cobaltstrike | 9f63450d285f1d7b000b9f3730f9d1e81a3baf43e9a8164ff12bf4c54937c9e3

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

08966a06b7f762db90c1966d10fed0ba
SHA1

29eae01abdc9c6a884e5fd013fd7eff3cc45d8ae
SHA256

9f63450d285f1d7b000b9f3730f9d1e81a3baf43e9a8164ff12bf4c54937c9e3
SHA512

92dca6a79edfca9fb84cd3dd6b6643e994f6e6ba21b19d50a0120c7a5dd9fba9067ffce98f6a7d27d8de594d3613604158d0743de1150a7a250672a82d8b092f
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUE:T+856utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\UqpLpsv.exe	cobalt_reflective_dll
C:\Windows\System\YHPBlGD.exe	cobalt_reflective_dll
C:\Windows\System\hiyqigz.exe	cobalt_reflective_dll
C:\Windows\System\ZcoUDHd.exe	cobalt_reflective_dll
C:\Windows\System\yoXyNBA.exe	cobalt_reflective_dll
C:\Windows\System\csTCZZd.exe	cobalt_reflective_dll
C:\Windows\System\lKZFUDH.exe	cobalt_reflective_dll
C:\Windows\System\zRmcRPA.exe	cobalt_reflective_dll
C:\Windows\System\gJCdHPG.exe	cobalt_reflective_dll
C:\Windows\System\nWBBCrz.exe	cobalt_reflective_dll
C:\Windows\System\UGFXKgP.exe	cobalt_reflective_dll
C:\Windows\System\DCzZUJC.exe	cobalt_reflective_dll
C:\Windows\System\HkzDraD.exe	cobalt_reflective_dll
C:\Windows\System\BgOHIQd.exe	cobalt_reflective_dll
C:\Windows\System\zZDeycT.exe	cobalt_reflective_dll
C:\Windows\System\fRvXFvX.exe	cobalt_reflective_dll
C:\Windows\System\ZAnJWBi.exe	cobalt_reflective_dll
C:\Windows\System\gLBQNrU.exe	cobalt_reflective_dll
C:\Windows\System\LtdjFvx.exe	cobalt_reflective_dll
C:\Windows\System\qFeomoy.exe	cobalt_reflective_dll
C:\Windows\System\BzvUZOi.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\UqpLpsv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YHPBlGD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hiyqigz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZcoUDHd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yoXyNBA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\csTCZZd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lKZFUDH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zRmcRPA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gJCdHPG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nWBBCrz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UGFXKgP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DCzZUJC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HkzDraD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BgOHIQd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zZDeycT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fRvXFvX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZAnJWBi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gLBQNrU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LtdjFvx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qFeomoy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BzvUZOi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	UPX
C:\Windows\System\UqpLpsv.exe	UPX
C:\Windows\System\YHPBlGD.exe	UPX
C:\Windows\System\hiyqigz.exe	UPX
behavioral2/memory/1436-17-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	UPX
behavioral2/memory/1088-18-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	UPX
behavioral2/memory/3432-13-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	UPX
C:\Windows\System\ZcoUDHd.exe	UPX
behavioral2/memory/3208-26-0x00007FF608400000-0x00007FF608754000-memory.dmp	UPX
C:\Windows\System\yoXyNBA.exe	UPX
behavioral2/memory/4012-31-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	UPX
C:\Windows\System\csTCZZd.exe	UPX
C:\Windows\System\lKZFUDH.exe	UPX
behavioral2/memory/932-44-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	UPX
C:\Windows\System\zRmcRPA.exe	UPX
behavioral2/memory/4692-50-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	UPX
behavioral2/memory/1504-38-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	UPX
C:\Windows\System\gJCdHPG.exe	UPX
C:\Windows\System\nWBBCrz.exe	UPX
