cobaltstrike | 1464a8ba6974bad190976248944b5944f9cfe193e65f55d0a64105d980aa76fd

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

bf60ad052d5f63d8736b1912510dd97b
SHA1

ed691bccd2df3615b232dbcbbe13e9a4db4a52bc
SHA256

1464a8ba6974bad190976248944b5944f9cfe193e65f55d0a64105d980aa76fd
SHA512

3f6093ccdba2008c647a227d3a20a46e654819d3fb3f391c36029fb9d7ff28954caee77d1b19c3c217c8df67b0f86caf89257a351d2150ced8e5d872803ea70c
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUg:Q+856utgpPF8u/7g

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\RZOKAJT.exe	cobalt_reflective_dll
C:\Windows\System\hjGEsuP.exe	cobalt_reflective_dll
C:\Windows\System\YboeGgq.exe	cobalt_reflective_dll
C:\Windows\System\SUUOmvh.exe	cobalt_reflective_dll
C:\Windows\System\BrHYejp.exe	cobalt_reflective_dll
C:\Windows\System\egAEzaC.exe	cobalt_reflective_dll
C:\Windows\System\iSlgCdN.exe	cobalt_reflective_dll
C:\Windows\System\sShTTPn.exe	cobalt_reflective_dll
C:\Windows\System\rDwfIpV.exe	cobalt_reflective_dll
C:\Windows\System\zsHjXCp.exe	cobalt_reflective_dll
C:\Windows\System\IXTWhsR.exe	cobalt_reflective_dll
C:\Windows\System\oEEVYTP.exe	cobalt_reflective_dll
C:\Windows\System\wlgkZSr.exe	cobalt_reflective_dll
C:\Windows\System\wOLchYO.exe	cobalt_reflective_dll
C:\Windows\System\TnwyMwm.exe	cobalt_reflective_dll
C:\Windows\System\PJZSHMQ.exe	cobalt_reflective_dll
C:\Windows\System\donooEw.exe	cobalt_reflective_dll
C:\Windows\System\npVEddd.exe	cobalt_reflective_dll
C:\Windows\System\sSVhBBb.exe	cobalt_reflective_dll
C:\Windows\System\YHjiJZR.exe	cobalt_reflective_dll
C:\Windows\System\jQqNFav.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\RZOKAJT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hjGEsuP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YboeGgq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SUUOmvh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BrHYejp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\egAEzaC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iSlgCdN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sShTTPn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rDwfIpV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zsHjXCp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IXTWhsR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oEEVYTP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wlgkZSr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wOLchYO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TnwyMwm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PJZSHMQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\donooEw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\npVEddd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sSVhBBb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YHjiJZR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jQqNFav.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	UPX
C:\Windows\System\RZOKAJT.exe	UPX
behavioral2/memory/4512-8-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	UPX
C:\Windows\System\hjGEsuP.exe	UPX
C:\Windows\System\YboeGgq.exe	UPX
behavioral2/memory/3040-14-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	UPX
C:\Windows\System\SUUOmvh.exe	UPX
C:\Windows\System\BrHYejp.exe	UPX
C:\Windows\System\egAEzaC.exe	UPX
behavioral2/memory/1616-32-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	UPX
behavioral2/memory/4196-31-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	UPX
behavioral2/memory/4016-22-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	UPX
behavioral2/memory/3212-40-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	UPX
C:\Windows\System\iSlgCdN.exe	UPX
behavioral2/memory/4140-50-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	UPX
C:\Windows\System\sShTTPn.exe	UPX
C:\Windows\System\rDwfIpV.exe	UPX
behavioral2/memory/4188-55-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	UPX
behavioral2/memory/1436-53-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	UPX
C:\Windows\System\zsHjXCp.exe	UPX
behavioral2/memory/3584-67-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	UPX
C:\Windows\System\IXTWhsR.exe	UPX
behavioral2/memory/2656-71-0x00007FF6AC6E0000-0x00007FF6ACA34000-memory.dmp	UPX
behavioral2/memory/3708-70-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	UPX
C:\Windows\System\oEEVYTP.exe	UPX
behavioral2/memory/2812-76-0x00007FF751C50000-0x00007FF751FA4000-memory.dmp	UPX
behavioral2/memory/4512-75-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	UPX
C:\Windows\System\wlgkZSr.exe	UPX
behavioral2/memory/3040-80-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	UPX
C:\Windows\System\wOLchYO.exe	UPX
behavioral2/memory/2156-81-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	UPX
behavioral2/memory/624-90-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	UPX
behavioral2/memory/4196-87-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	UPX
C:\Windows\System\TnwyMwm.exe	UPX
behavioral2/memory/3848-96-0x00007FF7B1EB0000-0x00007FF7B2204000-memory.dmp	UPX
C:\Windows\System\PJZSHMQ.exe	UPX
C:\Windows\System\donooEw.exe	UPX
behavioral2/memory/4556-105-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	UPX
behavioral2/memory/1616-101-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	UPX
behavioral2/memory/212-107-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	UPX
C:\Windows\System\npVEddd.exe	UPX
C:\Windows\System\sSVhBBb.exe	UPX
C:\Windows\System\YHjiJZR.exe	UPX
behavioral2/memory/4268-116-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	UPX
behavioral2/memory/4188-115-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	UPX
behavioral2/memory/4836-127-0x00007FF633430000-0x00007FF633784000-memory.dmp	UPX
C:\Windows\System\jQqNFav.exe	UPX
behavioral2/memory/4540-131-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	UPX
