cobaltstrike | cb58fa51dcdd9a6b1bbe1d77aff502f1286b301ea0696e89bc0fd47c83383ffb

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8fa63bf410f22f59c2cdea05a34a7557
SHA1

c79b539b7e249e0ac5993210a1bc11c731c8c876
SHA256

cb58fa51dcdd9a6b1bbe1d77aff502f1286b301ea0696e89bc0fd47c83383ffb
SHA512

bebfe4a8cef6c30f317c8cc5d461c73bae84e0ef0e4f5993742d4fb485b33562449c985f70b74da99daca706495d2794c3e617883a24767bb80fab887d2c2b5d
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\MOZgeMm.exe	cobalt_reflective_dll
C:\Windows\System\KdcyjiW.exe	cobalt_reflective_dll
C:\Windows\System\xaQaMnJ.exe	cobalt_reflective_dll
C:\Windows\System\xYpnuop.exe	cobalt_reflective_dll
C:\Windows\System\XqmQwPV.exe	cobalt_reflective_dll
C:\Windows\System\ndGNHry.exe	cobalt_reflective_dll
C:\Windows\System\FsSYzmb.exe	cobalt_reflective_dll
C:\Windows\System\BEwtrHQ.exe	cobalt_reflective_dll
C:\Windows\System\uPmmWDA.exe	cobalt_reflective_dll
C:\Windows\System\mgoMKQV.exe	cobalt_reflective_dll
C:\Windows\System\uncVOzC.exe	cobalt_reflective_dll
C:\Windows\System\BcePnrb.exe	cobalt_reflective_dll
C:\Windows\System\negbOLm.exe	cobalt_reflective_dll
C:\Windows\System\xnGBQkb.exe	cobalt_reflective_dll
C:\Windows\System\kIGnYNy.exe	cobalt_reflective_dll
C:\Windows\System\fmSfEGG.exe	cobalt_reflective_dll
C:\Windows\System\lBrEbni.exe	cobalt_reflective_dll
C:\Windows\System\pSVIhoE.exe	cobalt_reflective_dll
C:\Windows\System\QNKQnzr.exe	cobalt_reflective_dll
C:\Windows\System\vPTDxqD.exe	cobalt_reflective_dll
C:\Windows\System\fHEOxOT.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\MOZgeMm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KdcyjiW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xaQaMnJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xYpnuop.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XqmQwPV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ndGNHry.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FsSYzmb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BEwtrHQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uPmmWDA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mgoMKQV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uncVOzC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BcePnrb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\negbOLm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xnGBQkb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kIGnYNy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fmSfEGG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lBrEbni.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pSVIhoE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QNKQnzr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vPTDxqD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fHEOxOT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	UPX
C:\Windows\System\MOZgeMm.exe	UPX
C:\Windows\System\KdcyjiW.exe	UPX
C:\Windows\System\xaQaMnJ.exe	UPX
behavioral2/memory/1432-19-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	UPX
behavioral2/memory/2448-20-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	UPX
C:\Windows\System\xYpnuop.exe	UPX
behavioral2/memory/1692-24-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	UPX
behavioral2/memory/2776-12-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	UPX
C:\Windows\System\XqmQwPV.exe	UPX
behavioral2/memory/552-32-0x00007FF608830000-0x00007FF608B84000-memory.dmp	UPX
C:\Windows\System\ndGNHry.exe	UPX
behavioral2/memory/2584-38-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	UPX
C:\Windows\System\FsSYzmb.exe	UPX
behavioral2/memory/5040-43-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	UPX
C:\Windows\System\BEwtrHQ.exe	UPX
behavioral2/memory/5052-48-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	UPX
C:\Windows\System\uPmmWDA.exe	UPX
behavioral2/memory/3800-57-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	UPX
behavioral2/memory/4892-56-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	UPX
C:\Windows\System\mgoMKQV.exe	UPX
C:\Windows\System\uncVOzC.exe	UPX
behavioral2/memory/1992-61-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	UPX
C:\Windows\System\BcePnrb.exe	UPX
behavioral2/memory/4492-70-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	UPX
behavioral2/memory/4980-75-0x00007FF6F90B0000-0x00007FF6F9404000-memory.dmp	UPX
C:\Windows\System\negbOLm.exe	UPX
C:\Windows\System\xnGBQkb.exe	UPX
C:\Windows\System\kIGnYNy.exe	UPX
behavioral2/memory/4652-90-0x00007FF775890000-0x00007FF775BE4000-memory.dmp	UPX
behavioral2/memory/1692-89-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	UPX
behavioral2/memory/4000-83-0x00007FF6312F0000-0x00007FF631644000-memory.dmp	UPX
behavioral2/memory/4876-95-0x00007FF6B6120000-0x00007FF6B6474000-memory.dmp	UPX
C:\Windows\System\fmSfEGG.exe	UPX
behavioral2/memory/552-94-0x00007FF608830000-0x00007FF608B84000-memory.dmp	UPX
behavioral2/memory/5040-105-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	UPX
C:\Windows\System\lBrEbni.exe	UPX
behavioral2/memory/5012-106-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	UPX
behavioral2/memory/1616-99-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	UPX
C:\Windows\System\pSVIhoE.exe	UPX
behavioral2/memory/2036-113-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	UPX
C:\Windows\System\QNKQnzr.exe	UPX
C:\Windows\System\vPTDxqD.exe	UPX
behavioral2/memory/740-119-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	UPX
C:\Windows\System\fHEOxOT.exe	UPX
behavioral2/memory/1872-129-0x00007FF65F500000-0x00007FF65F854000-memory.dmp	UPX
behavioral2/memory/1992-128-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	UPX
behavioral2/memory/5052-112-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	UPX