behavioral2/memory/3192-62-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	UPX
C:\Windows\System\UGFXKgP.exe	UPX
behavioral2/memory/4588-76-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	UPX
C:\Windows\System\DCzZUJC.exe	UPX
C:\Windows\System\HkzDraD.exe	UPX
behavioral2/memory/2144-82-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	UPX
behavioral2/memory/4984-78-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	UPX
behavioral2/memory/5004-77-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	UPX
C:\Windows\System\BgOHIQd.exe	UPX
behavioral2/memory/3964-54-0x00007FF795040000-0x00007FF795394000-memory.dmp	UPX
behavioral2/memory/3004-87-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	UPX
C:\Windows\System\zZDeycT.exe	UPX
C:\Windows\System\fRvXFvX.exe	UPX
C:\Windows\System\ZAnJWBi.exe	UPX
behavioral2/memory/1432-95-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	UPX
behavioral2/memory/1088-93-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	UPX
behavioral2/memory/5048-117-0x00007FF65E060000-0x00007FF65E3B4000-memory.dmp	UPX
C:\Windows\System\gLBQNrU.exe	UPX
C:\Windows\System\LtdjFvx.exe	UPX
behavioral2/memory/3652-127-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	UPX
behavioral2/memory/4724-125-0x00007FF6BEEE0000-0x00007FF6BF234000-memory.dmp	UPX
C:\Windows\System\qFeomoy.exe	UPX
behavioral2/memory/760-120-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	UPX
behavioral2/memory/4456-119-0x00007FF6BB7D0000-0x00007FF6BBB24000-memory.dmp	UPX
behavioral2/memory/4580-118-0x00007FF614CE0000-0x00007FF615034000-memory.dmp	UPX
behavioral2/memory/4012-114-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	UPX
C:\Windows\System\BzvUZOi.exe	UPX
behavioral2/memory/3964-131-0x00007FF795040000-0x00007FF795394000-memory.dmp	UPX
behavioral2/memory/1432-132-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	UPX
behavioral2/memory/760-133-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	UPX
behavioral2/memory/3652-134-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	UPX
behavioral2/memory/3432-135-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	UPX
behavioral2/memory/1436-136-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	UPX
behavioral2/memory/1088-137-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	UPX
behavioral2/memory/3208-138-0x00007FF608400000-0x00007FF608754000-memory.dmp	UPX
behavioral2/memory/4012-139-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	UPX
behavioral2/memory/1504-140-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	UPX
behavioral2/memory/932-141-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	UPX
behavioral2/memory/4692-142-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	UPX
behavioral2/memory/3964-143-0x00007FF795040000-0x00007FF795394000-memory.dmp	UPX
behavioral2/memory/4588-144-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	UPX
behavioral2/memory/4984-145-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	UPX
behavioral2/memory/5004-146-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	UPX
behavioral2/memory/2144-147-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	UPX
behavioral2/memory/3004-148-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	xmrig
C:\Windows\System\UqpLpsv.exe	xmrig
C:\Windows\System\YHPBlGD.exe	xmrig
C:\Windows\System\hiyqigz.exe	xmrig
behavioral2/memory/1436-17-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	xmrig
behavioral2/memory/1088-18-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	xmrig
behavioral2/memory/3432-13-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	xmrig
C:\Windows\System\ZcoUDHd.exe	xmrig
behavioral2/memory/3208-26-0x00007FF608400000-0x00007FF608754000-memory.dmp	xmrig
C:\Windows\System\yoXyNBA.exe	xmrig
behavioral2/memory/4012-31-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	xmrig
C:\Windows\System\csTCZZd.exe	xmrig
C:\Windows\System\lKZFUDH.exe	xmrig