behavioral2/memory/2436-130-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	UPX
behavioral2/memory/2156-134-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	UPX
behavioral2/memory/624-135-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	UPX
behavioral2/memory/4556-136-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	UPX
behavioral2/memory/212-137-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	UPX
behavioral2/memory/4268-138-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	UPX
behavioral2/memory/4540-139-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	UPX
behavioral2/memory/4512-140-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	UPX
behavioral2/memory/3040-141-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	UPX
behavioral2/memory/4016-142-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	UPX
behavioral2/memory/4196-143-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	UPX
behavioral2/memory/1616-144-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	UPX
behavioral2/memory/3212-145-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	UPX
behavioral2/memory/4140-146-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	UPX
behavioral2/memory/1436-147-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	UPX
behavioral2/memory/3584-148-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	xmrig
C:\Windows\System\RZOKAJT.exe	xmrig
behavioral2/memory/4512-8-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	xmrig
C:\Windows\System\hjGEsuP.exe	xmrig
C:\Windows\System\YboeGgq.exe	xmrig
behavioral2/memory/3040-14-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	xmrig
C:\Windows\System\SUUOmvh.exe	xmrig
C:\Windows\System\BrHYejp.exe	xmrig
C:\Windows\System\egAEzaC.exe	xmrig
behavioral2/memory/1616-32-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	xmrig
behavioral2/memory/4196-31-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	xmrig
behavioral2/memory/4016-22-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	xmrig
behavioral2/memory/3212-40-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	xmrig
C:\Windows\System\iSlgCdN.exe	xmrig
behavioral2/memory/4140-50-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	xmrig
C:\Windows\System\sShTTPn.exe	xmrig
C:\Windows\System\rDwfIpV.exe	xmrig
behavioral2/memory/4188-55-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	xmrig
behavioral2/memory/1436-53-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	xmrig
C:\Windows\System\zsHjXCp.exe	xmrig
behavioral2/memory/3584-67-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	xmrig
C:\Windows\System\IXTWhsR.exe	xmrig
behavioral2/memory/2656-71-0x00007FF6AC6E0000-0x00007FF6ACA34000-memory.dmp	xmrig
behavioral2/memory/3708-70-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	xmrig
C:\Windows\System\oEEVYTP.exe	xmrig
behavioral2/memory/2812-76-0x00007FF751C50000-0x00007FF751FA4000-memory.dmp	xmrig
behavioral2/memory/4512-75-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	xmrig
C:\Windows\System\wlgkZSr.exe	xmrig
behavioral2/memory/3040-80-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	xmrig
C:\Windows\System\wOLchYO.exe	xmrig
behavioral2/memory/2156-81-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	xmrig
behavioral2/memory/624-90-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	xmrig
behavioral2/memory/4196-87-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	xmrig
C:\Windows\System\TnwyMwm.exe	xmrig
behavioral2/memory/3848-96-0x00007FF7B1EB0000-0x00007FF7B2204000-memory.dmp	xmrig
C:\Windows\System\PJZSHMQ.exe	xmrig
C:\Windows\System\donooEw.exe	xmrig
behavioral2/memory/4556-105-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	xmrig
behavioral2/memory/1616-101-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	xmrig
behavioral2/memory/212-107-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	xmrig
C:\Windows\System\npVEddd.exe	xmrig
C:\Windows\System\sSVhBBb.exe	xmrig
C:\Windows\System\YHjiJZR.exe	xmrig
behavioral2/memory/4268-116-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	xmrig
behavioral2/memory/4188-115-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	xmrig
behavioral2/memory/4836-127-0x00007FF633430000-0x00007FF633784000-memory.dmp	xmrig
C:\Windows\System\jQqNFav.exe	xmrig
behavioral2/memory/4540-131-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	xmrig
behavioral2/memory/2436-130-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	xmrig
behavioral2/memory/2156-134-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	xmrig
behavioral2/memory/624-135-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	xmrig
behavioral2/memory/4556-136-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	xmrig
behavioral2/memory/212-137-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	xmrig
behavioral2/memory/4268-138-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	xmrig
behavioral2/memory/4540-139-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	xmrig
behavioral2/memory/4512-140-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	xmrig
behavioral2/memory/3040-141-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	xmrig
behavioral2/memory/4016-142-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	xmrig
behavioral2/memory/4196-143-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	xmrig
behavioral2/memory/1616-144-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	xmrig
behavioral2/memory/3212-145-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	xmrig
behavioral2/memory/4140-146-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	xmrig
behavioral2/memory/1436-147-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	xmrig
behavioral2/memory/3584-148-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

