cobaltstrike | 4f0a05b9d9f8d68bb125eb81fc755342896b6fdd13c9beed6d56ef76a225fc63

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

ca49fb20fa49816e96584d7adddb3817
SHA1

951d987784b1a910876565a2686eb5b14620cb3e
SHA256

4f0a05b9d9f8d68bb125eb81fc755342896b6fdd13c9beed6d56ef76a225fc63
SHA512

62125fc1871085368fd1a0d2da41b7fdce157f1f71e3068a8b72f0a063890cc894a0f914eb858d0cb77d42145f3cd8c77a5ff11a137daeb649e4092ce44af032
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:Q+856utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CtICIOu.exe	cobalt_reflective_dll
C:\Windows\System\suqqZNP.exe	cobalt_reflective_dll
C:\Windows\System\INpDuEZ.exe	cobalt_reflective_dll
C:\Windows\System\kQKFClq.exe	cobalt_reflective_dll
C:\Windows\System\aAszldQ.exe	cobalt_reflective_dll
C:\Windows\System\DoceKWb.exe	cobalt_reflective_dll
C:\Windows\System\GzWNGRZ.exe	cobalt_reflective_dll
C:\Windows\System\rXCyWpH.exe	cobalt_reflective_dll
C:\Windows\System\QKLyOtZ.exe	cobalt_reflective_dll
C:\Windows\System\hKEVYKD.exe	cobalt_reflective_dll
C:\Windows\System\zWxEITv.exe	cobalt_reflective_dll
C:\Windows\System\UNKZHGB.exe	cobalt_reflective_dll
C:\Windows\System\fedMgNw.exe	cobalt_reflective_dll
C:\Windows\System\rhjwFAO.exe	cobalt_reflective_dll
C:\Windows\System\qHdqusF.exe	cobalt_reflective_dll
C:\Windows\System\vWAeGwc.exe	cobalt_reflective_dll
C:\Windows\System\gqxKfeT.exe	cobalt_reflective_dll
C:\Windows\System\kZfpvGp.exe	cobalt_reflective_dll
C:\Windows\System\WotRJXp.exe	cobalt_reflective_dll
C:\Windows\System\kmjMLox.exe	cobalt_reflective_dll
C:\Windows\System\gDfenJL.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\CtICIOu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\suqqZNP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\INpDuEZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kQKFClq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aAszldQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DoceKWb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GzWNGRZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rXCyWpH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QKLyOtZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hKEVYKD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zWxEITv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UNKZHGB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fedMgNw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rhjwFAO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qHdqusF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vWAeGwc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gqxKfeT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kZfpvGp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WotRJXp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kmjMLox.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gDfenJL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	UPX
C:\Windows\System\CtICIOu.exe	UPX
behavioral2/memory/1340-8-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	UPX
C:\Windows\System\suqqZNP.exe	UPX
C:\Windows\System\INpDuEZ.exe	UPX
behavioral2/memory/1420-14-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	UPX
behavioral2/memory/3684-20-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	UPX
behavioral2/memory/4776-24-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	UPX
C:\Windows\System\kQKFClq.exe	UPX
C:\Windows\System\aAszldQ.exe	UPX
behavioral2/memory/2820-31-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	UPX
C:\Windows\System\DoceKWb.exe	UPX
behavioral2/memory/5032-38-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	UPX
C:\Windows\System\GzWNGRZ.exe	UPX
C:\Windows\System\rXCyWpH.exe	UPX
C:\Windows\System\QKLyOtZ.exe	UPX
behavioral2/memory/4452-54-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	UPX
behavioral2/memory/4744-53-0x00007FF670600000-0x00007FF670954000-memory.dmp	UPX
behavioral2/memory/4004-46-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	UPX
C:\Windows\System\hKEVYKD.exe	UPX
behavioral2/memory/1212-60-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	UPX
C:\Windows\System\zWxEITv.exe	UPX
C:\Windows\System\UNKZHGB.exe	UPX
behavioral2/memory/1340-76-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	UPX
C:\Windows\System\fedMgNw.exe	UPX
C:\Windows\System\rhjwFAO.exe	UPX
C:\Windows\System\qHdqusF.exe	UPX
behavioral2/memory/4324-83-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	UPX
behavioral2/memory/4268-78-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	UPX
behavioral2/memory/3756-70-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	UPX
behavioral2/memory/3172-67-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	UPX
behavioral2/memory/4188-93-0x00007FF617EF0000-0x00007FF618244000-memory.dmp	UPX
behavioral2/memory/4028-94-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	UPX
behavioral2/memory/2820-109-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	UPX
C:\Windows\System\vWAeGwc.exe	UPX
C:\Windows\System\gqxKfeT.exe	UPX
C:\Windows\System\kZfpvGp.exe	UPX
behavioral2/memory/1688-119-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	UPX
C:\Windows\System\WotRJXp.exe	UPX
behavioral2/memory/4932-112-0x00007FF7F2560000-0x00007FF7F28B4000-memory.dmp	UPX
C:\Windows\System\kmjMLox.exe	UPX
behavioral2/memory/4948-103-0x00007FF72D660000-0x00007FF72D9B4000-memory.dmp	UPX
behavioral2/memory/4776-100-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	UPX
C:\Windows\System\gDfenJL.exe	UPX
behavioral2/memory/4612-131-0x00007FF796640000-0x00007FF796994000-memory.dmp	UPX
behavioral2/memory/4076-130-0x00007FF7B6460000-0x00007FF7B67B4000-memory.dmp	UPX
behavioral2/memory/4452-132-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	UPX
behavioral2/memory/2192-129-0x00007FF7440E0000-0x00007FF744434000-memory.dmp	UPX
behavioral2/memory/1212-133-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	UPX
