cobaltstrike | c866fd74a259d82124228e798b2b359742482802064e606ac015187b32bc9546

Analysis

max time kernel
157s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

359a0df22cf70e52e442d48b89b54d2f
SHA1

d9c5bbdc24c1084f03943f05d03d8cd71f188fda
SHA256

c866fd74a259d82124228e798b2b359742482802064e606ac015187b32bc9546
SHA512

8271be36b2440d8826b02a49fed44cadca44e147d382f3c9ee7cdd84a245fb1ef0d77b54f3012b085cf581955514f51d0f0366e151bd1d38db618b730367ba27
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUH:Q+856utgpPF8u/7H

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\mElHPpi.exe	cobalt_reflective_dll
C:\Windows\System\aMIuLwN.exe	cobalt_reflective_dll
C:\Windows\System\akWthba.exe	cobalt_reflective_dll
C:\Windows\System\ydOCuGI.exe	cobalt_reflective_dll
C:\Windows\System\KRJHAJM.exe	cobalt_reflective_dll
C:\Windows\System\jIhfjMN.exe	cobalt_reflective_dll
C:\Windows\System\ElsHgtI.exe	cobalt_reflective_dll
C:\Windows\System\kXbduzy.exe	cobalt_reflective_dll
C:\Windows\System\DdOtKnm.exe	cobalt_reflective_dll
C:\Windows\System\ENSEawX.exe	cobalt_reflective_dll
C:\Windows\System\VZbiPtN.exe	cobalt_reflective_dll
C:\Windows\System\XRbSxuN.exe	cobalt_reflective_dll
C:\Windows\System\kTCKACZ.exe	cobalt_reflective_dll
C:\Windows\System\gbfwXKy.exe	cobalt_reflective_dll
C:\Windows\System\IUfEnMw.exe	cobalt_reflective_dll
C:\Windows\System\OpgNKXS.exe	cobalt_reflective_dll
C:\Windows\System\QxQxrBg.exe	cobalt_reflective_dll
C:\Windows\System\lwPaLKK.exe	cobalt_reflective_dll
C:\Windows\System\ibwPEaK.exe	cobalt_reflective_dll
C:\Windows\System\IZQfjVr.exe	cobalt_reflective_dll
C:\Windows\System\EuZdOnh.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\mElHPpi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aMIuLwN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\akWthba.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ydOCuGI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KRJHAJM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jIhfjMN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ElsHgtI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kXbduzy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DdOtKnm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ENSEawX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VZbiPtN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XRbSxuN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kTCKACZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gbfwXKy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IUfEnMw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OpgNKXS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QxQxrBg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lwPaLKK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ibwPEaK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IZQfjVr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EuZdOnh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	UPX
C:\Windows\System\mElHPpi.exe	UPX
behavioral2/memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	UPX
C:\Windows\System\aMIuLwN.exe	UPX
behavioral2/memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	UPX
C:\Windows\System\akWthba.exe	UPX
behavioral2/memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	UPX
C:\Windows\System\ydOCuGI.exe	UPX
behavioral2/memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	UPX
C:\Windows\System\KRJHAJM.exe	UPX
behavioral2/memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	UPX
C:\Windows\System\jIhfjMN.exe	UPX
behavioral2/memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	UPX
C:\Windows\System\ElsHgtI.exe	UPX
behavioral2/memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp	UPX
C:\Windows\System\kXbduzy.exe	UPX
behavioral2/memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	UPX
C:\Windows\System\DdOtKnm.exe	UPX
behavioral2/memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	UPX
C:\Windows\System\ENSEawX.exe	UPX
behavioral2/memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	UPX
behavioral2/memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	UPX
C:\Windows\System\VZbiPtN.exe	UPX
behavioral2/memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	UPX
behavioral2/memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp	UPX
C:\Windows\System\XRbSxuN.exe	UPX
behavioral2/memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	UPX
behavioral2/memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp	UPX
C:\Windows\System\kTCKACZ.exe	UPX
behavioral2/memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp	UPX
behavioral2/memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	UPX
C:\Windows\System\gbfwXKy.exe	UPX
behavioral2/memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	UPX
behavioral2/memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	UPX
C:\Windows\System\IUfEnMw.exe	UPX
behavioral2/memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	UPX
behavioral2/memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp	UPX
C:\Windows\System\OpgNKXS.exe	UPX
behavioral2/memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp	UPX
C:\Windows\System\QxQxrBg.exe	UPX
behavioral2/memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp	UPX
behavioral2/memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp	UPX
C:\Windows\System\lwPaLKK.exe	UPX
C:\Windows\System\ibwPEaK.exe	UPX
behavioral2/memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	UPX