RZOKAJT.exehjGEsuP.exeYboeGgq.exeSUUOmvh.exeBrHYejp.exeegAEzaC.exeiSlgCdN.exeoEEVYTP.exerDwfIpV.exesShTTPn.exezsHjXCp.exeIXTWhsR.exewlgkZSr.exewOLchYO.exeTnwyMwm.exePJZSHMQ.exedonooEw.exenpVEddd.exeYHjiJZR.exesSVhBBb.exejQqNFav.exe

pid	process
4512	RZOKAJT.exe
3040	hjGEsuP.exe
4016	YboeGgq.exe
4196	SUUOmvh.exe
1616	BrHYejp.exe
3212	egAEzaC.exe
4140	iSlgCdN.exe
1436	oEEVYTP.exe
4188	rDwfIpV.exe
3584	sShTTPn.exe
2656	zsHjXCp.exe
2812	IXTWhsR.exe
2156	wlgkZSr.exe
624	wOLchYO.exe
3848	TnwyMwm.exe
4556	PJZSHMQ.exe
212	donooEw.exe
4268	npVEddd.exe
4836	YHjiJZR.exe
2436	sSVhBBb.exe
4540	jQqNFav.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3708-0-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	upx
C:\Windows\System\RZOKAJT.exe	upx
behavioral2/memory/4512-8-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	upx
C:\Windows\System\hjGEsuP.exe	upx
C:\Windows\System\YboeGgq.exe	upx
behavioral2/memory/3040-14-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	upx
C:\Windows\System\SUUOmvh.exe	upx
C:\Windows\System\BrHYejp.exe	upx
C:\Windows\System\egAEzaC.exe	upx
behavioral2/memory/1616-32-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	upx
behavioral2/memory/4196-31-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	upx
behavioral2/memory/4016-22-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	upx
behavioral2/memory/3212-40-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	upx
C:\Windows\System\iSlgCdN.exe	upx
behavioral2/memory/4140-50-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	upx
C:\Windows\System\sShTTPn.exe	upx
C:\Windows\System\rDwfIpV.exe	upx
behavioral2/memory/4188-55-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	upx
behavioral2/memory/1436-53-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	upx
C:\Windows\System\zsHjXCp.exe	upx
behavioral2/memory/3584-67-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	upx
C:\Windows\System\IXTWhsR.exe	upx
behavioral2/memory/2656-71-0x00007FF6AC6E0000-0x00007FF6ACA34000-memory.dmp	upx
behavioral2/memory/3708-70-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp	upx
C:\Windows\System\oEEVYTP.exe	upx
behavioral2/memory/2812-76-0x00007FF751C50000-0x00007FF751FA4000-memory.dmp	upx
behavioral2/memory/4512-75-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	upx
C:\Windows\System\wlgkZSr.exe	upx
behavioral2/memory/3040-80-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	upx
C:\Windows\System\wOLchYO.exe	upx
behavioral2/memory/2156-81-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	upx
behavioral2/memory/624-90-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	upx
behavioral2/memory/4196-87-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	upx
C:\Windows\System\TnwyMwm.exe	upx
behavioral2/memory/3848-96-0x00007FF7B1EB0000-0x00007FF7B2204000-memory.dmp	upx
C:\Windows\System\PJZSHMQ.exe	upx
C:\Windows\System\donooEw.exe	upx
behavioral2/memory/4556-105-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	upx
behavioral2/memory/1616-101-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	upx
behavioral2/memory/212-107-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	upx
C:\Windows\System\npVEddd.exe	upx
C:\Windows\System\sSVhBBb.exe	upx
C:\Windows\System\YHjiJZR.exe	upx
behavioral2/memory/4268-116-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	upx
behavioral2/memory/4188-115-0x00007FF6485C0000-0x00007FF648914000-memory.dmp	upx
behavioral2/memory/4836-127-0x00007FF633430000-0x00007FF633784000-memory.dmp	upx
C:\Windows\System\jQqNFav.exe	upx
behavioral2/memory/4540-131-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	upx
behavioral2/memory/2436-130-0x00007FF765EB0000-0x00007FF766204000-memory.dmp	upx
behavioral2/memory/2156-134-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp	upx
behavioral2/memory/624-135-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp	upx
behavioral2/memory/4556-136-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	upx
behavioral2/memory/212-137-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp	upx
behavioral2/memory/4268-138-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp	upx
behavioral2/memory/4540-139-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp	upx
behavioral2/memory/4512-140-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp	upx
behavioral2/memory/3040-141-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp	upx
behavioral2/memory/4016-142-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp	upx
behavioral2/memory/4196-143-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp	upx
behavioral2/memory/1616-144-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp	upx
behavioral2/memory/3212-145-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp	upx
behavioral2/memory/4140-146-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp	upx
behavioral2/memory/1436-147-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp	upx