behavioral2/memory/1496-133-0x00007FF69BAA0000-0x00007FF69BDF4000-memory.dmp	UPX
behavioral2/memory/1616-134-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	UPX
behavioral2/memory/5012-135-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	UPX
behavioral2/memory/2036-136-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	UPX
behavioral2/memory/740-137-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	UPX
behavioral2/memory/2776-138-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	UPX
behavioral2/memory/1432-139-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	UPX
behavioral2/memory/2448-140-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	UPX
behavioral2/memory/1692-141-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	UPX
behavioral2/memory/552-142-0x00007FF608830000-0x00007FF608B84000-memory.dmp	UPX
behavioral2/memory/2584-143-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	UPX
behavioral2/memory/5040-144-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	UPX
behavioral2/memory/5052-145-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	UPX
behavioral2/memory/3800-146-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	UPX
behavioral2/memory/1992-147-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	UPX
behavioral2/memory/4492-148-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	xmrig
C:\Windows\System\MOZgeMm.exe	xmrig
C:\Windows\System\KdcyjiW.exe	xmrig
C:\Windows\System\xaQaMnJ.exe	xmrig
behavioral2/memory/1432-19-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	xmrig
behavioral2/memory/2448-20-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	xmrig
C:\Windows\System\xYpnuop.exe	xmrig
behavioral2/memory/1692-24-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	xmrig
behavioral2/memory/2776-12-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	xmrig
C:\Windows\System\XqmQwPV.exe	xmrig
behavioral2/memory/552-32-0x00007FF608830000-0x00007FF608B84000-memory.dmp	xmrig
C:\Windows\System\ndGNHry.exe	xmrig
behavioral2/memory/2584-38-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	xmrig
C:\Windows\System\FsSYzmb.exe	xmrig
behavioral2/memory/5040-43-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	xmrig
C:\Windows\System\BEwtrHQ.exe	xmrig
behavioral2/memory/5052-48-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	xmrig
C:\Windows\System\uPmmWDA.exe	xmrig
behavioral2/memory/3800-57-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	xmrig
behavioral2/memory/4892-56-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	xmrig
C:\Windows\System\mgoMKQV.exe	xmrig
C:\Windows\System\uncVOzC.exe	xmrig
behavioral2/memory/1992-61-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	xmrig
C:\Windows\System\BcePnrb.exe	xmrig
behavioral2/memory/4492-70-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	xmrig
behavioral2/memory/4980-75-0x00007FF6F90B0000-0x00007FF6F9404000-memory.dmp	xmrig
C:\Windows\System\negbOLm.exe	xmrig
C:\Windows\System\xnGBQkb.exe	xmrig
C:\Windows\System\kIGnYNy.exe	xmrig
behavioral2/memory/4652-90-0x00007FF775890000-0x00007FF775BE4000-memory.dmp	xmrig
behavioral2/memory/1692-89-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	xmrig
behavioral2/memory/4000-83-0x00007FF6312F0000-0x00007FF631644000-memory.dmp	xmrig
behavioral2/memory/4876-95-0x00007FF6B6120000-0x00007FF6B6474000-memory.dmp	xmrig
C:\Windows\System\fmSfEGG.exe	xmrig
behavioral2/memory/552-94-0x00007FF608830000-0x00007FF608B84000-memory.dmp	xmrig
behavioral2/memory/5040-105-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	xmrig
C:\Windows\System\lBrEbni.exe	xmrig
behavioral2/memory/5012-106-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	xmrig
behavioral2/memory/1616-99-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	xmrig
C:\Windows\System\pSVIhoE.exe	xmrig
behavioral2/memory/2036-113-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	xmrig
C:\Windows\System\QNKQnzr.exe	xmrig
C:\Windows\System\vPTDxqD.exe	xmrig
behavioral2/memory/740-119-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	xmrig
C:\Windows\System\fHEOxOT.exe	xmrig
behavioral2/memory/1872-129-0x00007FF65F500000-0x00007FF65F854000-memory.dmp	xmrig
behavioral2/memory/1992-128-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	xmrig
behavioral2/memory/5052-112-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	xmrig
behavioral2/memory/1496-133-0x00007FF69BAA0000-0x00007FF69BDF4000-memory.dmp	xmrig
behavioral2/memory/1616-134-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	xmrig
behavioral2/memory/5012-135-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	xmrig
behavioral2/memory/2036-136-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	xmrig
behavioral2/memory/740-137-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	xmrig
behavioral2/memory/2776-138-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	xmrig
behavioral2/memory/1432-139-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	xmrig
behavioral2/memory/2448-140-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	xmrig
behavioral2/memory/1692-141-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	xmrig
behavioral2/memory/552-142-0x00007FF608830000-0x00007FF608B84000-memory.dmp	xmrig
behavioral2/memory/2584-143-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	xmrig
behavioral2/memory/5040-144-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	xmrig
behavioral2/memory/5052-145-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	xmrig
behavioral2/memory/3800-146-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	xmrig
behavioral2/memory/1992-147-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	xmrig
behavioral2/memory/4492-148-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