behavioral2/memory/932-44-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	xmrig
C:\Windows\System\zRmcRPA.exe	xmrig
behavioral2/memory/4692-50-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	xmrig
behavioral2/memory/1504-38-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	xmrig
C:\Windows\System\gJCdHPG.exe	xmrig
C:\Windows\System\nWBBCrz.exe	xmrig
behavioral2/memory/3192-62-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	xmrig
C:\Windows\System\UGFXKgP.exe	xmrig
behavioral2/memory/4588-76-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	xmrig
C:\Windows\System\DCzZUJC.exe	xmrig
C:\Windows\System\HkzDraD.exe	xmrig
behavioral2/memory/2144-82-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	xmrig
behavioral2/memory/4984-78-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	xmrig
behavioral2/memory/5004-77-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	xmrig
C:\Windows\System\BgOHIQd.exe	xmrig
behavioral2/memory/3964-54-0x00007FF795040000-0x00007FF795394000-memory.dmp	xmrig
behavioral2/memory/3004-87-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	xmrig
C:\Windows\System\zZDeycT.exe	xmrig
C:\Windows\System\fRvXFvX.exe	xmrig
C:\Windows\System\ZAnJWBi.exe	xmrig
behavioral2/memory/1432-95-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	xmrig
behavioral2/memory/1088-93-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	xmrig
behavioral2/memory/5048-117-0x00007FF65E060000-0x00007FF65E3B4000-memory.dmp	xmrig
C:\Windows\System\gLBQNrU.exe	xmrig
C:\Windows\System\LtdjFvx.exe	xmrig
behavioral2/memory/3652-127-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	xmrig
behavioral2/memory/4724-125-0x00007FF6BEEE0000-0x00007FF6BF234000-memory.dmp	xmrig
C:\Windows\System\qFeomoy.exe	xmrig
behavioral2/memory/760-120-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	xmrig
behavioral2/memory/4456-119-0x00007FF6BB7D0000-0x00007FF6BBB24000-memory.dmp	xmrig
behavioral2/memory/4580-118-0x00007FF614CE0000-0x00007FF615034000-memory.dmp	xmrig
behavioral2/memory/4012-114-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	xmrig
C:\Windows\System\BzvUZOi.exe	xmrig
behavioral2/memory/3964-131-0x00007FF795040000-0x00007FF795394000-memory.dmp	xmrig
behavioral2/memory/1432-132-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	xmrig
behavioral2/memory/760-133-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	xmrig
behavioral2/memory/3652-134-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	xmrig
behavioral2/memory/3432-135-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	xmrig
behavioral2/memory/1436-136-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	xmrig
behavioral2/memory/1088-137-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	xmrig
behavioral2/memory/3208-138-0x00007FF608400000-0x00007FF608754000-memory.dmp	xmrig
behavioral2/memory/4012-139-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	xmrig
behavioral2/memory/1504-140-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	xmrig
behavioral2/memory/932-141-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	xmrig
behavioral2/memory/4692-142-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	xmrig
behavioral2/memory/3964-143-0x00007FF795040000-0x00007FF795394000-memory.dmp	xmrig
behavioral2/memory/4588-144-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	xmrig
behavioral2/memory/4984-145-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	xmrig
behavioral2/memory/5004-146-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	xmrig
behavioral2/memory/2144-147-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	xmrig
behavioral2/memory/3004-148-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UqpLpsv.exeYHPBlGD.exehiyqigz.exeZcoUDHd.exeyoXyNBA.execsTCZZd.exelKZFUDH.exezRmcRPA.exegJCdHPG.exenWBBCrz.exeUGFXKgP.exeBgOHIQd.exeDCzZUJC.exeHkzDraD.exezZDeycT.exeZAnJWBi.exefRvXFvX.exeBzvUZOi.exeqFeomoy.exegLBQNrU.exeLtdjFvx.exe

