cobaltstrike | 65c9e538158468d5c8d37bbd8b30349bc74cad9262071b621d1b329d1ad803a8

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

ee1b789623eecd221c8e3a0f8f4c557e
SHA1

60686b9647bc483af0c3504903af2d51d8c86635
SHA256

65c9e538158468d5c8d37bbd8b30349bc74cad9262071b621d1b329d1ad803a8
SHA512

9566d696c0c2b4c1e39bf8e19be429b5e09e5381521451f745fe8a0ff8f2183731d5f31bbdd76fc113d4e3e3ce4912deeb1cf7ba3386dab8a5796eba6d9904b8
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:Q+856utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\MljTyPs.exe	cobalt_reflective_dll
C:\Windows\System\tkyftnb.exe	cobalt_reflective_dll
C:\Windows\System\VzokHIk.exe	cobalt_reflective_dll
C:\Windows\System\bgbTkVJ.exe	cobalt_reflective_dll
C:\Windows\System\MvKvCvS.exe	cobalt_reflective_dll
C:\Windows\System\oxEUHpD.exe	cobalt_reflective_dll
C:\Windows\System\JtKVUaO.exe	cobalt_reflective_dll
C:\Windows\System\LUtbSNN.exe	cobalt_reflective_dll
C:\Windows\System\kjHWXQN.exe	cobalt_reflective_dll
C:\Windows\System\GFqjewi.exe	cobalt_reflective_dll
C:\Windows\System\TAUUnop.exe	cobalt_reflective_dll
C:\Windows\System\ENfTgfB.exe	cobalt_reflective_dll
C:\Windows\System\bpcLpYz.exe	cobalt_reflective_dll
C:\Windows\System\prCJVnT.exe	cobalt_reflective_dll
C:\Windows\System\OSgfHmn.exe	cobalt_reflective_dll
C:\Windows\System\EqvoTQP.exe	cobalt_reflective_dll
C:\Windows\System\jeRcaQr.exe	cobalt_reflective_dll
C:\Windows\System\ngqGypJ.exe	cobalt_reflective_dll
C:\Windows\System\cjOsxac.exe	cobalt_reflective_dll
C:\Windows\System\RVunLGJ.exe	cobalt_reflective_dll
C:\Windows\System\FmQMNIl.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\MljTyPs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tkyftnb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VzokHIk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bgbTkVJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MvKvCvS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oxEUHpD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JtKVUaO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LUtbSNN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kjHWXQN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GFqjewi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TAUUnop.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ENfTgfB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bpcLpYz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\prCJVnT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OSgfHmn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EqvoTQP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jeRcaQr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ngqGypJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cjOsxac.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RVunLGJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FmQMNIl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4588-0-0x00007FF676020000-0x00007FF676374000-memory.dmp	UPX
C:\Windows\System\MljTyPs.exe	UPX
C:\Windows\System\tkyftnb.exe	UPX
C:\Windows\System\VzokHIk.exe	UPX
behavioral2/memory/332-18-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	UPX
C:\Windows\System\bgbTkVJ.exe	UPX
behavioral2/memory/4716-15-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	UPX
behavioral2/memory/1732-8-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	UPX
behavioral2/memory/4392-28-0x00007FF685810000-0x00007FF685B64000-memory.dmp	UPX
C:\Windows\System\MvKvCvS.exe	UPX
C:\Windows\System\oxEUHpD.exe	UPX
C:\Windows\System\JtKVUaO.exe	UPX
behavioral2/memory/4508-34-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	UPX
behavioral2/memory/2392-43-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	UPX
behavioral2/memory/4944-44-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	UPX
C:\Windows\System\LUtbSNN.exe	UPX
C:\Windows\System\kjHWXQN.exe	UPX
behavioral2/memory/4588-65-0x00007FF676020000-0x00007FF676374000-memory.dmp	UPX
C:\Windows\System\GFqjewi.exe	UPX
C:\Windows\System\TAUUnop.exe	UPX
C:\Windows\System\ENfTgfB.exe	UPX
C:\Windows\System\bpcLpYz.exe	UPX
C:\Windows\System\prCJVnT.exe	UPX
C:\Windows\System\OSgfHmn.exe	UPX
C:\Windows\System\EqvoTQP.exe	UPX
C:\Windows\System\jeRcaQr.exe	UPX
C:\Windows\System\ngqGypJ.exe	UPX
C:\Windows\System\cjOsxac.exe	UPX
C:\Windows\System\RVunLGJ.exe	UPX
behavioral2/memory/3604-67-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	UPX
behavioral2/memory/3920-66-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	UPX
behavioral2/memory/1480-56-0x00007FF735340000-0x00007FF735694000-memory.dmp	UPX
C:\Windows\System\FmQMNIl.exe	UPX
behavioral2/memory/692-50-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	UPX
behavioral2/memory/4716-119-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	UPX
behavioral2/memory/4480-120-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	UPX
behavioral2/memory/716-121-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	UPX
behavioral2/memory/2108-122-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	UPX
behavioral2/memory/936-123-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	UPX
behavioral2/memory/3988-124-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	UPX
behavioral2/memory/4572-127-0x00007FF72BA20000-0x00007FF72BD74000-memory.dmp	UPX
behavioral2/memory/2224-126-0x00007FF60B900000-0x00007FF60BC54000-memory.dmp	UPX
behavioral2/memory/3484-125-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	UPX
behavioral2/memory/5096-128-0x00007FF6DD000000-0x00007FF6DD354000-memory.dmp	UPX
behavioral2/memory/884-129-0x00007FF6CD7C0000-0x00007FF6CDB14000-memory.dmp	UPX
behavioral2/memory/332-130-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	UPX
behavioral2/memory/692-131-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	UPX
behavioral2/memory/3604-132-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	UPX