MOZgeMm.exeKdcyjiW.exexaQaMnJ.exexYpnuop.exeXqmQwPV.exendGNHry.exeFsSYzmb.exeBEwtrHQ.exeuPmmWDA.exemgoMKQV.exeuncVOzC.exeBcePnrb.exenegbOLm.exexnGBQkb.exekIGnYNy.exefmSfEGG.exelBrEbni.exepSVIhoE.exeQNKQnzr.exevPTDxqD.exefHEOxOT.exe

pid	process
2776	MOZgeMm.exe
1432	KdcyjiW.exe
2448	xaQaMnJ.exe
1692	xYpnuop.exe
552	XqmQwPV.exe
2584	ndGNHry.exe
5040	FsSYzmb.exe
5052	BEwtrHQ.exe
3800	uPmmWDA.exe
1992	mgoMKQV.exe
4492	uncVOzC.exe
4980	BcePnrb.exe
4000	negbOLm.exe
4652	xnGBQkb.exe
4876	kIGnYNy.exe
1616	fmSfEGG.exe
5012	lBrEbni.exe
2036	pSVIhoE.exe
740	QNKQnzr.exe
1872	vPTDxqD.exe
1496	fHEOxOT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	upx
C:\Windows\System\MOZgeMm.exe	upx
C:\Windows\System\KdcyjiW.exe	upx
C:\Windows\System\xaQaMnJ.exe	upx
behavioral2/memory/1432-19-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	upx
behavioral2/memory/2448-20-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	upx
C:\Windows\System\xYpnuop.exe	upx
behavioral2/memory/1692-24-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	upx
behavioral2/memory/2776-12-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	upx
C:\Windows\System\XqmQwPV.exe	upx
behavioral2/memory/552-32-0x00007FF608830000-0x00007FF608B84000-memory.dmp	upx
C:\Windows\System\ndGNHry.exe	upx
behavioral2/memory/2584-38-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	upx
C:\Windows\System\FsSYzmb.exe	upx
behavioral2/memory/5040-43-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	upx
C:\Windows\System\BEwtrHQ.exe	upx
behavioral2/memory/5052-48-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	upx
C:\Windows\System\uPmmWDA.exe	upx
behavioral2/memory/3800-57-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	upx
behavioral2/memory/4892-56-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp	upx
C:\Windows\System\mgoMKQV.exe	upx
C:\Windows\System\uncVOzC.exe	upx
behavioral2/memory/1992-61-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	upx
C:\Windows\System\BcePnrb.exe	upx
behavioral2/memory/4492-70-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	upx
behavioral2/memory/4980-75-0x00007FF6F90B0000-0x00007FF6F9404000-memory.dmp	upx
C:\Windows\System\negbOLm.exe	upx
C:\Windows\System\xnGBQkb.exe	upx
C:\Windows\System\kIGnYNy.exe	upx
behavioral2/memory/4652-90-0x00007FF775890000-0x00007FF775BE4000-memory.dmp	upx
behavioral2/memory/1692-89-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	upx
behavioral2/memory/4000-83-0x00007FF6312F0000-0x00007FF631644000-memory.dmp	upx
behavioral2/memory/4876-95-0x00007FF6B6120000-0x00007FF6B6474000-memory.dmp	upx
C:\Windows\System\fmSfEGG.exe	upx
behavioral2/memory/552-94-0x00007FF608830000-0x00007FF608B84000-memory.dmp	upx
behavioral2/memory/5040-105-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	upx
C:\Windows\System\lBrEbni.exe	upx
behavioral2/memory/5012-106-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	upx
behavioral2/memory/1616-99-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	upx
C:\Windows\System\pSVIhoE.exe	upx
behavioral2/memory/2036-113-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	upx
C:\Windows\System\QNKQnzr.exe	upx
C:\Windows\System\vPTDxqD.exe	upx
behavioral2/memory/740-119-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	upx
C:\Windows\System\fHEOxOT.exe	upx
behavioral2/memory/1872-129-0x00007FF65F500000-0x00007FF65F854000-memory.dmp	upx
behavioral2/memory/1992-128-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	upx
behavioral2/memory/5052-112-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	upx
behavioral2/memory/1496-133-0x00007FF69BAA0000-0x00007FF69BDF4000-memory.dmp	upx
behavioral2/memory/1616-134-0x00007FF681A20000-0x00007FF681D74000-memory.dmp	upx
behavioral2/memory/5012-135-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp	upx
behavioral2/memory/2036-136-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp	upx
behavioral2/memory/740-137-0x00007FF654ED0000-0x00007FF655224000-memory.dmp	upx
behavioral2/memory/2776-138-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp	upx
behavioral2/memory/1432-139-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp	upx
behavioral2/memory/2448-140-0x00007FF767490000-0x00007FF7677E4000-memory.dmp	upx
behavioral2/memory/1692-141-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	upx
behavioral2/memory/552-142-0x00007FF608830000-0x00007FF608B84000-memory.dmp	upx
behavioral2/memory/2584-143-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp	upx
behavioral2/memory/5040-144-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp	upx
behavioral2/memory/5052-145-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp	upx
behavioral2/memory/3800-146-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp	upx
behavioral2/memory/1992-147-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp	upx