behavioral2/memory/3756-134-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	UPX
behavioral2/memory/4324-135-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	UPX
behavioral2/memory/1688-136-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	UPX
behavioral2/memory/1340-137-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	UPX
behavioral2/memory/1420-138-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	UPX
behavioral2/memory/3684-139-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	UPX
behavioral2/memory/4776-140-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	UPX
behavioral2/memory/5032-142-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	UPX
behavioral2/memory/2820-141-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	UPX
behavioral2/memory/4004-143-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	UPX
behavioral2/memory/4744-144-0x00007FF670600000-0x00007FF670954000-memory.dmp	UPX
behavioral2/memory/4452-145-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	UPX
behavioral2/memory/1212-146-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	UPX
behavioral2/memory/3756-147-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	UPX
behavioral2/memory/4268-148-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	xmrig
C:\Windows\System\CtICIOu.exe	xmrig
behavioral2/memory/1340-8-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	xmrig
C:\Windows\System\suqqZNP.exe	xmrig
C:\Windows\System\INpDuEZ.exe	xmrig
behavioral2/memory/1420-14-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	xmrig
behavioral2/memory/3684-20-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	xmrig
behavioral2/memory/4776-24-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	xmrig
C:\Windows\System\kQKFClq.exe	xmrig
C:\Windows\System\aAszldQ.exe	xmrig
behavioral2/memory/2820-31-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
C:\Windows\System\DoceKWb.exe	xmrig
behavioral2/memory/5032-38-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	xmrig
C:\Windows\System\GzWNGRZ.exe	xmrig
C:\Windows\System\rXCyWpH.exe	xmrig
C:\Windows\System\QKLyOtZ.exe	xmrig
behavioral2/memory/4452-54-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	xmrig
behavioral2/memory/4744-53-0x00007FF670600000-0x00007FF670954000-memory.dmp	xmrig
behavioral2/memory/4004-46-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	xmrig
C:\Windows\System\hKEVYKD.exe	xmrig
behavioral2/memory/1212-60-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	xmrig
C:\Windows\System\zWxEITv.exe	xmrig
C:\Windows\System\UNKZHGB.exe	xmrig
behavioral2/memory/1340-76-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	xmrig
C:\Windows\System\fedMgNw.exe	xmrig
C:\Windows\System\rhjwFAO.exe	xmrig
C:\Windows\System\qHdqusF.exe	xmrig
behavioral2/memory/4324-83-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	xmrig
behavioral2/memory/4268-78-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	xmrig
behavioral2/memory/3756-70-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	xmrig
behavioral2/memory/3172-67-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	xmrig
behavioral2/memory/4188-93-0x00007FF617EF0000-0x00007FF618244000-memory.dmp	xmrig
behavioral2/memory/4028-94-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	xmrig
behavioral2/memory/2820-109-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
C:\Windows\System\vWAeGwc.exe	xmrig
C:\Windows\System\gqxKfeT.exe	xmrig
C:\Windows\System\kZfpvGp.exe	xmrig
behavioral2/memory/1688-119-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	xmrig
C:\Windows\System\WotRJXp.exe	xmrig
behavioral2/memory/4932-112-0x00007FF7F2560000-0x00007FF7F28B4000-memory.dmp	xmrig
C:\Windows\System\kmjMLox.exe	xmrig
behavioral2/memory/4948-103-0x00007FF72D660000-0x00007FF72D9B4000-memory.dmp	xmrig
behavioral2/memory/4776-100-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	xmrig
C:\Windows\System\gDfenJL.exe	xmrig
behavioral2/memory/4612-131-0x00007FF796640000-0x00007FF796994000-memory.dmp	xmrig
behavioral2/memory/4076-130-0x00007FF7B6460000-0x00007FF7B67B4000-memory.dmp	xmrig
behavioral2/memory/4452-132-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	xmrig
behavioral2/memory/2192-129-0x00007FF7440E0000-0x00007FF744434000-memory.dmp	xmrig
behavioral2/memory/1212-133-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	xmrig
behavioral2/memory/3756-134-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	xmrig
behavioral2/memory/4324-135-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	xmrig
behavioral2/memory/1688-136-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	xmrig
behavioral2/memory/1340-137-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	xmrig
behavioral2/memory/1420-138-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	xmrig
behavioral2/memory/3684-139-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	xmrig
behavioral2/memory/4776-140-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	xmrig
behavioral2/memory/5032-142-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	xmrig
behavioral2/memory/2820-141-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
behavioral2/memory/4004-143-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	xmrig
behavioral2/memory/4744-144-0x00007FF670600000-0x00007FF670954000-memory.dmp	xmrig
behavioral2/memory/4452-145-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	xmrig
behavioral2/memory/1212-146-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	xmrig
behavioral2/memory/3756-147-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	xmrig
behavioral2/memory/4268-148-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CtICIOu.exesuqqZNP.exeINpDuEZ.exeaAszldQ.exekQKFClq.exeDoceKWb.exeGzWNGRZ.exerXCyWpH.exeQKLyOtZ.exehKEVYKD.exezWxEITv.exeUNKZHGB.exeqHdqusF.exefedMgNw.exerhjwFAO.exegDfenJL.exekmjMLox.exeWotRJXp.exevWAeGwc.exegqxKfeT.exekZfpvGp.exe