C:\Windows\System\IZQfjVr.exe	UPX
behavioral2/memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp	UPX
behavioral2/memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	UPX
C:\Windows\System\EuZdOnh.exe	UPX
behavioral2/memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	UPX
behavioral2/memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp	UPX
behavioral2/memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	UPX
behavioral2/memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	UPX
behavioral2/memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	UPX
behavioral2/memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	UPX
behavioral2/memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	UPX
behavioral2/memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	UPX
behavioral2/memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	UPX
behavioral2/memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	UPX
behavioral2/memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	UPX
behavioral2/memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp	UPX
behavioral2/memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	UPX
behavioral2/memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	UPX
behavioral2/memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	xmrig
C:\Windows\System\mElHPpi.exe	xmrig
behavioral2/memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	xmrig
C:\Windows\System\aMIuLwN.exe	xmrig
behavioral2/memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	xmrig
C:\Windows\System\akWthba.exe	xmrig
behavioral2/memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	xmrig
C:\Windows\System\ydOCuGI.exe	xmrig
behavioral2/memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	xmrig
C:\Windows\System\KRJHAJM.exe	xmrig
behavioral2/memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	xmrig
C:\Windows\System\jIhfjMN.exe	xmrig
behavioral2/memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	xmrig
C:\Windows\System\ElsHgtI.exe	xmrig
behavioral2/memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp	xmrig
C:\Windows\System\kXbduzy.exe	xmrig
behavioral2/memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	xmrig
C:\Windows\System\DdOtKnm.exe	xmrig
behavioral2/memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	xmrig
C:\Windows\System\ENSEawX.exe	xmrig
behavioral2/memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	xmrig
behavioral2/memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	xmrig
C:\Windows\System\VZbiPtN.exe	xmrig
behavioral2/memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	xmrig
behavioral2/memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp	xmrig
C:\Windows\System\XRbSxuN.exe	xmrig
behavioral2/memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	xmrig
behavioral2/memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp	xmrig
C:\Windows\System\kTCKACZ.exe	xmrig
behavioral2/memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp	xmrig
behavioral2/memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	xmrig
C:\Windows\System\gbfwXKy.exe	xmrig
behavioral2/memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	xmrig
behavioral2/memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	xmrig
C:\Windows\System\IUfEnMw.exe	xmrig
behavioral2/memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	xmrig
behavioral2/memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp	xmrig
C:\Windows\System\OpgNKXS.exe	xmrig
behavioral2/memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp	xmrig
C:\Windows\System\QxQxrBg.exe	xmrig
behavioral2/memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp	xmrig
behavioral2/memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp	xmrig
C:\Windows\System\lwPaLKK.exe	xmrig
C:\Windows\System\ibwPEaK.exe	xmrig
behavioral2/memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	xmrig
C:\Windows\System\IZQfjVr.exe	xmrig
behavioral2/memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp	xmrig
behavioral2/memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	xmrig
C:\Windows\System\EuZdOnh.exe	xmrig
behavioral2/memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	xmrig
behavioral2/memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp	xmrig
behavioral2/memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	xmrig
behavioral2/memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	xmrig
behavioral2/memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	xmrig
behavioral2/memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	xmrig
behavioral2/memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	xmrig
behavioral2/memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	xmrig
behavioral2/memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	xmrig
behavioral2/memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	xmrig
behavioral2/memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	xmrig
behavioral2/memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp	xmrig
behavioral2/memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	xmrig
behavioral2/memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	xmrig
behavioral2/memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

mElHPpi.exeaMIuLwN.exeakWthba.exeydOCuGI.exeKRJHAJM.exejIhfjMN.exeElsHgtI.exekXbduzy.exeDdOtKnm.exeENSEawX.exeVZbiPtN.exeXRbSxuN.exekTCKACZ.exegbfwXKy.exeIUfEnMw.exeOpgNKXS.exeQxQxrBg.exeibwPEaK.exelwPaLKK.exeIZQfjVr.exeEuZdOnh.exe