behavioral2/memory/1732-133-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	UPX
behavioral2/memory/4716-134-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	UPX
behavioral2/memory/332-135-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	UPX
behavioral2/memory/4392-136-0x00007FF685810000-0x00007FF685B64000-memory.dmp	UPX
behavioral2/memory/4508-137-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	UPX
behavioral2/memory/2392-138-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	UPX
behavioral2/memory/4944-139-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	UPX
behavioral2/memory/1480-140-0x00007FF735340000-0x00007FF735694000-memory.dmp	UPX
behavioral2/memory/3920-141-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	UPX
behavioral2/memory/692-142-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	UPX
behavioral2/memory/3604-143-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	UPX
behavioral2/memory/4480-144-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	UPX
behavioral2/memory/716-145-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	UPX
behavioral2/memory/2108-146-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	UPX
behavioral2/memory/936-147-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	UPX
behavioral2/memory/3988-148-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4588-0-0x00007FF676020000-0x00007FF676374000-memory.dmp	xmrig
C:\Windows\System\MljTyPs.exe	xmrig
C:\Windows\System\tkyftnb.exe	xmrig
C:\Windows\System\VzokHIk.exe	xmrig
behavioral2/memory/332-18-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	xmrig
C:\Windows\System\bgbTkVJ.exe	xmrig
behavioral2/memory/4716-15-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	xmrig
behavioral2/memory/1732-8-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	xmrig
behavioral2/memory/4392-28-0x00007FF685810000-0x00007FF685B64000-memory.dmp	xmrig
C:\Windows\System\MvKvCvS.exe	xmrig
C:\Windows\System\oxEUHpD.exe	xmrig
C:\Windows\System\JtKVUaO.exe	xmrig
behavioral2/memory/4508-34-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	xmrig
behavioral2/memory/2392-43-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	xmrig
behavioral2/memory/4944-44-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	xmrig
C:\Windows\System\LUtbSNN.exe	xmrig
C:\Windows\System\kjHWXQN.exe	xmrig
behavioral2/memory/4588-65-0x00007FF676020000-0x00007FF676374000-memory.dmp	xmrig
C:\Windows\System\GFqjewi.exe	xmrig
C:\Windows\System\TAUUnop.exe	xmrig
C:\Windows\System\ENfTgfB.exe	xmrig
C:\Windows\System\bpcLpYz.exe	xmrig
C:\Windows\System\prCJVnT.exe	xmrig
C:\Windows\System\OSgfHmn.exe	xmrig
C:\Windows\System\EqvoTQP.exe	xmrig
C:\Windows\System\jeRcaQr.exe	xmrig
C:\Windows\System\ngqGypJ.exe	xmrig
C:\Windows\System\cjOsxac.exe	xmrig
C:\Windows\System\RVunLGJ.exe	xmrig
behavioral2/memory/3604-67-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	xmrig
behavioral2/memory/3920-66-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	xmrig
behavioral2/memory/1480-56-0x00007FF735340000-0x00007FF735694000-memory.dmp	xmrig
C:\Windows\System\FmQMNIl.exe	xmrig
behavioral2/memory/692-50-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	xmrig
behavioral2/memory/4716-119-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	xmrig
behavioral2/memory/4480-120-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	xmrig
behavioral2/memory/716-121-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	xmrig
behavioral2/memory/2108-122-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	xmrig
behavioral2/memory/936-123-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	xmrig
behavioral2/memory/3988-124-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	xmrig
behavioral2/memory/4572-127-0x00007FF72BA20000-0x00007FF72BD74000-memory.dmp	xmrig
behavioral2/memory/2224-126-0x00007FF60B900000-0x00007FF60BC54000-memory.dmp	xmrig
behavioral2/memory/3484-125-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	xmrig
behavioral2/memory/5096-128-0x00007FF6DD000000-0x00007FF6DD354000-memory.dmp	xmrig
behavioral2/memory/884-129-0x00007FF6CD7C0000-0x00007FF6CDB14000-memory.dmp	xmrig
behavioral2/memory/332-130-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	xmrig
behavioral2/memory/692-131-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	xmrig
behavioral2/memory/3604-132-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	xmrig
behavioral2/memory/1732-133-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	xmrig
behavioral2/memory/4716-134-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	xmrig
behavioral2/memory/332-135-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	xmrig
behavioral2/memory/4392-136-0x00007FF685810000-0x00007FF685B64000-memory.dmp	xmrig
behavioral2/memory/4508-137-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	xmrig
behavioral2/memory/2392-138-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	xmrig
behavioral2/memory/4944-139-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	xmrig
behavioral2/memory/1480-140-0x00007FF735340000-0x00007FF735694000-memory.dmp	xmrig
behavioral2/memory/3920-141-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	xmrig
behavioral2/memory/692-142-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	xmrig
behavioral2/memory/3604-143-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	xmrig
behavioral2/memory/4480-144-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	xmrig
behavioral2/memory/716-145-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	xmrig
behavioral2/memory/2108-146-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	xmrig
behavioral2/memory/936-147-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	xmrig
behavioral2/memory/3988-148-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

