167ed7d27d55359bd1685d

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8492e738ca7a08889d69801a8f88c6b9
SHA1

8037efd780d63f6c68f7a23cab2cac16e2cb887b
SHA256

c44321b716982f710d5f049717a620919ceaf21b21167ed7d27d55359bd1685d
SHA512

e4cec60d26b49a1ecb58025ef73ecbd6d72fa451f65632e5291b40ebed4e678f97fa0b2208d92167cbeb354b131f17a2d422409c52f3ac43edf3cd0da2dcbbe8
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUQ:Q+u56utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\uaiRAug.exe	cobalt_reflective_dll
C:\Windows\System\kfdfhmN.exe	cobalt_reflective_dll
C:\Windows\System\dFfBEhh.exe	cobalt_reflective_dll
C:\Windows\System\BWbbGEv.exe	cobalt_reflective_dll
C:\Windows\System\xVCbXpr.exe	cobalt_reflective_dll
C:\Windows\System\vAEEYkp.exe	cobalt_reflective_dll
C:\Windows\System\IUGldUu.exe	cobalt_reflective_dll
C:\Windows\System\SMhyHUA.exe	cobalt_reflective_dll
C:\Windows\System\DEKyPon.exe	cobalt_reflective_dll
C:\Windows\System\vaSDyWi.exe	cobalt_reflective_dll
C:\Windows\System\biVUIwj.exe	cobalt_reflective_dll
C:\Windows\System\EbsIapL.exe	cobalt_reflective_dll
C:\Windows\System\iXozcwn.exe	cobalt_reflective_dll
C:\Windows\System\NyPhnei.exe	cobalt_reflective_dll
C:\Windows\System\ugbdMyE.exe	cobalt_reflective_dll
C:\Windows\System\aGcSIqj.exe	cobalt_reflective_dll
C:\Windows\System\Jvyenbo.exe	cobalt_reflective_dll
C:\Windows\System\MvEaPJk.exe	cobalt_reflective_dll
C:\Windows\System\iXvRBfs.exe	cobalt_reflective_dll
C:\Windows\System\nphwCZS.exe	cobalt_reflective_dll
C:\Windows\System\EPOMwRx.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\uaiRAug.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kfdfhmN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dFfBEhh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BWbbGEv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xVCbXpr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vAEEYkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IUGldUu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SMhyHUA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DEKyPon.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vaSDyWi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\biVUIwj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EbsIapL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iXozcwn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NyPhnei.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ugbdMyE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aGcSIqj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Jvyenbo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MvEaPJk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iXvRBfs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nphwCZS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EPOMwRx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	UPX
C:\Windows\System\uaiRAug.exe	UPX
behavioral2/memory/1968-8-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	UPX
C:\Windows\System\kfdfhmN.exe	UPX
C:\Windows\System\dFfBEhh.exe	UPX
behavioral2/memory/2940-17-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	UPX
C:\Windows\System\BWbbGEv.exe	UPX
behavioral2/memory/1964-26-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	UPX
C:\Windows\System\xVCbXpr.exe	UPX
behavioral2/memory/3124-31-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	UPX
C:\Windows\System\vAEEYkp.exe	UPX
behavioral2/memory/1348-41-0x00007FF648000000-0x00007FF648354000-memory.dmp	UPX
C:\Windows\System\IUGldUu.exe	UPX
C:\Windows\System\SMhyHUA.exe	UPX
C:\Windows\System\DEKyPon.exe	UPX
C:\Windows\System\vaSDyWi.exe	UPX
behavioral2/memory/212-59-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	UPX
C:\Windows\System\biVUIwj.exe	UPX
C:\Windows\System\EbsIapL.exe	UPX
C:\Windows\System\iXozcwn.exe	UPX
C:\Windows\System\NyPhnei.exe	UPX
C:\Windows\System\ugbdMyE.exe	UPX
C:\Windows\System\aGcSIqj.exe	UPX
C:\Windows\System\Jvyenbo.exe	UPX
C:\Windows\System\MvEaPJk.exe	UPX
C:\Windows\System\iXvRBfs.exe	UPX
C:\Windows\System\nphwCZS.exe	UPX
C:\Windows\System\EPOMwRx.exe	UPX
behavioral2/memory/2340-62-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	UPX
behavioral2/memory/4252-56-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	UPX
behavioral2/memory/1852-42-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	UPX
behavioral2/memory/1196-12-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	UPX
behavioral2/memory/3704-117-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	UPX
behavioral2/memory/2520-118-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	UPX
behavioral2/memory/4508-119-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	UPX
behavioral2/memory/4784-120-0x00007FF6FF480000-0x00007FF6FF7D4000-memory.dmp	UPX
behavioral2/memory/2800-121-0x00007FF70C650000-0x00007FF70C9A4000-memory.dmp	UPX
behavioral2/memory/4224-122-0x00007FF6E8940000-0x00007FF6E8C94000-memory.dmp	UPX
behavioral2/memory/4372-123-0x00007FF658430000-0x00007FF658784000-memory.dmp	UPX
behavioral2/memory/2720-124-0x00007FF773370000-0x00007FF7736C4000-memory.dmp	UPX
behavioral2/memory/3204-125-0x00007FF690800000-0x00007FF690B54000-memory.dmp	UPX
behavioral2/memory/1628-126-0x00007FF6E9390000-0x00007FF6E96E4000-memory.dmp	UPX
behavioral2/memory/3428-127-0x00007FF62CF50000-0x00007FF62D2A4000-memory.dmp	UPX
behavioral2/memory/4180-128-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	UPX
behavioral2/memory/1968-129-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	UPX
behavioral2/memory/1196-130-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	UPX
behavioral2/memory/2940-131-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	UPX
behavioral2/memory/3124-132-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	UPX