behavioral2/memory/4492-148-0x00007FF6371F0000-0x00007FF637544000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\xnGBQkb.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fHEOxOT.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KdcyjiW.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XqmQwPV.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FsSYzmb.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSVIhoE.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaQaMnJ.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgoMKQV.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kIGnYNy.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fmSfEGG.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBrEbni.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPTDxqD.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOZgeMm.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uPmmWDA.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uncVOzC.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BcePnrb.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\negbOLm.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNKQnzr.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xYpnuop.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndGNHry.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BEwtrHQ.exe	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4892 wrote to memory of 2776	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	MOZgeMm.exe
PID 4892 wrote to memory of 2776	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	MOZgeMm.exe
PID 4892 wrote to memory of 1432	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	KdcyjiW.exe
PID 4892 wrote to memory of 1432	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	KdcyjiW.exe
PID 4892 wrote to memory of 2448	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xaQaMnJ.exe
PID 4892 wrote to memory of 2448	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xaQaMnJ.exe
PID 4892 wrote to memory of 1692	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xYpnuop.exe
PID 4892 wrote to memory of 1692	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xYpnuop.exe
PID 4892 wrote to memory of 552	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	XqmQwPV.exe
PID 4892 wrote to memory of 552	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	XqmQwPV.exe
PID 4892 wrote to memory of 2584	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	ndGNHry.exe
PID 4892 wrote to memory of 2584	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	ndGNHry.exe
PID 4892 wrote to memory of 5040	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	FsSYzmb.exe
PID 4892 wrote to memory of 5040	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	FsSYzmb.exe
PID 4892 wrote to memory of 5052	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	BEwtrHQ.exe
PID 4892 wrote to memory of 5052	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	BEwtrHQ.exe
PID 4892 wrote to memory of 3800	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	uPmmWDA.exe
PID 4892 wrote to memory of 3800	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	uPmmWDA.exe
PID 4892 wrote to memory of 1992	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	mgoMKQV.exe
PID 4892 wrote to memory of 1992	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	mgoMKQV.exe
PID 4892 wrote to memory of 4492	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	uncVOzC.exe
PID 4892 wrote to memory of 4492	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	uncVOzC.exe
PID 4892 wrote to memory of 4980	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	BcePnrb.exe
PID 4892 wrote to memory of 4980	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	BcePnrb.exe
PID 4892 wrote to memory of 4000	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	negbOLm.exe
PID 4892 wrote to memory of 4000	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	negbOLm.exe
PID 4892 wrote to memory of 4652	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xnGBQkb.exe
PID 4892 wrote to memory of 4652	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	xnGBQkb.exe
PID 4892 wrote to memory of 4876	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	kIGnYNy.exe
PID 4892 wrote to memory of 4876	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	kIGnYNy.exe
PID 4892 wrote to memory of 1616	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	fmSfEGG.exe
PID 4892 wrote to memory of 1616	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	fmSfEGG.exe
PID 4892 wrote to memory of 5012	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	lBrEbni.exe
PID 4892 wrote to memory of 5012	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	lBrEbni.exe
PID 4892 wrote to memory of 2036	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	pSVIhoE.exe
PID 4892 wrote to memory of 2036	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	pSVIhoE.exe
PID 4892 wrote to memory of 740	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	QNKQnzr.exe
PID 4892 wrote to memory of 740	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	QNKQnzr.exe
PID 4892 wrote to memory of 1872	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	vPTDxqD.exe
PID 4892 wrote to memory of 1872	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	vPTDxqD.exe
PID 4892 wrote to memory of 1496	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	fHEOxOT.exe
PID 4892 wrote to memory of 1496	4892	2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe	fHEOxOT.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_8fa63bf410f22f59c2cdea05a34a7557_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System\MOZgeMm.exe
C:\Windows\System\MOZgeMm.exe
2⤵
- Executes dropped EXE
PID:2776