pid	process
1340	CtICIOu.exe
1420	suqqZNP.exe
3684	INpDuEZ.exe
4776	aAszldQ.exe
2820	kQKFClq.exe
5032	DoceKWb.exe
4004	GzWNGRZ.exe
4744	rXCyWpH.exe
4452	QKLyOtZ.exe
1212	hKEVYKD.exe
3756	zWxEITv.exe
4268	UNKZHGB.exe
4324	qHdqusF.exe
4188	fedMgNw.exe
4028	rhjwFAO.exe
4948	gDfenJL.exe
4932	kmjMLox.exe
1688	WotRJXp.exe
2192	vWAeGwc.exe
4612	gqxKfeT.exe
4076	kZfpvGp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	upx
C:\Windows\System\CtICIOu.exe	upx
behavioral2/memory/1340-8-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	upx
C:\Windows\System\suqqZNP.exe	upx
C:\Windows\System\INpDuEZ.exe	upx
behavioral2/memory/1420-14-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	upx
behavioral2/memory/3684-20-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	upx
behavioral2/memory/4776-24-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	upx
C:\Windows\System\kQKFClq.exe	upx
C:\Windows\System\aAszldQ.exe	upx
behavioral2/memory/2820-31-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
C:\Windows\System\DoceKWb.exe	upx
behavioral2/memory/5032-38-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	upx
C:\Windows\System\GzWNGRZ.exe	upx
C:\Windows\System\rXCyWpH.exe	upx
C:\Windows\System\QKLyOtZ.exe	upx
behavioral2/memory/4452-54-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	upx
behavioral2/memory/4744-53-0x00007FF670600000-0x00007FF670954000-memory.dmp	upx
behavioral2/memory/4004-46-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	upx
C:\Windows\System\hKEVYKD.exe	upx
behavioral2/memory/1212-60-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	upx
C:\Windows\System\zWxEITv.exe	upx
C:\Windows\System\UNKZHGB.exe	upx
behavioral2/memory/1340-76-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	upx
C:\Windows\System\fedMgNw.exe	upx
C:\Windows\System\rhjwFAO.exe	upx
C:\Windows\System\qHdqusF.exe	upx
behavioral2/memory/4324-83-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	upx
behavioral2/memory/4268-78-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	upx
behavioral2/memory/3756-70-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	upx
behavioral2/memory/3172-67-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp	upx
behavioral2/memory/4188-93-0x00007FF617EF0000-0x00007FF618244000-memory.dmp	upx
behavioral2/memory/4028-94-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp	upx
behavioral2/memory/2820-109-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
C:\Windows\System\vWAeGwc.exe	upx
C:\Windows\System\gqxKfeT.exe	upx
C:\Windows\System\kZfpvGp.exe	upx
behavioral2/memory/1688-119-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	upx
C:\Windows\System\WotRJXp.exe	upx
behavioral2/memory/4932-112-0x00007FF7F2560000-0x00007FF7F28B4000-memory.dmp	upx
C:\Windows\System\kmjMLox.exe	upx
behavioral2/memory/4948-103-0x00007FF72D660000-0x00007FF72D9B4000-memory.dmp	upx
behavioral2/memory/4776-100-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	upx
C:\Windows\System\gDfenJL.exe	upx
behavioral2/memory/4612-131-0x00007FF796640000-0x00007FF796994000-memory.dmp	upx
behavioral2/memory/4076-130-0x00007FF7B6460000-0x00007FF7B67B4000-memory.dmp	upx
behavioral2/memory/4452-132-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	upx
behavioral2/memory/2192-129-0x00007FF7440E0000-0x00007FF744434000-memory.dmp	upx
behavioral2/memory/1212-133-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	upx
behavioral2/memory/3756-134-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	upx
behavioral2/memory/4324-135-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp	upx
behavioral2/memory/1688-136-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp	upx
behavioral2/memory/1340-137-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp	upx
behavioral2/memory/1420-138-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp	upx
behavioral2/memory/3684-139-0x00007FF656090000-0x00007FF6563E4000-memory.dmp	upx
behavioral2/memory/4776-140-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp	upx
behavioral2/memory/5032-142-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp	upx
behavioral2/memory/2820-141-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
behavioral2/memory/4004-143-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp	upx
behavioral2/memory/4744-144-0x00007FF670600000-0x00007FF670954000-memory.dmp	upx
behavioral2/memory/4452-145-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp	upx
behavioral2/memory/1212-146-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp	upx
behavioral2/memory/3756-147-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp	upx
