cobaltstrike | b6c6c0ec13703357a1cbeedee094bd441bd924338453b876197e45603f0b7bad

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

f96c8cd3fb9dca6f231fef064df28f10
SHA1

8cb6b62a8f356e4fba22f1b50c18b8cbb29227ed
SHA256

b6c6c0ec13703357a1cbeedee094bd441bd924338453b876197e45603f0b7bad
SHA512

27c423702978a207d031eec5ba2a263d2595a8b060e6ab0833dac069a1ac7b55b30356636259bece19f5ced4d7b754d67904ec426a7e795c36d570c45ded2448
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUt:Q+u56utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\IDngfdR.exe	cobalt_reflective_dll
C:\Windows\System\jbekflD.exe	cobalt_reflective_dll
C:\Windows\System\QvWmNBy.exe	cobalt_reflective_dll
C:\Windows\System\XoaorPD.exe	cobalt_reflective_dll
C:\Windows\System\yrPZAhj.exe	cobalt_reflective_dll
C:\Windows\System\twbBgpi.exe	cobalt_reflective_dll
C:\Windows\System\cqTnzby.exe	cobalt_reflective_dll
C:\Windows\System\wJhPuMn.exe	cobalt_reflective_dll
C:\Windows\System\RtpGChw.exe	cobalt_reflective_dll
C:\Windows\System\ZrYbBjk.exe	cobalt_reflective_dll
C:\Windows\System\VdAOwJI.exe	cobalt_reflective_dll
C:\Windows\System\jnWURxw.exe	cobalt_reflective_dll
C:\Windows\System\sNsMUBs.exe	cobalt_reflective_dll
C:\Windows\System\ZuWYkdd.exe	cobalt_reflective_dll
C:\Windows\System\qwUIukq.exe	cobalt_reflective_dll
C:\Windows\System\IHRfmwF.exe	cobalt_reflective_dll
C:\Windows\System\MKihEOF.exe	cobalt_reflective_dll
C:\Windows\System\lRJcnae.exe	cobalt_reflective_dll
C:\Windows\System\dXDPpCg.exe	cobalt_reflective_dll
C:\Windows\System\spPtEEv.exe	cobalt_reflective_dll
C:\Windows\System\ULqRvsS.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\IDngfdR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jbekflD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QvWmNBy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XoaorPD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yrPZAhj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\twbBgpi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cqTnzby.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wJhPuMn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RtpGChw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZrYbBjk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VdAOwJI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jnWURxw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sNsMUBs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZuWYkdd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qwUIukq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IHRfmwF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MKihEOF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lRJcnae.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dXDPpCg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\spPtEEv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ULqRvsS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	UPX
C:\Windows\System\IDngfdR.exe	UPX
C:\Windows\System\jbekflD.exe	UPX
behavioral2/memory/640-10-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	UPX
C:\Windows\System\QvWmNBy.exe	UPX
behavioral2/memory/1052-18-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	UPX
behavioral2/memory/4124-12-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	UPX
C:\Windows\System\XoaorPD.exe	UPX
C:\Windows\System\yrPZAhj.exe	UPX
C:\Windows\System\twbBgpi.exe	UPX
C:\Windows\System\cqTnzby.exe	UPX
behavioral2/memory/4328-58-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	UPX
C:\Windows\System\wJhPuMn.exe	UPX
behavioral2/memory/1068-72-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	UPX
C:\Windows\System\RtpGChw.exe	UPX
behavioral2/memory/1048-95-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	UPX
behavioral2/memory/3676-100-0x00007FF7D4E60000-0x00007FF7D51B4000-memory.dmp	UPX
behavioral2/memory/3860-104-0x00007FF64C730000-0x00007FF64CA84000-memory.dmp	UPX
C:\Windows\System\ZrYbBjk.exe	UPX
behavioral2/memory/3080-103-0x00007FF634000000-0x00007FF634354000-memory.dmp	UPX
C:\Windows\System\VdAOwJI.exe	UPX
C:\Windows\System\jnWURxw.exe	UPX
C:\Windows\System\sNsMUBs.exe	UPX
C:\Windows\System\ZuWYkdd.exe	UPX
behavioral2/memory/2228-89-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	UPX
behavioral2/memory/1724-88-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	UPX
C:\Windows\System\qwUIukq.exe	UPX
behavioral2/memory/5064-79-0x00007FF6D4A50000-0x00007FF6D4DA4000-memory.dmp	UPX
C:\Windows\System\IHRfmwF.exe	UPX
behavioral2/memory/1892-61-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	UPX
C:\Windows\System\MKihEOF.exe	UPX
behavioral2/memory/2980-52-0x00007FF653F20000-0x00007FF654274000-memory.dmp	UPX
behavioral2/memory/2884-47-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	UPX
behavioral2/memory/3160-42-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	UPX
C:\Windows\System\lRJcnae.exe	UPX
behavioral2/memory/2488-26-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	UPX
behavioral2/memory/4908-110-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	UPX
C:\Windows\System\dXDPpCg.exe	UPX
behavioral2/memory/3128-117-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	UPX
C:\Windows\System\spPtEEv.exe	UPX
behavioral2/memory/1172-122-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	UPX
behavioral2/memory/556-125-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	UPX
C:\Windows\System\ULqRvsS.exe	UPX
behavioral2/memory/4112-115-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	UPX
behavioral2/memory/4124-129-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	UPX
behavioral2/memory/1052-130-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	UPX
behavioral2/memory/2488-131-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	UPX
behavioral2/memory/2884-133-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	UPX