behavioral2/memory/3584-148-0x00007FF702090000-0x00007FF7023E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\hjGEsuP.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SUUOmvh.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egAEzaC.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oEEVYTP.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\npVEddd.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YHjiJZR.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RZOKAJT.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YboeGgq.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDwfIpV.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zsHjXCp.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wOLchYO.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iSlgCdN.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sShTTPn.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wlgkZSr.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PJZSHMQ.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\donooEw.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BrHYejp.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IXTWhsR.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TnwyMwm.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSVhBBb.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jQqNFav.exe	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3708 wrote to memory of 4512	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	RZOKAJT.exe
PID 3708 wrote to memory of 4512	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	RZOKAJT.exe
PID 3708 wrote to memory of 3040	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	hjGEsuP.exe
PID 3708 wrote to memory of 3040	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	hjGEsuP.exe
PID 3708 wrote to memory of 4016	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	YboeGgq.exe
PID 3708 wrote to memory of 4016	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	YboeGgq.exe
PID 3708 wrote to memory of 4196	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	SUUOmvh.exe
PID 3708 wrote to memory of 4196	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	SUUOmvh.exe
PID 3708 wrote to memory of 1616	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	BrHYejp.exe
PID 3708 wrote to memory of 1616	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	BrHYejp.exe
PID 3708 wrote to memory of 3212	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	egAEzaC.exe
PID 3708 wrote to memory of 3212	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	egAEzaC.exe
PID 3708 wrote to memory of 4140	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	iSlgCdN.exe
PID 3708 wrote to memory of 4140	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	iSlgCdN.exe
PID 3708 wrote to memory of 1436	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	oEEVYTP.exe
PID 3708 wrote to memory of 1436	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	oEEVYTP.exe
PID 3708 wrote to memory of 4188	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	rDwfIpV.exe
PID 3708 wrote to memory of 4188	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	rDwfIpV.exe
PID 3708 wrote to memory of 3584	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	sShTTPn.exe
PID 3708 wrote to memory of 3584	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	sShTTPn.exe
PID 3708 wrote to memory of 2656	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	zsHjXCp.exe
PID 3708 wrote to memory of 2656	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	zsHjXCp.exe
PID 3708 wrote to memory of 2812	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	IXTWhsR.exe
PID 3708 wrote to memory of 2812	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	IXTWhsR.exe
PID 3708 wrote to memory of 2156	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	wlgkZSr.exe
PID 3708 wrote to memory of 2156	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	wlgkZSr.exe
PID 3708 wrote to memory of 624	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	wOLchYO.exe
PID 3708 wrote to memory of 624	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	wOLchYO.exe
PID 3708 wrote to memory of 3848	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	TnwyMwm.exe
PID 3708 wrote to memory of 3848	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	TnwyMwm.exe
PID 3708 wrote to memory of 4556	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	PJZSHMQ.exe
PID 3708 wrote to memory of 4556	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	PJZSHMQ.exe
PID 3708 wrote to memory of 212	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	donooEw.exe
PID 3708 wrote to memory of 212	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	donooEw.exe
PID 3708 wrote to memory of 4268	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	npVEddd.exe
PID 3708 wrote to memory of 4268	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	npVEddd.exe
PID 3708 wrote to memory of 4836	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	YHjiJZR.exe
PID 3708 wrote to memory of 4836	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	YHjiJZR.exe
PID 3708 wrote to memory of 2436	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	sSVhBBb.exe
PID 3708 wrote to memory of 2436	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	sSVhBBb.exe
PID 3708 wrote to memory of 4540	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	jQqNFav.exe
PID 3708 wrote to memory of 4540	3708	2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe	jQqNFav.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_bf60ad052d5f63d8736b1912510dd97b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\System\RZOKAJT.exe
C:\Windows\System\RZOKAJT.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\hjGEsuP.exe
C:\Windows\System\hjGEsuP.exe
2⤵
- Executes dropped EXE
PID:3040

C:\Windows\System\YboeGgq.exe
C:\Windows\System\YboeGgq.exe
2⤵
- Executes dropped EXE
PID:4016