behavioral2/memory/1348-133-0x00007FF648000000-0x00007FF648354000-memory.dmp	UPX
behavioral2/memory/1852-134-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	UPX
behavioral2/memory/2340-135-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	UPX
behavioral2/memory/1968-136-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	UPX
behavioral2/memory/1196-137-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	UPX
behavioral2/memory/2940-138-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	UPX
behavioral2/memory/1964-139-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	UPX
behavioral2/memory/3124-140-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	UPX
behavioral2/memory/1348-141-0x00007FF648000000-0x00007FF648354000-memory.dmp	UPX
behavioral2/memory/1852-142-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	UPX
behavioral2/memory/4252-143-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	UPX
behavioral2/memory/212-144-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	UPX
behavioral2/memory/2340-145-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	UPX
behavioral2/memory/3704-146-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	UPX
behavioral2/memory/2520-147-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	UPX
behavioral2/memory/4508-148-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	xmrig
C:\Windows\System\uaiRAug.exe	xmrig
behavioral2/memory/1968-8-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	xmrig
C:\Windows\System\kfdfhmN.exe	xmrig
C:\Windows\System\dFfBEhh.exe	xmrig
behavioral2/memory/2940-17-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	xmrig
C:\Windows\System\BWbbGEv.exe	xmrig
behavioral2/memory/1964-26-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	xmrig
C:\Windows\System\xVCbXpr.exe	xmrig
behavioral2/memory/3124-31-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	xmrig
C:\Windows\System\vAEEYkp.exe	xmrig
behavioral2/memory/1348-41-0x00007FF648000000-0x00007FF648354000-memory.dmp	xmrig
C:\Windows\System\IUGldUu.exe	xmrig
C:\Windows\System\SMhyHUA.exe	xmrig
C:\Windows\System\DEKyPon.exe	xmrig
C:\Windows\System\vaSDyWi.exe	xmrig
behavioral2/memory/212-59-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	xmrig
C:\Windows\System\biVUIwj.exe	xmrig
C:\Windows\System\EbsIapL.exe	xmrig
C:\Windows\System\iXozcwn.exe	xmrig
C:\Windows\System\NyPhnei.exe	xmrig
C:\Windows\System\ugbdMyE.exe	xmrig
C:\Windows\System\aGcSIqj.exe	xmrig
C:\Windows\System\Jvyenbo.exe	xmrig
C:\Windows\System\MvEaPJk.exe	xmrig
C:\Windows\System\iXvRBfs.exe	xmrig
C:\Windows\System\nphwCZS.exe	xmrig
C:\Windows\System\EPOMwRx.exe	xmrig
behavioral2/memory/2340-62-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	xmrig
behavioral2/memory/4252-56-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	xmrig
behavioral2/memory/1852-42-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	xmrig
behavioral2/memory/1196-12-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	xmrig
behavioral2/memory/3704-117-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	xmrig
behavioral2/memory/2520-118-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	xmrig
behavioral2/memory/4508-119-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	xmrig
behavioral2/memory/4784-120-0x00007FF6FF480000-0x00007FF6FF7D4000-memory.dmp	xmrig
behavioral2/memory/2800-121-0x00007FF70C650000-0x00007FF70C9A4000-memory.dmp	xmrig
behavioral2/memory/4224-122-0x00007FF6E8940000-0x00007FF6E8C94000-memory.dmp	xmrig
behavioral2/memory/4372-123-0x00007FF658430000-0x00007FF658784000-memory.dmp	xmrig
behavioral2/memory/2720-124-0x00007FF773370000-0x00007FF7736C4000-memory.dmp	xmrig
behavioral2/memory/3204-125-0x00007FF690800000-0x00007FF690B54000-memory.dmp	xmrig
behavioral2/memory/1628-126-0x00007FF6E9390000-0x00007FF6E96E4000-memory.dmp	xmrig
behavioral2/memory/3428-127-0x00007FF62CF50000-0x00007FF62D2A4000-memory.dmp	xmrig
behavioral2/memory/4180-128-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	xmrig
behavioral2/memory/1968-129-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	xmrig
behavioral2/memory/1196-130-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	xmrig
behavioral2/memory/2940-131-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	xmrig
behavioral2/memory/3124-132-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	xmrig
behavioral2/memory/1348-133-0x00007FF648000000-0x00007FF648354000-memory.dmp	xmrig
behavioral2/memory/1852-134-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	xmrig
behavioral2/memory/2340-135-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	xmrig
behavioral2/memory/1968-136-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	xmrig
behavioral2/memory/1196-137-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	xmrig
behavioral2/memory/2940-138-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	xmrig
behavioral2/memory/1964-139-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	xmrig
behavioral2/memory/3124-140-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	xmrig
behavioral2/memory/1348-141-0x00007FF648000000-0x00007FF648354000-memory.dmp	xmrig
behavioral2/memory/1852-142-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	xmrig
behavioral2/memory/4252-143-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	xmrig
behavioral2/memory/212-144-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	xmrig
behavioral2/memory/2340-145-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	xmrig
behavioral2/memory/3704-146-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	xmrig
behavioral2/memory/2520-147-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	xmrig
behavioral2/memory/4508-148-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