behavioral2/memory/4268-148-0x00007FF776360000-0x00007FF7766B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\hKEVYKD.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fedMgNw.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDfenJL.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kZfpvGp.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\INpDuEZ.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aAszldQ.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzWNGRZ.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zWxEITv.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNKZHGB.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rhjwFAO.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmjMLox.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gqxKfeT.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DoceKWb.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QKLyOtZ.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qHdqusF.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vWAeGwc.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtICIOu.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\suqqZNP.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kQKFClq.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rXCyWpH.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WotRJXp.exe	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3172 wrote to memory of 1340	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	CtICIOu.exe
PID 3172 wrote to memory of 1340	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	CtICIOu.exe
PID 3172 wrote to memory of 1420	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	suqqZNP.exe
PID 3172 wrote to memory of 1420	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	suqqZNP.exe
PID 3172 wrote to memory of 3684	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	INpDuEZ.exe
PID 3172 wrote to memory of 3684	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	INpDuEZ.exe
PID 3172 wrote to memory of 4776	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	aAszldQ.exe
PID 3172 wrote to memory of 4776	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	aAszldQ.exe
PID 3172 wrote to memory of 2820	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kQKFClq.exe
PID 3172 wrote to memory of 2820	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kQKFClq.exe
PID 3172 wrote to memory of 5032	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	DoceKWb.exe
PID 3172 wrote to memory of 5032	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	DoceKWb.exe
PID 3172 wrote to memory of 4004	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	GzWNGRZ.exe
PID 3172 wrote to memory of 4004	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	GzWNGRZ.exe
PID 3172 wrote to memory of 4744	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	rXCyWpH.exe
PID 3172 wrote to memory of 4744	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	rXCyWpH.exe
PID 3172 wrote to memory of 4452	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	QKLyOtZ.exe
PID 3172 wrote to memory of 4452	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	QKLyOtZ.exe
PID 3172 wrote to memory of 1212	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	hKEVYKD.exe
PID 3172 wrote to memory of 1212	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	hKEVYKD.exe
PID 3172 wrote to memory of 3756	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	zWxEITv.exe
PID 3172 wrote to memory of 3756	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	zWxEITv.exe
PID 3172 wrote to memory of 4268	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	UNKZHGB.exe
PID 3172 wrote to memory of 4268	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	UNKZHGB.exe
PID 3172 wrote to memory of 4324	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	qHdqusF.exe
PID 3172 wrote to memory of 4324	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	qHdqusF.exe
PID 3172 wrote to memory of 4188	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	fedMgNw.exe
PID 3172 wrote to memory of 4188	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	fedMgNw.exe
PID 3172 wrote to memory of 4028	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	rhjwFAO.exe
PID 3172 wrote to memory of 4028	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	rhjwFAO.exe
PID 3172 wrote to memory of 4948	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	gDfenJL.exe
PID 3172 wrote to memory of 4948	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	gDfenJL.exe
PID 3172 wrote to memory of 4932	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kmjMLox.exe
PID 3172 wrote to memory of 4932	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kmjMLox.exe
PID 3172 wrote to memory of 1688	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	WotRJXp.exe
PID 3172 wrote to memory of 1688	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	WotRJXp.exe
PID 3172 wrote to memory of 2192	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	vWAeGwc.exe
PID 3172 wrote to memory of 2192	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	vWAeGwc.exe
PID 3172 wrote to memory of 4612	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	gqxKfeT.exe
PID 3172 wrote to memory of 4612	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	gqxKfeT.exe
PID 3172 wrote to memory of 4076	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kZfpvGp.exe
PID 3172 wrote to memory of 4076	3172	2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe	kZfpvGp.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_ca49fb20fa49816e96584d7adddb3817_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\System\CtICIOu.exe
C:\Windows\System\CtICIOu.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\suqqZNP.exe
C:\Windows\System\suqqZNP.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\System\INpDuEZ.exe
C:\Windows\System\INpDuEZ.exe
2⤵
- Executes dropped EXE
PID:3684

