cobaltstrike | e6473b57c00e9b1ced4a5d0a68a4a18e29401b2c4d467d3b65732523c99edb29

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

d735d5a6f1e7e9b55d5834735e6c334b
SHA1

40ec2a450eeca239811475e6367f387643f247f5
SHA256

e6473b57c00e9b1ced4a5d0a68a4a18e29401b2c4d467d3b65732523c99edb29
SHA512

531ab7f62e55262dffa5ed87d4aa6f23c9b6da8e9f02f465647a18558b0c5d0800c844864ca62d128c74c68f1e63794ec36ec7ff71219dda9960e6e416693260
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU6:Q+u56utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GIzxQfb.exe	cobalt_reflective_dll
C:\Windows\System\yOnAaLI.exe	cobalt_reflective_dll
C:\Windows\System\WsOGZnq.exe	cobalt_reflective_dll
C:\Windows\System\zouMEVh.exe	cobalt_reflective_dll
C:\Windows\System\TboHxJc.exe	cobalt_reflective_dll
C:\Windows\System\CFfLKDw.exe	cobalt_reflective_dll
C:\Windows\System\MOTeZmt.exe	cobalt_reflective_dll
C:\Windows\System\sUjNOag.exe	cobalt_reflective_dll
C:\Windows\System\gEkPqCA.exe	cobalt_reflective_dll
C:\Windows\System\krXDjjO.exe	cobalt_reflective_dll
C:\Windows\System\lVjuOoY.exe	cobalt_reflective_dll
C:\Windows\System\qYeaQDc.exe	cobalt_reflective_dll
C:\Windows\System\WbaOpzK.exe	cobalt_reflective_dll
C:\Windows\System\cqcgPab.exe	cobalt_reflective_dll
C:\Windows\System\IhUfsXa.exe	cobalt_reflective_dll
C:\Windows\System\pOSzWbu.exe	cobalt_reflective_dll
C:\Windows\System\yhcJhlo.exe	cobalt_reflective_dll
C:\Windows\System\DCIrQrv.exe	cobalt_reflective_dll
C:\Windows\System\FSltutz.exe	cobalt_reflective_dll
C:\Windows\System\IHEWiCG.exe	cobalt_reflective_dll
C:\Windows\System\wMVCaEl.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\GIzxQfb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yOnAaLI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WsOGZnq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zouMEVh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TboHxJc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CFfLKDw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MOTeZmt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sUjNOag.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gEkPqCA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\krXDjjO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lVjuOoY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qYeaQDc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WbaOpzK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cqcgPab.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IhUfsXa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pOSzWbu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yhcJhlo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DCIrQrv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FSltutz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IHEWiCG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wMVCaEl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-0-0x00007FF640900000-0x00007FF640C54000-memory.dmp	UPX
C:\Windows\System\GIzxQfb.exe	UPX
behavioral2/memory/2316-8-0x00007FF615F00000-0x00007FF616254000-memory.dmp	UPX
C:\Windows\System\yOnAaLI.exe	UPX
C:\Windows\System\WsOGZnq.exe	UPX
behavioral2/memory/3016-19-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	UPX
C:\Windows\System\zouMEVh.exe	UPX
C:\Windows\System\TboHxJc.exe	UPX
C:\Windows\System\CFfLKDw.exe	UPX
C:\Windows\System\MOTeZmt.exe	UPX
C:\Windows\System\sUjNOag.exe	UPX
behavioral2/memory/4868-63-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	UPX
behavioral2/memory/2468-66-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	UPX
behavioral2/memory/4744-73-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	UPX
behavioral2/memory/4696-72-0x00007FF646320000-0x00007FF646674000-memory.dmp	UPX
C:\Windows\System\gEkPqCA.exe	UPX
C:\Windows\System\krXDjjO.exe	UPX
behavioral2/memory/5064-67-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	UPX
behavioral2/memory/4492-65-0x00007FF765F10000-0x00007FF766264000-memory.dmp	UPX
behavioral2/memory/2208-64-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	UPX
behavioral2/memory/2580-59-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	UPX
behavioral2/memory/4648-42-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	UPX
C:\Windows\System\lVjuOoY.exe	UPX
C:\Windows\System\qYeaQDc.exe	UPX
behavioral2/memory/4828-16-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	UPX
C:\Windows\System\WbaOpzK.exe	UPX
behavioral2/memory/828-80-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	UPX
C:\Windows\System\cqcgPab.exe	UPX
C:\Windows\System\IhUfsXa.exe	UPX
behavioral2/memory/2164-98-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	UPX
behavioral2/memory/220-100-0x00007FF640900000-0x00007FF640C54000-memory.dmp	UPX
C:\Windows\System\pOSzWbu.exe	UPX
C:\Windows\System\yhcJhlo.exe	UPX
behavioral2/memory/4356-123-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	UPX
behavioral2/memory/1716-124-0x00007FF72F680000-0x00007FF72F9D4000-memory.dmp	UPX
C:\Windows\System\DCIrQrv.exe	UPX
behavioral2/memory/2264-118-0x00007FF755E90000-0x00007FF7561E4000-memory.dmp	UPX
behavioral2/memory/4828-116-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	UPX
C:\Windows\System\FSltutz.exe	UPX
C:\Windows\System\IHEWiCG.exe	UPX
C:\Windows\System\wMVCaEl.exe	UPX
behavioral2/memory/3556-101-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	UPX
behavioral2/memory/3856-95-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	UPX
behavioral2/memory/4140-91-0x00007FF642D70000-0x00007FF6430C4000-memory.dmp	UPX
behavioral2/memory/3016-129-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	UPX
behavioral2/memory/1376-130-0x00007FF7AD390000-0x00007FF7AD6E4000-memory.dmp	UPX
behavioral2/memory/2468-131-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	UPX
behavioral2/memory/2164-132-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	UPX
behavioral2/memory/3556-133-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	UPX
