cobaltstrike | f05388cdf43a0d1a2c044028bae15f37daf248f56f0c90b935a0a1c54531b578

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

594ffb8b1c52a8f988b9a59ea508c8f5
SHA1

a1625623e50af8a8d6a948e08a9c746024a5cbb8
SHA256

f05388cdf43a0d1a2c044028bae15f37daf248f56f0c90b935a0a1c54531b578
SHA512

fd47d0a9a5f472a1188d27439866cd83881b82b67686706558afb72ec6cd45ecb475b6b9768b3e0791a757222090b3775aa5e5eecf2b417794011921ea8c8999
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUS:Q+856utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\AmIFHXM.exe	cobalt_reflective_dll
C:\Windows\System\KtnzCzO.exe	cobalt_reflective_dll
C:\Windows\System\ozMNUaQ.exe	cobalt_reflective_dll
C:\Windows\System\LLiCfdG.exe	cobalt_reflective_dll
C:\Windows\System\TZCJWiw.exe	cobalt_reflective_dll
C:\Windows\System\uktMksu.exe	cobalt_reflective_dll
C:\Windows\System\yOwFeQX.exe	cobalt_reflective_dll
C:\Windows\System\VzJIbAi.exe	cobalt_reflective_dll
C:\Windows\System\ChIESgi.exe	cobalt_reflective_dll
C:\Windows\System\tPuXsFw.exe	cobalt_reflective_dll
C:\Windows\System\mxfYWBr.exe	cobalt_reflective_dll
C:\Windows\System\CFQeLdh.exe	cobalt_reflective_dll
C:\Windows\System\CTiOIiT.exe	cobalt_reflective_dll
C:\Windows\System\RnHFHMt.exe	cobalt_reflective_dll
C:\Windows\System\WnxErXS.exe	cobalt_reflective_dll
C:\Windows\System\QQUoClO.exe	cobalt_reflective_dll
C:\Windows\System\OgDTiSL.exe	cobalt_reflective_dll
C:\Windows\System\QFeoVts.exe	cobalt_reflective_dll
C:\Windows\System\djOZiUV.exe	cobalt_reflective_dll
C:\Windows\System\oqETHEn.exe	cobalt_reflective_dll
C:\Windows\System\vENbMVM.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\AmIFHXM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KtnzCzO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ozMNUaQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LLiCfdG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TZCJWiw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uktMksu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yOwFeQX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VzJIbAi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ChIESgi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tPuXsFw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mxfYWBr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CFQeLdh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CTiOIiT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RnHFHMt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WnxErXS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QQUoClO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OgDTiSL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QFeoVts.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\djOZiUV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oqETHEn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vENbMVM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2328-0-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	UPX
C:\Windows\System\AmIFHXM.exe	UPX
C:\Windows\System\KtnzCzO.exe	UPX
behavioral2/memory/1596-13-0x00007FF600510000-0x00007FF600864000-memory.dmp	UPX
C:\Windows\System\ozMNUaQ.exe	UPX
behavioral2/memory/1660-7-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	UPX
behavioral2/memory/4524-20-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	UPX
C:\Windows\System\LLiCfdG.exe	UPX
C:\Windows\System\TZCJWiw.exe	UPX
behavioral2/memory/464-29-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	UPX
C:\Windows\System\uktMksu.exe	UPX
C:\Windows\System\yOwFeQX.exe	UPX
behavioral2/memory/3896-48-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	UPX
C:\Windows\System\VzJIbAi.exe	UPX
C:\Windows\System\ChIESgi.exe	UPX
C:\Windows\System\tPuXsFw.exe	UPX
C:\Windows\System\mxfYWBr.exe	UPX
C:\Windows\System\CFQeLdh.exe	UPX
behavioral2/memory/3480-70-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	UPX
C:\Windows\System\CTiOIiT.exe	UPX
C:\Windows\System\RnHFHMt.exe	UPX
C:\Windows\System\WnxErXS.exe	UPX
behavioral2/memory/2084-90-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	UPX
behavioral2/memory/4828-95-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp	UPX
C:\Windows\System\QQUoClO.exe	UPX
behavioral2/memory/1436-98-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	UPX
behavioral2/memory/1704-92-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	UPX
behavioral2/memory/3060-89-0x00007FF70A110000-0x00007FF70A464000-memory.dmp	UPX
C:\Windows\System\OgDTiSL.exe	UPX
behavioral2/memory/1768-82-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	UPX
behavioral2/memory/4856-73-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	UPX
behavioral2/memory/3208-71-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	UPX
behavioral2/memory/4420-39-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	UPX
behavioral2/memory/2812-30-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	UPX
behavioral2/memory/2328-104-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	UPX
behavioral2/memory/4648-105-0x00007FF7321B0000-0x00007FF732504000-memory.dmp	UPX
behavioral2/memory/1596-121-0x00007FF600510000-0x00007FF600864000-memory.dmp	UPX
behavioral2/memory/3764-125-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	UPX
C:\Windows\System\QFeoVts.exe	UPX
C:\Windows\System\djOZiUV.exe	UPX
behavioral2/memory/4796-126-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	UPX
behavioral2/memory/3628-124-0x00007FF626860000-0x00007FF626BB4000-memory.dmp	UPX
C:\Windows\System\oqETHEn.exe	UPX
behavioral2/memory/3800-113-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp	UPX
behavioral2/memory/1660-111-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	UPX
C:\Windows\System\vENbMVM.exe	UPX
behavioral2/memory/2812-131-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	UPX
behavioral2/memory/3480-132-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	UPX