C:\Windows\System\aAszldQ.exe
C:\Windows\System\aAszldQ.exe
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\System\kQKFClq.exe
C:\Windows\System\kQKFClq.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\DoceKWb.exe
C:\Windows\System\DoceKWb.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System\GzWNGRZ.exe
C:\Windows\System\GzWNGRZ.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\System\rXCyWpH.exe
C:\Windows\System\rXCyWpH.exe
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\System\QKLyOtZ.exe
C:\Windows\System\QKLyOtZ.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\System\hKEVYKD.exe
C:\Windows\System\hKEVYKD.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\zWxEITv.exe
C:\Windows\System\zWxEITv.exe
2⤵
- Executes dropped EXE
PID:3756

C:\Windows\System\UNKZHGB.exe
C:\Windows\System\UNKZHGB.exe
2⤵
- Executes dropped EXE
PID:4268

C:\Windows\System\qHdqusF.exe
C:\Windows\System\qHdqusF.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\System\fedMgNw.exe
C:\Windows\System\fedMgNw.exe
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\System\rhjwFAO.exe
C:\Windows\System\rhjwFAO.exe
2⤵
- Executes dropped EXE
PID:4028

C:\Windows\System\gDfenJL.exe
C:\Windows\System\gDfenJL.exe
2⤵
- Executes dropped EXE
PID:4948

C:\Windows\System\kmjMLox.exe
C:\Windows\System\kmjMLox.exe
2⤵
- Executes dropped EXE
PID:4932

C:\Windows\System\WotRJXp.exe
C:\Windows\System\WotRJXp.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\vWAeGwc.exe
C:\Windows\System\vWAeGwc.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\gqxKfeT.exe
C:\Windows\System\gqxKfeT.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System\kZfpvGp.exe
C:\Windows\System\kZfpvGp.exe
2⤵
- Executes dropped EXE
PID:4076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CtICIOu.exe
Filesize
5.9MB

MD5
520b23f50d659a1cca21e2f14f5c51d2

SHA1
ebe9e4440757e101d010824675ea98d5e9d54dd4

SHA256
ce1cc03e493c6756d6a7d4c1723727075949cec7754088fa3518338290851923

SHA512
2bbdd977a5417a20099a34f4d19a98fe720ff0b57b5dc26bd6eec5b7df37502a21b5de3b8728fe842d217763b7797777485a215217bf3a883d5bf5728fc73148

Download Submit
C:\Windows\System\DoceKWb.exe
Filesize
5.9MB

MD5
aaaddf1fa80473776d2f030384ccf02c

SHA1
b6d8b9d8616bb191780da05ee6043e5d977cbfb8

SHA256
631f60881977873752e1c54c4b7f6ae95f2b1a07b32fcc3f00badf894d590ab2

SHA512
d7d233abbdf64a23cd07a98c0b830ad8cf18541d6c065da8c610af10137dfffd34fe367de281325f0aa395e4eda247678112ec69d6d0c2c5458600134f08a7b3

Download Submit
C:\Windows\System\GzWNGRZ.exe
Filesize
5.9MB

MD5
5c4281ee3ebe217a57e7572d90c0cbca

SHA1
784c88bb6392420100346579d2a8bec0659c2c45

SHA256
9a61850b1a121dc0351edb0d10473b9e03966b4dd29835dd78bd3160a6494de7

SHA512
ad43e461a52ef08f61adb452854a5afa340d71569f32aec03e395bca98b1464856eed3eb5e27179d7a6233f7e036d4d75adf2529b58a800c520978c6bfb5dbe1

Download Submit
C:\Windows\System\INpDuEZ.exe
Filesize
5.9MB

MD5
5599086b09980d3e5d1f5aac5ff45e9a

SHA1
9b466afe492ab8cf408310a79f2f1936f44607e8

SHA256
e361ddf25be6e9687fd1c53a2be2c8ab2051882a38e381e998319f88084622ff

SHA512
bf36a33dcec03c53ab888247b58d3e18bb2ac71b9ababa85190e96d7b649f62bc7d9b9b63369ccd05789fba63de6c72ef329fa7fd7c5007a11e1f2c36f509f0d