behavioral2/memory/4356-134-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	UPX
behavioral2/memory/2316-135-0x00007FF615F00000-0x00007FF616254000-memory.dmp	UPX
behavioral2/memory/4828-136-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	UPX
behavioral2/memory/3016-137-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	UPX
behavioral2/memory/4648-138-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	UPX
behavioral2/memory/2580-140-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	UPX
behavioral2/memory/5064-139-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	UPX
behavioral2/memory/4868-141-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	UPX
behavioral2/memory/4492-144-0x00007FF765F10000-0x00007FF766264000-memory.dmp	UPX
behavioral2/memory/4696-143-0x00007FF646320000-0x00007FF646674000-memory.dmp	UPX
behavioral2/memory/2208-142-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	UPX
behavioral2/memory/2468-145-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	UPX
behavioral2/memory/4744-146-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	UPX
behavioral2/memory/828-147-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	UPX
behavioral2/memory/3856-148-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/220-0-0x00007FF640900000-0x00007FF640C54000-memory.dmp	xmrig
C:\Windows\System\GIzxQfb.exe	xmrig
behavioral2/memory/2316-8-0x00007FF615F00000-0x00007FF616254000-memory.dmp	xmrig
C:\Windows\System\yOnAaLI.exe	xmrig
C:\Windows\System\WsOGZnq.exe	xmrig
behavioral2/memory/3016-19-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	xmrig
C:\Windows\System\zouMEVh.exe	xmrig
C:\Windows\System\TboHxJc.exe	xmrig
C:\Windows\System\CFfLKDw.exe	xmrig
C:\Windows\System\MOTeZmt.exe	xmrig
C:\Windows\System\sUjNOag.exe	xmrig
behavioral2/memory/4868-63-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	xmrig
behavioral2/memory/2468-66-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	xmrig
behavioral2/memory/4744-73-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	xmrig
behavioral2/memory/4696-72-0x00007FF646320000-0x00007FF646674000-memory.dmp	xmrig
C:\Windows\System\gEkPqCA.exe	xmrig
C:\Windows\System\krXDjjO.exe	xmrig
behavioral2/memory/5064-67-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	xmrig
behavioral2/memory/4492-65-0x00007FF765F10000-0x00007FF766264000-memory.dmp	xmrig
behavioral2/memory/2208-64-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	xmrig
behavioral2/memory/2580-59-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	xmrig
behavioral2/memory/4648-42-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	xmrig
C:\Windows\System\lVjuOoY.exe	xmrig
C:\Windows\System\qYeaQDc.exe	xmrig
behavioral2/memory/4828-16-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	xmrig
C:\Windows\System\WbaOpzK.exe	xmrig
behavioral2/memory/828-80-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	xmrig
C:\Windows\System\cqcgPab.exe	xmrig
C:\Windows\System\IhUfsXa.exe	xmrig
behavioral2/memory/2164-98-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	xmrig
behavioral2/memory/220-100-0x00007FF640900000-0x00007FF640C54000-memory.dmp	xmrig
C:\Windows\System\pOSzWbu.exe	xmrig
C:\Windows\System\yhcJhlo.exe	xmrig
behavioral2/memory/4356-123-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	xmrig
behavioral2/memory/1716-124-0x00007FF72F680000-0x00007FF72F9D4000-memory.dmp	xmrig
C:\Windows\System\DCIrQrv.exe	xmrig
behavioral2/memory/2264-118-0x00007FF755E90000-0x00007FF7561E4000-memory.dmp	xmrig
behavioral2/memory/4828-116-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	xmrig
C:\Windows\System\FSltutz.exe	xmrig
C:\Windows\System\IHEWiCG.exe	xmrig
C:\Windows\System\wMVCaEl.exe	xmrig
behavioral2/memory/3556-101-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	xmrig
behavioral2/memory/3856-95-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	xmrig
behavioral2/memory/4140-91-0x00007FF642D70000-0x00007FF6430C4000-memory.dmp	xmrig
behavioral2/memory/3016-129-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	xmrig
behavioral2/memory/1376-130-0x00007FF7AD390000-0x00007FF7AD6E4000-memory.dmp	xmrig
behavioral2/memory/2468-131-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	xmrig
behavioral2/memory/2164-132-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	xmrig
behavioral2/memory/3556-133-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	xmrig
behavioral2/memory/4356-134-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	xmrig
behavioral2/memory/2316-135-0x00007FF615F00000-0x00007FF616254000-memory.dmp	xmrig
behavioral2/memory/4828-136-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	xmrig
behavioral2/memory/3016-137-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	xmrig
behavioral2/memory/4648-138-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	xmrig
behavioral2/memory/2580-140-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	xmrig
behavioral2/memory/5064-139-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	xmrig
behavioral2/memory/4868-141-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	xmrig
behavioral2/memory/4492-144-0x00007FF765F10000-0x00007FF766264000-memory.dmp	xmrig
behavioral2/memory/4696-143-0x00007FF646320000-0x00007FF646674000-memory.dmp	xmrig
behavioral2/memory/2208-142-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	xmrig
behavioral2/memory/2468-145-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	xmrig
behavioral2/memory/4744-146-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	xmrig
behavioral2/memory/828-147-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	xmrig
behavioral2/memory/3856-148-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GIzxQfb.exeyOnAaLI.exeWsOGZnq.exezouMEVh.exeqYeaQDc.exeTboHxJc.exelVjuOoY.exeCFfLKDw.exesUjNOag.exeMOTeZmt.exekrXDjjO.exegEkPqCA.exeWbaOpzK.execqcgPab.exeIhUfsXa.exeIHEWiCG.exewMVCaEl.exeFSltutz.exepOSzWbu.exeyhcJhlo.exeDCIrQrv.exe