MljTyPs.exetkyftnb.exeVzokHIk.exebgbTkVJ.exeMvKvCvS.exeoxEUHpD.exeJtKVUaO.exeLUtbSNN.exeFmQMNIl.exekjHWXQN.exeRVunLGJ.exeGFqjewi.execjOsxac.exeTAUUnop.exengqGypJ.exeENfTgfB.exejeRcaQr.exebpcLpYz.exeprCJVnT.exeEqvoTQP.exeOSgfHmn.exe

pid	process
1732	MljTyPs.exe
4716	tkyftnb.exe
332	VzokHIk.exe
4392	bgbTkVJ.exe
4508	MvKvCvS.exe
2392	oxEUHpD.exe
4944	JtKVUaO.exe
692	LUtbSNN.exe
1480	FmQMNIl.exe
3920	kjHWXQN.exe
3604	RVunLGJ.exe
4480	GFqjewi.exe
716	cjOsxac.exe
2108	TAUUnop.exe
936	ngqGypJ.exe
3988	ENfTgfB.exe
3484	jeRcaQr.exe
2224	bpcLpYz.exe
4572	prCJVnT.exe
5096	EqvoTQP.exe
884	OSgfHmn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4588-0-0x00007FF676020000-0x00007FF676374000-memory.dmp	upx
C:\Windows\System\MljTyPs.exe	upx
C:\Windows\System\tkyftnb.exe	upx
C:\Windows\System\VzokHIk.exe	upx
behavioral2/memory/332-18-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	upx
C:\Windows\System\bgbTkVJ.exe	upx
behavioral2/memory/4716-15-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	upx
behavioral2/memory/1732-8-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	upx
behavioral2/memory/4392-28-0x00007FF685810000-0x00007FF685B64000-memory.dmp	upx
C:\Windows\System\MvKvCvS.exe	upx
C:\Windows\System\oxEUHpD.exe	upx
C:\Windows\System\JtKVUaO.exe	upx
behavioral2/memory/4508-34-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	upx
behavioral2/memory/2392-43-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	upx
behavioral2/memory/4944-44-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	upx
C:\Windows\System\LUtbSNN.exe	upx
C:\Windows\System\kjHWXQN.exe	upx
behavioral2/memory/4588-65-0x00007FF676020000-0x00007FF676374000-memory.dmp	upx
C:\Windows\System\GFqjewi.exe	upx
C:\Windows\System\TAUUnop.exe	upx
C:\Windows\System\ENfTgfB.exe	upx
C:\Windows\System\bpcLpYz.exe	upx
C:\Windows\System\prCJVnT.exe	upx
C:\Windows\System\OSgfHmn.exe	upx
C:\Windows\System\EqvoTQP.exe	upx
C:\Windows\System\jeRcaQr.exe	upx
C:\Windows\System\ngqGypJ.exe	upx
C:\Windows\System\cjOsxac.exe	upx
C:\Windows\System\RVunLGJ.exe	upx
behavioral2/memory/3604-67-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	upx
behavioral2/memory/3920-66-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	upx
behavioral2/memory/1480-56-0x00007FF735340000-0x00007FF735694000-memory.dmp	upx
C:\Windows\System\FmQMNIl.exe	upx
behavioral2/memory/692-50-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	upx
behavioral2/memory/4716-119-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	upx
behavioral2/memory/4480-120-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	upx
behavioral2/memory/716-121-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	upx
behavioral2/memory/2108-122-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	upx
behavioral2/memory/936-123-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	upx
behavioral2/memory/3988-124-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	upx
behavioral2/memory/4572-127-0x00007FF72BA20000-0x00007FF72BD74000-memory.dmp	upx
behavioral2/memory/2224-126-0x00007FF60B900000-0x00007FF60BC54000-memory.dmp	upx
behavioral2/memory/3484-125-0x00007FF773C00000-0x00007FF773F54000-memory.dmp	upx
behavioral2/memory/5096-128-0x00007FF6DD000000-0x00007FF6DD354000-memory.dmp	upx
behavioral2/memory/884-129-0x00007FF6CD7C0000-0x00007FF6CDB14000-memory.dmp	upx
behavioral2/memory/332-130-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	upx
behavioral2/memory/692-131-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	upx
behavioral2/memory/3604-132-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	upx
behavioral2/memory/1732-133-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp	upx
behavioral2/memory/4716-134-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp	upx
behavioral2/memory/332-135-0x00007FF794DB0000-0x00007FF795104000-memory.dmp	upx
behavioral2/memory/4392-136-0x00007FF685810000-0x00007FF685B64000-memory.dmp	upx
behavioral2/memory/4508-137-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp	upx
behavioral2/memory/2392-138-0x00007FF64E030000-0x00007FF64E384000-memory.dmp	upx
behavioral2/memory/4944-139-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp	upx
behavioral2/memory/1480-140-0x00007FF735340000-0x00007FF735694000-memory.dmp	upx
behavioral2/memory/3920-141-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp	upx
behavioral2/memory/692-142-0x00007FF639570000-0x00007FF6398C4000-memory.dmp	upx
behavioral2/memory/3604-143-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp	upx
behavioral2/memory/4480-144-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp	upx
behavioral2/memory/716-145-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp	upx
behavioral2/memory/2108-146-0x00007FF741EE0000-0x00007FF742234000-memory.dmp	upx
behavioral2/memory/936-147-0x00007FF715180000-0x00007FF7154D4000-memory.dmp	upx