behavioral2/memory/3160-132-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	UPX
behavioral2/memory/2980-135-0x00007FF653F20000-0x00007FF654274000-memory.dmp	UPX
behavioral2/memory/1068-134-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	UPX
behavioral2/memory/1724-136-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	UPX
behavioral2/memory/1048-137-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	UPX
behavioral2/memory/2228-138-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	UPX
behavioral2/memory/3128-139-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	UPX
behavioral2/memory/1172-140-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	UPX
behavioral2/memory/556-141-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	UPX
behavioral2/memory/640-142-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	UPX
behavioral2/memory/4124-143-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	UPX
behavioral2/memory/1052-144-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	UPX
behavioral2/memory/2488-145-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	UPX
behavioral2/memory/4328-146-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	UPX
behavioral2/memory/3160-147-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	UPX
behavioral2/memory/1892-148-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	xmrig
C:\Windows\System\IDngfdR.exe	xmrig
C:\Windows\System\jbekflD.exe	xmrig
behavioral2/memory/640-10-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	xmrig
C:\Windows\System\QvWmNBy.exe	xmrig
behavioral2/memory/1052-18-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	xmrig
behavioral2/memory/4124-12-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	xmrig
C:\Windows\System\XoaorPD.exe	xmrig
C:\Windows\System\yrPZAhj.exe	xmrig
C:\Windows\System\twbBgpi.exe	xmrig
C:\Windows\System\cqTnzby.exe	xmrig
behavioral2/memory/4328-58-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	xmrig
C:\Windows\System\wJhPuMn.exe	xmrig
behavioral2/memory/1068-72-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	xmrig
C:\Windows\System\RtpGChw.exe	xmrig
behavioral2/memory/1048-95-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	xmrig
behavioral2/memory/3676-100-0x00007FF7D4E60000-0x00007FF7D51B4000-memory.dmp	xmrig
behavioral2/memory/3860-104-0x00007FF64C730000-0x00007FF64CA84000-memory.dmp	xmrig
C:\Windows\System\ZrYbBjk.exe	xmrig
behavioral2/memory/3080-103-0x00007FF634000000-0x00007FF634354000-memory.dmp	xmrig
C:\Windows\System\VdAOwJI.exe	xmrig
C:\Windows\System\jnWURxw.exe	xmrig
C:\Windows\System\sNsMUBs.exe	xmrig
C:\Windows\System\ZuWYkdd.exe	xmrig
behavioral2/memory/2228-89-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	xmrig
behavioral2/memory/1724-88-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	xmrig
C:\Windows\System\qwUIukq.exe	xmrig
behavioral2/memory/5064-79-0x00007FF6D4A50000-0x00007FF6D4DA4000-memory.dmp	xmrig
C:\Windows\System\IHRfmwF.exe	xmrig
behavioral2/memory/1892-61-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	xmrig
C:\Windows\System\MKihEOF.exe	xmrig
behavioral2/memory/2980-52-0x00007FF653F20000-0x00007FF654274000-memory.dmp	xmrig
behavioral2/memory/2884-47-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	xmrig
behavioral2/memory/3160-42-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	xmrig
C:\Windows\System\lRJcnae.exe	xmrig
behavioral2/memory/2488-26-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	xmrig
behavioral2/memory/4908-110-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	xmrig
C:\Windows\System\dXDPpCg.exe	xmrig
behavioral2/memory/3128-117-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	xmrig
C:\Windows\System\spPtEEv.exe	xmrig
behavioral2/memory/1172-122-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	xmrig
behavioral2/memory/556-125-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	xmrig
C:\Windows\System\ULqRvsS.exe	xmrig
behavioral2/memory/4112-115-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	xmrig
behavioral2/memory/4124-129-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	xmrig
behavioral2/memory/1052-130-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	xmrig
behavioral2/memory/2488-131-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	xmrig
behavioral2/memory/2884-133-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	xmrig
behavioral2/memory/3160-132-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	xmrig
behavioral2/memory/2980-135-0x00007FF653F20000-0x00007FF654274000-memory.dmp	xmrig
behavioral2/memory/1068-134-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	xmrig
behavioral2/memory/1724-136-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	xmrig
behavioral2/memory/1048-137-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	xmrig
behavioral2/memory/2228-138-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	xmrig
behavioral2/memory/3128-139-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	xmrig
behavioral2/memory/1172-140-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	xmrig
behavioral2/memory/556-141-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	xmrig
behavioral2/memory/640-142-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	xmrig
behavioral2/memory/4124-143-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	xmrig
behavioral2/memory/1052-144-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	xmrig
behavioral2/memory/2488-145-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	xmrig
behavioral2/memory/4328-146-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	xmrig
behavioral2/memory/3160-147-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	xmrig
behavioral2/memory/1892-148-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