pid	process
4384	mElHPpi.exe
2320	aMIuLwN.exe
1844	akWthba.exe
928	ydOCuGI.exe
1568	KRJHAJM.exe
3808	jIhfjMN.exe
2304	ElsHgtI.exe
2884	kXbduzy.exe
448	DdOtKnm.exe
4676	ENSEawX.exe
3756	VZbiPtN.exe
2696	XRbSxuN.exe
1216	kTCKACZ.exe
1792	gbfwXKy.exe
224	IUfEnMw.exe
4084	OpgNKXS.exe
1728	QxQxrBg.exe
2512	ibwPEaK.exe
3580	lwPaLKK.exe
3276	IZQfjVr.exe
1520	EuZdOnh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	upx
C:\Windows\System\mElHPpi.exe	upx
behavioral2/memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	upx
C:\Windows\System\aMIuLwN.exe	upx
behavioral2/memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	upx
C:\Windows\System\akWthba.exe	upx
behavioral2/memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	upx
C:\Windows\System\ydOCuGI.exe	upx
behavioral2/memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	upx
C:\Windows\System\KRJHAJM.exe	upx
behavioral2/memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	upx
C:\Windows\System\jIhfjMN.exe	upx
behavioral2/memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	upx
C:\Windows\System\ElsHgtI.exe	upx
behavioral2/memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp	upx
C:\Windows\System\kXbduzy.exe	upx
behavioral2/memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	upx
C:\Windows\System\DdOtKnm.exe	upx
behavioral2/memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	upx
C:\Windows\System\ENSEawX.exe	upx
behavioral2/memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp	upx
behavioral2/memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	upx
C:\Windows\System\VZbiPtN.exe	upx
behavioral2/memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	upx
behavioral2/memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp	upx
C:\Windows\System\XRbSxuN.exe	upx
behavioral2/memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	upx
behavioral2/memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp	upx
C:\Windows\System\kTCKACZ.exe	upx
behavioral2/memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp	upx
behavioral2/memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	upx
C:\Windows\System\gbfwXKy.exe	upx
behavioral2/memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	upx
behavioral2/memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	upx
C:\Windows\System\IUfEnMw.exe	upx
behavioral2/memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	upx
behavioral2/memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp	upx
C:\Windows\System\OpgNKXS.exe	upx
behavioral2/memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp	upx
C:\Windows\System\QxQxrBg.exe	upx
behavioral2/memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp	upx
behavioral2/memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp	upx
C:\Windows\System\lwPaLKK.exe	upx
C:\Windows\System\ibwPEaK.exe	upx
behavioral2/memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	upx
C:\Windows\System\IZQfjVr.exe	upx
behavioral2/memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp	upx
behavioral2/memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	upx
C:\Windows\System\EuZdOnh.exe	upx
behavioral2/memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	upx
behavioral2/memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp	upx
behavioral2/memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp	upx
behavioral2/memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp	upx
behavioral2/memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp	upx
behavioral2/memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp	upx
behavioral2/memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp	upx
behavioral2/memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp	upx
behavioral2/memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp	upx
behavioral2/memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp	upx
behavioral2/memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp	upx
behavioral2/memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp	upx
behavioral2/memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp	upx
behavioral2/memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp	upx
behavioral2/memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ydOCuGI.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ElsHgtI.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XRbSxuN.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gbfwXKy.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpgNKXS.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aMIuLwN.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRJHAJM.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kXbduzy.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lwPaLKK.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IZQfjVr.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mElHPpi.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENSEawX.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VZbiPtN.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kTCKACZ.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUfEnMw.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibwPEaK.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EuZdOnh.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DdOtKnm.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jIhfjMN.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QxQxrBg.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\akWthba.exe	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4660 wrote to memory of 4384	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	mElHPpi.exe
PID 4660 wrote to memory of 4384	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	mElHPpi.exe
PID 4660 wrote to memory of 2320	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	aMIuLwN.exe
PID 4660 wrote to memory of 2320	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	aMIuLwN.exe
PID 4660 wrote to memory of 1844	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	akWthba.exe
PID 4660 wrote to memory of 1844	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	akWthba.exe
PID 4660 wrote to memory of 928	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ydOCuGI.exe
PID 4660 wrote to memory of 928	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ydOCuGI.exe
PID 4660 wrote to memory of 1568	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	KRJHAJM.exe
PID 4660 wrote to memory of 1568	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	KRJHAJM.exe
PID 4660 wrote to memory of 3808	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	jIhfjMN.exe
PID 4660 wrote to memory of 3808	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	jIhfjMN.exe
PID 4660 wrote to memory of 2304	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ElsHgtI.exe
PID 4660 wrote to memory of 2304	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ElsHgtI.exe
PID 4660 wrote to memory of 2884	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	kXbduzy.exe
PID 4660 wrote to memory of 2884	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	kXbduzy.exe
PID 4660 wrote to memory of 448	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	DdOtKnm.exe
PID 4660 wrote to memory of 448	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	DdOtKnm.exe
PID 4660 wrote to memory of 4676	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ENSEawX.exe
PID 4660 wrote to memory of 4676	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ENSEawX.exe
PID 4660 wrote to memory of 3756	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	VZbiPtN.exe
PID 4660 wrote to memory of 3756	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	VZbiPtN.exe
PID 4660 wrote to memory of 2696	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	XRbSxuN.exe
PID 4660 wrote to memory of 2696	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	XRbSxuN.exe
PID 4660 wrote to memory of 1216	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	kTCKACZ.exe
PID 4660 wrote to memory of 1216	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	kTCKACZ.exe
PID 4660 wrote to memory of 1792	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	gbfwXKy.exe
PID 4660 wrote to memory of 1792	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	gbfwXKy.exe
PID 4660 wrote to memory of 224	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	IUfEnMw.exe
PID 4660 wrote to memory of 224	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	IUfEnMw.exe
PID 4660 wrote to memory of 4084	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	OpgNKXS.exe
PID 4660 wrote to memory of 4084	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	OpgNKXS.exe
PID 4660 wrote to memory of 1728	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	QxQxrBg.exe
PID 4660 wrote to memory of 1728	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	QxQxrBg.exe
PID 4660 wrote to memory of 2512	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ibwPEaK.exe
PID 4660 wrote to memory of 2512	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	ibwPEaK.exe
PID 4660 wrote to memory of 3580	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	lwPaLKK.exe
PID 4660 wrote to memory of 3580	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	lwPaLKK.exe
PID 4660 wrote to memory of 3276	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	IZQfjVr.exe
PID 4660 wrote to memory of 3276	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	IZQfjVr.exe
PID 4660 wrote to memory of 1520	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	EuZdOnh.exe
PID 4660 wrote to memory of 1520	4660	2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe	EuZdOnh.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_359a0df22cf70e52e442d48b89b54d2f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\System\mElHPpi.exe
C:\Windows\System\mElHPpi.exe
2⤵
- Executes dropped EXE
PID:4384