behavioral2/memory/3988-148-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\EqvoTQP.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tkyftnb.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzokHIk.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFqjewi.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\prCJVnT.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MljTyPs.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjOsxac.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpcLpYz.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVunLGJ.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TAUUnop.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OSgfHmn.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvKvCvS.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FmQMNIl.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjHWXQN.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LUtbSNN.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ngqGypJ.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENfTgfB.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jeRcaQr.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bgbTkVJ.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxEUHpD.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JtKVUaO.exe	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4588 wrote to memory of 1732	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	MljTyPs.exe
PID 4588 wrote to memory of 1732	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	MljTyPs.exe
PID 4588 wrote to memory of 4716	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	tkyftnb.exe
PID 4588 wrote to memory of 4716	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	tkyftnb.exe
PID 4588 wrote to memory of 332	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	VzokHIk.exe
PID 4588 wrote to memory of 332	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	VzokHIk.exe
PID 4588 wrote to memory of 4392	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	bgbTkVJ.exe
PID 4588 wrote to memory of 4392	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	bgbTkVJ.exe
PID 4588 wrote to memory of 4508	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	MvKvCvS.exe
PID 4588 wrote to memory of 4508	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	MvKvCvS.exe
PID 4588 wrote to memory of 2392	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	oxEUHpD.exe
PID 4588 wrote to memory of 2392	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	oxEUHpD.exe
PID 4588 wrote to memory of 4944	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	JtKVUaO.exe
PID 4588 wrote to memory of 4944	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	JtKVUaO.exe
PID 4588 wrote to memory of 692	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	LUtbSNN.exe
PID 4588 wrote to memory of 692	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	LUtbSNN.exe
PID 4588 wrote to memory of 1480	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	FmQMNIl.exe
PID 4588 wrote to memory of 1480	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	FmQMNIl.exe
PID 4588 wrote to memory of 3920	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	kjHWXQN.exe
PID 4588 wrote to memory of 3920	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	kjHWXQN.exe
PID 4588 wrote to memory of 3604	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	RVunLGJ.exe
PID 4588 wrote to memory of 3604	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	RVunLGJ.exe
PID 4588 wrote to memory of 4480	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	GFqjewi.exe
PID 4588 wrote to memory of 4480	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	GFqjewi.exe
PID 4588 wrote to memory of 716	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	cjOsxac.exe
PID 4588 wrote to memory of 716	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	cjOsxac.exe
PID 4588 wrote to memory of 2108	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	TAUUnop.exe
PID 4588 wrote to memory of 2108	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	TAUUnop.exe
PID 4588 wrote to memory of 936	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	ngqGypJ.exe
PID 4588 wrote to memory of 936	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	ngqGypJ.exe
PID 4588 wrote to memory of 3988	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	ENfTgfB.exe
PID 4588 wrote to memory of 3988	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	ENfTgfB.exe
PID 4588 wrote to memory of 3484	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	jeRcaQr.exe
PID 4588 wrote to memory of 3484	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	jeRcaQr.exe
PID 4588 wrote to memory of 2224	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	bpcLpYz.exe
PID 4588 wrote to memory of 2224	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	bpcLpYz.exe
PID 4588 wrote to memory of 4572	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	prCJVnT.exe
PID 4588 wrote to memory of 4572	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	prCJVnT.exe
PID 4588 wrote to memory of 5096	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	EqvoTQP.exe
PID 4588 wrote to memory of 5096	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	EqvoTQP.exe
PID 4588 wrote to memory of 884	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	OSgfHmn.exe
PID 4588 wrote to memory of 884	4588	2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe	OSgfHmn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_ee1b789623eecd221c8e3a0f8f4c557e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\System\MljTyPs.exe
C:\Windows\System\MljTyPs.exe
2⤵
- Executes dropped EXE
PID:1732