IDngfdR.exejbekflD.exeQvWmNBy.exeXoaorPD.exelRJcnae.exeyrPZAhj.exetwbBgpi.execqTnzby.exeMKihEOF.exewJhPuMn.exeIHRfmwF.exeqwUIukq.exeZuWYkdd.exeRtpGChw.exesNsMUBs.exejnWURxw.exeVdAOwJI.exeZrYbBjk.exedXDPpCg.exespPtEEv.exeULqRvsS.exe

pid	process
640	IDngfdR.exe
4124	jbekflD.exe
1052	QvWmNBy.exe
2488	XoaorPD.exe
3160	lRJcnae.exe
4328	yrPZAhj.exe
2884	twbBgpi.exe
1892	cqTnzby.exe
2980	MKihEOF.exe
5064	wJhPuMn.exe
1068	IHRfmwF.exe
1724	qwUIukq.exe
2228	ZuWYkdd.exe
3676	RtpGChw.exe
3080	sNsMUBs.exe
1048	jnWURxw.exe
3860	VdAOwJI.exe
4908	ZrYbBjk.exe
3128	dXDPpCg.exe
556	spPtEEv.exe
1172	ULqRvsS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4112-0-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	upx
C:\Windows\System\IDngfdR.exe	upx
C:\Windows\System\jbekflD.exe	upx
behavioral2/memory/640-10-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	upx
C:\Windows\System\QvWmNBy.exe	upx
behavioral2/memory/1052-18-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	upx
behavioral2/memory/4124-12-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	upx
C:\Windows\System\XoaorPD.exe	upx
C:\Windows\System\yrPZAhj.exe	upx
C:\Windows\System\twbBgpi.exe	upx
C:\Windows\System\cqTnzby.exe	upx
behavioral2/memory/4328-58-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	upx
C:\Windows\System\wJhPuMn.exe	upx
behavioral2/memory/1068-72-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	upx
C:\Windows\System\RtpGChw.exe	upx
behavioral2/memory/1048-95-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	upx
behavioral2/memory/3676-100-0x00007FF7D4E60000-0x00007FF7D51B4000-memory.dmp	upx
behavioral2/memory/3860-104-0x00007FF64C730000-0x00007FF64CA84000-memory.dmp	upx
C:\Windows\System\ZrYbBjk.exe	upx
behavioral2/memory/3080-103-0x00007FF634000000-0x00007FF634354000-memory.dmp	upx
C:\Windows\System\VdAOwJI.exe	upx
C:\Windows\System\jnWURxw.exe	upx
C:\Windows\System\sNsMUBs.exe	upx
C:\Windows\System\ZuWYkdd.exe	upx
behavioral2/memory/2228-89-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	upx
behavioral2/memory/1724-88-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	upx
C:\Windows\System\qwUIukq.exe	upx
behavioral2/memory/5064-79-0x00007FF6D4A50000-0x00007FF6D4DA4000-memory.dmp	upx
C:\Windows\System\IHRfmwF.exe	upx
behavioral2/memory/1892-61-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	upx
C:\Windows\System\MKihEOF.exe	upx
behavioral2/memory/2980-52-0x00007FF653F20000-0x00007FF654274000-memory.dmp	upx
behavioral2/memory/2884-47-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	upx
behavioral2/memory/3160-42-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	upx
C:\Windows\System\lRJcnae.exe	upx
behavioral2/memory/2488-26-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	upx
behavioral2/memory/4908-110-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp	upx
C:\Windows\System\dXDPpCg.exe	upx
behavioral2/memory/3128-117-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	upx
C:\Windows\System\spPtEEv.exe	upx
behavioral2/memory/1172-122-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	upx
behavioral2/memory/556-125-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	upx
C:\Windows\System\ULqRvsS.exe	upx
behavioral2/memory/4112-115-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp	upx
behavioral2/memory/4124-129-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	upx
behavioral2/memory/1052-130-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	upx
behavioral2/memory/2488-131-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	upx
behavioral2/memory/2884-133-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp	upx
behavioral2/memory/3160-132-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	upx
behavioral2/memory/2980-135-0x00007FF653F20000-0x00007FF654274000-memory.dmp	upx
behavioral2/memory/1068-134-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp	upx
behavioral2/memory/1724-136-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp	upx
behavioral2/memory/1048-137-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp	upx
behavioral2/memory/2228-138-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp	upx
behavioral2/memory/3128-139-0x00007FF620260000-0x00007FF6205B4000-memory.dmp	upx
behavioral2/memory/1172-140-0x00007FF7035D0000-0x00007FF703924000-memory.dmp	upx
behavioral2/memory/556-141-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp	upx
behavioral2/memory/640-142-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp	upx
behavioral2/memory/4124-143-0x00007FF60F640000-0x00007FF60F994000-memory.dmp	upx
behavioral2/memory/1052-144-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp	upx
behavioral2/memory/2488-145-0x00007FF768C00000-0x00007FF768F54000-memory.dmp	upx
behavioral2/memory/4328-146-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp	upx
behavioral2/memory/3160-147-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp	upx