C:\Windows\System\aMIuLwN.exe
C:\Windows\System\aMIuLwN.exe
2⤵
- Executes dropped EXE
PID:2320

C:\Windows\System\akWthba.exe
C:\Windows\System\akWthba.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\System\ydOCuGI.exe
C:\Windows\System\ydOCuGI.exe
2⤵
- Executes dropped EXE
PID:928

C:\Windows\System\KRJHAJM.exe
C:\Windows\System\KRJHAJM.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\jIhfjMN.exe
C:\Windows\System\jIhfjMN.exe
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\System\ElsHgtI.exe
C:\Windows\System\ElsHgtI.exe
2⤵
- Executes dropped EXE
PID:2304

C:\Windows\System\kXbduzy.exe
C:\Windows\System\kXbduzy.exe
2⤵
- Executes dropped EXE
PID:2884

C:\Windows\System\DdOtKnm.exe
C:\Windows\System\DdOtKnm.exe
2⤵
- Executes dropped EXE
PID:448

C:\Windows\System\ENSEawX.exe
C:\Windows\System\ENSEawX.exe
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\System\VZbiPtN.exe
C:\Windows\System\VZbiPtN.exe
2⤵
- Executes dropped EXE
PID:3756

C:\Windows\System\XRbSxuN.exe
C:\Windows\System\XRbSxuN.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\kTCKACZ.exe
C:\Windows\System\kTCKACZ.exe
2⤵
- Executes dropped EXE
PID:1216

C:\Windows\System\gbfwXKy.exe
C:\Windows\System\gbfwXKy.exe
2⤵
- Executes dropped EXE
PID:1792

C:\Windows\System\IUfEnMw.exe
C:\Windows\System\IUfEnMw.exe
2⤵
- Executes dropped EXE
PID:224