pid	process
2316	GIzxQfb.exe
4828	yOnAaLI.exe
3016	WsOGZnq.exe
4648	zouMEVh.exe
5064	qYeaQDc.exe
2580	TboHxJc.exe
4868	lVjuOoY.exe
4696	CFfLKDw.exe
2208	sUjNOag.exe
4492	MOTeZmt.exe
4744	krXDjjO.exe
2468	gEkPqCA.exe
828	WbaOpzK.exe
4140	cqcgPab.exe
3856	IhUfsXa.exe
2164	IHEWiCG.exe
3556	wMVCaEl.exe
2264	FSltutz.exe
4356	pOSzWbu.exe
1716	yhcJhlo.exe
1376	DCIrQrv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/220-0-0x00007FF640900000-0x00007FF640C54000-memory.dmp	upx
C:\Windows\System\GIzxQfb.exe	upx
behavioral2/memory/2316-8-0x00007FF615F00000-0x00007FF616254000-memory.dmp	upx
C:\Windows\System\yOnAaLI.exe	upx
C:\Windows\System\WsOGZnq.exe	upx
behavioral2/memory/3016-19-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	upx
C:\Windows\System\zouMEVh.exe	upx
C:\Windows\System\TboHxJc.exe	upx
C:\Windows\System\CFfLKDw.exe	upx
C:\Windows\System\MOTeZmt.exe	upx
C:\Windows\System\sUjNOag.exe	upx
behavioral2/memory/4868-63-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	upx
behavioral2/memory/2468-66-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	upx
behavioral2/memory/4744-73-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	upx
behavioral2/memory/4696-72-0x00007FF646320000-0x00007FF646674000-memory.dmp	upx
C:\Windows\System\gEkPqCA.exe	upx
C:\Windows\System\krXDjjO.exe	upx
behavioral2/memory/5064-67-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	upx
behavioral2/memory/4492-65-0x00007FF765F10000-0x00007FF766264000-memory.dmp	upx
behavioral2/memory/2208-64-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	upx
behavioral2/memory/2580-59-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	upx
behavioral2/memory/4648-42-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	upx
C:\Windows\System\lVjuOoY.exe	upx
C:\Windows\System\qYeaQDc.exe	upx
behavioral2/memory/4828-16-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	upx
C:\Windows\System\WbaOpzK.exe	upx
behavioral2/memory/828-80-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	upx
C:\Windows\System\cqcgPab.exe	upx
C:\Windows\System\IhUfsXa.exe	upx
behavioral2/memory/2164-98-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	upx
behavioral2/memory/220-100-0x00007FF640900000-0x00007FF640C54000-memory.dmp	upx
C:\Windows\System\pOSzWbu.exe	upx
C:\Windows\System\yhcJhlo.exe	upx
behavioral2/memory/4356-123-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	upx
behavioral2/memory/1716-124-0x00007FF72F680000-0x00007FF72F9D4000-memory.dmp	upx
C:\Windows\System\DCIrQrv.exe	upx
behavioral2/memory/2264-118-0x00007FF755E90000-0x00007FF7561E4000-memory.dmp	upx
behavioral2/memory/4828-116-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	upx
C:\Windows\System\FSltutz.exe	upx
C:\Windows\System\IHEWiCG.exe	upx
C:\Windows\System\wMVCaEl.exe	upx
behavioral2/memory/3556-101-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	upx
behavioral2/memory/3856-95-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	upx
behavioral2/memory/4140-91-0x00007FF642D70000-0x00007FF6430C4000-memory.dmp	upx
behavioral2/memory/3016-129-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	upx
behavioral2/memory/1376-130-0x00007FF7AD390000-0x00007FF7AD6E4000-memory.dmp	upx
behavioral2/memory/2468-131-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	upx
behavioral2/memory/2164-132-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp	upx
behavioral2/memory/3556-133-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp	upx
behavioral2/memory/4356-134-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp	upx
behavioral2/memory/2316-135-0x00007FF615F00000-0x00007FF616254000-memory.dmp	upx
behavioral2/memory/4828-136-0x00007FF61B020000-0x00007FF61B374000-memory.dmp	upx
behavioral2/memory/3016-137-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp	upx
behavioral2/memory/4648-138-0x00007FF7814C0000-0x00007FF781814000-memory.dmp	upx
behavioral2/memory/2580-140-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp	upx
behavioral2/memory/5064-139-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp	upx
behavioral2/memory/4868-141-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp	upx
behavioral2/memory/4492-144-0x00007FF765F10000-0x00007FF766264000-memory.dmp	upx
behavioral2/memory/4696-143-0x00007FF646320000-0x00007FF646674000-memory.dmp	upx
behavioral2/memory/2208-142-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp	upx
behavioral2/memory/2468-145-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp	upx
behavioral2/memory/4744-146-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp	upx
behavioral2/memory/828-147-0x00007FF74FE40000-0x00007FF750194000-memory.dmp	upx
behavioral2/memory/3856-148-0x00007FF7082E0000-0x00007FF708634000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\qYeaQDc.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVjuOoY.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOTeZmt.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gEkPqCA.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHEWiCG.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wMVCaEl.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSltutz.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WsOGZnq.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCIrQrv.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sUjNOag.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krXDjjO.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbaOpzK.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yhcJhlo.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TboHxJc.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zouMEVh.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cqcgPab.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pOSzWbu.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOnAaLI.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFfLKDw.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IhUfsXa.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GIzxQfb.exe	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 220 wrote to memory of 2316	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	GIzxQfb.exe