behavioral2/memory/1768-133-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	UPX
behavioral2/memory/2084-134-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	UPX
behavioral2/memory/1436-135-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	UPX
behavioral2/memory/3764-136-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	UPX
behavioral2/memory/4796-137-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	UPX
behavioral2/memory/1660-138-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	UPX
behavioral2/memory/1596-139-0x00007FF600510000-0x00007FF600864000-memory.dmp	UPX
behavioral2/memory/4524-140-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	UPX
behavioral2/memory/464-141-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	UPX
behavioral2/memory/4420-142-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	UPX
behavioral2/memory/2812-143-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	UPX
behavioral2/memory/3896-144-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	UPX
behavioral2/memory/3480-148-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	UPX
behavioral2/memory/1704-147-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	UPX
behavioral2/memory/4856-146-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	UPX
behavioral2/memory/3208-145-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2328-0-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	xmrig
C:\Windows\System\AmIFHXM.exe	xmrig
C:\Windows\System\KtnzCzO.exe	xmrig
behavioral2/memory/1596-13-0x00007FF600510000-0x00007FF600864000-memory.dmp	xmrig
C:\Windows\System\ozMNUaQ.exe	xmrig
behavioral2/memory/1660-7-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	xmrig
behavioral2/memory/4524-20-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	xmrig
C:\Windows\System\LLiCfdG.exe	xmrig
C:\Windows\System\TZCJWiw.exe	xmrig
behavioral2/memory/464-29-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	xmrig
C:\Windows\System\uktMksu.exe	xmrig
C:\Windows\System\yOwFeQX.exe	xmrig
behavioral2/memory/3896-48-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	xmrig
C:\Windows\System\VzJIbAi.exe	xmrig
C:\Windows\System\ChIESgi.exe	xmrig
C:\Windows\System\tPuXsFw.exe	xmrig
C:\Windows\System\mxfYWBr.exe	xmrig
C:\Windows\System\CFQeLdh.exe	xmrig
behavioral2/memory/3480-70-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	xmrig
C:\Windows\System\CTiOIiT.exe	xmrig
C:\Windows\System\RnHFHMt.exe	xmrig
C:\Windows\System\WnxErXS.exe	xmrig
behavioral2/memory/2084-90-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	xmrig
behavioral2/memory/4828-95-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp	xmrig
C:\Windows\System\QQUoClO.exe	xmrig
behavioral2/memory/1436-98-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	xmrig
behavioral2/memory/1704-92-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	xmrig
behavioral2/memory/3060-89-0x00007FF70A110000-0x00007FF70A464000-memory.dmp	xmrig
C:\Windows\System\OgDTiSL.exe	xmrig
behavioral2/memory/1768-82-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	xmrig
behavioral2/memory/4856-73-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	xmrig
behavioral2/memory/3208-71-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	xmrig
behavioral2/memory/4420-39-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	xmrig
behavioral2/memory/2812-30-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	xmrig
behavioral2/memory/2328-104-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	xmrig
behavioral2/memory/4648-105-0x00007FF7321B0000-0x00007FF732504000-memory.dmp	xmrig
behavioral2/memory/1596-121-0x00007FF600510000-0x00007FF600864000-memory.dmp	xmrig
behavioral2/memory/3764-125-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	xmrig
C:\Windows\System\QFeoVts.exe	xmrig
C:\Windows\System\djOZiUV.exe	xmrig
behavioral2/memory/4796-126-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	xmrig
behavioral2/memory/3628-124-0x00007FF626860000-0x00007FF626BB4000-memory.dmp	xmrig
C:\Windows\System\oqETHEn.exe	xmrig
behavioral2/memory/3800-113-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp	xmrig
behavioral2/memory/1660-111-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	xmrig
C:\Windows\System\vENbMVM.exe	xmrig
behavioral2/memory/2812-131-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	xmrig
behavioral2/memory/3480-132-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	xmrig
behavioral2/memory/1768-133-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	xmrig
behavioral2/memory/2084-134-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	xmrig
behavioral2/memory/1436-135-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	xmrig
behavioral2/memory/3764-136-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	xmrig
behavioral2/memory/4796-137-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	xmrig
behavioral2/memory/1660-138-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	xmrig
behavioral2/memory/1596-139-0x00007FF600510000-0x00007FF600864000-memory.dmp	xmrig
behavioral2/memory/4524-140-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	xmrig
behavioral2/memory/464-141-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	xmrig
behavioral2/memory/4420-142-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	xmrig
behavioral2/memory/2812-143-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	xmrig
behavioral2/memory/3896-144-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	xmrig
behavioral2/memory/3480-148-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	xmrig
behavioral2/memory/1704-147-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	xmrig
behavioral2/memory/4856-146-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	xmrig
behavioral2/memory/3208-145-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