C:\Windows\System\OpgNKXS.exe
C:\Windows\System\OpgNKXS.exe
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\System\QxQxrBg.exe
C:\Windows\System\QxQxrBg.exe
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\System\ibwPEaK.exe
C:\Windows\System\ibwPEaK.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\lwPaLKK.exe
C:\Windows\System\lwPaLKK.exe
2⤵
- Executes dropped EXE
PID:3580

C:\Windows\System\IZQfjVr.exe
C:\Windows\System\IZQfjVr.exe
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System\EuZdOnh.exe
C:\Windows\System\EuZdOnh.exe
2⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DdOtKnm.exe
Filesize
5.9MB

MD5
9e19aa8cfcbcdc44d6c379ecaa6cca31

SHA1
0bd6f23b2a90fe3cf79cc0b02f48faaaa6367a14

SHA256
02122060e255938e33f25f7d0e98d6be6209ba7ffbc85ab6874a95eb4d9200b0

SHA512
a38ba9f1a4c7342465717affd168b30add520788f62a72f63959a7ed63524e1b7d7690c9ba5b7801cb09f84683263a70cf5ac5574753cad8f80ba433dac8901a

Download Submit
C:\Windows\System\ENSEawX.exe
Filesize
5.9MB

MD5
f5143e3027e0939a7cd566b63adc6fa6

SHA1
431444e9256d564a862e7be670340e3cdc2a5585

SHA256
e915527ada344341cf413f1b222c2c3372ff838950abb4898d6fe24d3053855c

SHA512
221223b520fdc25505d3be7640e2909a667f883cb6f0a3463e4436fe78c04397e44ce21edaf9e7fc41ffd4083e4d2ce0ade15245518dbf0c5e5eb89cf04917e3

Download Submit
C:\Windows\System\ElsHgtI.exe
Filesize
5.9MB

MD5
308461950a8a0437affd703bc8db14f4

SHA1
86f4e094011b8a5e4a95422671a273250d155794

SHA256
e7dfd015ac5fcc7044297965bbcadcbb2861cde03b2d9240972b45547b0ea670

SHA512
7e794e7236404b4d12ee4692199d43bca32acadb78c7ca87b4490fbee1acf5472de2639989d1a4adfd35695e376bf61a13625c2d7ba7fcbda4bfca7e02f7d23f

Download Submit
C:\Windows\System\EuZdOnh.exe
Filesize
5.9MB

MD5
b318be8a8be73f74666abf604a161d94

SHA1
a574ad915c3cda7df439faede5a3459241a1a931

SHA256
0c4dd9cc572c8a479dd0e29081a13a72d3ab5ecd254d49a20acf4bcfd8684798

SHA512
230cc26c325ab5865fc001833ec4060ed2892986a2fddfefe41381ca5ec47400ae45affb3b244ce36f75216c8bac6f6b33a45fa29a0447780ce8d17773aafa4b

Download Submit
C:\Windows\System\IUfEnMw.exe
Filesize
5.9MB

MD5
d9c47551abb1da741e331264e37482e3

SHA1
bdcb2273ad4279db53bc5ee460d901fd36b26891

SHA256
3c060e48ba5e312f44101bcfbb40361b7c4185a18ab0c4986314187a69f437c5

SHA512
01244f3d5796d24d412c3b159245baf1d9bda65e9b6d52a63a700f22d5e130d4926e391bc0fa18681fd37cb5d17b3b3937b4325421dfb6f3f09367a36cf81cdd

Download Submit
C:\Windows\System\IZQfjVr.exe
Filesize
5.9MB

MD5
09da4b4a77600120113d13b61a6890ad

SHA1
5e2f07d3bf577f22156026345773e1641525cc2a

SHA256
2a1d019d5502599a5ab7e658e25af27950f1f8a7e48b62ef17849a041433a28e

SHA512
6772217ddf42dde26787ff763ac165256c3d7c20a2689496cf1e531115c56ae26982d327a6425bba735be114eabac0f20953f18a5b8dabc97cd73495672df352

Download Submit
C:\Windows\System\KRJHAJM.exe
Filesize
5.9MB

MD5
5408772a47d89ed7a3c84a69438887c9

SHA1
54ac9cca64bb400925abc90ed82ebd3118afd7be

SHA256
75ba0a0adc9aa0734eb479cef523d66077ed7d2f22fe25f9d3180efaa5cab715

SHA512
d369ff6f6f330d5e5404979e6dec7ca70e245d1a8e4494eaef37df09763e2cb5ed87cfcd854da4ef5955382dcff0eda69481cd6254a1fd3dfc5323fc4cde1ffc