behavioral2/memory/1892-148-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\cqTnzby.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jnWURxw.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdAOwJI.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dXDPpCg.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDngfdR.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XoaorPD.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lRJcnae.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\twbBgpi.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wJhPuMn.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHRfmwF.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qwUIukq.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RtpGChw.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QvWmNBy.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ULqRvsS.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yrPZAhj.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKihEOF.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZuWYkdd.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNsMUBs.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZrYbBjk.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jbekflD.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\spPtEEv.exe	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4112 wrote to memory of 640	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	IDngfdR.exe
PID 4112 wrote to memory of 640	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	IDngfdR.exe
PID 4112 wrote to memory of 4124	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	jbekflD.exe
PID 4112 wrote to memory of 4124	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	jbekflD.exe
PID 4112 wrote to memory of 1052	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	QvWmNBy.exe
PID 4112 wrote to memory of 1052	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	QvWmNBy.exe
PID 4112 wrote to memory of 2488	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	XoaorPD.exe
PID 4112 wrote to memory of 2488	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	XoaorPD.exe
PID 4112 wrote to memory of 3160	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	lRJcnae.exe
PID 4112 wrote to memory of 3160	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	lRJcnae.exe
PID 4112 wrote to memory of 4328	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	yrPZAhj.exe
PID 4112 wrote to memory of 4328	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	yrPZAhj.exe
PID 4112 wrote to memory of 2884	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	twbBgpi.exe
PID 4112 wrote to memory of 2884	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	twbBgpi.exe
PID 4112 wrote to memory of 2980	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	MKihEOF.exe
PID 4112 wrote to memory of 2980	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	MKihEOF.exe
PID 4112 wrote to memory of 1892	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	cqTnzby.exe
PID 4112 wrote to memory of 1892	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	cqTnzby.exe
PID 4112 wrote to memory of 5064	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	wJhPuMn.exe
PID 4112 wrote to memory of 5064	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	wJhPuMn.exe
PID 4112 wrote to memory of 1068	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	IHRfmwF.exe
PID 4112 wrote to memory of 1068	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	IHRfmwF.exe
PID 4112 wrote to memory of 1724	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	qwUIukq.exe
PID 4112 wrote to memory of 1724	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	qwUIukq.exe
PID 4112 wrote to memory of 2228	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ZuWYkdd.exe
PID 4112 wrote to memory of 2228	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ZuWYkdd.exe
PID 4112 wrote to memory of 3676	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	RtpGChw.exe
PID 4112 wrote to memory of 3676	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	RtpGChw.exe
PID 4112 wrote to memory of 3080	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	sNsMUBs.exe
PID 4112 wrote to memory of 3080	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	sNsMUBs.exe
PID 4112 wrote to memory of 1048	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	jnWURxw.exe
PID 4112 wrote to memory of 1048	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	jnWURxw.exe
PID 4112 wrote to memory of 3860	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	VdAOwJI.exe
PID 4112 wrote to memory of 3860	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	VdAOwJI.exe
PID 4112 wrote to memory of 4908	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ZrYbBjk.exe
PID 4112 wrote to memory of 4908	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ZrYbBjk.exe
PID 4112 wrote to memory of 3128	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	dXDPpCg.exe
PID 4112 wrote to memory of 3128	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	dXDPpCg.exe
PID 4112 wrote to memory of 556	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	spPtEEv.exe
PID 4112 wrote to memory of 556	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	spPtEEv.exe
PID 4112 wrote to memory of 1172	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ULqRvsS.exe
PID 4112 wrote to memory of 1172	4112	2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe	ULqRvsS.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_f96c8cd3fb9dca6f231fef064df28f10_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\System\IDngfdR.exe
C:\Windows\System\IDngfdR.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\jbekflD.exe
C:\Windows\System\jbekflD.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\System\QvWmNBy.exe
C:\Windows\System\QvWmNBy.exe
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\System\XoaorPD.exe
C:\Windows\System\XoaorPD.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\lRJcnae.exe
C:\Windows\System\lRJcnae.exe
2⤵
- Executes dropped EXE
PID:3160

C:\Windows\System\yrPZAhj.exe
C:\Windows\System\yrPZAhj.exe
2⤵
- Executes dropped EXE
PID:4328

