cobaltstrike | bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192

Analysis

max time kernel
140s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b49480422c90786723fb6501c8024acd
SHA1

67528ab2fcb212d7cb36b2efae68898dc3e89b71
SHA256

bd8c88455e79dcf2211ebe1e27ee828fa94fd189943c063dc3d172ca9e968192
SHA512

ec7713af0080034612d8fa8f9ff033d120bb263e4d60cc59d495d32b3c39af6dbabdd1984d61a4dcc66d01d8d82dfc11f859f4e640e92575372eca46c0d3a631
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUp:Q+856utgpPF8u/7p

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CLhgqeN.exe	cobalt_reflective_dll
C:\Windows\System\CUShHDE.exe	cobalt_reflective_dll
C:\Windows\System\nGOdEPQ.exe	cobalt_reflective_dll
C:\Windows\System\kfpdSGF.exe	cobalt_reflective_dll
C:\Windows\System\SvzWlCP.exe	cobalt_reflective_dll
C:\Windows\System\RbGvbOT.exe	cobalt_reflective_dll
C:\Windows\System\tDQOYsi.exe	cobalt_reflective_dll
C:\Windows\System\SMbCOmg.exe	cobalt_reflective_dll
C:\Windows\System\wBjrwEL.exe	cobalt_reflective_dll
C:\Windows\System\tSTkyKO.exe	cobalt_reflective_dll
C:\Windows\System\vXuROry.exe	cobalt_reflective_dll
C:\Windows\System\IgeXUqX.exe	cobalt_reflective_dll
C:\Windows\System\niECUCb.exe	cobalt_reflective_dll
C:\Windows\System\plXUzsP.exe	cobalt_reflective_dll
C:\Windows\System\jkYBqZj.exe	cobalt_reflective_dll
C:\Windows\System\eDfWmRA.exe	cobalt_reflective_dll
C:\Windows\System\CQKCgwc.exe	cobalt_reflective_dll
C:\Windows\System\mwehoFt.exe	cobalt_reflective_dll
C:\Windows\System\UkEgBdT.exe	cobalt_reflective_dll
C:\Windows\System\SubrnTR.exe	cobalt_reflective_dll
C:\Windows\System\jhXbILX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\CLhgqeN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CUShHDE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nGOdEPQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kfpdSGF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SvzWlCP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RbGvbOT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tDQOYsi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SMbCOmg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wBjrwEL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tSTkyKO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vXuROry.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IgeXUqX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\niECUCb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\plXUzsP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jkYBqZj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eDfWmRA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CQKCgwc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mwehoFt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UkEgBdT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SubrnTR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jhXbILX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	UPX
C:\Windows\System\CLhgqeN.exe	UPX
behavioral2/memory/2600-8-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	UPX
C:\Windows\System\CUShHDE.exe	UPX
behavioral2/memory/1432-14-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	UPX
C:\Windows\System\nGOdEPQ.exe	UPX
behavioral2/memory/2452-20-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	UPX
C:\Windows\System\kfpdSGF.exe	UPX
behavioral2/memory/3184-26-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	UPX
C:\Windows\System\SvzWlCP.exe	UPX
behavioral2/memory/4180-32-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	UPX
C:\Windows\System\RbGvbOT.exe	UPX
behavioral2/memory/4512-37-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	UPX
C:\Windows\System\tDQOYsi.exe	UPX
behavioral2/memory/4064-44-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	UPX
behavioral2/memory/4832-50-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	UPX
C:\Windows\System\SMbCOmg.exe	UPX
behavioral2/memory/3216-51-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	UPX
C:\Windows\System\wBjrwEL.exe	UPX
behavioral2/memory/2268-57-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	UPX
C:\Windows\System\tSTkyKO.exe	UPX
behavioral2/memory/4720-63-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	UPX
C:\Windows\System\vXuROry.exe	UPX
behavioral2/memory/2600-69-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	UPX
behavioral2/memory/2412-70-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	UPX
behavioral2/memory/1432-76-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	UPX
behavioral2/memory/440-77-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	UPX
C:\Windows\System\IgeXUqX.exe	UPX
C:\Windows\System\niECUCb.exe	UPX
behavioral2/memory/2452-83-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	UPX
behavioral2/memory/5000-84-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	UPX
C:\Windows\System\plXUzsP.exe	UPX
behavioral2/memory/3184-90-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	UPX
behavioral2/memory/4176-91-0x00007FF7201E0000-0x00007FF720534000-memory.dmp	UPX
C:\Windows\System\jkYBqZj.exe	UPX
behavioral2/memory/4180-97-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	UPX
C:\Windows\System\eDfWmRA.exe	UPX
behavioral2/memory/4512-104-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	UPX
behavioral2/memory/2172-105-0x00007FF779690000-0x00007FF7799E4000-memory.dmp	UPX
behavioral2/memory/4000-103-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp	UPX
C:\Windows\System\CQKCgwc.exe	UPX
behavioral2/memory/4560-111-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp	UPX
C:\Windows\System\mwehoFt.exe	UPX
behavioral2/memory/4308-117-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp	UPX
C:\Windows\System\UkEgBdT.exe	UPX
behavioral2/memory/2268-122-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	UPX
C:\Windows\System\SubrnTR.exe	UPX
behavioral2/memory/4720-131-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	UPX