uaiRAug.exedFfBEhh.exekfdfhmN.exeBWbbGEv.exexVCbXpr.exevAEEYkp.exeSMhyHUA.exeIUGldUu.exeDEKyPon.exevaSDyWi.exeEPOMwRx.exebiVUIwj.exeEbsIapL.exenphwCZS.exeiXvRBfs.exeiXozcwn.exeMvEaPJk.exeJvyenbo.exeNyPhnei.exeugbdMyE.exeaGcSIqj.exe

pid	process
1968	uaiRAug.exe
1196	dFfBEhh.exe
2940	kfdfhmN.exe
1964	BWbbGEv.exe
3124	xVCbXpr.exe
1348	vAEEYkp.exe
1852	SMhyHUA.exe
4252	IUGldUu.exe
212	DEKyPon.exe
2340	vaSDyWi.exe
3704	EPOMwRx.exe
2520	biVUIwj.exe
4508	EbsIapL.exe
4784	nphwCZS.exe
2800	iXvRBfs.exe
4224	iXozcwn.exe
4372	MvEaPJk.exe
2720	Jvyenbo.exe
3204	NyPhnei.exe
1628	ugbdMyE.exe
3428	aGcSIqj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4180-0-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	upx
C:\Windows\System\uaiRAug.exe	upx
behavioral2/memory/1968-8-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	upx
C:\Windows\System\kfdfhmN.exe	upx
C:\Windows\System\dFfBEhh.exe	upx
behavioral2/memory/2940-17-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	upx
C:\Windows\System\BWbbGEv.exe	upx
behavioral2/memory/1964-26-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	upx
C:\Windows\System\xVCbXpr.exe	upx
behavioral2/memory/3124-31-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	upx
C:\Windows\System\vAEEYkp.exe	upx
behavioral2/memory/1348-41-0x00007FF648000000-0x00007FF648354000-memory.dmp	upx
C:\Windows\System\IUGldUu.exe	upx
C:\Windows\System\SMhyHUA.exe	upx
C:\Windows\System\DEKyPon.exe	upx
C:\Windows\System\vaSDyWi.exe	upx
behavioral2/memory/212-59-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	upx
C:\Windows\System\biVUIwj.exe	upx
C:\Windows\System\EbsIapL.exe	upx
C:\Windows\System\iXozcwn.exe	upx
C:\Windows\System\NyPhnei.exe	upx
C:\Windows\System\ugbdMyE.exe	upx
C:\Windows\System\aGcSIqj.exe	upx
C:\Windows\System\Jvyenbo.exe	upx
C:\Windows\System\MvEaPJk.exe	upx
C:\Windows\System\iXvRBfs.exe	upx
C:\Windows\System\nphwCZS.exe	upx
C:\Windows\System\EPOMwRx.exe	upx
behavioral2/memory/2340-62-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	upx
behavioral2/memory/4252-56-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	upx
behavioral2/memory/1852-42-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	upx
behavioral2/memory/1196-12-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	upx
behavioral2/memory/3704-117-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	upx
behavioral2/memory/2520-118-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	upx
behavioral2/memory/4508-119-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	upx
behavioral2/memory/4784-120-0x00007FF6FF480000-0x00007FF6FF7D4000-memory.dmp	upx
behavioral2/memory/2800-121-0x00007FF70C650000-0x00007FF70C9A4000-memory.dmp	upx
behavioral2/memory/4224-122-0x00007FF6E8940000-0x00007FF6E8C94000-memory.dmp	upx
behavioral2/memory/4372-123-0x00007FF658430000-0x00007FF658784000-memory.dmp	upx
behavioral2/memory/2720-124-0x00007FF773370000-0x00007FF7736C4000-memory.dmp	upx
behavioral2/memory/3204-125-0x00007FF690800000-0x00007FF690B54000-memory.dmp	upx
behavioral2/memory/1628-126-0x00007FF6E9390000-0x00007FF6E96E4000-memory.dmp	upx
behavioral2/memory/3428-127-0x00007FF62CF50000-0x00007FF62D2A4000-memory.dmp	upx
behavioral2/memory/4180-128-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp	upx
behavioral2/memory/1968-129-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	upx
behavioral2/memory/1196-130-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	upx
behavioral2/memory/2940-131-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	upx
behavioral2/memory/3124-132-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	upx
behavioral2/memory/1348-133-0x00007FF648000000-0x00007FF648354000-memory.dmp	upx
behavioral2/memory/1852-134-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	upx
behavioral2/memory/2340-135-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	upx
behavioral2/memory/1968-136-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp	upx
behavioral2/memory/1196-137-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp	upx
behavioral2/memory/2940-138-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp	upx
behavioral2/memory/1964-139-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp	upx
behavioral2/memory/3124-140-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp	upx
behavioral2/memory/1348-141-0x00007FF648000000-0x00007FF648354000-memory.dmp	upx
behavioral2/memory/1852-142-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp	upx
behavioral2/memory/4252-143-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp	upx
behavioral2/memory/212-144-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp	upx
behavioral2/memory/2340-145-0x00007FF642780000-0x00007FF642AD4000-memory.dmp	upx
behavioral2/memory/3704-146-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp	upx
behavioral2/memory/2520-147-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp	upx