C:\Windows\System\twbBgpi.exe
C:\Windows\System\twbBgpi.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\MKihEOF.exe
C:\Windows\System\MKihEOF.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\cqTnzby.exe
C:\Windows\System\cqTnzby.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\wJhPuMn.exe
C:\Windows\System\wJhPuMn.exe
2⤵
- Executes dropped EXE
PID:5064

C:\Windows\System\IHRfmwF.exe
C:\Windows\System\IHRfmwF.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\System\qwUIukq.exe
C:\Windows\System\qwUIukq.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System\ZuWYkdd.exe
C:\Windows\System\ZuWYkdd.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\RtpGChw.exe
C:\Windows\System\RtpGChw.exe
2⤵
- Executes dropped EXE
PID:3676

C:\Windows\System\sNsMUBs.exe
C:\Windows\System\sNsMUBs.exe
2⤵
- Executes dropped EXE
PID:3080

C:\Windows\System\jnWURxw.exe
C:\Windows\System\jnWURxw.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\System\VdAOwJI.exe
C:\Windows\System\VdAOwJI.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\System\ZrYbBjk.exe
C:\Windows\System\ZrYbBjk.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\dXDPpCg.exe
C:\Windows\System\dXDPpCg.exe
2⤵
- Executes dropped EXE
PID:3128

C:\Windows\System\spPtEEv.exe
C:\Windows\System\spPtEEv.exe
2⤵
- Executes dropped EXE
PID:556

C:\Windows\System\ULqRvsS.exe
C:\Windows\System\ULqRvsS.exe
2⤵
- Executes dropped EXE
PID:1172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\IDngfdR.exe
Filesize
5.9MB

MD5
03aa6e8fde5108f771eced629a7536f6

SHA1
f33de7ccbc5b4b9ec926f2f47ea49263007650ad

SHA256
578448e9a514df21c0686536bddbdaaf160ef5ffc4bc7be4dba5ff16f8a026c5

SHA512
2dc910428afdb25e431fe36f347e81529f474782aed7b2ff8758b52b3e3ed32321004486a5c17bc727315cf6cdea7e167c0b3e7821c74c5c452768ccddcc36a4

Download Submit
C:\Windows\System\IHRfmwF.exe
Filesize
5.9MB

MD5
ecc52c3feaa3e08ea8bdfe039ba64da7

SHA1
11c07177b05bfdc79a78311fabdf1cb6b15b3034

SHA256
f57b839404d57039ba3b81e7db38068556d0ce2a6e1a624f4da4151d9d47eceb

SHA512
3f44a84a8fb8e1935b357031cf84b10406d7d569aba60b2298b3cac04f02c88433dbee079f27f8aab8b67940e7c45664eeadf345eb858039a83880b8fc92df84

Download Submit
C:\Windows\System\MKihEOF.exe
Filesize
5.9MB

MD5
4f30bc8bc970f89a1694ed4b648c7d62

SHA1
dbc701f8252472a51db05ee1124f554a13238e4a

SHA256
a0205c3c48701d42bed79933475b9427f1e24ee7499e7c80010ef13342c48332

SHA512
9d8e1f7fab2436cb429d703631f9571c00a94683a295ae84801ce927a3d47df654c59240e7bf9e2917b94491bcc25891b9bfad98f159a8170cbf13cc9e0fff74

Download Submit
C:\Windows\System\QvWmNBy.exe
Filesize
5.9MB

MD5
f404f6a04e0b9175f82814d47dfc645c

SHA1
bcebff1f275843b8324706e0c53f2309af05d5a7

SHA256
0b1fa8a51b9d3f14b87a96d153529056b8bef3efdd147324214fb91b789789cf

SHA512
507b670f0e8d42bbba8189637b716c7124e4e743e2957c8cc369a5ccdb72749984d07f17b645a2498b10518341b0be6672f959b802e4e1e24c7867a446b4089e

Download Submit
C:\Windows\System\RtpGChw.exe
Filesize
5.9MB

MD5
1d298459b38ddd63a725fd90fc4a7125

SHA1
f133f99cc64ca5dc47359d2972ceca331458df99

SHA256
0eab648c509ab0b7cdcbc920dbbc531f0cf5ad39b67c2044142273a5057f2fde

SHA512
31bf7cfabf7e632857841c275a81724f189e7bd4bb8d1132b242b75af303c6b8745250e605db1f5036686c4e0f21333324f6005daea9a0f0b1b48b285ad98018

Download Submit
C:\Windows\System\ULqRvsS.exe
Filesize
5.9MB

MD5
338be64c1ada847d299bfc7e83bfdd85

SHA1
d5b689fd86edfb21db3811450e474edd5166c9b9

SHA256
009793ce81db7c5746afe850a987c8804a1c0a160d282f97be2eb43130bdacb6

SHA512
ec664ae6037dc75f73cec554383b6ca4193d0d47ef84c3248df1da7cef63896e25337bcde0bd846e9dddd113ddb8b5d645095a39761705c3587e5ac8e0fd2bd5