behavioral2/memory/3100-126-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp	UPX
C:\Windows\System\jhXbILX.exe	UPX
behavioral2/memory/3328-135-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp	UPX
behavioral2/memory/5040-136-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp	UPX
behavioral2/memory/2600-137-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	UPX
behavioral2/memory/1432-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	UPX
behavioral2/memory/2452-139-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	UPX
behavioral2/memory/3184-140-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	UPX
behavioral2/memory/4180-141-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	UPX
behavioral2/memory/4512-142-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	UPX
behavioral2/memory/4064-143-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	UPX
behavioral2/memory/3216-144-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	UPX
behavioral2/memory/2268-145-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	UPX
behavioral2/memory/4720-146-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	UPX
behavioral2/memory/2412-147-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	UPX
behavioral2/memory/440-148-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	xmrig
C:\Windows\System\CLhgqeN.exe	xmrig
behavioral2/memory/2600-8-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	xmrig
C:\Windows\System\CUShHDE.exe	xmrig
behavioral2/memory/1432-14-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	xmrig
C:\Windows\System\nGOdEPQ.exe	xmrig
behavioral2/memory/2452-20-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	xmrig
C:\Windows\System\kfpdSGF.exe	xmrig
behavioral2/memory/3184-26-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	xmrig
C:\Windows\System\SvzWlCP.exe	xmrig
behavioral2/memory/4180-32-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	xmrig
C:\Windows\System\RbGvbOT.exe	xmrig
behavioral2/memory/4512-37-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	xmrig
C:\Windows\System\tDQOYsi.exe	xmrig
behavioral2/memory/4064-44-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	xmrig
behavioral2/memory/4832-50-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	xmrig
C:\Windows\System\SMbCOmg.exe	xmrig
behavioral2/memory/3216-51-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	xmrig
C:\Windows\System\wBjrwEL.exe	xmrig
behavioral2/memory/2268-57-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	xmrig
C:\Windows\System\tSTkyKO.exe	xmrig
behavioral2/memory/4720-63-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	xmrig
C:\Windows\System\vXuROry.exe	xmrig
behavioral2/memory/2600-69-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	xmrig
behavioral2/memory/2412-70-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	xmrig
behavioral2/memory/1432-76-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	xmrig
behavioral2/memory/440-77-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	xmrig
C:\Windows\System\IgeXUqX.exe	xmrig
C:\Windows\System\niECUCb.exe	xmrig
behavioral2/memory/2452-83-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	xmrig
behavioral2/memory/5000-84-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	xmrig
C:\Windows\System\plXUzsP.exe	xmrig
behavioral2/memory/3184-90-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	xmrig
behavioral2/memory/4176-91-0x00007FF7201E0000-0x00007FF720534000-memory.dmp	xmrig
C:\Windows\System\jkYBqZj.exe	xmrig
behavioral2/memory/4180-97-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	xmrig
C:\Windows\System\eDfWmRA.exe	xmrig
behavioral2/memory/4512-104-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	xmrig
behavioral2/memory/2172-105-0x00007FF779690000-0x00007FF7799E4000-memory.dmp	xmrig
behavioral2/memory/4000-103-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp	xmrig
C:\Windows\System\CQKCgwc.exe	xmrig
behavioral2/memory/4560-111-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp	xmrig
C:\Windows\System\mwehoFt.exe	xmrig
behavioral2/memory/4308-117-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp	xmrig
C:\Windows\System\UkEgBdT.exe	xmrig
behavioral2/memory/2268-122-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	xmrig
C:\Windows\System\SubrnTR.exe	xmrig
behavioral2/memory/4720-131-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	xmrig
behavioral2/memory/3100-126-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp	xmrig
C:\Windows\System\jhXbILX.exe	xmrig
behavioral2/memory/3328-135-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp	xmrig
behavioral2/memory/5040-136-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp	xmrig
behavioral2/memory/2600-137-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	xmrig
behavioral2/memory/1432-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	xmrig
behavioral2/memory/2452-139-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	xmrig
behavioral2/memory/3184-140-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	xmrig
behavioral2/memory/4180-141-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	xmrig
behavioral2/memory/4512-142-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	xmrig
behavioral2/memory/4064-143-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	xmrig
behavioral2/memory/3216-144-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	xmrig
behavioral2/memory/2268-145-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	xmrig
behavioral2/memory/4720-146-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	xmrig
behavioral2/memory/2412-147-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	xmrig
behavioral2/memory/440-148-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CLhgqeN.exeCUShHDE.exenGOdEPQ.exekfpdSGF.exeSvzWlCP.exeRbGvbOT.exetDQOYsi.exeSMbCOmg.exewBjrwEL.exetSTkyKO.exevXuROry.exeIgeXUqX.exeniECUCb.exeplXUzsP.exejkYBqZj.exeeDfWmRA.exeCQKCgwc.exemwehoFt.exejhXbILX.exeUkEgBdT.exeSubrnTR.exe