Download Submit
C:\Windows\System\QKLyOtZ.exe
Filesize
5.9MB

MD5
a631b9ad783b6b71a4cef2dc1d1ca243

SHA1
f7f7248f3248132f8e4fbb23c81e6280313e146b

SHA256
6ca894d7be5611bbddc97a39e68426b701b89b7804f37cbb0c62fe28c15a0cbf

SHA512
007dd40328e12971b3220836106c1cfccf559fb9c42c8a7d5f91b62ec4c736f8c3c81ce9648ec4a67b0545a5183bf142ab645c0c19dbdbc4e6da305c687cbe6c

Download Submit
C:\Windows\System\UNKZHGB.exe
Filesize
5.9MB

MD5
ab5f4eb1e36f73dbe2d85ae88d53ea5b

SHA1
08daa342cf13cb09af40cabb029a388ba5be3389

SHA256
1c06acf136853b1b1dfa4a087edf2df20e01ee9cc35bed2661ade831fa227515

SHA512
340f755b2521212bb5652f0b82720511972297da5ed7013bd2121a4413004412e4c9efac5d3d8201675117719361c4007e6247e6fb9b72c266d8b80c26b51eb3

Download Submit
C:\Windows\System\WotRJXp.exe
Filesize
5.9MB

MD5
87bf9f552171f45fdd5fead270201f2a

SHA1
832ebfb056a9016d11a39ed25abac68c4398e231

SHA256
a7fb9f89324cf9f8fc49d5b8cd76cc9eefc6dbe47efa43d2a7ba0bcd8ef5ebb6

SHA512
8c2b2b16c74b5a7d5a02ab501cdca9b09fefae86d9ede504ae18bc1558a259364d6a031d9fbe388acf6ab88ce10713802af2e042b5d0dffd970b41873e25cf2d

Download Submit
C:\Windows\System\aAszldQ.exe
Filesize
5.9MB

MD5
33dcc15c88b0897984e8bac35e9c9a05

SHA1
f9ef4166ff860169b4512e0973c7b8fb6eea3d5f

SHA256
7cc7b1e92daf965de28c730b2fc07842d3afdbcded8863a681317b42ef5ffb20

SHA512
df88cc4a7382b42781a3008a1294fd0bc6dbe0db3b8567e0ea5c58f3d011e00c673d7423c5d1d65c4d9bba549a62e253f54b491c7894e1331365cd49d47c6f7d

Download Submit
C:\Windows\System\fedMgNw.exe
Filesize
5.9MB

MD5
0fc5cbd986058ed3a5fce3abb83b5091

SHA1
b61ba965d175f1d825bffabc16c899a2d6f51138

SHA256
ccbd302532b46435c33ab4b0cb8dacc8b88abcb4cb057d64e316f746ef654487

SHA512
532b6f32fce3c497bfccb98af2eb3712d8a76912608e8fece4a46bac83371e6a54c9952f88650bdf3cb70c05c1f586a4f4f0d7fe99fd628cd8c0524f77063601

Download Submit
C:\Windows\System\gDfenJL.exe
Filesize
5.9MB

MD5
f1bddbc87a35193a5d993abb8564487b

SHA1
73ee91ae20e44ef1122430efc240e17edf3a0e66

SHA256
01ede19c7214b1151f9e8e4a41058d606e108bf383b691c5c66f15ceb23b473f

SHA512
812f24165656b628c954450fb24bb929570f45356ac7e8ede39e1160870a742c8e0c8e4b613a65b0c62d78afe49c5f933d81e3592e9f9c35594eca627610d243

Download Submit
C:\Windows\System\gqxKfeT.exe
Filesize
5.9MB

MD5
b6adc9152b919bf79b97e507b8b710bc

SHA1
0ca64fd1d00cc9a77d353d98cdeb0656a08d98d3

SHA256
8c4c8cb9abb1243277e6c5d460c90f41ca3d5827adb3b121ed41c63333f22f37

SHA512
e2f220499edfa9f5fafe6676995d6afb303286d40c7dbc0807db0eb838835b48617fab9e17e4ed993c810bb6fd46cabaa99023f9964f6221937483e82591d058

Download Submit
C:\Windows\System\hKEVYKD.exe
Filesize
5.9MB

MD5
44f4ba5fd87554729e7af8677dcbf5f2

SHA1
2bf6a81ca1a4f70189fd979327ecdd5ab88b7961

SHA256
a6fed97aaf52324ebf5eef97bd4523ddacac7edd1c4fda4dc56a23f213f2817c

SHA512
dd938caf55b3821abfe69bf3a027d8c5907ebac32f3460a07f6d9aecde00663fd8e28a2cb7d0e4cd5d128394bfbc3f8a5f478257abc1e78d138c706651ab34f1