PID 220 wrote to memory of 2316	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	GIzxQfb.exe
PID 220 wrote to memory of 4828	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	yOnAaLI.exe
PID 220 wrote to memory of 4828	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	yOnAaLI.exe
PID 220 wrote to memory of 3016	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	WsOGZnq.exe
PID 220 wrote to memory of 3016	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	WsOGZnq.exe
PID 220 wrote to memory of 4648	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	zouMEVh.exe
PID 220 wrote to memory of 4648	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	zouMEVh.exe
PID 220 wrote to memory of 2580	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	TboHxJc.exe
PID 220 wrote to memory of 2580	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	TboHxJc.exe
PID 220 wrote to memory of 5064	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	qYeaQDc.exe
PID 220 wrote to memory of 5064	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	qYeaQDc.exe
PID 220 wrote to memory of 4868	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	lVjuOoY.exe
PID 220 wrote to memory of 4868	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	lVjuOoY.exe
PID 220 wrote to memory of 4696	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	CFfLKDw.exe
PID 220 wrote to memory of 4696	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	CFfLKDw.exe
PID 220 wrote to memory of 2208	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	sUjNOag.exe
PID 220 wrote to memory of 2208	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	sUjNOag.exe
PID 220 wrote to memory of 4492	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	MOTeZmt.exe
PID 220 wrote to memory of 4492	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	MOTeZmt.exe
PID 220 wrote to memory of 4744	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	krXDjjO.exe
PID 220 wrote to memory of 4744	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	krXDjjO.exe
PID 220 wrote to memory of 2468	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	gEkPqCA.exe
PID 220 wrote to memory of 2468	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	gEkPqCA.exe
PID 220 wrote to memory of 828	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	WbaOpzK.exe
PID 220 wrote to memory of 828	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	WbaOpzK.exe
PID 220 wrote to memory of 4140	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	cqcgPab.exe
PID 220 wrote to memory of 4140	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	cqcgPab.exe
PID 220 wrote to memory of 3856	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	IhUfsXa.exe
PID 220 wrote to memory of 3856	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	IhUfsXa.exe
PID 220 wrote to memory of 2164	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	IHEWiCG.exe
PID 220 wrote to memory of 2164	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	IHEWiCG.exe
PID 220 wrote to memory of 3556	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	wMVCaEl.exe
PID 220 wrote to memory of 3556	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	wMVCaEl.exe
PID 220 wrote to memory of 2264	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	FSltutz.exe
PID 220 wrote to memory of 2264	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	FSltutz.exe
PID 220 wrote to memory of 4356	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	pOSzWbu.exe
PID 220 wrote to memory of 4356	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	pOSzWbu.exe
PID 220 wrote to memory of 1716	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	yhcJhlo.exe
PID 220 wrote to memory of 1716	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	yhcJhlo.exe
PID 220 wrote to memory of 1376	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	DCIrQrv.exe
PID 220 wrote to memory of 1376	220	2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe	DCIrQrv.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_d735d5a6f1e7e9b55d5834735e6c334b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\System\GIzxQfb.exe
C:\Windows\System\GIzxQfb.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\yOnAaLI.exe
C:\Windows\System\yOnAaLI.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System\WsOGZnq.exe
C:\Windows\System\WsOGZnq.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\zouMEVh.exe
C:\Windows\System\zouMEVh.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\TboHxJc.exe
C:\Windows\System\TboHxJc.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\qYeaQDc.exe
C:\Windows\System\qYeaQDc.exe
2⤵
- Executes dropped EXE
PID:5064