Download Submit
C:\Windows\System\VdAOwJI.exe
Filesize
5.9MB

MD5
6ad9a38611da2ec2a423f87e09cf570d

SHA1
dc94e08b2e1c72459b47b5f9f3ff50e3219b32c2

SHA256
ad56a0c250f698e3a593a6d144c0dbe0554ef04edb82c1d60b7085b15f3780e9

SHA512
19dc24ab204458b8b9e8eaf2b690cd2fc00c165ad68d6ce3c07b0a0f5baed001b0bedb39b23c106a244d8d26cd80e59fd31f0265a97f74f78ba0f2054cc6e751

Download Submit
C:\Windows\System\XoaorPD.exe
Filesize
5.9MB

MD5
39307518d3e8844f4c5e74d845b231c6

SHA1
9bc2b5a185a14dbbb513d72bca6486179305eeac

SHA256
51728ab3a4ec0d7a73283833ea64d696e7306319b9693c2c9c32b301afb520f8

SHA512
b9ca9574f3c7d983f463b55089ece6b264fe9c011c639337bf5f5eba69371b2be88315f341ccead3e9a77991803f68d3b91c234c556e2fc838b356c62369af95

Download Submit
C:\Windows\System\ZrYbBjk.exe
Filesize
5.9MB

MD5
07cd6ce64a247858809679593a607d5b

SHA1
59a77e7b85ffd44c5d865800cd75282aa9338553

SHA256
02e8c4001a09d18bbb61f7db50f801c069049111e0eb896a56e6203933d3a2fb

SHA512
9a685df8128c50b2819aa522ec4d23f0e4d7e01125e578398ab162da4397230965f32230c8cc6769bf129df7c9ae676377225953c559bbc1907649738f46e955

Download Submit
C:\Windows\System\ZuWYkdd.exe
Filesize
5.9MB

MD5
7354cd4d6ad1661b771a2463ceecd562

SHA1
a608a5c3953f9e6ad4bc87916d4a1f6d3b4b27e3

SHA256
ff5832406f0b1b8c9eda46ca0e9e13e2fd444eefbd2a9d189e55d5dad142f000

SHA512
95a32c15ed1a26faefb44336ce5d9450aa9f043bf61981f705816a2af79e8da516e1d30db600d20e607baa5377cd547b4d40a65da68b49e5ca772ef9b37cd64f

Download Submit
C:\Windows\System\cqTnzby.exe
Filesize
5.9MB

MD5
b50cb3d5a9ab5011af46b9c4fe61de16

SHA1
0d0d229cd53e3e80cccc18a62493604d16a39b06

SHA256
8b45aa6b37e967c164ff5cc1eccb1c0f14a09321b6edb52cf132e53b96f4be03

SHA512
ef3c3f727e2d95942beda0a585e5e4aac3a4fa9cfe9f8991d9075791968d4e4e89f84e53f2317be2cb21a6ac71656f168ffdaba3c42ea685105251c6798299f6

Download Submit
C:\Windows\System\dXDPpCg.exe
Filesize
5.9MB

MD5
01618436845edf42279fa09faf99242e

SHA1
73ae305753a9f5d8234ca3c57b5e3cbd7950cd81

SHA256
86581a498476a37d8b232374183203b2204b5b73b6ba0c9ac5c79ff6ad04b017

SHA512
85d317a89218863eb0c31c683e96e6289326073d128dd0cc536f06e4624ef60ba01e14938c61a468bbb94681188aafd2e2f3ce621b34c2836e2c41068e8c5635

Download Submit
C:\Windows\System\jbekflD.exe
Filesize
5.9MB

MD5
dfba752975aa9850657d05b66a9b9970

SHA1
161d33c53503a6abda95d49ec97431fb55bb24d7

SHA256
a520bc7c7dbd854ff90cad7c1b348bf322a2ae68291826db1978312947b13469

SHA512
d3dab3b22b34ca6822abec7b6ed72fb59606f6a14ecd21dc79e1c74384f3caac7e23e4dcb549cb9112beed1e337e49808ba49f1a9b0e634bb0f5e86aaee99ed5

Download Submit
C:\Windows\System\jnWURxw.exe
Filesize
5.9MB

MD5
b472c38c26bebbe6fd4ea23ce6d4b8cc

SHA1
c7dc1cec8b8648acf6f5079c12cd8d3668a6f020

SHA256
2d06c57637a7046d3614e667280cdedf085c13f6847fb92cab04032f3fabad8c

SHA512
ca9c616136d418cd3fcd2013d164f7cc70ced2cbd88e994cfdcb34895c492865c07fa1adbd294ddbbf85b1b29882a37fc8cf1d5d7bbcd453edc6c8cd7b8dd008