pid	process
2600	CLhgqeN.exe
1432	CUShHDE.exe
2452	nGOdEPQ.exe
3184	kfpdSGF.exe
4180	SvzWlCP.exe
4512	RbGvbOT.exe
4064	tDQOYsi.exe
3216	SMbCOmg.exe
2268	wBjrwEL.exe
4720	tSTkyKO.exe
2412	vXuROry.exe
440	IgeXUqX.exe
5000	niECUCb.exe
4176	plXUzsP.exe
4000	jkYBqZj.exe
2172	eDfWmRA.exe
4560	CQKCgwc.exe
4308	mwehoFt.exe
3100	jhXbILX.exe
3328	UkEgBdT.exe
5040	SubrnTR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4832-0-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	upx
C:\Windows\System\CLhgqeN.exe	upx
behavioral2/memory/2600-8-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	upx
C:\Windows\System\CUShHDE.exe	upx
behavioral2/memory/1432-14-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	upx
C:\Windows\System\nGOdEPQ.exe	upx
behavioral2/memory/2452-20-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	upx
C:\Windows\System\kfpdSGF.exe	upx
behavioral2/memory/3184-26-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	upx
C:\Windows\System\SvzWlCP.exe	upx
behavioral2/memory/4180-32-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	upx
C:\Windows\System\RbGvbOT.exe	upx
behavioral2/memory/4512-37-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	upx
C:\Windows\System\tDQOYsi.exe	upx
behavioral2/memory/4064-44-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	upx
behavioral2/memory/4832-50-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp	upx
C:\Windows\System\SMbCOmg.exe	upx
behavioral2/memory/3216-51-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	upx
C:\Windows\System\wBjrwEL.exe	upx
behavioral2/memory/2268-57-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	upx
C:\Windows\System\tSTkyKO.exe	upx
behavioral2/memory/4720-63-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	upx
C:\Windows\System\vXuROry.exe	upx
behavioral2/memory/2600-69-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	upx
behavioral2/memory/2412-70-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	upx
behavioral2/memory/1432-76-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	upx
behavioral2/memory/440-77-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	upx
C:\Windows\System\IgeXUqX.exe	upx
C:\Windows\System\niECUCb.exe	upx
behavioral2/memory/2452-83-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	upx
behavioral2/memory/5000-84-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp	upx
C:\Windows\System\plXUzsP.exe	upx
behavioral2/memory/3184-90-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	upx
behavioral2/memory/4176-91-0x00007FF7201E0000-0x00007FF720534000-memory.dmp	upx
C:\Windows\System\jkYBqZj.exe	upx
behavioral2/memory/4180-97-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	upx
C:\Windows\System\eDfWmRA.exe	upx
behavioral2/memory/4512-104-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	upx
behavioral2/memory/2172-105-0x00007FF779690000-0x00007FF7799E4000-memory.dmp	upx
behavioral2/memory/4000-103-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp	upx
C:\Windows\System\CQKCgwc.exe	upx
behavioral2/memory/4560-111-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp	upx
C:\Windows\System\mwehoFt.exe	upx
behavioral2/memory/4308-117-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp	upx
C:\Windows\System\UkEgBdT.exe	upx
behavioral2/memory/2268-122-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	upx
C:\Windows\System\SubrnTR.exe	upx
behavioral2/memory/4720-131-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	upx
behavioral2/memory/3100-126-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp	upx
C:\Windows\System\jhXbILX.exe	upx
behavioral2/memory/3328-135-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp	upx
behavioral2/memory/5040-136-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp	upx
behavioral2/memory/2600-137-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp	upx
behavioral2/memory/1432-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp	upx
behavioral2/memory/2452-139-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp	upx
behavioral2/memory/3184-140-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp	upx
behavioral2/memory/4180-141-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp	upx
behavioral2/memory/4512-142-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp	upx
behavioral2/memory/4064-143-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp	upx
behavioral2/memory/3216-144-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp	upx
behavioral2/memory/2268-145-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp	upx
behavioral2/memory/4720-146-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp	upx
behavioral2/memory/2412-147-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp	upx