behavioral2/memory/4508-148-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\MvEaPJk.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugbdMyE.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uaiRAug.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BWbbGEv.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAEEYkp.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NyPhnei.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dFfBEhh.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SMhyHUA.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EbsIapL.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfdfhmN.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Jvyenbo.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGcSIqj.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vaSDyWi.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPOMwRx.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\biVUIwj.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nphwCZS.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXvRBfs.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xVCbXpr.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUGldUu.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DEKyPon.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXozcwn.exe	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4180 wrote to memory of 1968	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	uaiRAug.exe
PID 4180 wrote to memory of 1968	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	uaiRAug.exe
PID 4180 wrote to memory of 1196	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	dFfBEhh.exe
PID 4180 wrote to memory of 1196	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	dFfBEhh.exe
PID 4180 wrote to memory of 2940	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	kfdfhmN.exe
PID 4180 wrote to memory of 2940	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	kfdfhmN.exe
PID 4180 wrote to memory of 1964	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	BWbbGEv.exe
PID 4180 wrote to memory of 1964	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	BWbbGEv.exe
PID 4180 wrote to memory of 3124	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	xVCbXpr.exe
PID 4180 wrote to memory of 3124	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	xVCbXpr.exe
PID 4180 wrote to memory of 1348	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	vAEEYkp.exe
PID 4180 wrote to memory of 1348	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	vAEEYkp.exe
PID 4180 wrote to memory of 1852	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	SMhyHUA.exe
PID 4180 wrote to memory of 1852	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	SMhyHUA.exe
PID 4180 wrote to memory of 4252	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	IUGldUu.exe
PID 4180 wrote to memory of 4252	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	IUGldUu.exe
PID 4180 wrote to memory of 212	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	DEKyPon.exe
PID 4180 wrote to memory of 212	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	DEKyPon.exe
PID 4180 wrote to memory of 2340	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	vaSDyWi.exe
PID 4180 wrote to memory of 2340	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	vaSDyWi.exe
PID 4180 wrote to memory of 3704	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	EPOMwRx.exe
PID 4180 wrote to memory of 3704	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	EPOMwRx.exe
PID 4180 wrote to memory of 2520	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	biVUIwj.exe
PID 4180 wrote to memory of 2520	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	biVUIwj.exe
PID 4180 wrote to memory of 4508	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	EbsIapL.exe
PID 4180 wrote to memory of 4508	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	EbsIapL.exe
PID 4180 wrote to memory of 4784	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	nphwCZS.exe
PID 4180 wrote to memory of 4784	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	nphwCZS.exe
PID 4180 wrote to memory of 2800	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	iXvRBfs.exe
PID 4180 wrote to memory of 2800	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	iXvRBfs.exe
PID 4180 wrote to memory of 4224	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	iXozcwn.exe
PID 4180 wrote to memory of 4224	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	iXozcwn.exe
PID 4180 wrote to memory of 4372	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	MvEaPJk.exe
PID 4180 wrote to memory of 4372	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	MvEaPJk.exe
PID 4180 wrote to memory of 2720	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	Jvyenbo.exe
PID 4180 wrote to memory of 2720	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	Jvyenbo.exe
PID 4180 wrote to memory of 3204	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	NyPhnei.exe
PID 4180 wrote to memory of 3204	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	NyPhnei.exe
PID 4180 wrote to memory of 1628	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	ugbdMyE.exe
PID 4180 wrote to memory of 1628	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	ugbdMyE.exe
PID 4180 wrote to memory of 3428	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	aGcSIqj.exe
PID 4180 wrote to memory of 3428	4180	2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe	aGcSIqj.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_8492e738ca7a08889d69801a8f88c6b9_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\System\uaiRAug.exe
C:\Windows\System\uaiRAug.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\dFfBEhh.exe
C:\Windows\System\dFfBEhh.exe
2⤵
- Executes dropped EXE
PID:1196