AmIFHXM.exeKtnzCzO.exeozMNUaQ.exeLLiCfdG.exeTZCJWiw.exeuktMksu.exeyOwFeQX.exemxfYWBr.exeChIESgi.exeVzJIbAi.exetPuXsFw.exeCFQeLdh.exeCTiOIiT.exeOgDTiSL.exeRnHFHMt.exeWnxErXS.exeQQUoClO.exevENbMVM.exeoqETHEn.exedjOZiUV.exeQFeoVts.exe

pid	process
1660	AmIFHXM.exe
1596	KtnzCzO.exe
4524	ozMNUaQ.exe
464	LLiCfdG.exe
2812	TZCJWiw.exe
4420	uktMksu.exe
3896	yOwFeQX.exe
3480	mxfYWBr.exe
1704	ChIESgi.exe
3208	VzJIbAi.exe
4856	tPuXsFw.exe
1768	CFQeLdh.exe
3060	CTiOIiT.exe
4828	OgDTiSL.exe
1436	RnHFHMt.exe
2084	WnxErXS.exe
4648	QQUoClO.exe
3800	vENbMVM.exe
3628	oqETHEn.exe
3764	djOZiUV.exe
4796	QFeoVts.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2328-0-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	upx
C:\Windows\System\AmIFHXM.exe	upx
C:\Windows\System\KtnzCzO.exe	upx
behavioral2/memory/1596-13-0x00007FF600510000-0x00007FF600864000-memory.dmp	upx
C:\Windows\System\ozMNUaQ.exe	upx
behavioral2/memory/1660-7-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	upx
behavioral2/memory/4524-20-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	upx
C:\Windows\System\LLiCfdG.exe	upx
C:\Windows\System\TZCJWiw.exe	upx
behavioral2/memory/464-29-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	upx
C:\Windows\System\uktMksu.exe	upx
C:\Windows\System\yOwFeQX.exe	upx
behavioral2/memory/3896-48-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	upx
C:\Windows\System\VzJIbAi.exe	upx
C:\Windows\System\ChIESgi.exe	upx
C:\Windows\System\tPuXsFw.exe	upx
C:\Windows\System\mxfYWBr.exe	upx
C:\Windows\System\CFQeLdh.exe	upx
behavioral2/memory/3480-70-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	upx
C:\Windows\System\CTiOIiT.exe	upx
C:\Windows\System\RnHFHMt.exe	upx
C:\Windows\System\WnxErXS.exe	upx
behavioral2/memory/2084-90-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	upx
behavioral2/memory/4828-95-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp	upx
C:\Windows\System\QQUoClO.exe	upx
behavioral2/memory/1436-98-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	upx
behavioral2/memory/1704-92-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	upx
behavioral2/memory/3060-89-0x00007FF70A110000-0x00007FF70A464000-memory.dmp	upx
C:\Windows\System\OgDTiSL.exe	upx
behavioral2/memory/1768-82-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	upx
behavioral2/memory/4856-73-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	upx
behavioral2/memory/3208-71-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	upx
behavioral2/memory/4420-39-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	upx
behavioral2/memory/2812-30-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	upx
behavioral2/memory/2328-104-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp	upx
behavioral2/memory/4648-105-0x00007FF7321B0000-0x00007FF732504000-memory.dmp	upx
behavioral2/memory/1596-121-0x00007FF600510000-0x00007FF600864000-memory.dmp	upx
behavioral2/memory/3764-125-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	upx
C:\Windows\System\QFeoVts.exe	upx
C:\Windows\System\djOZiUV.exe	upx
behavioral2/memory/4796-126-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	upx
behavioral2/memory/3628-124-0x00007FF626860000-0x00007FF626BB4000-memory.dmp	upx
C:\Windows\System\oqETHEn.exe	upx
behavioral2/memory/3800-113-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp	upx
behavioral2/memory/1660-111-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	upx
C:\Windows\System\vENbMVM.exe	upx
behavioral2/memory/2812-131-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	upx
behavioral2/memory/3480-132-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	upx
behavioral2/memory/1768-133-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp	upx
behavioral2/memory/2084-134-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp	upx
behavioral2/memory/1436-135-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp	upx
behavioral2/memory/3764-136-0x00007FF673650000-0x00007FF6739A4000-memory.dmp	upx
behavioral2/memory/4796-137-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp	upx
behavioral2/memory/1660-138-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp	upx
behavioral2/memory/1596-139-0x00007FF600510000-0x00007FF600864000-memory.dmp	upx
behavioral2/memory/4524-140-0x00007FF760EE0000-0x00007FF761234000-memory.dmp	upx
behavioral2/memory/464-141-0x00007FF74F040000-0x00007FF74F394000-memory.dmp	upx
behavioral2/memory/4420-142-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp	upx
behavioral2/memory/2812-143-0x00007FF703570000-0x00007FF7038C4000-memory.dmp	upx
behavioral2/memory/3896-144-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp	upx
behavioral2/memory/3480-148-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp	upx
behavioral2/memory/1704-147-0x00007FF799B40000-0x00007FF799E94000-memory.dmp	upx
behavioral2/memory/4856-146-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp	upx