Download Submit
C:\Windows\System\kQKFClq.exe
Filesize
5.9MB

MD5
a771946fb3f405e4d2cce9f269d54229

SHA1
4faaf01dacf38138d70aa018c301828b7cc6dc14

SHA256
ee682108695958afe9188b0b4ebb92cfe40f9c92be60f313e89d74a4fa79556a

SHA512
dfb7b81e3c9c8ed8371d33155ac8b5933b3b887b6f232a734d78521d7cbaa678119edd7aa72084280ff0e30a13ab8087344b475f83089dcdcdbf2e07cc1c3f22

Download Submit
C:\Windows\System\kZfpvGp.exe
Filesize
5.9MB

MD5
93a02ce2730eecd8f08b2a5775bc7d52

SHA1
80cdd7739b7654a22868899c3eecb0e910002a39

SHA256
93efe316fab8506614054c2f6b632bb63a0077c8bc17f6fe6f48a249ed508f19

SHA512
726a019885d74e9757094a2b339e7ed0e8edd1a9a21015e003495600ef32542c04c63bfb2158a486bbc4d4e9ca4b9508f2b8366ddeabb0ff7fc90da03e0d8972

Download Submit
C:\Windows\System\kmjMLox.exe
Filesize
5.9MB

MD5
db5dadda9d4a8d62d94c4db97b4e6225

SHA1
c89a7e6bb258b1bb9dbb824712811a77347e40a2

SHA256
467bfccddc8bc33cc8131f41e537b69132b6ced6c0a566bf683a361eaf641b7e

SHA512
b23239e7ce942614d7b7eacad7c602bc497cfbebac090395fef6ca3017da1f6bb11de3641512c693ce55885927ef4feb3c2f151b9de708bdf690da70b817a551

Download Submit
C:\Windows\System\qHdqusF.exe
Filesize
5.9MB

MD5
e86c65bd51b3e08c9168d6568ee2b2db

SHA1
271128c6c9279ca5f8d27756344d86bc847f8a3d

SHA256
59049ee038e6f46231ff55c152726b0ac84eef6acc071feb17bbf0fae68e59f7

SHA512
0d11e4e10b55f7a56e9eee02841f1c45ebdb0060e35ff23b40b9a153a0088827ef5b5acfef57f616021fbe8a04ef7d19984828a2051a3550e5c885b6606d7e46

Download Submit
C:\Windows\System\rXCyWpH.exe
Filesize
5.9MB

MD5
c7e96395bfaba2676a707e69ee97c595

SHA1
7e408545529073a182ee787620870cd0f618eadd

SHA256
e21dcc2fc0762dbdd84ab7d20373f7c246adfae970965cdd3ccc514c2e57af37

SHA512
4ad1bc3ec819021659f82b3983514642f0b705fa5ca75d7216c0f96a4737b2aadee7e5b3727c77c23528f73a4572a03a5f21b1fdea443224e55d811c9564b54e

Download Submit
C:\Windows\System\rhjwFAO.exe
Filesize
5.9MB

MD5
3b48eb43b3cd168965b9694b09299e00

SHA1
914aed1d6f9d95946a218e6cff630ed6a2661177

SHA256
b7d7dc99ef8785edb7e473f58ce94fba87b6af70b5d47d6c5c1e4fb29fb5477e

SHA512
fcbbbf4d58dae4ca13d943444fce6b09b4bff7cd56c525e6e49784d79839c507d8e50583b63847651f6e212df16c76db941efbafdb8455248d9e8fb2f899aa6f

Download Submit
C:\Windows\System\suqqZNP.exe
Filesize
5.9MB

MD5
3b8a8612feb5c1100b05ff9f98713209

SHA1
9cb433ed3eaedee5e3dbd72fd47aee835524fb80

SHA256
aff9a3384388e3bc32731eb2c94945af1f5bfff95c005e60228642c2f0467401

SHA512
3a1ecc0b9e7d324d8090ae8b3b20a4e83cf83a89a8ee614c403cafb384ef42d73ecf118e1feacfcc7a05cf187184282155ae5a0d1b99c6c04b39074c61e0b982

Download Submit
C:\Windows\System\vWAeGwc.exe
Filesize
5.9MB

MD5
884696e9513ad0e2bbb34a743ce055e3

SHA1
197b4c825d4447669d120ba0d0c4fbbd31697a76

SHA256
602602b671bf5fa1747f9c5d85434a5b627bc4468d88522637adb9979ac1a184

SHA512
43aed41bcf750a84adde80bed5f923eac4ac9ad875a5a51162c60ea47cca82b065124ec70b902cd69734bd4243daa81db3517b6cf9e557e276600d5d242a6bcb