C:\Windows\System\tkyftnb.exe
C:\Windows\System\tkyftnb.exe
2⤵
- Executes dropped EXE
PID:4716

C:\Windows\System\VzokHIk.exe
C:\Windows\System\VzokHIk.exe
2⤵
- Executes dropped EXE
PID:332

C:\Windows\System\bgbTkVJ.exe
C:\Windows\System\bgbTkVJ.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Windows\System\MvKvCvS.exe
C:\Windows\System\MvKvCvS.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\oxEUHpD.exe
C:\Windows\System\oxEUHpD.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\JtKVUaO.exe
C:\Windows\System\JtKVUaO.exe
2⤵
- Executes dropped EXE
PID:4944

C:\Windows\System\LUtbSNN.exe
C:\Windows\System\LUtbSNN.exe
2⤵
- Executes dropped EXE
PID:692

C:\Windows\System\FmQMNIl.exe
C:\Windows\System\FmQMNIl.exe
2⤵
- Executes dropped EXE
PID:1480

C:\Windows\System\kjHWXQN.exe
C:\Windows\System\kjHWXQN.exe
2⤵
- Executes dropped EXE
PID:3920

C:\Windows\System\RVunLGJ.exe
C:\Windows\System\RVunLGJ.exe
2⤵
- Executes dropped EXE
PID:3604

C:\Windows\System\GFqjewi.exe
C:\Windows\System\GFqjewi.exe
2⤵
- Executes dropped EXE
PID:4480

C:\Windows\System\cjOsxac.exe
C:\Windows\System\cjOsxac.exe
2⤵
- Executes dropped EXE
PID:716

C:\Windows\System\TAUUnop.exe
C:\Windows\System\TAUUnop.exe
2⤵
- Executes dropped EXE
PID:2108

C:\Windows\System\ngqGypJ.exe
C:\Windows\System\ngqGypJ.exe
2⤵
- Executes dropped EXE
PID:936

C:\Windows\System\ENfTgfB.exe
C:\Windows\System\ENfTgfB.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Windows\System\jeRcaQr.exe
C:\Windows\System\jeRcaQr.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\System\bpcLpYz.exe
C:\Windows\System\bpcLpYz.exe
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\System\prCJVnT.exe
C:\Windows\System\prCJVnT.exe
2⤵
- Executes dropped EXE
PID:4572

C:\Windows\System\EqvoTQP.exe
C:\Windows\System\EqvoTQP.exe
2⤵
- Executes dropped EXE
PID:5096

C:\Windows\System\OSgfHmn.exe
C:\Windows\System\OSgfHmn.exe
2⤵
- Executes dropped EXE
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3776,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:1020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ENfTgfB.exe
Filesize
5.9MB

MD5
d502df8248876e46af31a8f87941e59d

SHA1
e8326bb67e4bffece16c5017fbb5d3385bf7405d

SHA256
68c5a6133486885bf7ef7d728a4dfa5841827bb4c70f9c4055844ae93ecc869b

SHA512
d141b10d4af2cd57fa7c391806977e6ec570611fc21d93495ca6ff87605d3bb199cb53483e54be1fcd307c0770c5a9681f5d7f5390a5cc6aaa9966605e288df7

Download Submit
C:\Windows\System\EqvoTQP.exe
Filesize
5.9MB

MD5
3196fd14d86320713d6d763bd9814d58

SHA1
283f85beb17e290de1f03f7f4f81ea2667575425

SHA256
628f0278293648f856bfb292482323a511619cfb97897f4f309772a01c4ad4fb

SHA512
883698f0fd720b52708927fae4e428458718ca82875bedea000ae10f7d6770dd91b859c0915ffbc99c4f22d57280f3d92c5830fceee1611b136783b848ab4daf

Download Submit
C:\Windows\System\FmQMNIl.exe
Filesize
5.9MB

MD5
c78397fc503d2ed2a96ef0bd4884a364

SHA1
29a1d1bd002b39fce15b89e1ddfa2abd7b75e99a

SHA256
f678228e20337de428b44235376fb3b4e3697b4dcc200a43f6fe342f25762267

SHA512
bb88460767334a6e0d4c45aedd0207b03507b989fc43a41c7ca7e6701282c817f60df6009f97704920fb885d3dfcbc3f30f5bd98ffb694c68ce8cba1018cf995

Download Submit
C:\Windows\System\GFqjewi.exe
Filesize
5.9MB

MD5
d61f85460842c130a089cf1380b3e286

SHA1
0812495a366397da08da367fcdb639e24e9315b8

SHA256
69b19906c23dab7b97eff18ce50a1c2dd796799ecf0ebd1b86021d850d846766

SHA512
33967d63b78e61d17035c3e49c55c59fedd5548a5b4e77eeff23513526f9b81a97ed6c72ca025c8fa52fcf82d63b6bab826e09a34190666f5a8b7a9eb4149fb2