pid	process
3432	UqpLpsv.exe
1436	YHPBlGD.exe
1088	hiyqigz.exe
3208	ZcoUDHd.exe
4012	yoXyNBA.exe
1504	csTCZZd.exe
932	lKZFUDH.exe
4692	zRmcRPA.exe
3964	gJCdHPG.exe
4588	nWBBCrz.exe
4984	UGFXKgP.exe
5004	BgOHIQd.exe
2144	DCzZUJC.exe
3004	HkzDraD.exe
1432	zZDeycT.exe
5048	ZAnJWBi.exe
4580	fRvXFvX.exe
4456	BzvUZOi.exe
4724	qFeomoy.exe
760	gLBQNrU.exe
3652	LtdjFvx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	upx
C:\Windows\System\UqpLpsv.exe	upx
C:\Windows\System\YHPBlGD.exe	upx
C:\Windows\System\hiyqigz.exe	upx
behavioral2/memory/1436-17-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	upx
behavioral2/memory/1088-18-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	upx
behavioral2/memory/3432-13-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	upx
C:\Windows\System\ZcoUDHd.exe	upx
behavioral2/memory/3208-26-0x00007FF608400000-0x00007FF608754000-memory.dmp	upx
C:\Windows\System\yoXyNBA.exe	upx
behavioral2/memory/4012-31-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	upx
C:\Windows\System\csTCZZd.exe	upx
C:\Windows\System\lKZFUDH.exe	upx
behavioral2/memory/932-44-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	upx
C:\Windows\System\zRmcRPA.exe	upx
behavioral2/memory/4692-50-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	upx
behavioral2/memory/1504-38-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	upx
C:\Windows\System\gJCdHPG.exe	upx
C:\Windows\System\nWBBCrz.exe	upx
behavioral2/memory/3192-62-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp	upx
C:\Windows\System\UGFXKgP.exe	upx
behavioral2/memory/4588-76-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	upx
C:\Windows\System\DCzZUJC.exe	upx
C:\Windows\System\HkzDraD.exe	upx
behavioral2/memory/2144-82-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	upx
behavioral2/memory/4984-78-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	upx
behavioral2/memory/5004-77-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	upx
C:\Windows\System\BgOHIQd.exe	upx
behavioral2/memory/3964-54-0x00007FF795040000-0x00007FF795394000-memory.dmp	upx
behavioral2/memory/3004-87-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	upx
C:\Windows\System\zZDeycT.exe	upx
C:\Windows\System\fRvXFvX.exe	upx
C:\Windows\System\ZAnJWBi.exe	upx
behavioral2/memory/1432-95-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	upx
behavioral2/memory/1088-93-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	upx
behavioral2/memory/5048-117-0x00007FF65E060000-0x00007FF65E3B4000-memory.dmp	upx
C:\Windows\System\gLBQNrU.exe	upx
C:\Windows\System\LtdjFvx.exe	upx
behavioral2/memory/3652-127-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	upx
behavioral2/memory/4724-125-0x00007FF6BEEE0000-0x00007FF6BF234000-memory.dmp	upx
C:\Windows\System\qFeomoy.exe	upx
behavioral2/memory/760-120-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	upx
behavioral2/memory/4456-119-0x00007FF6BB7D0000-0x00007FF6BBB24000-memory.dmp	upx
behavioral2/memory/4580-118-0x00007FF614CE0000-0x00007FF615034000-memory.dmp	upx
behavioral2/memory/4012-114-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	upx
C:\Windows\System\BzvUZOi.exe	upx
behavioral2/memory/3964-131-0x00007FF795040000-0x00007FF795394000-memory.dmp	upx
behavioral2/memory/1432-132-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp	upx
behavioral2/memory/760-133-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp	upx
behavioral2/memory/3652-134-0x00007FF697170000-0x00007FF6974C4000-memory.dmp	upx
behavioral2/memory/3432-135-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp	upx
behavioral2/memory/1436-136-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp	upx
behavioral2/memory/1088-137-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp	upx
behavioral2/memory/3208-138-0x00007FF608400000-0x00007FF608754000-memory.dmp	upx
behavioral2/memory/4012-139-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp	upx
behavioral2/memory/1504-140-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp	upx
behavioral2/memory/932-141-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp	upx
behavioral2/memory/4692-142-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp	upx
behavioral2/memory/3964-143-0x00007FF795040000-0x00007FF795394000-memory.dmp	upx
behavioral2/memory/4588-144-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp	upx
behavioral2/memory/4984-145-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp	upx
behavioral2/memory/5004-146-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp	upx
behavioral2/memory/2144-147-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp	upx
behavioral2/memory/3004-148-0x00007FF620780000-0x00007FF620AD4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\BgOHIQd.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DCzZUJC.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZcoUDHd.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yoXyNBA.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\csTCZZd.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lKZFUDH.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zRmcRPA.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWBBCrz.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BzvUZOi.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLBQNrU.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkzDraD.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zZDeycT.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fRvXFvX.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqpLpsv.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gJCdHPG.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGFXKgP.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZAnJWBi.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LtdjFvx.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YHPBlGD.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hiyqigz.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qFeomoy.exe	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3192 wrote to memory of 3432	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	UqpLpsv.exe