behavioral2/memory/3208-145-0x00007FF693150000-0x00007FF6934A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\uktMksu.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tPuXsFw.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QFeoVts.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZCJWiw.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLiCfdG.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VzJIbAi.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CTiOIiT.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnHFHMt.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQUoClO.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqETHEn.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtnzCzO.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ozMNUaQ.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOwFeQX.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\djOZiUV.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AmIFHXM.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxfYWBr.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFQeLdh.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OgDTiSL.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnxErXS.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vENbMVM.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ChIESgi.exe	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2328 wrote to memory of 1660	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	AmIFHXM.exe
PID 2328 wrote to memory of 1660	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	AmIFHXM.exe
PID 2328 wrote to memory of 1596	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	KtnzCzO.exe
PID 2328 wrote to memory of 1596	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	KtnzCzO.exe
PID 2328 wrote to memory of 4524	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	ozMNUaQ.exe
PID 2328 wrote to memory of 4524	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	ozMNUaQ.exe
PID 2328 wrote to memory of 464	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	LLiCfdG.exe
PID 2328 wrote to memory of 464	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	LLiCfdG.exe
PID 2328 wrote to memory of 2812	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	TZCJWiw.exe
PID 2328 wrote to memory of 2812	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	TZCJWiw.exe
PID 2328 wrote to memory of 4420	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	uktMksu.exe
PID 2328 wrote to memory of 4420	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	uktMksu.exe
PID 2328 wrote to memory of 3896	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	yOwFeQX.exe
PID 2328 wrote to memory of 3896	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	yOwFeQX.exe
PID 2328 wrote to memory of 1704	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	ChIESgi.exe
PID 2328 wrote to memory of 1704	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	ChIESgi.exe
PID 2328 wrote to memory of 3480	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	mxfYWBr.exe
PID 2328 wrote to memory of 3480	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	mxfYWBr.exe
PID 2328 wrote to memory of 3208	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	VzJIbAi.exe
PID 2328 wrote to memory of 3208	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	VzJIbAi.exe
PID 2328 wrote to memory of 4856	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	tPuXsFw.exe
PID 2328 wrote to memory of 4856	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	tPuXsFw.exe
PID 2328 wrote to memory of 1768	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	CFQeLdh.exe
PID 2328 wrote to memory of 1768	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	CFQeLdh.exe
PID 2328 wrote to memory of 3060	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	CTiOIiT.exe
PID 2328 wrote to memory of 3060	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	CTiOIiT.exe
PID 2328 wrote to memory of 4828	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	OgDTiSL.exe
PID 2328 wrote to memory of 4828	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	OgDTiSL.exe
PID 2328 wrote to memory of 1436	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	RnHFHMt.exe
PID 2328 wrote to memory of 1436	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	RnHFHMt.exe
PID 2328 wrote to memory of 2084	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	WnxErXS.exe
PID 2328 wrote to memory of 2084	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	WnxErXS.exe
PID 2328 wrote to memory of 4648	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	QQUoClO.exe
PID 2328 wrote to memory of 4648	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	QQUoClO.exe
PID 2328 wrote to memory of 3800	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	vENbMVM.exe
PID 2328 wrote to memory of 3800	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	vENbMVM.exe
PID 2328 wrote to memory of 3628	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	oqETHEn.exe
PID 2328 wrote to memory of 3628	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	oqETHEn.exe
PID 2328 wrote to memory of 3764	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	djOZiUV.exe
PID 2328 wrote to memory of 3764	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	djOZiUV.exe
PID 2328 wrote to memory of 4796	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	QFeoVts.exe
PID 2328 wrote to memory of 4796	2328	2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe	QFeoVts.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_594ffb8b1c52a8f988b9a59ea508c8f5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\System\AmIFHXM.exe
C:\Windows\System\AmIFHXM.exe
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\System\KtnzCzO.exe
C:\Windows\System\KtnzCzO.exe
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\System\ozMNUaQ.exe
C:\Windows\System\ozMNUaQ.exe
2⤵
- Executes dropped EXE
PID:4524