C:\Windows\System\kfdfhmN.exe
C:\Windows\System\kfdfhmN.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\BWbbGEv.exe
C:\Windows\System\BWbbGEv.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\xVCbXpr.exe
C:\Windows\System\xVCbXpr.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Windows\System\vAEEYkp.exe
C:\Windows\System\vAEEYkp.exe
2⤵
- Executes dropped EXE
PID:1348

C:\Windows\System\SMhyHUA.exe
C:\Windows\System\SMhyHUA.exe
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\System\IUGldUu.exe
C:\Windows\System\IUGldUu.exe
2⤵
- Executes dropped EXE
PID:4252

C:\Windows\System\DEKyPon.exe
C:\Windows\System\DEKyPon.exe
2⤵
- Executes dropped EXE
PID:212

C:\Windows\System\vaSDyWi.exe
C:\Windows\System\vaSDyWi.exe
2⤵
- Executes dropped EXE
PID:2340

C:\Windows\System\EPOMwRx.exe
C:\Windows\System\EPOMwRx.exe
2⤵
- Executes dropped EXE
PID:3704

C:\Windows\System\biVUIwj.exe
C:\Windows\System\biVUIwj.exe
2⤵
- Executes dropped EXE
PID:2520

C:\Windows\System\EbsIapL.exe
C:\Windows\System\EbsIapL.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\nphwCZS.exe
C:\Windows\System\nphwCZS.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\iXvRBfs.exe
C:\Windows\System\iXvRBfs.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System\iXozcwn.exe
C:\Windows\System\iXozcwn.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\System\MvEaPJk.exe
C:\Windows\System\MvEaPJk.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System\Jvyenbo.exe
C:\Windows\System\Jvyenbo.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\NyPhnei.exe
C:\Windows\System\NyPhnei.exe
2⤵
- Executes dropped EXE
PID:3204

C:\Windows\System\ugbdMyE.exe
C:\Windows\System\ugbdMyE.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System\aGcSIqj.exe
C:\Windows\System\aGcSIqj.exe
2⤵
- Executes dropped EXE
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4316,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3124 /prefetch:8
1⤵
PID:876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BWbbGEv.exe
Filesize
5.9MB

MD5
e781aee55a0368f7336d591cd1792fe1

SHA1
685a8a63ff075ddb84aec7bd5c05bfc1ccdbef2d

SHA256
69c251e6e6c172a6e92684b6a67c083cc90f883d63f989cfe5e56bc857e07b9c

SHA512
0ccdd6152d26223d8e4f586f64afb58162d5626cd6f9cca58b09ddeebd21fe0731de5238a6c72ff6d191d105589658993debe773a52bb7a4bcd3d2aa95d7853a

Download Submit
C:\Windows\System\DEKyPon.exe
Filesize
5.9MB

MD5
a49d6d8585298329c60a0e652c8954e4

SHA1
04e48b6ca66c5f97e861dd09d9731b2c9ebc7a67

SHA256
f01ed16084dd26189a9d7d2ca75b1a2cc241f52c8a3cee81e4c0b1f4f59340fb

SHA512
304c31ccfc76fd3141bcd1a2ae023c976cbb3e751d688ea3646ee0dfb24c24fe3fbca30bf46b66a1d45e22f1d3d40f0debe89f395766d3af912e7bc11c92f1b8

Download Submit
C:\Windows\System\EPOMwRx.exe
Filesize
5.9MB

MD5
5013a115860c6b31cc42f3f875453ecc

SHA1
31ea7a4234fd5a712e78d71e36fb9d0ff0f5a3f6

SHA256
081f0a4c585d40d15846265e3499b917feeb58bd72514b242361925fea217a1e

SHA512
fec1ac72067ce4e2ab6cf6be6124217d8f4ed8bf2a64ac5a147b6fcc77ddc1975a839ac154dc5d26158b9ac0ec50f6bea06a3a8f2732d47d32341d780142e205

Download Submit
C:\Windows\System\EbsIapL.exe
Filesize
5.9MB

MD5
b0a6d3f9f6811d70666e59c14dd5ba14

SHA1
1dd35023481b38abb6f43a97787703b45ecad149

SHA256
7cfd394f67319b505d636a6f2ac7048c31f85bf441d7615acd47c32c5797f818

SHA512
4635cd52d850b7e705be7b3c01f7a01c45f3492987eda1cf2fa949f2761b7f34b6fe0bd2af0abb429afae769448fae3d8b306c762906b3ffbe0ebb6162ecf625