Download Submit
C:\Windows\System\zWxEITv.exe
Filesize
5.9MB

MD5
ade0ebfc1b9720a319987544754f4c4f

SHA1
69a4dbeb1cbcc5d0adbec0d5dcd3213d80d72f2c

SHA256
14c115688dc72d80dd0b849cbb73c7f0a8b5530c228a8a8b70cdf4b56ea25fc0

SHA512
ba4f4ea7e32144ce3755ca65fc5168afd95a944012305de7db29e6449822ad9215b8ff907e6cd9db4c408eb8e956c0fa39d2b3c1950272a3ca3e8b81a6e81e3a

Download Submit
memory/1212-60-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp

Filesize
3.3MB

Download
memory/1212-146-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp

Filesize
3.3MB

Download
memory/1212-133-0x00007FF7AE720000-0x00007FF7AEA74000-memory.dmp

Filesize
3.3MB

Download
memory/1340-137-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-8-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-76-0x00007FF65E090000-0x00007FF65E3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-138-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp

Filesize
3.3MB

Download
memory/1420-14-0x00007FF603FA0000-0x00007FF6042F4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-154-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp

Filesize
3.3MB

Download
memory/1688-119-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp

Filesize
3.3MB

Download
memory/1688-136-0x00007FF7ABCB0000-0x00007FF7AC004000-memory.dmp

Filesize
3.3MB

Download
memory/2192-156-0x00007FF7440E0000-0x00007FF744434000-memory.dmp

Filesize
3.3MB

Download
memory/2192-129-0x00007FF7440E0000-0x00007FF744434000-memory.dmp

Filesize
3.3MB

Download
memory/2820-31-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-109-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-141-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3172-0-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp

Filesize
3.3MB

Download
memory/3172-67-0x00007FF7BAAE0000-0x00007FF7BAE34000-memory.dmp

Filesize
3.3MB

Download
memory/3172-1-0x0000021FBEE90000-0x0000021FBEEA0000-memory.dmp

Filesize
64KB

Download
memory/3684-20-0x00007FF656090000-0x00007FF6563E4000-memory.dmp

Filesize
3.3MB

Download
memory/3684-139-0x00007FF656090000-0x00007FF6563E4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-147-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-134-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/3756-70-0x00007FF69BB60000-0x00007FF69BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4004-46-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp

Filesize
3.3MB

Download
memory/4004-143-0x00007FF7A7820000-0x00007FF7A7B74000-memory.dmp

Filesize
3.3MB

Download
memory/4028-149-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp

Filesize
3.3MB

Download
memory/4028-94-0x00007FF6AC120000-0x00007FF6AC474000-memory.dmp

Filesize
3.3MB

Download
memory/4076-130-0x00007FF7B6460000-0x00007FF7B67B4000-memory.dmp

Filesize
3.3MB

Download
memory/4076-157-0x00007FF7B6460000-0x00007FF7B67B4000-memory.dmp

Filesize
3.3MB

Download
memory/4188-150-0x00007FF617EF0000-0x00007FF618244000-memory.dmp

Filesize
3.3MB

Download
memory/4188-93-0x00007FF617EF0000-0x00007FF618244000-memory.dmp

Filesize
3.3MB

Download
memory/4268-148-0x00007FF776360000-0x00007FF7766B4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-78-0x00007FF776360000-0x00007FF7766B4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-151-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp

Filesize
3.3MB

Download
memory/4324-135-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp

Filesize
3.3MB

Download
memory/4324-83-0x00007FF7B9FE0000-0x00007FF7BA334000-memory.dmp

Filesize
3.3MB

Download
memory/4452-145-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp

Filesize
3.3MB

Download
memory/4452-54-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp

Filesize
3.3MB

Download
memory/4452-132-0x00007FF7CB600000-0x00007FF7CB954000-memory.dmp

Filesize
3.3MB

Download
memory/4612-131-0x00007FF796640000-0x00007FF796994000-memory.dmp

Filesize
3.3MB

Download
memory/4612-155-0x00007FF796640000-0x00007FF796994000-memory.dmp

Filesize
3.3MB

Download
memory/4744-144-0x00007FF670600000-0x00007FF670954000-memory.dmp

Filesize
3.3MB

Download
memory/4744-53-0x00007FF670600000-0x00007FF670954000-memory.dmp

Filesize
3.3MB

Download
memory/4776-100-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp

Filesize
3.3MB

Download
memory/4776-24-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp

Filesize
3.3MB

Download
memory/4776-140-0x00007FF6458E0000-0x00007FF645C34000-memory.dmp

Filesize
3.3MB

Download
memory/4932-112-0x00007FF7F2560000-0x00007FF7F28B4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-153-0x00007FF7F2560000-0x00007FF7F28B4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-103-0x00007FF72D660000-0x00007FF72D9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4948-152-0x00007FF72D660000-0x00007FF72D9B4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-38-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-142-0x00007FF7D3E60000-0x00007FF7D41B4000-memory.dmp

Filesize
3.3MB

Download