C:\Windows\System\KdcyjiW.exe
C:\Windows\System\KdcyjiW.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\xaQaMnJ.exe
C:\Windows\System\xaQaMnJ.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\xYpnuop.exe
C:\Windows\System\xYpnuop.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\XqmQwPV.exe
C:\Windows\System\XqmQwPV.exe
2⤵
- Executes dropped EXE
PID:552

C:\Windows\System\ndGNHry.exe
C:\Windows\System\ndGNHry.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\FsSYzmb.exe
C:\Windows\System\FsSYzmb.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\BEwtrHQ.exe
C:\Windows\System\BEwtrHQ.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System\uPmmWDA.exe
C:\Windows\System\uPmmWDA.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Windows\System\mgoMKQV.exe
C:\Windows\System\mgoMKQV.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\System\uncVOzC.exe
C:\Windows\System\uncVOzC.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System\BcePnrb.exe
C:\Windows\System\BcePnrb.exe
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\System\negbOLm.exe
C:\Windows\System\negbOLm.exe
2⤵
- Executes dropped EXE
PID:4000

C:\Windows\System\xnGBQkb.exe
C:\Windows\System\xnGBQkb.exe
2⤵
- Executes dropped EXE
PID:4652

C:\Windows\System\kIGnYNy.exe
C:\Windows\System\kIGnYNy.exe
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\System\fmSfEGG.exe
C:\Windows\System\fmSfEGG.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\lBrEbni.exe
C:\Windows\System\lBrEbni.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\pSVIhoE.exe
C:\Windows\System\pSVIhoE.exe
2⤵
- Executes dropped EXE
PID:2036

C:\Windows\System\QNKQnzr.exe
C:\Windows\System\QNKQnzr.exe
2⤵
- Executes dropped EXE
PID:740

C:\Windows\System\vPTDxqD.exe
C:\Windows\System\vPTDxqD.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\fHEOxOT.exe
C:\Windows\System\fHEOxOT.exe
2⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BEwtrHQ.exe
Filesize
5.9MB

MD5
a320fca53ab458b508bbb484067a77c5

SHA1
7daac9c7c22d5695591503648ea36ac0284d35f0

SHA256
4d6d0ad97e0dab5dbbba3384f8ea03bdedee622a20ed29b750e5a0940ec9aa4a

SHA512
fd97742fffea5622b081dc28174d5ec501c348f1433daabeb6a09562e39e0dc8cea6eee64f7e601231510d3b05d7fa5eccc5b1dcfeaefce6888159f8558b46ac

Download Submit
C:\Windows\System\BcePnrb.exe
Filesize
5.9MB

MD5
d030d5dfacc8eb4681a44d9a08c2fc33

SHA1
e5865bde1da0da36e832482b7239643bd9d9b2d4

SHA256
e551da40d444c3dd4022a26db1c264236cecc8857b3ef73cacf907d3b5ff50c3

SHA512
6c1a46e46e2cfa3c2b13fe803d5c86e4988aeec5f265d120dd19d1d67637216738c86140683e16007d47e8fbb327b6fe87ded3a86475b047e434656be720a91c

Download Submit
C:\Windows\System\FsSYzmb.exe
Filesize
5.9MB

MD5
17dabfe31cb73d66e256e510dd820dc0

SHA1
f6cf7286b606771ef439028f1b8b8ebec53e373b

SHA256
08e58f33d0aa6dee7e7a69df0d0c39dfc3efbc96ca73aabc91696e8aa38411cf

SHA512
c87f5d7ab9e1448568fcab5a9933bb046ec5084ee8af254a155141d7a50ba059d318fcdd00e7a42903cc955a0ec20ff1b5348a721839a8bec90f0e15e56adf3b

Download Submit
C:\Windows\System\KdcyjiW.exe
Filesize
5.9MB

MD5
9683780eb366372e51978a9c0a0bb097

SHA1
46b05e1cfaa22c275ea413ffd6825be63664faf7

SHA256
a05cbc2862fe3dd70c076c8abb02bdc0eb04ee2d2fba69e518ae01e485e2daed

SHA512
9160be6a52fd51e197976d9fe67c44eb238ffe1089ceac266e4af3e92f648da7a4baaf326b4a0ccd6dfeb81bd483ec7ddea6ee0ae3517b4d05e290fdb1a145ca