Download Submit
C:\Windows\System\JtKVUaO.exe
Filesize
5.9MB

MD5
40fe19fc1d874b69ac55581a9c2300ff

SHA1
3fa2fa51848beb8037320c60cf2150e628dd3b27

SHA256
93e1e3adde2216d6b1731a3a1ef93680fff073932812f0e04921e8d2e4ee2241

SHA512
4205e4704ac363c26328a3440bdf073b267f02bed765401f9769ef403306d4f5a19819bff310358aaca735d52012b62037a5afb26f029d71c4bf1d6b82126c0d

Download Submit
C:\Windows\System\LUtbSNN.exe
Filesize
5.9MB

MD5
3f43b2ef384235921b7aa4dca2fd839b

SHA1
d9bb7620a720b6688a83e00453a1c0f4cbb64401

SHA256
b981c79201c9b80b3a74be0457912cf57738e9327f1f49e3a2b60c9c63fe4000

SHA512
524b73ed81f2ace6c0dd4e37d84de2288f28c20bf0fb791a9ceb659f4fca9a2547afa1b74cbd77d466fbde2dc12228dba67a844b99a2e5ed26b4fb81012ad468

Download Submit
C:\Windows\System\MljTyPs.exe
Filesize
5.9MB

MD5
8a185d8fcde3e86b001746eaf56a13dc

SHA1
0380c3502a263cdef666fa25ad2bafaa03d4b12a

SHA256
f6d94894ee4e7e5da473292602c93d9749c1662ae8257f6a95b51580e2930e41

SHA512
999fde719b34895e7f3b3e6c95ad0034748a3e6bd28c5e9cd6c1c882357dbf465910564fdb81fbf1f874403017619e0ee4ca0538dd87a817449f3eb8b4685aa9

Download Submit
C:\Windows\System\MvKvCvS.exe
Filesize
5.9MB

MD5
8783010f7172f3825ccb6690dd352a1e

SHA1
830981971560249da5f221aa6d32fbb944d8e712

SHA256
4b880bbc2aa299f98d24ad5550fa590bf5e7c31a297d5bcd754aee432de64f72

SHA512
661a173722e0a494793f5e7e9258fb13a90659bb38645de035354399fd70e5d5704c2edb00c033a4e68bcb6f9b3da454f58c07de7836f8c159315e80e06eb437

Download Submit
C:\Windows\System\OSgfHmn.exe
Filesize
5.9MB

MD5
16df60ca8439bba4310b70a9c1b0628f

SHA1
ecf6825c78efb4725fac56e23064c150dc230760

SHA256
2beb855d1df8b944914d0ca8ba485fd2423b143e885be087a1725cc8cf330da9

SHA512
53c7f772ba534df429450b41ac26dbe3be947002c2fc61ae1e4e20e4bc1793d203c5eb02b953fd17dea6a40da920dfa4c9ee5cb011087aa7f4e5ee43733cf8f1

Download Submit
C:\Windows\System\RVunLGJ.exe
Filesize
5.9MB

MD5
743d64ecd4a968387acad17ef73894ba

SHA1
91cbee2283a7fc109f4ef15c38304429e13ce34f

SHA256
422c4272fa32980e5b9c3298e6ed9f5a9d8c014c79fa74d61f44da01b8e68917

SHA512
b591c48686a727193bb840976e7dddedad1d74547755b6ec4c9a711485924865c6bf47050d20b7b3b840b61c645568d9f23785be4719dca948a946d4e1de7426

Download Submit
C:\Windows\System\TAUUnop.exe
Filesize
5.9MB

MD5
9cb432e42675907fbe91d1c70e292787

SHA1
f5ea0ad1e469926bb144a5f489ca3b1c94953541

SHA256
6c439022119338d07feff49195ed10eb44f38df0e6e618eaf4d1bdbe9a3d924f

SHA512
5160fcf4c9ba3be33b490a2435224ddc5c01aa22587cbadb6c35f759209ee589453444e5f58459f60dbe5735185f2e94cb211276ba27824d6f370717bb50f1a9

Download Submit
C:\Windows\System\VzokHIk.exe
Filesize
5.9MB

MD5
4c757406b305b922cfebf7636f40f6c5

SHA1
8fa874aa845b2981251b2fbcd130c9c9dd0c2148

SHA256
9a746014936c87d677189d1f61b60fb6ea46da4c8aa8522424589e0ece6795ee

SHA512
2643641c3d9cdc98cf29e4db88e7eb127bc9e9250caf282d7e593726ad632f7aa95100ecb6ba27179df822c09a18586c02ae28ff730df5561250b874cbe48a15

Download Submit
C:\Windows\System\bgbTkVJ.exe
Filesize
5.9MB

MD5
8acd25983f6aa5ea62f325b48dbe0a6c

SHA1
39eb04b0db3e9d659ab838f4480981f5995175f1

SHA256
275b3618ac142e5e371ee02cfe7825a7165f4bc0bdb8dbd7f9ac58ee70f337d5

SHA512
0fc9b7c4bd551eeb69a244018f3cdc72905997526f868b3ec8bd320b3875b369ae427611d796e15adf33c1c1d1c32cf21534055f82285cedcb7d6bbf63d6378a