C:\Windows\System\SUUOmvh.exe
C:\Windows\System\SUUOmvh.exe
2⤵
- Executes dropped EXE
PID:4196

C:\Windows\System\BrHYejp.exe
C:\Windows\System\BrHYejp.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\egAEzaC.exe
C:\Windows\System\egAEzaC.exe
2⤵
- Executes dropped EXE
PID:3212

C:\Windows\System\iSlgCdN.exe
C:\Windows\System\iSlgCdN.exe
2⤵
- Executes dropped EXE
PID:4140

C:\Windows\System\oEEVYTP.exe
C:\Windows\System\oEEVYTP.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\rDwfIpV.exe
C:\Windows\System\rDwfIpV.exe
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\System\sShTTPn.exe
C:\Windows\System\sShTTPn.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System\zsHjXCp.exe
C:\Windows\System\zsHjXCp.exe
2⤵
- Executes dropped EXE
PID:2656

C:\Windows\System\IXTWhsR.exe
C:\Windows\System\IXTWhsR.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\wlgkZSr.exe
C:\Windows\System\wlgkZSr.exe
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\System\wOLchYO.exe
C:\Windows\System\wOLchYO.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\System\TnwyMwm.exe
C:\Windows\System\TnwyMwm.exe
2⤵
- Executes dropped EXE
PID:3848

C:\Windows\System\PJZSHMQ.exe
C:\Windows\System\PJZSHMQ.exe
2⤵
- Executes dropped EXE
PID:4556

C:\Windows\System\donooEw.exe
C:\Windows\System\donooEw.exe
2⤵
- Executes dropped EXE
PID:212

C:\Windows\System\npVEddd.exe
C:\Windows\System\npVEddd.exe
2⤵
- Executes dropped EXE
PID:4268

C:\Windows\System\YHjiJZR.exe
C:\Windows\System\YHjiJZR.exe
2⤵
- Executes dropped EXE
PID:4836

C:\Windows\System\sSVhBBb.exe
C:\Windows\System\sSVhBBb.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\jQqNFav.exe
C:\Windows\System\jQqNFav.exe
2⤵
- Executes dropped EXE
PID:4540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BrHYejp.exe
Filesize
5.9MB

MD5
7bf89613a3209c16c5065db608ed09b3

SHA1
f665d082d503f8d3c0dae98af624d7231ad33e46

SHA256
8746411c9e8d34938081eac9dc7a964e05dae0c1e9b60ab97c0b164dc0fb329f

SHA512
7102d93bdfc41d8e97977e22f9b91c7d4c9fd076d4ad8b3666f6d1602ff36169333be52ba146c7e78ef91e040242d2dce6216b7c8234b96a2de5f0c91089b786

Download Submit
C:\Windows\System\IXTWhsR.exe
Filesize
5.9MB

MD5
c07da01cf5b06ccc13a4a3ac14cce263

SHA1
a97f9748f69ee1532edf69f03491a09b4c8d2f0e

SHA256
47c98e560cfa1503c4d3eeff24a79ed284aab27f41e97728f169012ed0e3f67f

SHA512
68d70d2e4e21dc60c7d91f7ee7197e13b5580efc0985c408425d9585f152e7eb21dcab6f7e4cdfcc29d5697ff68d8e6b4ace3e9161e080795ca4b6e94eec2159

Download Submit
C:\Windows\System\PJZSHMQ.exe
Filesize
5.9MB

MD5
8d2698441ae75851ca958e52440c0c31

SHA1
12d3c94ef3d0501503ab18c556a80a8970ced27b

SHA256
ccb28494bebfc0d8b5c2feafc4a4427ff1ceb4af848a0247f3575076b9d447ce

SHA512
b0b8425d186b740cd3369218167228e546ebaa93bcd3451318e325eb807a05c56845b5c826e23eb81635b73d45487cfdf302b53de651af50c1e34b5bd9651c8d

Download Submit
C:\Windows\System\RZOKAJT.exe
Filesize
5.9MB

MD5
7ac450fe04901ddcf58f2c41d194b38c

SHA1
dfd13b5b01bdb1273da88ad2d6458a5c71355c15

SHA256
e7522c2902811a63737caf31286ea4cb32cd79a5d32bc97693241486a8288670

SHA512
5de4822e33d43704d31d876660d73b9cd94f90cd10468de768b9e1f8a330baf979c9f6fb892061fe5c509a5ff3b1ecd4c6b9c613aadd55fd8daadd472b3880b7

Download Submit
C:\Windows\System\SUUOmvh.exe
Filesize
5.9MB

MD5
288cb942a15f739aa45ad56ecff8f2e6

SHA1
9eda5770a15a80721bf6fc56ecca63a00cfb1da7

SHA256
598eae8e2f9fb59cd1715bd599707d8d76573e5252ffa83c4a8854e35a697bfc

SHA512
14b24e60871fff50a0f2f4e44bd8735abdca7f2e98bad957d3933c858a4a7a6862398b59a24f6b76c65ee94f2863498cdc062345915614f54670aa087989b702