Download Submit
C:\Windows\System\IUGldUu.exe
Filesize
5.9MB

MD5
5c5a036b7eac66a184baa63b3ef8d3cc

SHA1
c1ca679593a5c537012f70f1248c64ee408393d6

SHA256
a8bfe513649cf193a94dda141425a74dabc752d449d12897c6249a4b93c07874

SHA512
2bf676cd8367c4cca99caca2e2842f80fdd2245e082dcc1e803e322c07db76e27b8211e59e8dbecfae149da27c7b37760d73628a9bf0d309e98feeeb44542456

Download Submit
C:\Windows\System\Jvyenbo.exe
Filesize
5.9MB

MD5
48520b4d7ad581e0df0d0710bc966832

SHA1
e3548a0f4527141892bd2c9e82cb5a3c7f97e37e

SHA256
0daa21efedbf23276f898cf88dc4eaaa114f4e72cad97e06a52da07f8f54b5be

SHA512
14e964ecf158a60d9e3b0028cbbf8c62bb8e3731314bc1ba0a94a8aaf33ff5d156a143dfa004e66f0e0d69be7a54545f27077797bd79c86bef84674dd6ce1851

Download Submit
C:\Windows\System\MvEaPJk.exe
Filesize
5.9MB

MD5
ca5d8a3906d8d932b2e9b3f8d421ca92

SHA1
19f0a9643007d10a3db0b9f04efa13b6ec5a12a0

SHA256
fb6bb969ae5d79c98de183de8f3801b0a79db0ae11197d33dc8de8586567ee6c

SHA512
725b2e36940de3088c88ecd2c552f53d7d53b69338b5ca62b51d2ab341b66486c53488b20ab1f27d5c7ef48f152acffd9b6c994800bf477f9dfacaf17bac9e97

Download Submit
C:\Windows\System\NyPhnei.exe
Filesize
5.9MB

MD5
73b61227b9569252ef3eb90ddf278708

SHA1
13b3abc0afa1e9978e874e7f0571235f1f889753

SHA256
2ed7942d8fe20a65ea716dfa4d8229f97521c1accc7a436025b4fd0b72578e41

SHA512
60f436f3674e240c6a58c5dbd977488ae1de63ee41ccd0e2ca33ea76a8eb8d4a2ecde261463957961aa3c2768cd4405f9e6f5abfce8b8d69132aa778744e8632

Download Submit
C:\Windows\System\SMhyHUA.exe
Filesize
5.9MB

MD5
0154b1d67909d596e8832a8d9851e8fa

SHA1
72015dc2694a7ba26f50309898007b5b69a94415

SHA256
d06b3e8bee0bf9a8c242795193d6ace9d1becb9a19e5e3e2134cbd77dc355d49

SHA512
100493a536e7485f85068ac24685eda745f95e056bcaaf17f5fe1da4c7461318a4996cd050b06f67dccd94f8d9e64879b10ef7bda2933676c60be20d815afceb

Download Submit
C:\Windows\System\aGcSIqj.exe
Filesize
5.9MB

MD5
983408e1efb3d3099364ce534dcdba28

SHA1
de018cd1de0d9d8cfe8a3e0ff0a4127d53ea0a01

SHA256
3ff392c38b84de50d3d3fae3318e939eb34d6a590578c360e65c48fdcc3ca0f6

SHA512
8d74c7f40203967bb33f227d805958709d099692cb3713741b5e55fd4100289439e29be7b69412b9c9992bbbcfbbd6622dc39834fb9f03f8a35be91b91f0ccc4

Download Submit
C:\Windows\System\biVUIwj.exe
Filesize
5.9MB

MD5
9b011ab0f87558057ad59f749ee3d726

SHA1
fd34175d48b9c5e169fed44da57ad420dd644efc

SHA256
c42c71eea80a2d4c3460c3b7a1edfebcda929e47496d6b2c30ed71c0a9f5ee32

SHA512
7357ab4804df83a9157de655c294905c781682ad5470e091b5d8838ee4be343d1ff40182e1df6e9637c8a5ae31b6fd3c3e709f3861193d14ecd072cb445729dd

Download Submit
C:\Windows\System\dFfBEhh.exe
Filesize
5.9MB

MD5
c16a93447af3acb0151fea12f3b08add

SHA1
e06d3e24844fa758715678754240b6828ef7403b

SHA256
63c4f03e166733b4a9ed94e32b59aa31e8ca54b88ca128cdcacc8946711fa0e3

SHA512
19e01a00dfd3bbeb62b8ed908a313b126da3a5ccd6a0e3a6462418b4d216a4185932fb301e0cfb6dcd7a88769b351cb283fa18333de87ce466a92f26cc0c8a5c