C:\Windows\System\LLiCfdG.exe
C:\Windows\System\LLiCfdG.exe
2⤵
- Executes dropped EXE
PID:464

C:\Windows\System\TZCJWiw.exe
C:\Windows\System\TZCJWiw.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Windows\System\uktMksu.exe
C:\Windows\System\uktMksu.exe
2⤵
- Executes dropped EXE
PID:4420

C:\Windows\System\yOwFeQX.exe
C:\Windows\System\yOwFeQX.exe
2⤵
- Executes dropped EXE
PID:3896

C:\Windows\System\ChIESgi.exe
C:\Windows\System\ChIESgi.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\mxfYWBr.exe
C:\Windows\System\mxfYWBr.exe
2⤵
- Executes dropped EXE
PID:3480

C:\Windows\System\VzJIbAi.exe
C:\Windows\System\VzJIbAi.exe
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\System\tPuXsFw.exe
C:\Windows\System\tPuXsFw.exe
2⤵
- Executes dropped EXE
PID:4856

C:\Windows\System\CFQeLdh.exe
C:\Windows\System\CFQeLdh.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\System\CTiOIiT.exe
C:\Windows\System\CTiOIiT.exe
2⤵
- Executes dropped EXE
PID:3060

C:\Windows\System\OgDTiSL.exe
C:\Windows\System\OgDTiSL.exe
2⤵
- Executes dropped EXE
PID:4828

C:\Windows\System\RnHFHMt.exe
C:\Windows\System\RnHFHMt.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\WnxErXS.exe
C:\Windows\System\WnxErXS.exe
2⤵
- Executes dropped EXE
PID:2084

C:\Windows\System\QQUoClO.exe
C:\Windows\System\QQUoClO.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\vENbMVM.exe
C:\Windows\System\vENbMVM.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Windows\System\oqETHEn.exe
C:\Windows\System\oqETHEn.exe
2⤵
- Executes dropped EXE
PID:3628

C:\Windows\System\djOZiUV.exe
C:\Windows\System\djOZiUV.exe
2⤵
- Executes dropped EXE
PID:3764

C:\Windows\System\QFeoVts.exe
C:\Windows\System\QFeoVts.exe
2⤵
- Executes dropped EXE
PID:4796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AmIFHXM.exe
Filesize
5.9MB

MD5
dd7a5bc3f6731f507532219539a3023b

SHA1
7ada8ed66fe65949dd31e4131c176c63b034a88f

SHA256
6e59326f057ed34ec83a49a3a46c5cd04d55405846bddf4270318824ef398fa5

SHA512
97fe9b0ed5f6d69319c291405ea209baa918b95bc9f03f5a2bdec7253a255b5c920860796c5ade225c066b297cec8f4fa4422a240ddd6150eeaf78c46dd2f6bb

Download Submit
C:\Windows\System\CFQeLdh.exe
Filesize
5.9MB

MD5
7a7c5839632f94e25d84c8f0bd27631d

SHA1
ddf9edac1181f686904c5551bd87a0fc049c2cea

SHA256
584ad761d5cd6391cb01a81fe01c29c6928a6ab5e09eee574ead7781d17fd604

SHA512
6f4f245f157507877d9df39599a12882da8b1523aa14292ba880c932b1798507ecdcac5d901447d7befabfd0f0523245c73a9f10805813a8ecc2dd04a250e6cb

Download Submit
C:\Windows\System\CTiOIiT.exe
Filesize
5.9MB

MD5
87b3dd1516dba00f2977f84553583d0c

SHA1
a7188940c6e9e4742095522bb754c6af6dd9f429

SHA256
1ed5669a3a1aa0636d3b53fd70cdbc08f2710548786b23b85081ca1f4c08deb2

SHA512
7119ab66f20a6f29656f4e82000098025b9806b56eb94901c3df285d7372f1dfcc28627ebc81b4732abd50c1aef6b0b3d32d0a7be5b0daf762e961222192dbd7

Download Submit
C:\Windows\System\ChIESgi.exe
Filesize
5.9MB

MD5
3fdac4f9b57b8f85dfc80a6f756cc7c0

SHA1
217d6aa70ce5bd349ef86b0c35f3106a6eb2a061

SHA256
c0b7acbb7b52fdd54af9343167c651e858f37e284a65a8291251166ff9d21af9

SHA512
d1a0ac8cc5b6b7f9d93bca60f0a430198daa08a8ce2353896fdbc5c7ddfb0528a2c8540a845b53e906ea50d3190e5d156f6e1720d4fc85aabb48940aaf026b52