C:\Windows\System\lVjuOoY.exe
C:\Windows\System\lVjuOoY.exe
2⤵
- Executes dropped EXE
PID:4868

C:\Windows\System\CFfLKDw.exe
C:\Windows\System\CFfLKDw.exe
2⤵
- Executes dropped EXE
PID:4696

C:\Windows\System\sUjNOag.exe
C:\Windows\System\sUjNOag.exe
2⤵
- Executes dropped EXE
PID:2208

C:\Windows\System\MOTeZmt.exe
C:\Windows\System\MOTeZmt.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System\krXDjjO.exe
C:\Windows\System\krXDjjO.exe
2⤵
- Executes dropped EXE
PID:4744

C:\Windows\System\gEkPqCA.exe
C:\Windows\System\gEkPqCA.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\WbaOpzK.exe
C:\Windows\System\WbaOpzK.exe
2⤵
- Executes dropped EXE
PID:828

C:\Windows\System\cqcgPab.exe
C:\Windows\System\cqcgPab.exe
2⤵
- Executes dropped EXE
PID:4140

C:\Windows\System\IhUfsXa.exe
C:\Windows\System\IhUfsXa.exe
2⤵
- Executes dropped EXE
PID:3856

C:\Windows\System\IHEWiCG.exe
C:\Windows\System\IHEWiCG.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\System\wMVCaEl.exe
C:\Windows\System\wMVCaEl.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\System\FSltutz.exe
C:\Windows\System\FSltutz.exe
2⤵
- Executes dropped EXE
PID:2264

C:\Windows\System\pOSzWbu.exe
C:\Windows\System\pOSzWbu.exe
2⤵
- Executes dropped EXE
PID:4356

C:\Windows\System\yhcJhlo.exe
C:\Windows\System\yhcJhlo.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System\DCIrQrv.exe
C:\Windows\System\DCIrQrv.exe
2⤵
- Executes dropped EXE
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CFfLKDw.exe
Filesize
5.9MB

MD5
6aec07b4ed1d23ed26b756fd26e04e88

SHA1
f2d51506386ee292047f413881410bafd26a8fa9

SHA256
6db825b09991583f12dec1550d80a27a04252ebad7a7c71ef10bc25e834a55e4

SHA512
2ee3ac3a90da1e16e03c76e5d5283dacb7c64cd6743c35b4f84a77917298467855f16f26a75795b88cce53f989cfa7ee87255e6dcd6e422cf47d65c105ff1ea6

Download Submit
C:\Windows\System\DCIrQrv.exe
Filesize
5.9MB

MD5
9a3e978a4166f78cf49cb1a925d04372

SHA1
bb7ec9dbf54e4f2fcc9f876b12b8b001986eac3d

SHA256
d2a7e4ec74b3ee4f62b04fdd8635a2c894561df12402c24bbf5ff9c9e727d8db

SHA512
3698cb8025f991f8d7af73404657fef9653577dd5602131c1c91c9ad5649e5be84a4455d0657e4d84d2b6863b1965ad8f345c5c3625f6e47ac3266ba433c03bb

Download Submit
C:\Windows\System\FSltutz.exe
Filesize
5.9MB

MD5
6b217c41b079f721921b588ad979df31

SHA1
5e65fcbd2c3545dfaf7a15cbed2717da2394c5ad

SHA256
ab76a7c93877bcb60294fc0bcd89eb61b3cfa29087639184d4b7a7d05c7bc4f0

SHA512
1a8ab07183671c187ae82d87c3483903cdbfa7be677917cf622d41fa1472ce3812397969e3d3215ff84be16bdba013f3f7670af72837fb55a9b5db7f5634776a

Download Submit
C:\Windows\System\GIzxQfb.exe
Filesize
5.9MB

MD5
d8dcd3bb142881f6614d320d6721f878

SHA1
97542d12c4ba45152feedff7a26e722f4e76fa36

SHA256
30f9d4e24d5529cc0f9643b2e0ad958be926136f227f0485f0145cbdec2444d0

SHA512
0f7f4bb7d3f8f21fc75e49d8088d76a41279eab5f9b1bfcc542398fbd640b9b61bc628f9a699d91b2314c6425b360e5ceb3e7cb28fdf81b4688420111c7534a0