Download Submit
C:\Windows\System\lRJcnae.exe
Filesize
5.9MB

MD5
5963193628b671396a2e74920c47e00e

SHA1
b08472cecc3805596c29363fe362ee7cc2f1408a

SHA256
2642ae6753ab743aad2479545cb45b3cd1591f955b71be39abe47035cb14ce6c

SHA512
a7a9471d4b780d4c5f823919ab887938a1023ed84f8bece9f8d203dbbc747fa7876df3c30ee5652cc029379f20edb50e5abf76b190cf1271feda4602b7277e20

Download Submit
C:\Windows\System\qwUIukq.exe
Filesize
5.9MB

MD5
792d1f18f7994b122611a373b653263e

SHA1
5f9b5d8d28643b0e55d3265dbf0446bb375d6539

SHA256
5dd56bbabebbecf9d1356e1dc1c3f48ad89958be8925d93dc66798f6bc2be2f6

SHA512
40a727e9008379358ae3b0f229534327c12bd78d242b42531e76740b5cfd91edfb6a48d8e6168c4309405ab6eb90fdf0a2560953c944f4458e6b497597d7b907

Download Submit
C:\Windows\System\sNsMUBs.exe
Filesize
5.9MB

MD5
8b5669d6e8ed7c7d0ab5b7af0c13e095

SHA1
868b9b748673304740f4cc4611f083081318300f

SHA256
dd86bce74ec91b945bb0b301894a0bd1fe6b79b91ca7048b4b844b7ee8fea308

SHA512
252bbb40763ac9dc64eb2980adf2317b6acc4ceb214eb1039e9c14e996c61f5232521473c3e3032b03dc1f0e780f72ac4f8955be728de5a5b76026cdf4b58c64

Download Submit
C:\Windows\System\spPtEEv.exe
Filesize
5.9MB

MD5
a0ce5d833ce32fee084dbdc6e4715969

SHA1
41e8c4fc04f8006200f595d17603ed4b20588751

SHA256
e546bcc0bdbf44d3851aca1d8ad671f210a2a96a736842311effb3b262eae8e5

SHA512
a609ad9edfca71b9c787b5c6b37a05fb2e71c96a74542c2719c1cb7c20fbc372cfe603d637b539cc9a4c97d9bb53062d54d99f08bc832ff0ba6e435152d32ff2

Download Submit
C:\Windows\System\twbBgpi.exe
Filesize
5.9MB

MD5
7ae916f4896991fc62baed7701dc0a7e

SHA1
f0f79e023887a833fc89ab4512e9e1a4f6e3ff55

SHA256
e224f3a8a9c6acaab24c582bf69f95432015f6d6cea9b0aeaf0aeb3f4f089029

SHA512
eefc4a7b5fb385290a634ffec560125a2da8909c22f1079e00f9bbdae553f8134efb45d591e247035fa07003a24ee04b1da1df4d523d95350783779372a14f31

Download Submit
C:\Windows\System\wJhPuMn.exe
Filesize
5.9MB

MD5
18ad52ba1e93b1605cb43f819c1fbdbd

SHA1
dd338ba383828b93a342c408956d11c7a23b36f1

SHA256
402f34f636c55cdfe818467f643d49f9d14691c33afde671135deedb0e7c9e34

SHA512
ea772b5f679ec5172c50aba64d2d9ff73e8140866ff9012d976b671f1eb9e0914ac1cc4e6c2bdf9e102b875035fb8018211c66292a76c4a86c9f45339fb8e679

Download Submit
C:\Windows\System\yrPZAhj.exe
Filesize
5.9MB

MD5
f58da99e6d950961df857d7bd4e19aba

SHA1
53c04c21f8328010ccd6b2eb588813b023adfc0d

SHA256
feff93da15e3d3a8c94a300b76d69c0f49e8c78337bdd3219efe2e9049c824dd

SHA512
763db1c72d2824fb7121b716e5002a5a0e44cab85f8a60a0d5c98f2d4760a8f20dfe5215c956572ab237854766aad9bfcbed861891d43a411396004d6bd4156f

Download Submit
memory/556-125-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/556-141-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/556-162-0x00007FF7B4BD0000-0x00007FF7B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/640-142-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp

Filesize
3.3MB

Download
memory/640-10-0x00007FF6DD790000-0x00007FF6DDAE4000-memory.dmp

Filesize
3.3MB

Download
memory/1048-157-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp

Filesize
3.3MB

Download
memory/1048-137-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp

Filesize
3.3MB

Download
memory/1048-95-0x00007FF7D5AC0000-0x00007FF7D5E14000-memory.dmp

Filesize
3.3MB

Download
memory/1052-130-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp

Filesize
3.3MB

Download
memory/1052-144-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp

Filesize
3.3MB

Download
memory/1052-18-0x00007FF61FCF0000-0x00007FF620044000-memory.dmp

Filesize
3.3MB

Download
memory/1068-72-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp

Filesize
3.3MB

Download
memory/1068-152-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp

Filesize
3.3MB

Download
memory/1068-134-0x00007FF739EF0000-0x00007FF73A244000-memory.dmp

Filesize
3.3MB

Download
memory/1172-161-0x00007FF7035D0000-0x00007FF703924000-memory.dmp

Filesize
3.3MB

Download
memory/1172-122-0x00007FF7035D0000-0x00007FF703924000-memory.dmp

Filesize
3.3MB

Download
memory/1172-140-0x00007FF7035D0000-0x00007FF703924000-memory.dmp

Filesize
3.3MB

Download
memory/1724-88-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-136-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-153-0x00007FF6C3770000-0x00007FF6C3AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-61-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp

Filesize
3.3MB

Download
memory/1892-148-0x00007FF7E88E0000-0x00007FF7E8C34000-memory.dmp

Filesize
3.3MB

Download
memory/2228-89-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp

Filesize
3.3MB

Download
memory/2228-154-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp

Filesize
3.3MB

Download
memory/2228-138-0x00007FF6FBA40000-0x00007FF6FBD94000-memory.dmp

Filesize
3.3MB

Download
memory/2488-26-0x00007FF768C00000-0x00007FF768F54000-memory.dmp

Filesize
3.3MB

Download
memory/2488-145-0x00007FF768C00000-0x00007FF768F54000-memory.dmp

Filesize
3.3MB

Download
memory/2488-131-0x00007FF768C00000-0x00007FF768F54000-memory.dmp

Filesize
3.3MB

Download
memory/2884-149-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp

Filesize
3.3MB

Download
memory/2884-133-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp

Filesize
3.3MB

Download
memory/2884-47-0x00007FF61ED20000-0x00007FF61F074000-memory.dmp

Filesize
3.3MB

Download
memory/2980-135-0x00007FF653F20000-0x00007FF654274000-memory.dmp

Filesize
3.3MB

Download
memory/2980-52-0x00007FF653F20000-0x00007FF654274000-memory.dmp

Filesize
3.3MB

Download
memory/2980-150-0x00007FF653F20000-0x00007FF654274000-memory.dmp

Filesize
3.3MB

Download
memory/3080-103-0x00007FF634000000-0x00007FF634354000-memory.dmp

Filesize
3.3MB

Download
memory/3080-155-0x00007FF634000000-0x00007FF634354000-memory.dmp

Filesize
3.3MB

Download
memory/3128-160-0x00007FF620260000-0x00007FF6205B4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-139-0x00007FF620260000-0x00007FF6205B4000-memory.dmp

Filesize
3.3MB

Download
memory/3128-117-0x00007FF620260000-0x00007FF6205B4000-memory.dmp

Filesize
3.3MB

Download
memory/3160-147-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp

Filesize
3.3MB

Download
memory/3160-132-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp

Filesize
3.3MB

Download
memory/3160-42-0x00007FF63A0D0000-0x00007FF63A424000-memory.dmp

Filesize
3.3MB

Download
memory/3676-156-0x00007FF7D4E60000-0x00007FF7D51B4000-memory.dmp

Filesize
3.3MB

Download
memory/3676-100-0x00007FF7D4E60000-0x00007FF7D51B4000-memory.dmp

Filesize
3.3MB

Download
memory/3860-158-0x00007FF64C730000-0x00007FF64CA84000-memory.dmp

Filesize
3.3MB

Download
memory/3860-104-0x00007FF64C730000-0x00007FF64CA84000-memory.dmp

Filesize
3.3MB

Download
memory/4112-1-0x0000023D96700000-0x0000023D96710000-memory.dmp

Filesize
64KB

Download
memory/4112-0-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp

Filesize
3.3MB

Download
memory/4112-115-0x00007FF7A6370000-0x00007FF7A66C4000-memory.dmp

Filesize
3.3MB

Download
memory/4124-143-0x00007FF60F640000-0x00007FF60F994000-memory.dmp

Filesize
3.3MB

Download
memory/4124-12-0x00007FF60F640000-0x00007FF60F994000-memory.dmp

Filesize
3.3MB

Download
memory/4124-129-0x00007FF60F640000-0x00007FF60F994000-memory.dmp

Filesize
3.3MB

Download
memory/4328-58-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp

Filesize
3.3MB

Download
memory/4328-146-0x00007FF7AE2E0000-0x00007FF7AE634000-memory.dmp

Filesize
3.3MB

Download
memory/4908-110-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/4908-159-0x00007FF6EAA80000-0x00007FF6EADD4000-memory.dmp

Filesize
3.3MB

Download
memory/5064-79-0x00007FF6D4A50000-0x00007FF6D4DA4000-memory.dmp

Filesize
3.3MB

Download
memory/5064-151-0x00007FF6D4A50000-0x00007FF6D4DA4000-memory.dmp

Filesize
3.3MB

Download