behavioral2/memory/440-148-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\eDfWmRA.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhXbILX.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CUShHDE.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SMbCOmg.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tSTkyKO.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vXuROry.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\niECUCb.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RbGvbOT.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwehoFt.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UkEgBdT.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SubrnTR.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SvzWlCP.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDQOYsi.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wBjrwEL.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkYBqZj.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQKCgwc.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLhgqeN.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGOdEPQ.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kfpdSGF.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IgeXUqX.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\plXUzsP.exe	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4832 wrote to memory of 2600	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CLhgqeN.exe
PID 4832 wrote to memory of 2600	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CLhgqeN.exe
PID 4832 wrote to memory of 1432	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CUShHDE.exe
PID 4832 wrote to memory of 1432	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CUShHDE.exe
PID 4832 wrote to memory of 2452	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	nGOdEPQ.exe
PID 4832 wrote to memory of 2452	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	nGOdEPQ.exe
PID 4832 wrote to memory of 3184	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kfpdSGF.exe
PID 4832 wrote to memory of 3184	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	kfpdSGF.exe
PID 4832 wrote to memory of 4180	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SvzWlCP.exe
PID 4832 wrote to memory of 4180	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SvzWlCP.exe
PID 4832 wrote to memory of 4512	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	RbGvbOT.exe
PID 4832 wrote to memory of 4512	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	RbGvbOT.exe
PID 4832 wrote to memory of 4064	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	tDQOYsi.exe
PID 4832 wrote to memory of 4064	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	tDQOYsi.exe
PID 4832 wrote to memory of 3216	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SMbCOmg.exe
PID 4832 wrote to memory of 3216	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SMbCOmg.exe
PID 4832 wrote to memory of 2268	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	wBjrwEL.exe
PID 4832 wrote to memory of 2268	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	wBjrwEL.exe
PID 4832 wrote to memory of 4720	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	tSTkyKO.exe
PID 4832 wrote to memory of 4720	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	tSTkyKO.exe
PID 4832 wrote to memory of 2412	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	vXuROry.exe
PID 4832 wrote to memory of 2412	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	vXuROry.exe
PID 4832 wrote to memory of 440	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	IgeXUqX.exe
PID 4832 wrote to memory of 440	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	IgeXUqX.exe
PID 4832 wrote to memory of 5000	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	niECUCb.exe
PID 4832 wrote to memory of 5000	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	niECUCb.exe
PID 4832 wrote to memory of 4176	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	plXUzsP.exe
PID 4832 wrote to memory of 4176	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	plXUzsP.exe
PID 4832 wrote to memory of 4000	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	jkYBqZj.exe
PID 4832 wrote to memory of 4000	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	jkYBqZj.exe
PID 4832 wrote to memory of 2172	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	eDfWmRA.exe
PID 4832 wrote to memory of 2172	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	eDfWmRA.exe
PID 4832 wrote to memory of 4560	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CQKCgwc.exe
PID 4832 wrote to memory of 4560	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	CQKCgwc.exe
PID 4832 wrote to memory of 4308	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	mwehoFt.exe
PID 4832 wrote to memory of 4308	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	mwehoFt.exe
PID 4832 wrote to memory of 3100	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	jhXbILX.exe
PID 4832 wrote to memory of 3100	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	jhXbILX.exe
PID 4832 wrote to memory of 3328	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	UkEgBdT.exe
PID 4832 wrote to memory of 3328	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	UkEgBdT.exe
PID 4832 wrote to memory of 5040	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SubrnTR.exe
PID 4832 wrote to memory of 5040	4832	2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe	SubrnTR.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b49480422c90786723fb6501c8024acd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\System\CLhgqeN.exe
C:\Windows\System\CLhgqeN.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\CUShHDE.exe
C:\Windows\System\CUShHDE.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\nGOdEPQ.exe
C:\Windows\System\nGOdEPQ.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\kfpdSGF.exe
C:\Windows\System\kfpdSGF.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\System\SvzWlCP.exe
C:\Windows\System\SvzWlCP.exe
2⤵
- Executes dropped EXE
PID:4180