PID 3192 wrote to memory of 3432	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	UqpLpsv.exe
PID 3192 wrote to memory of 1436	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	YHPBlGD.exe
PID 3192 wrote to memory of 1436	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	YHPBlGD.exe
PID 3192 wrote to memory of 1088	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	hiyqigz.exe
PID 3192 wrote to memory of 1088	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	hiyqigz.exe
PID 3192 wrote to memory of 3208	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	ZcoUDHd.exe
PID 3192 wrote to memory of 3208	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	ZcoUDHd.exe
PID 3192 wrote to memory of 4012	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	yoXyNBA.exe
PID 3192 wrote to memory of 4012	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	yoXyNBA.exe
PID 3192 wrote to memory of 1504	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	csTCZZd.exe
PID 3192 wrote to memory of 1504	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	csTCZZd.exe
PID 3192 wrote to memory of 932	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	lKZFUDH.exe
PID 3192 wrote to memory of 932	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	lKZFUDH.exe
PID 3192 wrote to memory of 4692	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	zRmcRPA.exe
PID 3192 wrote to memory of 4692	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	zRmcRPA.exe
PID 3192 wrote to memory of 3964	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	gJCdHPG.exe
PID 3192 wrote to memory of 3964	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	gJCdHPG.exe
PID 3192 wrote to memory of 4588	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	nWBBCrz.exe
PID 3192 wrote to memory of 4588	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	nWBBCrz.exe
PID 3192 wrote to memory of 4984	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	UGFXKgP.exe
PID 3192 wrote to memory of 4984	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	UGFXKgP.exe
PID 3192 wrote to memory of 5004	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	BgOHIQd.exe
PID 3192 wrote to memory of 5004	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	BgOHIQd.exe
PID 3192 wrote to memory of 2144	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	DCzZUJC.exe
PID 3192 wrote to memory of 2144	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	DCzZUJC.exe
PID 3192 wrote to memory of 3004	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	HkzDraD.exe
PID 3192 wrote to memory of 3004	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	HkzDraD.exe
PID 3192 wrote to memory of 1432	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	zZDeycT.exe
PID 3192 wrote to memory of 1432	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	zZDeycT.exe
PID 3192 wrote to memory of 5048	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	ZAnJWBi.exe
PID 3192 wrote to memory of 5048	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	ZAnJWBi.exe
PID 3192 wrote to memory of 4580	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	fRvXFvX.exe
PID 3192 wrote to memory of 4580	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	fRvXFvX.exe
PID 3192 wrote to memory of 4456	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	BzvUZOi.exe
PID 3192 wrote to memory of 4456	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	BzvUZOi.exe
PID 3192 wrote to memory of 4724	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	qFeomoy.exe
PID 3192 wrote to memory of 4724	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	qFeomoy.exe
PID 3192 wrote to memory of 760	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	gLBQNrU.exe
PID 3192 wrote to memory of 760	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	gLBQNrU.exe
PID 3192 wrote to memory of 3652	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	LtdjFvx.exe
PID 3192 wrote to memory of 3652	3192	2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe	LtdjFvx.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_08966a06b7f762db90c1966d10fed0ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System\UqpLpsv.exe
C:\Windows\System\UqpLpsv.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System\YHPBlGD.exe
C:\Windows\System\YHPBlGD.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\hiyqigz.exe
C:\Windows\System\hiyqigz.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Windows\System\ZcoUDHd.exe
C:\Windows\System\ZcoUDHd.exe
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\System\yoXyNBA.exe
C:\Windows\System\yoXyNBA.exe
2⤵
- Executes dropped EXE
PID:4012