Download Submit
C:\Windows\System\TnwyMwm.exe
Filesize
5.9MB

MD5
37c0281991dbd40d9862be913d67fcaf

SHA1
fc62f364c9bd8f0ca68d003611c6304e2ecd66e9

SHA256
7e6dca6dbf2dc9de9d0f5e3877b7996e55232a8a42b601167a5d5045eca52fc0

SHA512
41a1b69d0014862aa4d82f1ae8afc137e39b611563ae6bdc91ac92568846c098bdf2379c685b5911aff9c695db71c1a062f9ded0d3f9166d627046994f968e5f

Download Submit
C:\Windows\System\YHjiJZR.exe
Filesize
5.9MB

MD5
c780ef6946b6e23b17cd3965a23e09b8

SHA1
faafb5db145dbd7591961a46554d3bce8326fc4f

SHA256
cffb74243eb1b341ad4caec5651b8057d52ca039ac236743f9986d38b29de2b2

SHA512
b3a6ef45a449c540b9fab927b56235a1c47b9a75a25a14d8201b63047182484ad89ef47e90b41b19a1b85feb0c2639a5e5b7a5f02b46f6a1f7c7f648b4b184da

Download Submit
C:\Windows\System\YboeGgq.exe
Filesize
5.9MB

MD5
469a0964c7707d4688b1c902946b959b

SHA1
10ee9cc46c084587aa8a3412aebe9ecfbc0b06b8

SHA256
4f45d6b79b1775dfdc1157cde0f41e71b905e82b60899a243325bcd32294892e

SHA512
2e99259691f9c6ce028c60d4e87835b64c11787bb145b75bffebdf6f9990a0b848a4da5b7a86f652f97c5b9991c1eeedbd9e494c6136feeae9715258ebf7fb2a

Download Submit
C:\Windows\System\donooEw.exe
Filesize
5.9MB

MD5
3b8fe3974a38ee13da52f800db4a5f70

SHA1
b46df90a4059bbfdbc1aec7178ae0c562b089a33

SHA256
df7d110d6661cad98b8068b68f86534cae421b3e575707f2c88cee839be7184d

SHA512
00250a34550ad35c75893e2f8f231562cfb0b6f58545fa961e1fd3279980ab6801d073d4f9364ea00f1329670d5a65500310acc361b877f8c75bf130f5405f9e

Download Submit
C:\Windows\System\egAEzaC.exe
Filesize
5.9MB

MD5
31c215a6f0a8d34cb0d743548d32ced1

SHA1
aee43970228fbcf5ad840b9db02ee741f2649023

SHA256
c7f1ca5026fc239aa4d504f1484a7d45d950dddd3ebdb43210b3d559ba306c2f

SHA512
0a03f5513b08e88705ed5fb7022ca437cbaaee24242f3155885ee3ff1e52ff9cddc4814987b095793e756e91f474a2150b98e402a221e9066496704cb2906919

Download Submit
C:\Windows\System\hjGEsuP.exe
Filesize
5.9MB

MD5
4209b6026860c8a8c486994bf3b261d6

SHA1
fd7fcb84f097c1bb8b9a9c5c7c5e8a3ecdcd71da

SHA256
7d5e076ac92172fbfda73449c6b3d40ab956bb7f1d696b0ed29fdf7152ae2b71

SHA512
1b4d0c7329164d9e8c64cd4c8db946989c679db4b927143263f7edca33e1d0794cc1b0c8daeacaf6a65f68879e1d5becdbc9f52f8b11e36efcce83ab2582b543

Download Submit
C:\Windows\System\iSlgCdN.exe
Filesize
5.9MB

MD5
47089f296899b8b16beb664eaf1ccdd4

SHA1
5df4c5138bfd28e18e2177ca63939f9f0d9fa765

SHA256
2b4e98ba84a6b4d370316ac656efff676b4b9b4cf7adcef53eb131741a7cc1e4

SHA512
2c6ef0907f289ca448426e2e2c379505b0cb702572426b4194156636617609bd2e7030a763d0da6b5bf6ff87bf9fc9f3b2c5801fea6d488fbeb51e2acef60c38

Download Submit
C:\Windows\System\jQqNFav.exe
Filesize
5.9MB

MD5
ae4fc11d77f9eabeda50c51cb0da7b7f

SHA1
74c2e531603267f3394e7fdb8da059e56f3c7d88

SHA256
41c32bd6aebf7fd215e1509db82d17538ab4cae4601db15009c957546dd647ab

SHA512
491e781b9396f564b4ac5a5bf4a9ce055cf82cdfcca0665a8eda18b6b2a345d40fcdd006e73c4f713e3f93458bfc3245f24350b7cc3b28f745a07714dde08077