C:\Windows\System\RbGvbOT.exe
C:\Windows\System\RbGvbOT.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\tDQOYsi.exe
C:\Windows\System\tDQOYsi.exe
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\System\SMbCOmg.exe
C:\Windows\System\SMbCOmg.exe
2⤵
- Executes dropped EXE
PID:3216

C:\Windows\System\wBjrwEL.exe
C:\Windows\System\wBjrwEL.exe
2⤵
- Executes dropped EXE
PID:2268

C:\Windows\System\tSTkyKO.exe
C:\Windows\System\tSTkyKO.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System\vXuROry.exe
C:\Windows\System\vXuROry.exe
2⤵
- Executes dropped EXE
PID:2412

C:\Windows\System\IgeXUqX.exe
C:\Windows\System\IgeXUqX.exe
2⤵
- Executes dropped EXE
PID:440

C:\Windows\System\niECUCb.exe
C:\Windows\System\niECUCb.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\System\plXUzsP.exe
C:\Windows\System\plXUzsP.exe
2⤵
- Executes dropped EXE
PID:4176

C:\Windows\System\jkYBqZj.exe
C:\Windows\System\jkYBqZj.exe
2⤵
- Executes dropped EXE
PID:4000

C:\Windows\System\eDfWmRA.exe
C:\Windows\System\eDfWmRA.exe
2⤵
- Executes dropped EXE
PID:2172

C:\Windows\System\CQKCgwc.exe
C:\Windows\System\CQKCgwc.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System\mwehoFt.exe
C:\Windows\System\mwehoFt.exe
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\System\jhXbILX.exe
C:\Windows\System\jhXbILX.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\System\UkEgBdT.exe
C:\Windows\System\UkEgBdT.exe
2⤵
- Executes dropped EXE
PID:3328

C:\Windows\System\SubrnTR.exe
C:\Windows\System\SubrnTR.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3816 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CLhgqeN.exe
Filesize
5.9MB

MD5
e64015da51c574193f8462893c7b9ed9

SHA1
961cce3cff7dbf3e2c8b9ff649ee74d3b4890454

SHA256
ef7c80c7ec78f283bef69a79be01501f8f76e8c3d59d1227f19250d937422852

SHA512
1509c6d094dd8a8b8fced6eedbb020e9e4600316de7289f10c6d55674485c836c1331fda9f0e2f3e68236b3dbf20fc22b16ef2f00f888a2e2675dce100b35746

Download Submit
C:\Windows\System\CQKCgwc.exe
Filesize
5.9MB

MD5
c0385d4f1ed2a2cc6f0ee6223f8101eb

SHA1
d0ee132698fed8c9a461a77348fe7eb9394f2dfb

SHA256
541f985ec654c807c4ddd2e2078c16950413cb4990cd36cf46ef0ddf3719a012

SHA512
09aa3e44a24a4e93638d700dbd40fb38f018304e599acc90bbdb6ac50bf926f46ecc16e132b57cf72ffd161e1334eecff80daf7715bf3b8d529cd3d2ce93968a

Download Submit
C:\Windows\System\CUShHDE.exe
Filesize
5.9MB

MD5
5c64b95c95eec6c5f9b90b6744a12ecf

SHA1
8f8ef0b16706d6e974575c132fe695703a652f58

SHA256
b6424f123048213d5d7d1cfc640ee4421c6a494b05eceba8317e47e44fcf1b26

SHA512
7e9097d0391c8b95a1a8901e3245c4dbf93a82a2c450cd3b393c491e405152bcef684043ce228f63de24fc155d8858d07afe150d6a99fa67f3f629f886ef4bfa

Download Submit
C:\Windows\System\IgeXUqX.exe
Filesize
5.9MB

MD5
ff206b31d252b834c6dbfb5eb2ade946

SHA1
3500ffe5cec5c5a867e015c6c6078c5c0b1725ed

SHA256
a21ca6b3955a0d569722f4c1b9de0846005c6f4dc8e3597875565ea6d4561b12

SHA512
f4c7ba1de28ad9899017736af1ab401f03a0d13545106c6b7c71a82411659b05fb19c0e9ce015f549ececf533c138323543676bb1b74a16365a7d7aa49f25bc5

Download Submit
C:\Windows\System\RbGvbOT.exe
Filesize
5.9MB

MD5
310f0e3417753cc23423f995abcd0fc7

SHA1
626d6ec65186d52f25686ce76e2794cfb0559606

SHA256
4e27bd1f357ada62acd78fac42451fc80db1ba60c2f069cc520b102a25272a99

SHA512
f7db990548d6e01e6b770835f90f9aa4dc1a685f70af57e0ad545c5a4bda37b30a15c1b897423877e4e8d06b5ce334b2f1f0becb57f678c2bf0d5d939516af43