Download Submit
C:\Windows\System\KtnzCzO.exe
Filesize
5.9MB

MD5
ef096a231130c1303f78de3b727c6a9b

SHA1
e11fe955dd2d103dca264119ad919ba843c2f745

SHA256
168b302617a60abe4bb1b85972c1c43fc49b4127f8aa17977ddcf1d4bdd540b2

SHA512
35a592a0e35f278f1682d1e73bd102d3dc445c8bce917ff288471632f1a9c2081ba578e4ee499b7d153881b0ddd5e4671eab93b1fdc63b04412dcaaa5a9e57af

Download Submit
C:\Windows\System\LLiCfdG.exe
Filesize
5.9MB

MD5
dba357c746d6ba431431c054d4d67aa3

SHA1
7eccefe4248a59c1cced2c07700f2fe4d5d7b44e

SHA256
ac7cc97ceccf92bfc3308c4e3df96ca741b63f33a228d8e497b8b40d7de6761f

SHA512
f30858b6ed36da54ef6dff84b1e127bc8657bed6cbe05ed0b87a6cfb14d502e898715515e3f16d1bf8bcb14ed2356010c45b39a308043cfc443c4c3734c08cbb

Download Submit
C:\Windows\System\OgDTiSL.exe
Filesize
5.9MB

MD5
462c54b01918502a5ed1b474afe48907

SHA1
967b5da5e3ccbe1129455f9588022f44cd7b3e80

SHA256
eba33156debd0b6fd06925bda27a1fbece5a36d2fb8d2bfa9978c19b74cb3559

SHA512
b9fc3600c7d1e4882714103433e82398d532da70d6266f59a9e989d96026aab20d12c35cfe9620ac5cc65f54d712db0fb88070d64f89c898be5754616f07e30e

Download Submit
C:\Windows\System\QFeoVts.exe
Filesize
5.9MB

MD5
f4318d14c24c63aee7e7d0317755ed5d

SHA1
6674e72e9e506cf5f8311a7176473d811c8bec4c

SHA256
c213dc2ac3ac9e3abefd7cf2126149612b5bf2f090a1ea7ee606c371bdd937df

SHA512
2874d542735e8528849ce968bb6c308407603bcde6e10caeaed6bd6a7eaf5d3030189e32181eb818d4005d0f8fd150b00885330524edc625dd6a0e051ea792c1

Download Submit
C:\Windows\System\QQUoClO.exe
Filesize
5.9MB

MD5
3568c4e5a878a52dca7bb05867efbca1

SHA1
7a9204b70cfd41c4e28c9b0ac9f8da78317a769e

SHA256
fbaee43a0397033ff03ae813f1688a65d2d2234952f33b2d47e6abcb01bb969a

SHA512
026aca1e8af077f3237c0fc7aa1aa4e0eba00067351dcef5402109a60438d5818ecca56132a9aa634c46247a3261b0c302f8baf3331b03f8f18aacc2dbd12f1e

Download Submit
C:\Windows\System\RnHFHMt.exe
Filesize
5.9MB

MD5
d83d341bbf3c5e277ab600efd29b244c

SHA1
38fa9c3ccbd6d18d83048aef1c645de3805bfea6

SHA256
1004d81b8108529f682a216777210daac2811ffd42efabfa73de381f8893eea9

SHA512
8c9c6a6b9d7f3a3be6225a4d29c2497e1dcaa5b2b68c8e1ee5a6d9f9c731b8e15cdce8cf0e136be2c6d0f46e12aaba030a6ea3e8a660265eec39db2289aba5c3

Download Submit
C:\Windows\System\TZCJWiw.exe
Filesize
5.9MB

MD5
55bcb11d35054c88ffe8687d03000ac0

SHA1
7d65072a3b2e40032ccf1bdc86b611ca65c0ea9c

SHA256
665aab2b9daf77f7fa17470d319a78c7994625ee44808066619074c0f9def981

SHA512
9fb8e01535b22063f395bbf12593c804f9c9a9d5916fc699f1755af8367b2e825bec2ee79ebc7b11ee10e7f5d5fca3b11533c0e511c2bd6b2e76643bd498743b

Download Submit
C:\Windows\System\VzJIbAi.exe
Filesize
5.9MB

MD5
221eb3ba97534a15321b657e44f0409f

SHA1
647e3c6fbcc59fe9ff0cc89dbeacad512802a48a

SHA256
2d3c0570c6c50968bcabd0e1665b2757485fbef3ee80fb8872957262396d6eee

SHA512
178ba13488b316b3ba9f67a2f59040c91ae2bc52c2465176c75948d61f0e2c5be6ef0cb2e30f586cfef85139fd76e8ad4ecaf7b3d64d5cd5fe6e4d0f5b5dd086