Download Submit
C:\Windows\System\OpgNKXS.exe
Filesize
5.9MB

MD5
bbb07ef29759ac2adb7b100a54b6df75

SHA1
9e1296c03f92deb6b70ff6a63b6a1bf25e0bb99e

SHA256
de533be185e47a10a46d410a480b1fcd9ad9a912bccaded6d28ff1f1de35880d

SHA512
f6f5f8a0499e20652358526040e30939e8f855a5677be546b5f34882b5ca113ced8813fe46d30870b0ceafd1d806778a44e28b95ff3aa7aab163c0fa1ce55bbb

Download Submit
C:\Windows\System\QxQxrBg.exe
Filesize
5.9MB

MD5
d6d0fab8e3366af3fe71f10b45108d69

SHA1
656ff75b349ae9236a227874f699946f3525a9a2

SHA256
072ed5f3daf1330353e4b821b3d27cbc8c8fed66a4c494bb07d331391ce6f6f6

SHA512
8d41fc82137c516d6c0b2d135c088fc6ea224a379df10d8e13876ec4cb1e92369a7fc351ef77d60b08769c1fb922bfec2b084c3c27ad9e67274fb23d586e8357

Download Submit
C:\Windows\System\VZbiPtN.exe
Filesize
5.9MB

MD5
681297d9e62e2ece64a3006213c84e75

SHA1
01d3d16e879f39de3a4658fc6712af5cd87c22f4

SHA256
75f9d16168e63fea76215d633f073a48025673b6db3e009b0c6e378a67ce2770

SHA512
c2759e9a4f6799af07a814915cca1c735ea80f21b3f345705e7b75c0bdc16abf0c896725053f50c4b80d146e017a6c4b558817df20816747bab969096d270bf3

Download Submit
C:\Windows\System\XRbSxuN.exe
Filesize
5.9MB

MD5
0027c5a1661375a61198060dbe9ec874

SHA1
768fb1aff5f4f11ea975e372446ad2c537dca9af

SHA256
0c204a98a3b8bc343d9b420eb3535390fd468d230730242ae4abf22eb61d611a

SHA512
c975c7161bb235234b2e1adbc42614dc73503a4523080f77afb6121f88d022c7dccf0def9e3b2bda062f2e800c524f14635528b42f502afcff134180affc987d

Download Submit
C:\Windows\System\aMIuLwN.exe
Filesize
5.9MB

MD5
670d86bffc00e96da48a0aa7bd6f4642

SHA1
2395439546d5aadc32aadebc82ea80f59f9497d3

SHA256
d01f4e05b4c260b39a3b1449adc65de27337069fe071d73c41d05e46bda9161c

SHA512
5cfa538b611ce9e19b5c110b9a697ac9c82f93f5b1997cbd40ef5106cd4ab76333afd2df722265e8d6ba4fc0a0e31888cd03e497312a1c6807edccfc6a554c5c

Download Submit
C:\Windows\System\akWthba.exe
Filesize
5.9MB

MD5
9b4afd2bd671931379d01f20afe7bb06

SHA1
942463ed57e3a31ebae5fcdeac67c57ee8a5d8bb

SHA256
432c74aac08dfd0caea381590e07f55fc131d629f2bbd6806145b95fce558cdc

SHA512
f8f238bb1cb259a16d8003622c3ce0640ca9618a88c31222e361f931cad72bea7e8d799a3a06bc8c79d791cf6a4c6c57a2518a207f311ecbd4e04f26397bfc92

Download Submit
C:\Windows\System\gbfwXKy.exe
Filesize
5.9MB

MD5
5d74c32d4bbe2c8d9216173228567498

SHA1
cc85b93f1543294cde77d5a847d4368cc7183ec9

SHA256
739bc2cca7cf5bd9b5aa13fcbd92d220fa6a55b5f4854e920bd2893f118fd126

SHA512
4f063c9d5ff633821a2cc2736c3d42b669547f6763b1fd7d9f52cdbdad2f555a546bf1bca587116b85242a45dec0aec80dbc44ce01d07cb1bf4c895cacc5b0b5