Download Submit
C:\Windows\System\SMbCOmg.exe
Filesize
5.9MB

MD5
061c1db3fe31861d49ee24a3f2f920e5

SHA1
1d897ff09563dad730db12a466fb0f989cfcd167

SHA256
49b2467d841d3d2666e47b476666be763f8d573952c56d778c9be01c98a9f137

SHA512
b8a98b2d4d69cecbeaba11a46497c08276179ae08d5ce6610210c700d61882879d3b962fc1f8259ff1373961088d861f6e991a5caefb57ca74e0596fa0b314ef

Download Submit
C:\Windows\System\SubrnTR.exe
Filesize
5.9MB

MD5
372f7beeb36195da5bb65836b9cd025a

SHA1
a0df11690b224b942bda1dad45a5114d01df7c6e

SHA256
7a7ed19dffe56abf47e997a9af97cf5636cb9b6cb5b38dfcafd5e7e0b2576936

SHA512
279159d84ec2ab32a247548391bf5ac322c81df852abcfe0453e771ab6c175c6ebd34c00642e6a559a99d95e4b83e0b899282a611a4aedf4157be959642f4b07

Download Submit
C:\Windows\System\SvzWlCP.exe
Filesize
5.9MB

MD5
4f757c994278c9c728273ffa81b80d8a

SHA1
ef68deb389ff438d3622282b9d1851f8b1f652f9

SHA256
3a520d631a769e39bf9bc614f5e19cc797396ffcdc903f03e39f574bc81bb319

SHA512
75aac85df161f7f3f7ba7eb74ce9270c924e8bffacb937b6235e17cc01503311cde28fa2f516dd4cc0e443458f09621cd2674ecbb4f3496a309d04aa05000341

Download Submit
C:\Windows\System\UkEgBdT.exe
Filesize
5.9MB

MD5
d2cdcb1024973b172cb764537e14bdba

SHA1
deb254369c8419a5ef4e1c23af97b17cfb1a645d

SHA256
2241bd870802951fafe93c24ebd15cd729cd46802ca37002fdf39a3b5a7075a8

SHA512
620f502d77658f8778cadd99d0631214f573a912859e8242e525813a540daeb8e12f07fa1e28a5081bff1c4a1eafc46efddb801b594957ddc94c968d5a731ede

Download Submit
C:\Windows\System\eDfWmRA.exe
Filesize
5.9MB

MD5
782656c6db398648608bf6aca19ea800

SHA1
b960f681d4f8f4ad3b242bf6b6f80e4bb6667940

SHA256
9b1c41a9dbc6f789773dbe14b965ff275662353a17e8e476357bcfcaca95acac

SHA512
012f3c3473b2a437835028e25fb37a84842a804e73821cf4cdbbd1dbb49301a3de2a82e07289b5c6882dd5ed7df7c433ec686d38de13b549ce74e17c842ccfe9

Download Submit
C:\Windows\System\jhXbILX.exe
Filesize
5.9MB

MD5
716746c1c98b6eaa7a33740b95c6ba54

SHA1
72551143c6ca792a25cefe9ce72543f15c6f399a

SHA256
90ae3e50e7b791ee5240a671a2e7c488bc168353e10b73446f89f2aff7f1f3ee

SHA512
fc12d969919f257cb50eee372bc8ed6115a864992af58f601e1a0df82fa701db43d49026c98ac73c8a8ae68df8a805b3ac3e57fee9cf4b98a1c125fae078ccf6

Download Submit
C:\Windows\System\jkYBqZj.exe
Filesize
5.9MB

MD5
f1e29870bbed3996f382a9ef6f6be455

SHA1
b10099380c946fca6f50550a90fc587af1d6e2dc

SHA256
6547fb5b4d5832a4846f9f46a80a6451d7b3c6143b9d0e0ded0693e9be56ab60

SHA512
4f66df3769afaaa45ab191eabc41b4fbfa66cc50b4bcbf767ef05312b038858c07d8e5f17358ec7387b3bd38072620bc21be5ac307a081715210a951fef6d836

Download Submit
C:\Windows\System\kfpdSGF.exe
Filesize
5.9MB

MD5
3568e13905e01b4b12cab1df4838808a

SHA1
51475d3561154bb28b647ae5bd2add27d78e71e9

SHA256
5fa37358a1643880206df05738a4cc140a6edb64003bd4c02774c27c9ddce432

SHA512
d7e88bc7c08ec6c8c6c21fe741d1ed0d729283eec32ac7e6423cc2b29b47be380f6b4441f0faf0cd75d7ab65516b9d849b85484162ea214a915cbaf7b5ac4f1a