Download Submit
C:\Windows\System\IHEWiCG.exe
Filesize
5.9MB

MD5
5918dfdc65e7bd8f30ade8a73d9a5e51

SHA1
4b44231c111a926cc26feb93d5c7e34d0d283a2e

SHA256
a07f86f1998d5def84dc939bbd1806dbdcc30cf8360249a791e1146b82ab9deb

SHA512
42c8c9400014cf3a946fd00bb6cc562438fb9516ad23dfc9266f4e35473ed60ccfa62e9b79eb144bd2aee7d4ed8c5dc29b6d87685624953e461f1aa05188057d

Download Submit
C:\Windows\System\IhUfsXa.exe
Filesize
5.9MB

MD5
4b2aa37d64117d071914205f4f5ca88c

SHA1
d0f03255c490391fb05ed869c36ba1d5efcbcaa5

SHA256
4040a4f7d185c60dc94e89304fe1d718ab5769c2e479c67b3ec3b13ec636ca92

SHA512
4e2c6b098a613284ed7b041e615fc5d4d5945e4163ea4393fe588a91e04aa0e7449eb79dec6b42907c9d51acb376abebc3b2ad7d53e0b9534e2d3956079540d9

Download Submit
C:\Windows\System\MOTeZmt.exe
Filesize
5.9MB

MD5
292e9e3f305ffb4f734eba65f4b7294b

SHA1
3117634c963cc3de0c90b9690149703a67e2235c

SHA256
03abda9fb7869476f6f4cc1820232d5a28b5a12eb2fa7859041a9364eb28f474

SHA512
2eccb64ee11ebf97ebef6d39bf37e09650adf7c3b761df18525f3f36baa5abab8facec4e3506857d61deac489d74e96a5726f04492416da7b624b5079c2cf8ad

Download Submit
C:\Windows\System\TboHxJc.exe
Filesize
5.9MB

MD5
58c3129f336d47222f106db8584e2fa9

SHA1
e8d2a5df568d0623fa8f64ba7c631f4c7c61bc93

SHA256
3c5e0378d6fb0bf08d7bb52514c0021037564153a6ce83c13d2023915c5a1194

SHA512
4a9435b1c0f6a33eeeca6db27f551661e73ca1ee29a201af732f61df53d7e620773fb06b72fdcbe8c63555e40b36ffca242ecf41f1ec92589fb38b5ee274f0d2

Download Submit
C:\Windows\System\WbaOpzK.exe
Filesize
5.9MB

MD5
f6dc96adc9a0fd46c4cbe203e0cb26fb

SHA1
12e2e67816a473af64c302c7538c55df314a29cb

SHA256
569920714862ea2169cd8c9efb0def353f2b8e74bcabd65f4e8e8aab2fb144eb

SHA512
1dfd33e57cb47a5c074c4ac604beb3803e577377dff9ff42b1f880bbfd948ddd0cb60dde7df5f18ee76b557a0573a09a7695d0e4777d2b23c06d908b25c92016

Download Submit
C:\Windows\System\WsOGZnq.exe
Filesize
5.9MB

MD5
80ddf19d140fdad9dedc67a9a48b8abd

SHA1
53b2ca74bf9a445e61fc2e5a72729e3dc89d4c14

SHA256
99fd27a5eb1c99fa48d2123a4844dfc1337be2971c9ee5e2364d86317ba640a9

SHA512
b5e14a85ae214b2af8a44878a3263d8665dd2e0839b70c9cc235fa9f3b1318bb4a40072bc77f951fcdc946376dc21b555ca5714726bc8339836687b58e3d6485

Download Submit
C:\Windows\System\cqcgPab.exe
Filesize
5.9MB

MD5
4b432a80c7723b543f25efb4f46fec51

SHA1
be87e3b9c75afd8accf8cb1919f59feddb866481

SHA256
31dd4fa02658dc8afecab97b9f713f0b7bd645d26166c0a21d3008ae84b96e96

SHA512
d7affcd82cf6982426b19896b8f895be082c10d9af6cc75bb79fc6f8407c2703e34197ecbda55b7e575db0a3ce1d834c40d95aaafc3fb2261394b50f763c9262

Download Submit
C:\Windows\System\gEkPqCA.exe
Filesize
5.9MB

MD5
c5d14034e31936b3145e0bc99e1bd090

SHA1
db043cd6832cfc20ab1f0f7ff6a140aa422eafc2

SHA256
026691d27ec61acee1dab4b63c8992de8f7e7630e6bfb6e6978b16e3635ec767

SHA512
058f93d82d74b57fa16d4211a4032df1d77dc48c0dca85dc90b032395b293d83ef525799b501bc44bc6b508fd214f9bdd9e4d5bf4a2775cd4027afa1707bfb9d