Download Submit
C:\Windows\System\npVEddd.exe
Filesize
5.9MB

MD5
eb4cc31b1a1c8fdb8dc2eedc13238f1b

SHA1
a63a53fb25a03435d22a6c8b45622efac6093ec6

SHA256
c84ebefa14235260acd09474e974dd736d9f149a3c0189ff52ed07255e86341e

SHA512
511d77dfa2ab1ef67ff0925b10c01e15192adadcbd0709618c862bad3424ca7aaa32c1181be746bc64a597853f6be6e9e1ac5641145c5e7efe0ce4bded7da326

Download Submit
C:\Windows\System\oEEVYTP.exe
Filesize
5.9MB

MD5
3f637efb81cbc1c4256cce780ea7b2f4

SHA1
6c7eadcf202ee125e867e5595f210f50b836b8ec

SHA256
06a43a9893149ab5768c331bdd1debb66d40526ab56db597543cfd421d3f0e48

SHA512
2a07fcb5be766f3513f4b7d6bf62e392f192980d5aec9e739b8e93133a53dcf40411bd9d3ade55c5f095f7cd3f7a8d3480405fedd1b7483a0ba9311a1ab35d6b

Download Submit
C:\Windows\System\rDwfIpV.exe
Filesize
5.9MB

MD5
f94f9de41286b7ea7ef200fe775ace97

SHA1
bde9bff6b33ee109bbd73dba6c277d5a8ae79289

SHA256
e8a14a1b61344c46db7e3b67dc4647b1bf0fd7926f5b54cfeb58d6bc236e2d37

SHA512
daf14eaf40faa98f09fbaa66d190eb5ceb5a969f176b87f60385cfbfbc39fd04a5f692b4f35789e9001e48ec44c74a95e82c8d512d5d16bb70fcc1365a5f77e9

Download Submit
C:\Windows\System\sSVhBBb.exe
Filesize
5.9MB

MD5
0708b78a2b322e2544d69507a709b17a

SHA1
3b79fc57a9180233843902a1f2dd3718af4332e2

SHA256
921c8e27d3e49adcfc26506128683542ddfb9a5316dd727123ea6f694ddbbb64

SHA512
ee0a8f29e3b1ee912e30077f232ab972e39904c5077a17a7e16afc060c38cd149cc15c3f8d16de0d96440d25ace79e2f3bf89fc8ccfbfcf35c7a9413f281ae21

Download Submit
C:\Windows\System\sShTTPn.exe
Filesize
5.9MB

MD5
cd136295ba63307b77ce28c64d580cac

SHA1
1621425dd4b89feba29b61103b0ca47354174577

SHA256
315989960c9116e03029d05104834959bc88fe7ab647616c69993d8b1d7e6681

SHA512
2f6336e35823e8154edd05d937bc8fc448a3d19f9d64f720db9dd52aa04b1a292e9ba4555728e21c16be6ee42ffc5c7cdf55fef25bfaff6734f05abd209c60a8

Download Submit
C:\Windows\System\wOLchYO.exe
Filesize
5.9MB

MD5
174d84d627a20fcd2bb2952a86f29dbc

SHA1
9adaca0a5c8bf4c039da94034d66ecbe93efffcb

SHA256
3c50d5def613f7036d04921b9395853360b654f1e47a9045ffa9d8be8d71ec8c

SHA512
af6ddd387efa7df1b785ae3d74d9459493a32c41b4716a3531a8fccebe177e3cd7a8ccac677a98255a92b6fa53e4696d1ce583d1f6a277c64f6c35d7570d35c8

Download Submit
C:\Windows\System\wlgkZSr.exe
Filesize
5.9MB

MD5
b5dfb0d74883a9fa259fba7cb244712d

SHA1
e8e3fc3d07cdaf2ada2a3561e9d8773328b02777

SHA256
d2fa28b289ae198f5b07b3199da2193d96fccdbcf80a00feea165ff153ee5669

SHA512
0bc8c7de917e52e1614eea26c09a3d49724eefb184102dd491e30c3fb15941ce39c76de209ac867f09d60d81c912f5be774ae80e48445eaa8131f01264ca90d4

Download Submit
C:\Windows\System\zsHjXCp.exe
Filesize
5.9MB

MD5
f34f4a878ff6e517fcedeea8f554d8a1

SHA1
eb35a9f80b2a84e09c4224a59df42b3ad2206529

SHA256
8bc7a9c25c82145c49fd977a6c368385ce4c818f9950c63be5fbe8432ad29502

SHA512
8ffe0f2c5f1d07728cb2444e823c733ffff99c8782b35faf559d6a8aee9030d84d884f9f9cc36d2c4388786e0755cdd72d4561c10a501c28fe2860b9c134098d