Download Submit
C:\Windows\System\WnxErXS.exe
Filesize
5.9MB

MD5
67dc7e9ea6031deabb56f15061e8e8d5

SHA1
cf496b65cd87de7da990ab3942790c9f084da754

SHA256
84ebfa50b2f0b214970bbaad4151266a441075cb6657df9a97c4216cc7caef0b

SHA512
b9ed72bc829c9b44ffa7d66239b41f6f4549c94f6edd33e48f2a4c0824b18ff64f5d168237f87973d2de74cfa4ad875c3bd1671d281357b28f5a228216f79eb1

Download Submit
C:\Windows\System\djOZiUV.exe
Filesize
5.9MB

MD5
90a9fcc86a3aa0e9066d39a940202313

SHA1
66e2544f20ace57d9c0449ee39be1e3dff8b3ad7

SHA256
0907b145ccd902177cde951903ba36add005d6d982ff63f33611eac0c8c73253

SHA512
da50a8230c8f242d53cb4146803245806dcad93d1b6c36c5c0dfb574ccb59b3f217664e69dbda5e86586f67c64e8feac32c04e78c70a335ae99e8944b7238ba5

Download Submit
C:\Windows\System\mxfYWBr.exe
Filesize
5.9MB

MD5
8552d4493ec0356276df99b5694747dd

SHA1
129ea6198f076f6213e025392010241f0540244d

SHA256
c2c4a901cb1b38e523d7eea1692a47067c8a87f73c2b450b9a858425b0c78402

SHA512
ba51f81506abe2747b8483ecfb8a140e2c07eea73eb154d2f879f4438acdb8f67d669772bab1a3f30e6b7c6add39430b8503b36bda2ae8616e9b23af94fb69bf

Download Submit
C:\Windows\System\oqETHEn.exe
Filesize
5.9MB

MD5
bf577045d5b9dc534f0aae6999c3191c

SHA1
a264f1210abb387f0215518234786e3a56a35cf1

SHA256
c4136518f5d809dd11a070e415aa1d46a6d61f6c36797334b720e512ec364475

SHA512
ac4f5c15ad78c8a2ad6600b86572397ba0a7374d2f163200993f7172f0f5a291b050ce0d6ea4accfb0f2b9c0f68c8be458f56055394da46427408168f1eadac0

Download Submit
C:\Windows\System\ozMNUaQ.exe
Filesize
5.9MB

MD5
2e0c0c7b8c75282633391d679087c90f

SHA1
f2f62a53d06f51ad616394b70ca063d5968b1d82

SHA256
b394922c926a1bb5f57164e75ee8c72c9c8899ce7b0c5bcd62ae91957021c797

SHA512
c8f242c496d308e2048afcd74489bbd43530502ee3498809c3253bc7f5d6da5cab8300a891c6a86fa8dfa37d41e9ffb0f74590ef55f3035f52efd87bb1858f79

Download Submit
C:\Windows\System\tPuXsFw.exe
Filesize
5.9MB

MD5
4c4ccfc04e6ea5a043fc46df3255d35b

SHA1
8f2b15dc0ba881dcdc7f216d8da00df5ee702a8e

SHA256
a832c8ff37aedb34fd407faec1f344411a91749d63e9419f71ce20d33da62a48

SHA512
ed798b5870e51feab14082ad61a699a7dadb118895a7703ba5c9fd729f9a4f3805e31a4523eb89cd737215b84679648bbb91262ad37e0594277403f5f77e4e03

Download Submit
C:\Windows\System\uktMksu.exe
Filesize
5.9MB

MD5
c3d1c73bd82842b6f8b6a0beff25d9fb

SHA1
2038da6baa81a33a00732abbbd7a3c4d7e036f2b

SHA256
5398c4a918106ae6402997d04b1e335d6f631d3a49d2686bbc8905fab7b2b958

SHA512
9a0e390ea8375fba67a1b53f30eb01ae03fb7263e21dab6c9736a732b149caf49561ad5bd176d209433ff4327906e0e830438fa2e52a340c9883517ab4e7dee9

Download Submit
C:\Windows\System\vENbMVM.exe
Filesize
5.9MB

MD5
6118f8fe1063767319d994a20d92ebd6

SHA1
ca4ebde8c16319452f2af385ba9b9184c6affcb3

SHA256
32f6133b994eb6c8d89ba7cb1f64793f2ded0d03fd63f1e5b0fc1ffdc965c2ea

SHA512
19598bcab5778056a343c58407b87c012b2b1a8f5e64c0c2aefa7dfd697561ba2fa0c6a20756186c9c7d15e91241f533d0b231fbfc9ae5ad077ccd3a2b8516dd

Download Submit
C:\Windows\System\yOwFeQX.exe
Filesize
5.9MB

MD5
7a2fb44900e5550f9026ae7f5559ad76

SHA1
8e972f77fe73391cd8eb1c760f716c1ac0cf70a0

SHA256
c9a96e25e63c93d3a4131e83f1c2eba5067a061302009aaa4b4b31e7a9190b6e

SHA512
68f52b6d6babd93030182fb9dc5d167f71d2022b2890db9ce3230aa1707c9ae3a75414952f41fc49f381fd8267ed7c24d1c96bb838701f82dd734ac5724adf01