Download Submit
C:\Windows\System\mwehoFt.exe
Filesize
5.9MB

MD5
7fd9721d654f496c56b6af7aab599d36

SHA1
daef7d1c872384e81430c645ddd1bcdf301e153e

SHA256
6123fa1d8402b3cbfeb965eeffdd1677937d3f7c486ae0e555021473b6be30d7

SHA512
fa3a2aaab2243e58906ca344482b29053c8d3120009b719da9512a9f80729830db806021eb81a1131a1d8997affc389f6dee892f7599d34c087f80a61bc720d5

Download Submit
C:\Windows\System\nGOdEPQ.exe
Filesize
5.9MB

MD5
e54b77bd47b366975b4f2400a94f4d59

SHA1
dbb7980fa9393fd6c83b5a134f8e9d10d8dbd8e4

SHA256
b7faea29d1f1b3d9a1acf72bb2eef55c290c80a2dcf05fc770c8955278fcc6a1

SHA512
cf943a25b12b42f6fbfd3ad849b99d7e6be0f327fc14897285e5f97f71aff5d7591a02afd3e478bab8a996ae08130f5a603573d080e0a85b34c235a365a8c15d

Download Submit
C:\Windows\System\niECUCb.exe
Filesize
5.9MB

MD5
0fe36ebedb98afe1b61af6d0efc5018b

SHA1
5bb6d3cd0a441dd11839d64f3a1f15d6cb16c1eb

SHA256
de58873d77dc1d4221e5663fab26c3a838a60065b64fdd2fb20f70b250e75619

SHA512
225ed1cea04c99ca270a1c18259328c2cfdfe55dccd9817b1531b20c7e6ae0c26916893b4bbe58d19e7435a7102a8bb0e672c656a48906d6e856a91665f88b7a

Download Submit
C:\Windows\System\plXUzsP.exe
Filesize
5.9MB

MD5
bf57337649177c9f462610385292e735

SHA1
d9c19c31e676fee08162fadc3b6bbaa3ea441de9

SHA256
faa1c308b3672354c45516a9f7263dd87831a174ef4c358d5d6a281de2dda481

SHA512
5da71522fa2d4ec17659a63d0ad2fb304cd2500fec5e73668c6c80c276b4d3504f1a29e58c799f7a86f18478670dc4c53d07a150eb26b73ba6d5aea05138647c

Download Submit
C:\Windows\System\tDQOYsi.exe
Filesize
5.9MB

MD5
2b380ea718021b660e39e5d92b3fe369

SHA1
aef061d3045a0a873b854684748408239665c861

SHA256
8f2a4d36b9445335dbc6925bfa10b721d592aa4c5e6196f2ef2ce8817fb47793

SHA512
2effa907071fa49292929490b2f29070ab3faf0d57e11a2e4e3e1b0965540af39f0195ce69d79859b4785d6d80988f293502caf92f80fd470621330ecc4db9c6

Download Submit
C:\Windows\System\tSTkyKO.exe
Filesize
5.9MB

MD5
eeb35490739c0fecce7583ca1235a666

SHA1
adaf2d732f71541a564534202c56464969d830a7

SHA256
ede418d6791890aa0166ebe47f8818a84baf1973e73f9d5121cba2725f01e3a2

SHA512
1075180f72025259d18c327f4b633d5544a11462d9b74d6d4b77a218d03e582fc29cc532e7685071a57c7f70dbb0006a7f0a785a3577acfe1370654f402ce991

Download Submit
C:\Windows\System\vXuROry.exe
Filesize
5.9MB

MD5
8641b56c29ddb9a76f437542abc16f56

SHA1
b5b2b93c19df6969612e811b3baccec64a3b8e7e

SHA256
7a4a12fc22a296b7d27dc421e2b4e152aa1b3d77aad63a2865419bc3c6255d13

SHA512
3848d806b51c4243840b2b704d9262ec583b0f821cc576acf424e26468fb19cac0fc562ab3b26473bce8207e74a721b2d5dba58f51dd1f558191f40a50c67718