Download Submit
C:\Windows\System\MOZgeMm.exe
Filesize
5.9MB

MD5
a49212db9c2d5138183fc477c021849c

SHA1
7231de13b07b3dad7187b4e545cd84d9efdcfca3

SHA256
ced8031f0d4968fe69c9d61a8c22b569c3c8b9c0492759869f0170432a7f02d4

SHA512
5b0301b38d14f12e09580d0d489640eb52d2065ff6921bc6efbfdfd2004e305eb7e1f6371322c026e7923c7eb577fa32fe8777aa937db02a0d3ac5cfc98713f2

Download Submit
C:\Windows\System\QNKQnzr.exe
Filesize
5.9MB

MD5
f79db33abde91e4825214ae735abeea6

SHA1
8228e71a46902e399ecbf2f3d9860bb2c31af501

SHA256
e5c12a647149a6bbdad1556b41e4f10c9e8c3dde2aae9df3534478fae6c2cde8

SHA512
d23814902bdd3dcc9f357cd23951a56ac396aac435eff4c7ced5cceb69c6a75d44489b117c550e569fea556e34fd4402047447e6a7b188832f9058614e10074a

Download Submit
C:\Windows\System\XqmQwPV.exe
Filesize
5.9MB

MD5
7d6e0c6ecd521ce5b560b9920a372af2

SHA1
0b5421b52474c2315b4658ac75b71190f101cdff

SHA256
7d9fc5883ed85a3219987920bdcd90f7f960654a273504c38c459b3a6339bf42

SHA512
8777813ccc6e5ede18a580c7396917bca009bed371db3ad3a63f281f8ea839d6d481dac3f0cadbe1751fa5c58a3ff1f003d7cff858e4b7ce297e2f69019d9906

Download Submit
C:\Windows\System\fHEOxOT.exe
Filesize
5.9MB

MD5
63148a7a090e256c946dc2ba640d4400

SHA1
e9cdcc153229101a099c1bf635d4a104b71d9659

SHA256
dbc185db363ccc1d74646404bbb601183476233d252e0f390d06973d03243295

SHA512
2223c49fd01fdf879cc90280f13db1c731d41bb2a7a6cc48ddcea7108027dfd8d70998184e360706b0989ccf22f797e18c64287574c8b359290ba266d284ab80

Download Submit
C:\Windows\System\fmSfEGG.exe
Filesize
5.9MB

MD5
dab54fc3f68992f5a2943ddb82dab4b0

SHA1
1ada026db366b5725fb982f31d03dc526a98afa3

SHA256
8818fd1e7b6871f54059791a1c50c1dd244b3e79ae509d904dfa679a312c6ca8

SHA512
ff901a77e13fd181a6358e6313db2e1a17980c64705fd6a156a77b157cd68f22dc367480bb90748d9637bfe90477fafd48a2bd1c33c8d7e3120d5194a378d43b

Download Submit
C:\Windows\System\kIGnYNy.exe
Filesize
5.9MB

MD5
1310b6d1537331e092bbe9c16213e8c1

SHA1
62283415421431c9acb849e363974f029a2412cc

SHA256
0335cf6f1ea51103de853c37996b9ea4d81f387dabb8d84970bc8e42ff39e67e

SHA512
9a0887d77678657d9d73b00b74a38e19d51a2f4a7884d88e27a71169d78e5cc1a1d7096c05f12fa790e7f0024a80c2f13b926ec7070d2c32f5feb5ad217cb2e3

Download Submit
C:\Windows\System\lBrEbni.exe
Filesize
5.9MB

MD5
74782875cbe17eaf178c0d53e6110377

SHA1
7e8655b412e4bd6eb88a4369df032f5dc23d71df

SHA256
8714fb3516cfe05c0abfe10e06e13ea932b1f173af39239973f2b6471a829707

SHA512
7d23e9dc8918e146500208b92a3301398d1972069e1621f3ffeb7333f9c5a66ef3079f457b564d40a958db77c52d982b0b2b4b8fe79c428cc415590efd9cce86

Download Submit
C:\Windows\System\mgoMKQV.exe
Filesize
5.9MB

MD5
7462f66317242d50e408ca6d80621146

SHA1
096008fe572dcc1ab620c868a02bcfd6162f9cdc

SHA256
7ea7f38c9d9bc2a8155e63a5fd614901399df69d4681cd16c9f117543e520ebf

SHA512
467d4f2e55eec6b4735ce19a2bd4c96ee3ee68db1eccd484e298985d5e5494724caa9ff5bd1dbb432201db93e9a1fbfbf81339ae83762258d83900124d6663bd

Download Submit
C:\Windows\System\ndGNHry.exe
Filesize
5.9MB

MD5
63adea601a1770307c45b4c6d73e0d9b

SHA1
949428bffca791f823fc64ab43743f86488472c9

SHA256
6df1d28b16c4f7397dc8e792a7f48357a966ee98e70ff6959efb79b45b771c11

SHA512
3cfc8b2cdfb920a12a483984a970f402bc72ecc1d68c230c84335deb9581715601350a5561df8f45fc46f1c78d0686f7178940e52fe49b1c031e3de87b23d460