Download Submit
memory/464-141-0x00007FF74F040000-0x00007FF74F394000-memory.dmp

Filesize
3.3MB

Download
memory/464-29-0x00007FF74F040000-0x00007FF74F394000-memory.dmp

Filesize
3.3MB

Download
memory/1436-135-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

Filesize
3.3MB

Download
memory/1436-98-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

Filesize
3.3MB

Download
memory/1436-153-0x00007FF64D3B0000-0x00007FF64D704000-memory.dmp

Filesize
3.3MB

Download
memory/1596-139-0x00007FF600510000-0x00007FF600864000-memory.dmp

Filesize
3.3MB

Download
memory/1596-13-0x00007FF600510000-0x00007FF600864000-memory.dmp

Filesize
3.3MB

Download
memory/1596-121-0x00007FF600510000-0x00007FF600864000-memory.dmp

Filesize
3.3MB

Download
memory/1660-138-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1660-111-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1660-7-0x00007FF76A690000-0x00007FF76A9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-92-0x00007FF799B40000-0x00007FF799E94000-memory.dmp

Filesize
3.3MB

Download
memory/1704-147-0x00007FF799B40000-0x00007FF799E94000-memory.dmp

Filesize
3.3MB

Download
memory/1768-82-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

Filesize
3.3MB

Download
memory/1768-151-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

Filesize
3.3MB

Download
memory/1768-133-0x00007FF6A7380000-0x00007FF6A76D4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-134-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-90-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-152-0x00007FF608C80000-0x00007FF608FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2328-104-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp

Filesize
3.3MB

Download
memory/2328-0-0x00007FF6A5E70000-0x00007FF6A61C4000-memory.dmp

Filesize
3.3MB

Download
memory/2328-1-0x00000247D72D0000-0x00000247D72E0000-memory.dmp

Filesize
64KB

Download
memory/2812-143-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-30-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-131-0x00007FF703570000-0x00007FF7038C4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-89-0x00007FF70A110000-0x00007FF70A464000-memory.dmp

Filesize
3.3MB

Download
memory/3060-149-0x00007FF70A110000-0x00007FF70A464000-memory.dmp

Filesize
3.3MB

Download
memory/3208-71-0x00007FF693150000-0x00007FF6934A4000-memory.dmp

Filesize
3.3MB

Download
memory/3208-145-0x00007FF693150000-0x00007FF6934A4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-132-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

Filesize
3.3MB

Download
memory/3480-70-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

Filesize
3.3MB

Download
memory/3480-148-0x00007FF7B6ED0000-0x00007FF7B7224000-memory.dmp

Filesize
3.3MB

Download
memory/3628-124-0x00007FF626860000-0x00007FF626BB4000-memory.dmp

Filesize
3.3MB

Download
memory/3628-156-0x00007FF626860000-0x00007FF626BB4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-158-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-125-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-136-0x00007FF673650000-0x00007FF6739A4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-155-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-113-0x00007FF72A590000-0x00007FF72A8E4000-memory.dmp

Filesize
3.3MB

Download
memory/3896-144-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp

Filesize
3.3MB

Download
memory/3896-48-0x00007FF788AF0000-0x00007FF788E44000-memory.dmp

Filesize
3.3MB

Download
memory/4420-39-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp

Filesize
3.3MB

Download
memory/4420-142-0x00007FF6097C0000-0x00007FF609B14000-memory.dmp

Filesize
3.3MB

Download
memory/4524-140-0x00007FF760EE0000-0x00007FF761234000-memory.dmp

Filesize
3.3MB

Download
memory/4524-20-0x00007FF760EE0000-0x00007FF761234000-memory.dmp

Filesize
3.3MB

Download
memory/4648-105-0x00007FF7321B0000-0x00007FF732504000-memory.dmp

Filesize
3.3MB

Download
memory/4648-154-0x00007FF7321B0000-0x00007FF732504000-memory.dmp

Filesize
3.3MB

Download
memory/4796-126-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp

Filesize
3.3MB

Download
memory/4796-137-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp

Filesize
3.3MB

Download
memory/4796-157-0x00007FF7BC1C0000-0x00007FF7BC514000-memory.dmp

Filesize
3.3MB

Download
memory/4828-150-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp

Filesize
3.3MB

Download
memory/4828-95-0x00007FF6A0660000-0x00007FF6A09B4000-memory.dmp

Filesize
3.3MB

Download
memory/4856-146-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp

Filesize
3.3MB

Download
memory/4856-73-0x00007FF6CF210000-0x00007FF6CF564000-memory.dmp

Filesize
3.3MB

Download