Download Submit
C:\Windows\System\wBjrwEL.exe
Filesize
5.9MB

MD5
51153bc8dacb1eb0aded996c9f6585c8

SHA1
abe7e0c57d5f6615bcfa707eb8cab2187cd77dee

SHA256
84bbe8b10c2cc48ac1ce8c9450032d0c6fc6e13eba648d14e65104198c7c9d6a

SHA512
6816fe5152ac9d1ed3e05778732b619f73cd5ca5fb8e0a5972eb3f46f0651f915dc7bea87f81e34ae2d8cb4109c2fb34327b531f71e20b2415b7a264ce80f510

Download Submit
memory/440-77-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp

Filesize
3.3MB

Download
memory/440-148-0x00007FF60E4D0000-0x00007FF60E824000-memory.dmp

Filesize
3.3MB

Download
memory/1432-138-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

Filesize
3.3MB

Download
memory/1432-76-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

Filesize
3.3MB

Download
memory/1432-14-0x00007FF7D58C0000-0x00007FF7D5C14000-memory.dmp

Filesize
3.3MB

Download
memory/2172-152-0x00007FF779690000-0x00007FF7799E4000-memory.dmp

Filesize
3.3MB

Download
memory/2172-105-0x00007FF779690000-0x00007FF7799E4000-memory.dmp

Filesize
3.3MB

Download
memory/2268-145-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp

Filesize
3.3MB

Download
memory/2268-122-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp

Filesize
3.3MB

Download
memory/2268-57-0x00007FF6DB620000-0x00007FF6DB974000-memory.dmp

Filesize
3.3MB

Download
memory/2412-147-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp

Filesize
3.3MB

Download
memory/2412-70-0x00007FF65EA20000-0x00007FF65ED74000-memory.dmp

Filesize
3.3MB

Download
memory/2452-83-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp

Filesize
3.3MB

Download
memory/2452-139-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp

Filesize
3.3MB

Download
memory/2452-20-0x00007FF78BF20000-0x00007FF78C274000-memory.dmp

Filesize
3.3MB

Download
memory/2600-69-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-137-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-8-0x00007FF6B7E50000-0x00007FF6B81A4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-126-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-155-0x00007FF7C2570000-0x00007FF7C28C4000-memory.dmp

Filesize
3.3MB

Download
memory/3184-90-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp

Filesize
3.3MB

Download
memory/3184-140-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp

Filesize
3.3MB

Download
memory/3184-26-0x00007FF71BE80000-0x00007FF71C1D4000-memory.dmp

Filesize
3.3MB

Download
memory/3216-144-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3216-51-0x00007FF64CAA0000-0x00007FF64CDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3328-156-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp

Filesize
3.3MB

Download
memory/3328-135-0x00007FF6468F0000-0x00007FF646C44000-memory.dmp

Filesize
3.3MB

Download
memory/4000-103-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp

Filesize
3.3MB

Download
memory/4000-151-0x00007FF6A2730000-0x00007FF6A2A84000-memory.dmp

Filesize
3.3MB

Download
memory/4064-143-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp

Filesize
3.3MB

Download
memory/4064-44-0x00007FF79E2E0000-0x00007FF79E634000-memory.dmp

Filesize
3.3MB

Download
memory/4176-150-0x00007FF7201E0000-0x00007FF720534000-memory.dmp

Filesize
3.3MB

Download
memory/4176-91-0x00007FF7201E0000-0x00007FF720534000-memory.dmp

Filesize
3.3MB

Download
memory/4180-32-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp

Filesize
3.3MB

Download
memory/4180-97-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp

Filesize
3.3MB

Download
memory/4180-141-0x00007FF7AA1A0000-0x00007FF7AA4F4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-117-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-154-0x00007FF7748A0000-0x00007FF774BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-37-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-142-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4512-104-0x00007FF7C07A0000-0x00007FF7C0AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4560-111-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp

Filesize
3.3MB

Download
memory/4560-153-0x00007FF6F5920000-0x00007FF6F5C74000-memory.dmp

Filesize
3.3MB

Download
memory/4720-146-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp

Filesize
3.3MB

Download
memory/4720-63-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp

Filesize
3.3MB

Download
memory/4720-131-0x00007FF76B830000-0x00007FF76BB84000-memory.dmp

Filesize
3.3MB

Download
memory/4832-50-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-0-0x00007FF63F880000-0x00007FF63FBD4000-memory.dmp

Filesize
3.3MB

Download
memory/4832-1-0x000001C7C4AA0000-0x000001C7C4AB0000-memory.dmp

Filesize
64KB

Download
memory/5000-149-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/5000-84-0x00007FF7BB960000-0x00007FF7BBCB4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-136-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp

Filesize
3.3MB

Download
memory/5040-157-0x00007FF6C03E0000-0x00007FF6C0734000-memory.dmp

Filesize
3.3MB

Download