Download Submit
C:\Windows\System\bpcLpYz.exe
Filesize
5.9MB

MD5
d3157a0f24245a4e4a8a37842e94eaff

SHA1
c10d40855b8fe0fda01c4d33ca4bebfb672af807

SHA256
f1e22ea1a05b9695bf4174213c5cb22e3a703d214c30873ae3273e31f72d45ee

SHA512
9716ffb4ecb4485fd8a13dea116cdde96841438a9ba2573c2991c4b31e9df4b4932f708923b21c9b5139131b7bfcbfe26260c84800506bf4233239c056a83c78

Download Submit
C:\Windows\System\cjOsxac.exe
Filesize
5.9MB

MD5
d4c2a739151a2deadc8b8b373f786cf6

SHA1
00bf998edb0d1aa3e6d24b3434657d8ef5318a3b

SHA256
62102269dd031102b9dc977743a48ce50ba65ed90bfde40aaecb201c1c304866

SHA512
84e495f2ff95f775d4616d3f9f2c51ebbea176bf6bf5e224e7d86c0762b151675c9c0d391824fd848aef26a03b7dca0ae3d8438d4cef735c5ada559e767a5fe1

Download Submit
C:\Windows\System\jeRcaQr.exe
Filesize
5.9MB

MD5
95d1abbdb9cc09a700a01d28d0e4aaff

SHA1
c4534666a7692ad1695b53601814918cbaaa25c2

SHA256
1ac5d7ead3991e925672643c41374953536adbb2ccc12bd696ead17f18a73a18

SHA512
23da83151a2db215b4edc71a2a7296e29c1b00c46834cbed65ccebc1841ac67164b4b19a0f3230451690b8aa129aa608f2480a3c6136b1e87d299a6cc82e8ea6

Download Submit
C:\Windows\System\kjHWXQN.exe
Filesize
5.9MB

MD5
c1bb758bf4e5f7d2e368d772d716431b

SHA1
a07ab176ab9563dafff60547ee5412a08b20548d

SHA256
0782ee022d85b38f61aceb299e3f7858665dc5ae0745f40d65e522824d9cfd92

SHA512
fee45cc1bec9ccfdc04de80faf502b92801bc3fe8b62f7f162d58151ef1b132cc554ba45ed1dbcb68952199528650a8d1bbb8c16854e9495b6f9fa5a450a167e

Download Submit
C:\Windows\System\ngqGypJ.exe
Filesize
5.9MB

MD5
953eb5ce4cd80dd53bd3e38ae28cf54a

SHA1
c4a6c34a3578d95fe286b523f77e75c98360431e

SHA256
964e8c3ef0041a3debc3a926c8e05b92b9dce7ab52a48bc865ceb2b925eb6e7c

SHA512
7fb0433567c57da85349e8b890aed88b7ba87434268a21d18cd85b084711d9efe0dbb9b09e1e116dae1e34816a13d9371f48b7b192a568e59e6d65e040590701

Download Submit
C:\Windows\System\oxEUHpD.exe
Filesize
5.9MB

MD5
d802b3bfa0140d18ad86d6abd233264d

SHA1
50eadbb5262104deec1fbebc1ccfb2b262651290

SHA256
117034553a0dbd85b8ccbd7139cd58b30884d477030e74b33c304b8086d02448

SHA512
5977868ffbc806c16c4fbc8f8eea5e961c61620b5515e16ee3d6c3509f638543db21c9a3eeb22bc9ab4ff95b95a2937d86903679280122caf4a49b5d07957a41

Download Submit
C:\Windows\System\prCJVnT.exe
Filesize
5.9MB

MD5
a90808acbf98df38a7453ce09dff3c60

SHA1
7bf15a4c342d8c8b3e1139dd1990bb41b2774a8e

SHA256
0671895339c94e31600a3224cf8770d59141787d6c1cfb4cf918976e4de5d5c1

SHA512
b2ae4279b80b39ab2e2fb5e8c8f932fec216ad4255ef59798847c8868c48051c28dc48b3aa60fa139ae822839b7be589740e6c2f5e60b0470c56f8c416c329bc

Download Submit
C:\Windows\System\tkyftnb.exe
Filesize
5.9MB

MD5
19392ee79971c9ed46c4092be09d1f85

SHA1
f5da6d7f521405107ef377b5da6c5fa87061000e

SHA256
8a306ed2fc02eb6123c75cb6b40ce6ae0a16d8e879df32218670b2b2499b2d5e

SHA512
6aa948660e8e835673bd8eccf659d7474635880b58568a543fe598466f95d70309abc27c2baeaf02db54634aa3c3f6f1d4be112f30de861512bedb70edbcb3ac