Download Submit
C:\Windows\System\negbOLm.exe
Filesize
5.9MB

MD5
e6e8e99bbb77f364247790baf8bc46bd

SHA1
c54e3cec677f79a13e0b23df20bfbb063cb56bfe

SHA256
95924da6a87cbe2a1cc9a83b68cc9c84ca37614e8e3c01ba34a2cc98f1d15067

SHA512
d3d00e458b4e53db85f0c275ce95f0949a9e6f337071c701a801c8d76d33796714b402f23afbbc4efdd874af54cc840ef1817761f55ef56c955afbe803bf72ba

Download Submit
C:\Windows\System\pSVIhoE.exe
Filesize
5.9MB

MD5
594c4893dddf4477e39f0af7121b2dd3

SHA1
491f4c8d1241a7994b5a1c3f1469050b8807d94d

SHA256
1ac2d991beec66fbe80a610ab5750757335b70c2b3e02ee48b17428e5e1beefc

SHA512
4418e68c2b1f90a360f01e0cbb06e7b6b5936b24b99c50afaf171fbc71d600e5fe359c278e955c23f62293e7acc4bb823604a2ad42bf342b8247dc88333ef165

Download Submit
C:\Windows\System\uPmmWDA.exe
Filesize
5.9MB

MD5
57ef304594f26b46134f00448361e450

SHA1
b83d11db7e04b69df34c3b1df0c3a2676605eafd

SHA256
2b50d3da6e1224664fefc594398da72dcab317b6f63f2f8a262e3186348715c0

SHA512
14b881595b856a0e4b9d4ecbb669d420cef5fd0c3bb7da7266e9190067694cb95c95fdfb23941ba2fdc627e46bf543dfc6a0216180b967481026a1f49aa68d27

Download Submit
C:\Windows\System\uncVOzC.exe
Filesize
5.9MB

MD5
c3063c6a8040738d76b5abaac2b6d330

SHA1
4a75764c655bbdfdd5b708f969c87628ebe262df

SHA256
d7b263404d165051ebc7ceb6ef3e33f37534d3b5ffa814d54cd774201643b6fb

SHA512
10966fee31e9307b0c7dbb7024b0ee122ddfbc46f3f27a3cf803f9dc3f9155d05a6ee2f55fef57c097e581ef03ce5887bae559fd2ddef1e868f7b18c07f9a661

Download Submit
C:\Windows\System\vPTDxqD.exe
Filesize
5.9MB

MD5
36c05e6b67f56f47eb4ca759153268d9

SHA1
58b6cfbd4bc420ecbdb7635ea9653df0a7048de1

SHA256
b55a4b507e84b5d8571f12c8e7077a255eb40c055158f0ab706ae220681c75a7

SHA512
fa75e646e0530b91f465e4f71ff29503f27dde840a70b0eb9a199faf7746d9214c16576235c101458c3390226c74ae6b902f82db5f3a9977d21749795d2f2996

Download Submit
C:\Windows\System\xYpnuop.exe
Filesize
5.9MB

MD5
f458103f408c06d8f6023f06059961d8

SHA1
a8194c402bed1335310d62a5f540d66a35add031

SHA256
c0ade637b34f4736c33998bd0b333b5f8e5116bfac8a7945ab502ac41181cfa7

SHA512
87606e5c6f29bae04f310e7de99dee2fd852edd72e1e0b9c5e4df26e658a6bbbfc1076099b7329bf920a69969f970acd0b1ba3b5b2b0e94016e23cfb4b70d15f

Download Submit
C:\Windows\System\xaQaMnJ.exe
Filesize
5.9MB

MD5
1f4cecc2cc041edcafa77e3b557c9069

SHA1
8902075d45bedd0f206e0258b396459b48d6603e

SHA256
5e41a374d67b9c5a8b97b0cc7f5f19c014f9a943220468eaeac9cf3abced8702

SHA512
8a8541e6bde289b6b82b3176a938cc9fd0f222d1c3cf8530ce47e17b5c5e004af3f91a9bda60764ce7b18f638fa2e625921f6f3b8df6c34f656ecb95be5aabd7

Download Submit
C:\Windows\System\xnGBQkb.exe
Filesize
5.9MB

MD5
4182349233c7d3b500362217646d594e

SHA1
571c3c4c5b6124dfcccb3aa512003328729c5a52

SHA256
4cc733a347d4e273df207834f04211129f028d070e7a4b64a2224de61c29811d

SHA512
e4ac8f4db12b86d7fd140b626ab9a83fd334cd60b4ba647f6a02d9823fdf9aac641c5ff9d1ea251620d17193652ba6c21789c1bc24407fc828bbde0a1dba7d60