Download Submit
C:\Windows\System\iXozcwn.exe
Filesize
5.9MB

MD5
7c4cf8432dcbc33157a9ebb00459cdde

SHA1
84679a04464912fe6877790bb1e0778522eecd55

SHA256
04fac416558435d496ae88be1e6da6c69a10073072451ae84081b68df2e25f98

SHA512
3a17ee625e9b5b46870adf796ff5f493e0c9d81afde322fcae9a1b208e24b9ab07b502c2533ef1835e4e0be2a5f6a90c05d6b70ca036056869873e28e04cdd79

Download Submit
C:\Windows\System\iXvRBfs.exe
Filesize
5.9MB

MD5
5ab3507aa1c65619cca4af60a00d5ef7

SHA1
963a7084fedb368ed57b9c9aff221fea8dcc5ff0

SHA256
f678c85e5d7144069559231acc777a83f778a8b0524df11995c312bb0a58a63c

SHA512
9323f84de2a87e2f923ca44d3777e4750bf5e923d76f2e81d0f182dfbedd6645a45eddebdfb2b32f13a3dcea5663d3e10abc512d0468679804ef2d2deb2428b8

Download Submit
C:\Windows\System\kfdfhmN.exe
Filesize
5.9MB

MD5
8fae90ae28df6158ffe6cf3126e19eb4

SHA1
d0f466b46fd2d1bdcd6836e292c057f9dd5fbe0a

SHA256
6ca7f39d9f7c2e455ea6963f2e50d81e0e75854c256d1b105cc7f13041c5ecb1

SHA512
95ba124da32443a7af9dac1755f681e8863928c88fa65d860154969f55b76ce2d141b8c4ed332bca9500fd7812a4d14c8395e3090a3c43ac3b8ef411e9a4145a

Download Submit
C:\Windows\System\nphwCZS.exe
Filesize
5.9MB

MD5
454c063f96123c11902c1265ae764364

SHA1
849424fcfd393841fd2db44ef3cbba8a35309c6c

SHA256
c9bbf6907f9a4ce0b377a1db15577bf62748a73367335f1a71dcad97592129c8

SHA512
b71df9e5be7ef4e566b9b77c2841f91aff7cfb82770a4db91859bc93705b12b7524f2c1c8935ac29da5d935629f575e4cd3c13eb9b85717ca3ea5edd61ec82ca

Download Submit
C:\Windows\System\uaiRAug.exe
Filesize
5.9MB

MD5
80fe3617985930070250e9769b080a66

SHA1
6ce994954985e320a5b25cd4ba7f4c90ce58cd2e

SHA256
3818ab255ceeb4f76b4ac37dd96d91b83adb4f98fce83629be4a9e762b2624e0

SHA512
2df52b2f80482a54a64d60cc93155b511dbb17c0375d893b037eec534daede6ead6fdc3dd3ffdcfbe930eaacea294a60a25fe695e4957e6f4b59fcc47b1585e8

Download Submit
C:\Windows\System\ugbdMyE.exe
Filesize
5.9MB

MD5
0efa324bd608144830f82290425fdb6e

SHA1
159860c883f8726052d91667f3046671fa51958d

SHA256
67c7543719e2b20a337c3ade252469b485551b5521fcd3b4756fba26667d8df9

SHA512
24baff626ed8569dedcb9e6655ca03546706ab8ea4cc22fb726296d2a0758605c278b5a41f2f5f551e1383a0c59573a97092d19eb93a8e420908905128dfcfe7

Download Submit
C:\Windows\System\vAEEYkp.exe
Filesize
5.9MB

MD5
2a6bb0fbcd372b1e75ec8a1bc556c5ea

SHA1
93b437922b4422a51c18403fafa2dea77d3df900

SHA256
475b025294bf7846493381e15b4bc6543962bc8880adaa872a2eb8998f06037c

SHA512
bd2f8cd16d7c802a9228ed9e0671908e09241ff08548b477106206deda2b6d22edc185ec9653d6363a118082582976de6daed648dc60b7f95429fc0459c6bab3

Download Submit
C:\Windows\System\vaSDyWi.exe
Filesize
5.9MB

MD5
416483b0989fd506f38e8ebdd8f93034

SHA1
01933ab01f4f51ae338d7582b4d74d98ef6c58e8

SHA256
87c94d3d4bafb069609f4fed4cc6eb6186309a45739e9d07cef7b3a507f39a4c

SHA512
14d1413871c4c15622299165f68edc041a9a3b82d50b637dc60b7f2c923a9df63d3c337a24c4592da7bb100c17a3af9cb195ed7f0cb080280a01d965fb4c03bd