Download Submit
memory/332-18-0x00007FF794DB0000-0x00007FF795104000-memory.dmp

Filesize
3.3MB

Download
memory/332-135-0x00007FF794DB0000-0x00007FF795104000-memory.dmp

Filesize
3.3MB

Download
memory/332-130-0x00007FF794DB0000-0x00007FF795104000-memory.dmp

Filesize
3.3MB

Download
memory/692-50-0x00007FF639570000-0x00007FF6398C4000-memory.dmp

Filesize
3.3MB

Download
memory/692-142-0x00007FF639570000-0x00007FF6398C4000-memory.dmp

Filesize
3.3MB

Download
memory/692-131-0x00007FF639570000-0x00007FF6398C4000-memory.dmp

Filesize
3.3MB

Download
memory/716-121-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp

Filesize
3.3MB

Download
memory/716-145-0x00007FF7DFF10000-0x00007FF7E0264000-memory.dmp

Filesize
3.3MB

Download
memory/884-129-0x00007FF6CD7C0000-0x00007FF6CDB14000-memory.dmp

Filesize
3.3MB

Download
memory/884-151-0x00007FF6CD7C0000-0x00007FF6CDB14000-memory.dmp

Filesize
3.3MB

Download
memory/936-147-0x00007FF715180000-0x00007FF7154D4000-memory.dmp

Filesize
3.3MB

Download
memory/936-123-0x00007FF715180000-0x00007FF7154D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-56-0x00007FF735340000-0x00007FF735694000-memory.dmp

Filesize
3.3MB

Download
memory/1480-140-0x00007FF735340000-0x00007FF735694000-memory.dmp

Filesize
3.3MB

Download
memory/1732-8-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp

Filesize
3.3MB

Download
memory/1732-133-0x00007FF722AB0000-0x00007FF722E04000-memory.dmp

Filesize
3.3MB

Download
memory/2108-146-0x00007FF741EE0000-0x00007FF742234000-memory.dmp

Filesize
3.3MB

Download
memory/2108-122-0x00007FF741EE0000-0x00007FF742234000-memory.dmp

Filesize
3.3MB

Download
memory/2224-153-0x00007FF60B900000-0x00007FF60BC54000-memory.dmp

Filesize
3.3MB

Download
memory/2224-126-0x00007FF60B900000-0x00007FF60BC54000-memory.dmp

Filesize
3.3MB

Download
memory/2392-138-0x00007FF64E030000-0x00007FF64E384000-memory.dmp

Filesize
3.3MB

Download
memory/2392-43-0x00007FF64E030000-0x00007FF64E384000-memory.dmp

Filesize
3.3MB

Download
memory/3484-125-0x00007FF773C00000-0x00007FF773F54000-memory.dmp

Filesize
3.3MB

Download
memory/3484-149-0x00007FF773C00000-0x00007FF773F54000-memory.dmp

Filesize
3.3MB

Download
memory/3604-143-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp

Filesize
3.3MB

Download
memory/3604-67-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp

Filesize
3.3MB

Download
memory/3604-132-0x00007FF6F36E0000-0x00007FF6F3A34000-memory.dmp

Filesize
3.3MB

Download
memory/3920-141-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3920-66-0x00007FF668AA0000-0x00007FF668DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-148-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-124-0x00007FF662BA0000-0x00007FF662EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-136-0x00007FF685810000-0x00007FF685B64000-memory.dmp

Filesize
3.3MB

Download
memory/4392-28-0x00007FF685810000-0x00007FF685B64000-memory.dmp

Filesize
3.3MB

Download
memory/4480-120-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp

Filesize
3.3MB

Download
memory/4480-144-0x00007FF7758D0000-0x00007FF775C24000-memory.dmp

Filesize
3.3MB

Download
memory/4508-137-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp

Filesize
3.3MB

Download
memory/4508-34-0x00007FF6F3430000-0x00007FF6F3784000-memory.dmp

Filesize
3.3MB

Download
memory/4572-127-0x00007FF72BA20000-0x00007FF72BD74000-memory.dmp

Filesize
3.3MB

Download
memory/4572-150-0x00007FF72BA20000-0x00007FF72BD74000-memory.dmp

Filesize
3.3MB

Download
memory/4588-0-0x00007FF676020000-0x00007FF676374000-memory.dmp

Filesize
3.3MB

Download
memory/4588-1-0x0000015CEEA30000-0x0000015CEEA40000-memory.dmp

Filesize
64KB

Download
memory/4588-65-0x00007FF676020000-0x00007FF676374000-memory.dmp

Filesize
3.3MB

Download
memory/4716-119-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-134-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp

Filesize
3.3MB

Download
memory/4716-15-0x00007FF774C50000-0x00007FF774FA4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-44-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-139-0x00007FF7C7E90000-0x00007FF7C81E4000-memory.dmp

Filesize
3.3MB

Download
memory/5096-128-0x00007FF6DD000000-0x00007FF6DD354000-memory.dmp

Filesize
3.3MB

Download
memory/5096-152-0x00007FF6DD000000-0x00007FF6DD354000-memory.dmp

Filesize
3.3MB

Download