Download Submit
C:\Windows\System\ibwPEaK.exe
Filesize
5.9MB

MD5
afec3d42486cab33c1006f08b39c37df

SHA1
5607e20183b6ff673e8fcb537267098949e853da

SHA256
d0d26d69cba64f9c0ca292b13a4ab4ce06e41bffa782d7a4e119038e022a09cb

SHA512
c4c8b707e0bb43b1cab09a264b18c0925c273ec3f29fe958944e0e6f929d1dda743e61376b7d9b1812011c6e54a7d684468a92a5817f3778dd935d0960406da7

Download Submit
C:\Windows\System\jIhfjMN.exe
Filesize
5.9MB

MD5
3955cd0de42c1efe9b90a042345054ec

SHA1
b0b1e44d95aa651390e87de2b0025d114cf59ba3

SHA256
4a5f862f19b7ea5eb360e1fc405752ed2e3968bfb1b9be599f07a7b9d8412e2c

SHA512
dd6c2bf38b8fc417bdb6f690e9fd4530c76079acbbf75a32331fcbe7e3a2ef7f8dc3c2d8d159df1e1a8ba6ccdaea0880794f8b9d0bf8dd0ec34a1a7bde10c7ba

Download Submit
C:\Windows\System\kTCKACZ.exe
Filesize
5.9MB

MD5
8b20a082bc612a2a5a1776f3776d912f

SHA1
9e07642cc3f5dec7146f666df05e1dcccfe9fff2

SHA256
20a7163c5f552e24772287d9159cdef0a54d57677347187e790a870b3840d6e0

SHA512
ddbd943d7b0eaf390cdd258ec57768658158fe8f7a3afca95b8e6f35762a16937a10de7ef94233074983ac440515cd60537fe4ffedc788f19bdc2ab60f8b005c

Download Submit
C:\Windows\System\kXbduzy.exe
Filesize
5.9MB

MD5
3d2b915d14cbde7bab25beef9e941aa9

SHA1
ab879e6314254f86fa301c4c9d92c43cf55e1f6a

SHA256
ab6e461d864062085f4065b62b84dc3d8dd41c8f09def985cbe59badc7974171

SHA512
8fe18f84fe605b04bccfea202fda1485fc1da017f5f7e48ea2578ed51d6d78039d00c0e8d88cd5f5c4f47d50bc00e299d25d17f610b9a58c75c763c0a450c7d6

Download Submit
C:\Windows\System\lwPaLKK.exe
Filesize
5.9MB

MD5
ae16963c08318d0535886a3a299f6fc8

SHA1
253bd00f44563d77da40cf717ef8ddc532c99bcf

SHA256
335e1409b03f8d18aa909ee9455a1716ad269d9fc06e907ca57ec3a0c31a5874

SHA512
6dd37f5496da0dd95d4827b82ea8207e7ad6b0219c7bbfb4ede6ac340fa8230f3409617bb987543d855895caa850a93ab0abd58e26ab66370eedccc0726a352e

Download Submit
C:\Windows\System\mElHPpi.exe
Filesize
5.9MB

MD5
24431caeba60865396028200fbd3720a

SHA1
ed68acba72d9f8bc963f7f6b7e58fa1aa1036aa8

SHA256
923c96a3b5dc87b43af4265c73feba9af3579c12ec22a66fc2ce63ca8065084c

SHA512
eee61b5122c3b7da7ca761c03884781b97900b1d838a4e41661e2f5d44e0e5ef7bcdcc5b4ee90e6715c5f1b3e615cc4fcc1d4f3e1d6aa205ebbde8bfb3f1677e

Download Submit
C:\Windows\System\ydOCuGI.exe
Filesize
5.9MB

MD5
8d9645a9e195ed1e82661a86fbccee31

SHA1
b6710ade85d0895e6dabe238d2c381d0fe6aa7bc

SHA256
1b974b8ec64200ad618ce300bfe4870fe86cc78b1842f9794f996aedd7d11085

SHA512
53afe635cbf31b63f8e3ecbfc7373d7eae380942f6f9f166e07a9cf0f95f99a598ff6f7ea9a7ee83f1feb91a084538d052e70495b7b7404a8ec19b1d5d98ff7a

Download Submit
memory/224-98-0x00007FF677FC0000-0x00007FF678314000-memory.dmp

Filesize
3.3MB

Download
memory/224-153-0x00007FF677FC0000-0x00007FF678314000-memory.dmp

Filesize
3.3MB

Download
memory/448-56-0x00007FF702580000-0x00007FF7028D4000-memory.dmp

Filesize
3.3MB

Download
memory/448-147-0x00007FF702580000-0x00007FF7028D4000-memory.dmp

Filesize
3.3MB

Download
memory/928-88-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

Filesize
3.3MB

Download
memory/928-142-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

Filesize
3.3MB

Download
memory/928-26-0x00007FF620570000-0x00007FF6208C4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-84-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp

Filesize
3.3MB

Download
memory/1216-151-0x00007FF7D4790000-0x00007FF7D4AE4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-159-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp

Filesize
3.3MB

Download
memory/1520-135-0x00007FF7E9F50000-0x00007FF7EA2A4000-memory.dmp

Filesize
3.3MB

Download
memory/1568-32-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

Filesize
3.3MB

Download
memory/1568-96-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

Filesize
3.3MB

Download
memory/1568-143-0x00007FF7851D0000-0x00007FF785524000-memory.dmp

Filesize
3.3MB

Download
memory/1728-113-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1728-155-0x00007FF680B60000-0x00007FF680EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-136-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-152-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-89-0x00007FF724050000-0x00007FF7243A4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-20-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

Filesize
3.3MB

Download
memory/1844-141-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

Filesize
3.3MB

Download
memory/1844-83-0x00007FF7009B0000-0x00007FF700D04000-memory.dmp

Filesize
3.3MB

Download
memory/2304-145-0x00007FF710230000-0x00007FF710584000-memory.dmp

Filesize
3.3MB

Download
memory/2304-43-0x00007FF710230000-0x00007FF710584000-memory.dmp

Filesize
3.3MB

Download
memory/2304-110-0x00007FF710230000-0x00007FF710584000-memory.dmp

Filesize
3.3MB

Download
memory/2320-140-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

Filesize
3.3MB

Download
memory/2320-75-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

Filesize
3.3MB

Download
memory/2320-14-0x00007FF7ED2B0000-0x00007FF7ED604000-memory.dmp

Filesize
3.3MB

Download
memory/2512-123-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

Filesize
3.3MB

Download
memory/2512-158-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

Filesize
3.3MB

Download
memory/2512-137-0x00007FF6C88F0000-0x00007FF6C8C44000-memory.dmp

Filesize
3.3MB

Download
memory/2696-150-0x00007FF706820000-0x00007FF706B74000-memory.dmp

Filesize
3.3MB

Download
memory/2696-77-0x00007FF706820000-0x00007FF706B74000-memory.dmp

Filesize
3.3MB

Download
memory/2884-146-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

Filesize
3.3MB

Download
memory/2884-50-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

Filesize
3.3MB

Download
memory/2884-120-0x00007FF71B200000-0x00007FF71B554000-memory.dmp

Filesize
3.3MB

Download
memory/3276-157-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

Filesize
3.3MB

Download
memory/3276-128-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

Filesize
3.3MB

Download
memory/3276-139-0x00007FF7174E0000-0x00007FF717834000-memory.dmp

Filesize
3.3MB

Download
memory/3580-156-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp

Filesize
3.3MB

Download
memory/3580-126-0x00007FF7BF0F0000-0x00007FF7BF444000-memory.dmp

Filesize
3.3MB

Download
memory/3756-149-0x00007FF77E110000-0x00007FF77E464000-memory.dmp

Filesize
3.3MB

Download
memory/3756-70-0x00007FF77E110000-0x00007FF77E464000-memory.dmp

Filesize
3.3MB

Download
memory/3808-144-0x00007FF69E030000-0x00007FF69E384000-memory.dmp

Filesize
3.3MB

Download
memory/3808-38-0x00007FF69E030000-0x00007FF69E384000-memory.dmp

Filesize
3.3MB

Download
memory/4084-106-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-154-0x00007FF602D80000-0x00007FF6030D4000-memory.dmp

Filesize
3.3MB

Download
memory/4384-8-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

Filesize
3.3MB

Download
memory/4384-138-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

Filesize
3.3MB

Download
memory/4384-67-0x00007FF6024D0000-0x00007FF602824000-memory.dmp

Filesize
3.3MB

Download
memory/4660-0-0x00007FF76B200000-0x00007FF76B554000-memory.dmp

Filesize
3.3MB

Download
memory/4660-1-0x0000019E59BA0000-0x0000019E59BB0000-memory.dmp

Filesize
64KB

Download
memory/4660-62-0x00007FF76B200000-0x00007FF76B554000-memory.dmp

Filesize
3.3MB

Download
memory/4676-148-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4676-63-0x00007FF73F5A0000-0x00007FF73F8F4000-memory.dmp

Filesize
3.3MB

Download