Download Submit
memory/212-107-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp

Filesize
3.3MB

Download
memory/212-137-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp

Filesize
3.3MB

Download
memory/212-156-0x00007FF633A60000-0x00007FF633DB4000-memory.dmp

Filesize
3.3MB

Download
memory/624-153-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp

Filesize
3.3MB

Download
memory/624-90-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp

Filesize
3.3MB

Download
memory/624-135-0x00007FF6B34C0000-0x00007FF6B3814000-memory.dmp

Filesize
3.3MB

Download
memory/1436-147-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp

Filesize
3.3MB

Download
memory/1436-53-0x00007FF776D80000-0x00007FF7770D4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-101-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp

Filesize
3.3MB

Download
memory/1616-144-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp

Filesize
3.3MB

Download
memory/1616-32-0x00007FF7ADEB0000-0x00007FF7AE204000-memory.dmp

Filesize
3.3MB

Download
memory/2156-134-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp

Filesize
3.3MB

Download
memory/2156-152-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp

Filesize
3.3MB

Download
memory/2156-81-0x00007FF7F6DF0000-0x00007FF7F7144000-memory.dmp

Filesize
3.3MB

Download
memory/2436-130-0x00007FF765EB0000-0x00007FF766204000-memory.dmp

Filesize
3.3MB

Download
memory/2436-159-0x00007FF765EB0000-0x00007FF766204000-memory.dmp

Filesize
3.3MB

Download
memory/2656-150-0x00007FF6AC6E0000-0x00007FF6ACA34000-memory.dmp

Filesize
3.3MB

Download
memory/2656-71-0x00007FF6AC6E0000-0x00007FF6ACA34000-memory.dmp

Filesize
3.3MB

Download
memory/2812-76-0x00007FF751C50000-0x00007FF751FA4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-151-0x00007FF751C50000-0x00007FF751FA4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-14-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-80-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-141-0x00007FF6AE770000-0x00007FF6AEAC4000-memory.dmp

Filesize
3.3MB

Download
memory/3212-40-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp

Filesize
3.3MB

Download
memory/3212-145-0x00007FF76FFD0000-0x00007FF770324000-memory.dmp

Filesize
3.3MB

Download
memory/3584-148-0x00007FF702090000-0x00007FF7023E4000-memory.dmp

Filesize
3.3MB

Download
memory/3584-67-0x00007FF702090000-0x00007FF7023E4000-memory.dmp

Filesize
3.3MB

Download
memory/3708-70-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp

Filesize
3.3MB

Download
memory/3708-0-0x00007FF79E4F0000-0x00007FF79E844000-memory.dmp

Filesize
3.3MB

Download
memory/3708-1-0x0000029C08080000-0x0000029C08090000-memory.dmp

Filesize
64KB

Download
memory/3848-154-0x00007FF7B1EB0000-0x00007FF7B2204000-memory.dmp

Filesize
3.3MB

Download
memory/3848-96-0x00007FF7B1EB0000-0x00007FF7B2204000-memory.dmp

Filesize
3.3MB

Download
memory/4016-22-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp

Filesize
3.3MB

Download
memory/4016-142-0x00007FF6C7420000-0x00007FF6C7774000-memory.dmp

Filesize
3.3MB

Download
memory/4140-50-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp

Filesize
3.3MB

Download
memory/4140-146-0x00007FF6ED9C0000-0x00007FF6EDD14000-memory.dmp

Filesize
3.3MB

Download
memory/4188-55-0x00007FF6485C0000-0x00007FF648914000-memory.dmp

Filesize
3.3MB

Download
memory/4188-115-0x00007FF6485C0000-0x00007FF648914000-memory.dmp

Filesize
3.3MB

Download
memory/4188-149-0x00007FF6485C0000-0x00007FF648914000-memory.dmp

Filesize
3.3MB

Download
memory/4196-31-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-143-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4196-87-0x00007FF67AFA0000-0x00007FF67B2F4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-138-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-116-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp

Filesize
3.3MB

Download
memory/4268-157-0x00007FF742F50000-0x00007FF7432A4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-75-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-8-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-140-0x00007FF674E70000-0x00007FF6751C4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-131-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-160-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4540-139-0x00007FF61A5A0000-0x00007FF61A8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4556-105-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

Filesize
3.3MB

Download
memory/4556-155-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

Filesize
3.3MB

Download
memory/4556-136-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

Filesize
3.3MB

Download
memory/4836-158-0x00007FF633430000-0x00007FF633784000-memory.dmp

Filesize
3.3MB

Download
memory/4836-127-0x00007FF633430000-0x00007FF633784000-memory.dmp

Filesize
3.3MB

Download