Download Submit
memory/552-32-0x00007FF608830000-0x00007FF608B84000-memory.dmp

Filesize
3.3MB

Download
memory/552-94-0x00007FF608830000-0x00007FF608B84000-memory.dmp

Filesize
3.3MB

Download
memory/552-142-0x00007FF608830000-0x00007FF608B84000-memory.dmp

Filesize
3.3MB

Download
memory/740-119-0x00007FF654ED0000-0x00007FF655224000-memory.dmp

Filesize
3.3MB

Download
memory/740-137-0x00007FF654ED0000-0x00007FF655224000-memory.dmp

Filesize
3.3MB

Download
memory/740-157-0x00007FF654ED0000-0x00007FF655224000-memory.dmp

Filesize
3.3MB

Download
memory/1432-139-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp

Filesize
3.3MB

Download
memory/1432-19-0x00007FF7CE200000-0x00007FF7CE554000-memory.dmp

Filesize
3.3MB

Download
memory/1496-133-0x00007FF69BAA0000-0x00007FF69BDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1496-158-0x00007FF69BAA0000-0x00007FF69BDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1616-134-0x00007FF681A20000-0x00007FF681D74000-memory.dmp

Filesize
3.3MB

Download
memory/1616-153-0x00007FF681A20000-0x00007FF681D74000-memory.dmp

Filesize
3.3MB

Download
memory/1616-99-0x00007FF681A20000-0x00007FF681D74000-memory.dmp

Filesize
3.3MB

Download
memory/1692-141-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-89-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1692-24-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-156-0x00007FF65F500000-0x00007FF65F854000-memory.dmp

Filesize
3.3MB

Download
memory/1872-129-0x00007FF65F500000-0x00007FF65F854000-memory.dmp

Filesize
3.3MB

Download
memory/1992-128-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp

Filesize
3.3MB

Download
memory/1992-147-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp

Filesize
3.3MB

Download
memory/1992-61-0x00007FF6C8030000-0x00007FF6C8384000-memory.dmp

Filesize
3.3MB

Download
memory/2036-113-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp

Filesize
3.3MB

Download
memory/2036-155-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp

Filesize
3.3MB

Download
memory/2036-136-0x00007FF61C9D0000-0x00007FF61CD24000-memory.dmp

Filesize
3.3MB

Download
memory/2448-140-0x00007FF767490000-0x00007FF7677E4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-20-0x00007FF767490000-0x00007FF7677E4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-143-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp

Filesize
3.3MB

Download
memory/2584-38-0x00007FF61E7E0000-0x00007FF61EB34000-memory.dmp

Filesize
3.3MB

Download
memory/2776-138-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2776-12-0x00007FF6DED80000-0x00007FF6DF0D4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-146-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp

Filesize
3.3MB

Download
memory/3800-57-0x00007FF6CE510000-0x00007FF6CE864000-memory.dmp

Filesize
3.3MB

Download
memory/4000-83-0x00007FF6312F0000-0x00007FF631644000-memory.dmp

Filesize
3.3MB

Download
memory/4000-150-0x00007FF6312F0000-0x00007FF631644000-memory.dmp

Filesize
3.3MB

Download
memory/4492-70-0x00007FF6371F0000-0x00007FF637544000-memory.dmp

Filesize
3.3MB

Download
memory/4492-148-0x00007FF6371F0000-0x00007FF637544000-memory.dmp

Filesize
3.3MB

Download
memory/4652-151-0x00007FF775890000-0x00007FF775BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4652-90-0x00007FF775890000-0x00007FF775BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4876-95-0x00007FF6B6120000-0x00007FF6B6474000-memory.dmp

Filesize
3.3MB

Download
memory/4876-152-0x00007FF6B6120000-0x00007FF6B6474000-memory.dmp

Filesize
3.3MB

Download
memory/4892-1-0x0000019227990000-0x00000192279A0000-memory.dmp

Filesize
64KB

Download
memory/4892-56-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp

Filesize
3.3MB

Download
memory/4892-0-0x00007FF63F720000-0x00007FF63FA74000-memory.dmp

Filesize
3.3MB

Download
memory/4980-149-0x00007FF6F90B0000-0x00007FF6F9404000-memory.dmp

Filesize
3.3MB

Download
memory/4980-75-0x00007FF6F90B0000-0x00007FF6F9404000-memory.dmp

Filesize
3.3MB

Download
memory/5012-154-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-106-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-135-0x00007FF7D3190000-0x00007FF7D34E4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-43-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp

Filesize
3.3MB

Download
memory/5040-105-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp

Filesize
3.3MB

Download
memory/5040-144-0x00007FF7AA010000-0x00007FF7AA364000-memory.dmp

Filesize
3.3MB

Download
memory/5052-48-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp

Filesize
3.3MB

Download
memory/5052-145-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp

Filesize
3.3MB

Download
memory/5052-112-0x00007FF7F6760000-0x00007FF7F6AB4000-memory.dmp

Filesize
3.3MB

Download