Download Submit
C:\Windows\System\krXDjjO.exe
Filesize
5.9MB

MD5
b7566eb02fa628fec54e62748ec16e25

SHA1
34b4f3f409c96e2056aebeedc477dcbaf8624695

SHA256
f703844a00ada39edc92009127b455f86795a1eee86fc6ef77b67bd955e9754f

SHA512
196fac18f8d6e2e719211ee99647ee61f8cd0d2d1fba21cad3af7c9a43eaa5a1271f136327431c4578388e53716d4c10e223ee7bae53fecbe767a3f530ebbb32

Download Submit
C:\Windows\System\lVjuOoY.exe
Filesize
5.9MB

MD5
28f406ea47ccfb892ba54d4cd60f790c

SHA1
56068a6efaa2a2a74d515ba053f22f09fa233051

SHA256
110755c11200d512dc3b15bb74a5ddfb7b47a100c19a102d522da90b4485f303

SHA512
f34cae896aa9df6a50ab7cc70bd3c8081fd418ea2f9a7d7955718e4cb5b6d12631177a026770ae9f3bf96789814309ec1c7d6c7ce0b4c2e54b164f4cc38540de

Download Submit
C:\Windows\System\pOSzWbu.exe
Filesize
5.9MB

MD5
6f562f2603c4c74bb9077cfac87201a3

SHA1
22a03876813abcb65394923b5a6f0f8f0a169e0a

SHA256
5b59abba68df754120d9f99a00fed1d57cf2346ceaa06a2260494417d8a2542d

SHA512
968877ed520140a2e899fc5192445c30771a30a33af023832b2ddc848c62b9fddca0429a1e13daea9ceb6ed6d908c86c3fc70608710e52012f1b2dc02324d302

Download Submit
C:\Windows\System\qYeaQDc.exe
Filesize
5.9MB

MD5
1b932bb60f124825b48883f316e78cc4

SHA1
c4d64e93f16ca807a04129ee145e00e2641f2023

SHA256
1f99ab884292ced67fa99e77156b00f437b02aef39474c3c4ffc07d9eb9c5131

SHA512
63ef552ec3cb92661287f76fed2d1c3bb340f0e16757e7e43ddc509eab485eb1cff8d34e691205a8cd8e2c3b27d800e9289a81a48c23bb0fa1baedf3a4c94fcf

Download Submit
C:\Windows\System\sUjNOag.exe
Filesize
5.9MB

MD5
10bd2fd5b59e7fb852dcd076336d6b94

SHA1
6dd9dfa53038129b97b19f0177a46700bfb47232

SHA256
5888202705a0f84ea1d9c80fccad17a5308c50f21f4b12e7f087af41882f7114

SHA512
62c6b905b91445e7f2cfd87450487d0403cdc591fef32e68475e68c1d966d22adb611686d83b6e8217b73c5963975b6cd500c97428dda5fb0d44a814adf7de2a

Download Submit
C:\Windows\System\wMVCaEl.exe
Filesize
5.9MB

MD5
7a1259db77b6a02f2a0c788905416608

SHA1
8921e974e1d46c22e25a5ed20bd6c6899f55b8c8

SHA256
b00da0d1cee372303634969993d53bdb95b26a6b9043547a6dbe5ff13da72454

SHA512
6ec4273e16a98871cb8a46b00a0c33fcb1d58053b83a89ec66948447e28b2366e90ef62f0cc4648e3574585288859fe1305da77e0991b44441c5a596a47ebbf5

Download Submit
C:\Windows\System\yOnAaLI.exe
Filesize
5.9MB

MD5
57c93c4a2eea8f81cb75ccf3cc348499

SHA1
95609224e760786029d6d8263dda00a75ac40c7a

SHA256
ff2563b31c3d798b7fcb59ee34af81912360519c8b8d027676c87b2145572a62

SHA512
4bedf46f3e789a0bbd3f644d30235531d78b4b1d337f3d31392430226a5d5c606347e0d869caa367271fc605af1b939dd59e020e800d22b373e4de8db74bfaf7

Download Submit
C:\Windows\System\yhcJhlo.exe
Filesize
5.9MB

MD5
4fca83dc34e4d9dfa1659885e48702b7

SHA1
c3da0f052b9e71c8603c12a505a6d9f7e0499786

SHA256
a63454dc0e1b5e87b38adef87dec9bf5824bce4f5d46c3e0a5505005e3792dc5

SHA512
4138e28462639040211c2dc8e6dd5d9b1ad8baaa603c78004b728e530f31dff991d92b9cde6f5e7695d7fa09bf0f618c24785c3d6abec04fee79c7aa114a2453

Download Submit
C:\Windows\System\zouMEVh.exe
Filesize
5.9MB

MD5
6661f21d5f75e4af928c8b1d6678679e

SHA1
11c0791a793653768b203c71fab37df5ec77093c

SHA256
56992c09207c31cf0a37edd16978205e3d823d1382e534a024a8dbc04d8bbe70

SHA512
3818c44024c9c75046e4f9cca46c01d205bd2046ee397d6f3b481ef715b80f9911eb964121a895e4048198e3019029d79591a23234c27c12c5ddb18999ad6833