Download Submit
C:\Windows\System\xVCbXpr.exe
Filesize
5.9MB

MD5
413b69aa2af3f550236c854f585966a8

SHA1
5db0ffd2a45db30675299d1afd2f7435bf7b85d3

SHA256
a1f36aef8dd93dc66d82b10e8211699ada7885651cc34bdcd899f3dd3ecedd4a

SHA512
2ee04f324c4882fe619ed1819372e9138bdeafd6ac41966b8cf1a9caf4e07256eaac227f96315a5a6a9f289d0660ca1b9054d437074c3412f974cdf99ad24e44

Download Submit
memory/212-59-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp

Filesize
3.3MB

Download
memory/212-144-0x00007FF6178D0000-0x00007FF617C24000-memory.dmp

Filesize
3.3MB

Download
memory/1196-12-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-137-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp

Filesize
3.3MB

Download
memory/1196-130-0x00007FF6E0280000-0x00007FF6E05D4000-memory.dmp

Filesize
3.3MB

Download
memory/1348-41-0x00007FF648000000-0x00007FF648354000-memory.dmp

Filesize
3.3MB

Download
memory/1348-141-0x00007FF648000000-0x00007FF648354000-memory.dmp

Filesize
3.3MB

Download
memory/1348-133-0x00007FF648000000-0x00007FF648354000-memory.dmp

Filesize
3.3MB

Download
memory/1628-126-0x00007FF6E9390000-0x00007FF6E96E4000-memory.dmp

Filesize
3.3MB

Download
memory/1628-154-0x00007FF6E9390000-0x00007FF6E96E4000-memory.dmp

Filesize
3.3MB

Download
memory/1852-142-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1852-42-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1852-134-0x00007FF72F770000-0x00007FF72FAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-139-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-26-0x00007FF6F9F60000-0x00007FF6FA2B4000-memory.dmp

Filesize
3.3MB

Download
memory/1968-129-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp

Filesize
3.3MB

Download
memory/1968-8-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp

Filesize
3.3MB

Download
memory/1968-136-0x00007FF67CEC0000-0x00007FF67D214000-memory.dmp

Filesize
3.3MB

Download
memory/2340-62-0x00007FF642780000-0x00007FF642AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-135-0x00007FF642780000-0x00007FF642AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2340-145-0x00007FF642780000-0x00007FF642AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-118-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-147-0x00007FF6FCB90000-0x00007FF6FCEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-156-0x00007FF773370000-0x00007FF7736C4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-124-0x00007FF773370000-0x00007FF7736C4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-121-0x00007FF70C650000-0x00007FF70C9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-151-0x00007FF70C650000-0x00007FF70C9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-138-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-131-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2940-17-0x00007FF67E170000-0x00007FF67E4C4000-memory.dmp

Filesize
3.3MB

Download
memory/3124-132-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp

Filesize
3.3MB

Download
memory/3124-31-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp

Filesize
3.3MB

Download
memory/3124-140-0x00007FF6597C0000-0x00007FF659B14000-memory.dmp

Filesize
3.3MB

Download
memory/3204-155-0x00007FF690800000-0x00007FF690B54000-memory.dmp

Filesize
3.3MB

Download
memory/3204-125-0x00007FF690800000-0x00007FF690B54000-memory.dmp

Filesize
3.3MB

Download
memory/3428-153-0x00007FF62CF50000-0x00007FF62D2A4000-memory.dmp

Filesize
3.3MB

Download
memory/3428-127-0x00007FF62CF50000-0x00007FF62D2A4000-memory.dmp

Filesize
3.3MB

Download
memory/3704-146-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp

Filesize
3.3MB

Download
memory/3704-117-0x00007FF613BE0000-0x00007FF613F34000-memory.dmp

Filesize
3.3MB

Download
memory/4180-0-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp

Filesize
3.3MB

Download
memory/4180-1-0x000001E48EDB0000-0x000001E48EDC0000-memory.dmp

Filesize
64KB

Download
memory/4180-128-0x00007FF6349E0000-0x00007FF634D34000-memory.dmp

Filesize
3.3MB

Download
memory/4224-122-0x00007FF6E8940000-0x00007FF6E8C94000-memory.dmp

Filesize
3.3MB

Download
memory/4224-150-0x00007FF6E8940000-0x00007FF6E8C94000-memory.dmp

Filesize
3.3MB

Download
memory/4252-56-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4252-143-0x00007FF6C9880000-0x00007FF6C9BD4000-memory.dmp

Filesize
3.3MB

Download
memory/4372-123-0x00007FF658430000-0x00007FF658784000-memory.dmp

Filesize
3.3MB

Download
memory/4372-152-0x00007FF658430000-0x00007FF658784000-memory.dmp

Filesize
3.3MB

Download
memory/4508-119-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-148-0x00007FF6EF2A0000-0x00007FF6EF5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-149-0x00007FF6FF480000-0x00007FF6FF7D4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-120-0x00007FF6FF480000-0x00007FF6FF7D4000-memory.dmp

Filesize
3.3MB

Download