Download Submit
memory/220-100-0x00007FF640900000-0x00007FF640C54000-memory.dmp

Filesize
3.3MB

Download
memory/220-1-0x00000218BDAC0000-0x00000218BDAD0000-memory.dmp

Filesize
64KB

Download
memory/220-0-0x00007FF640900000-0x00007FF640C54000-memory.dmp

Filesize
3.3MB

Download
memory/828-147-0x00007FF74FE40000-0x00007FF750194000-memory.dmp

Filesize
3.3MB

Download
memory/828-80-0x00007FF74FE40000-0x00007FF750194000-memory.dmp

Filesize
3.3MB

Download
memory/1376-155-0x00007FF7AD390000-0x00007FF7AD6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1376-130-0x00007FF7AD390000-0x00007FF7AD6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-124-0x00007FF72F680000-0x00007FF72F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-153-0x00007FF72F680000-0x00007FF72F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-150-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp

Filesize
3.3MB

Download
memory/2164-98-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp

Filesize
3.3MB

Download
memory/2164-132-0x00007FF64D5F0000-0x00007FF64D944000-memory.dmp

Filesize
3.3MB

Download
memory/2208-142-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2208-64-0x00007FF65DC90000-0x00007FF65DFE4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-118-0x00007FF755E90000-0x00007FF7561E4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-152-0x00007FF755E90000-0x00007FF7561E4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-135-0x00007FF615F00000-0x00007FF616254000-memory.dmp

Filesize
3.3MB

Download
memory/2316-8-0x00007FF615F00000-0x00007FF616254000-memory.dmp

Filesize
3.3MB

Download
memory/2468-145-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-66-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-131-0x00007FF7EF590000-0x00007FF7EF8E4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-140-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp

Filesize
3.3MB

Download
memory/2580-59-0x00007FF79C9E0000-0x00007FF79CD34000-memory.dmp

Filesize
3.3MB

Download
memory/3016-137-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp

Filesize
3.3MB

Download
memory/3016-19-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp

Filesize
3.3MB

Download
memory/3016-129-0x00007FF6B27E0000-0x00007FF6B2B34000-memory.dmp

Filesize
3.3MB

Download
memory/3556-151-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp

Filesize
3.3MB

Download
memory/3556-101-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp

Filesize
3.3MB

Download
memory/3556-133-0x00007FF60B9C0000-0x00007FF60BD14000-memory.dmp

Filesize
3.3MB

Download
memory/3856-148-0x00007FF7082E0000-0x00007FF708634000-memory.dmp

Filesize
3.3MB

Download
memory/3856-95-0x00007FF7082E0000-0x00007FF708634000-memory.dmp

Filesize
3.3MB

Download
memory/4140-149-0x00007FF642D70000-0x00007FF6430C4000-memory.dmp

Filesize
3.3MB

Download
memory/4140-91-0x00007FF642D70000-0x00007FF6430C4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-134-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-123-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp

Filesize
3.3MB

Download
memory/4356-154-0x00007FF74A770000-0x00007FF74AAC4000-memory.dmp

Filesize
3.3MB

Download
memory/4492-65-0x00007FF765F10000-0x00007FF766264000-memory.dmp

Filesize
3.3MB

Download
memory/4492-144-0x00007FF765F10000-0x00007FF766264000-memory.dmp

Filesize
3.3MB

Download
memory/4648-42-0x00007FF7814C0000-0x00007FF781814000-memory.dmp

Filesize
3.3MB

Download
memory/4648-138-0x00007FF7814C0000-0x00007FF781814000-memory.dmp

Filesize
3.3MB

Download
memory/4696-143-0x00007FF646320000-0x00007FF646674000-memory.dmp

Filesize
3.3MB

Download
memory/4696-72-0x00007FF646320000-0x00007FF646674000-memory.dmp

Filesize
3.3MB

Download
memory/4744-73-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp

Filesize
3.3MB

Download
memory/4744-146-0x00007FF69D0B0000-0x00007FF69D404000-memory.dmp

Filesize
3.3MB

Download
memory/4828-16-0x00007FF61B020000-0x00007FF61B374000-memory.dmp

Filesize
3.3MB

Download
memory/4828-136-0x00007FF61B020000-0x00007FF61B374000-memory.dmp

Filesize
3.3MB

Download
memory/4828-116-0x00007FF61B020000-0x00007FF61B374000-memory.dmp

Filesize
3.3MB

Download
memory/4868-141-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp

Filesize
3.3MB

Download
memory/4868-63-0x00007FF7A1620000-0x00007FF7A1974000-memory.dmp

Filesize
3.3MB

Download
memory/5064-67-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp

Filesize
3.3MB

Download
memory/5064-139-0x00007FF6A2C00000-0x00007FF6A2F54000-memory.dmp

Filesize
3.3MB

Download