C:\Windows\System\csTCZZd.exe
C:\Windows\System\csTCZZd.exe
2⤵
- Executes dropped EXE
PID:1504

C:\Windows\System\lKZFUDH.exe
C:\Windows\System\lKZFUDH.exe
2⤵
- Executes dropped EXE
PID:932

C:\Windows\System\zRmcRPA.exe
C:\Windows\System\zRmcRPA.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System\gJCdHPG.exe
C:\Windows\System\gJCdHPG.exe
2⤵
- Executes dropped EXE
PID:3964

C:\Windows\System\nWBBCrz.exe
C:\Windows\System\nWBBCrz.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\UGFXKgP.exe
C:\Windows\System\UGFXKgP.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\System\BgOHIQd.exe
C:\Windows\System\BgOHIQd.exe
2⤵
- Executes dropped EXE
PID:5004

C:\Windows\System\DCzZUJC.exe
C:\Windows\System\DCzZUJC.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\HkzDraD.exe
C:\Windows\System\HkzDraD.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\zZDeycT.exe
C:\Windows\System\zZDeycT.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\ZAnJWBi.exe
C:\Windows\System\ZAnJWBi.exe
2⤵
- Executes dropped EXE
PID:5048

C:\Windows\System\fRvXFvX.exe
C:\Windows\System\fRvXFvX.exe
2⤵
- Executes dropped EXE
PID:4580

C:\Windows\System\BzvUZOi.exe
C:\Windows\System\BzvUZOi.exe
2⤵
- Executes dropped EXE
PID:4456

C:\Windows\System\qFeomoy.exe
C:\Windows\System\qFeomoy.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\gLBQNrU.exe
C:\Windows\System\gLBQNrU.exe
2⤵
- Executes dropped EXE
PID:760

C:\Windows\System\LtdjFvx.exe
C:\Windows\System\LtdjFvx.exe
2⤵
- Executes dropped EXE
PID:3652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BgOHIQd.exe
Filesize
5.9MB

MD5
cb49767cdd1e0e7ef94e83ae2140ec31

SHA1
38a587ac22aacc05222f5f055e21efd5770b543a

SHA256
70fc15cdbc341db1a30bce56948a19d5dcaacd26c964090ee6fc3d2f253dc234

SHA512
655ebf0c3bf49f8244ee0bb24367049f6f20cba16128e1e07fc5063365ad67714bcd064dcd3cf1fdb1b6614613fa1ac3e606f9579d621c06dd866ae071f1f93f

Download Submit
C:\Windows\System\BzvUZOi.exe
Filesize
5.9MB

MD5
6ffa4f75b4788afdbe5a6b5ddddcdbb0

SHA1
86b3008b9501b7198f3092acc00df4d87c52aaff

SHA256
452c87c81dc19cc2335f05ee285c1b3d97a89dc06f9b8352e7e27b32692f6867

SHA512
674c6cebf2c502bd0210c6be1a06a8181fd57a6e71da0a6a2063988dacc101c25485b2cfe927b4f3b91241dbbbf2fcba08faf15ed3301f0a0fc0830cdadf72e2

Download Submit
C:\Windows\System\DCzZUJC.exe
Filesize
5.9MB

MD5
16b28bf18a085937416e4d66fbf47a30

SHA1
a69f0c2d1a63a748d2364f9d661359425bcc8cdf

SHA256
3dfdf9828b1bf62fcefe34d2ed7c64a35ac77a7cb48dd9d2c259b1b80f3e3394

SHA512
998f073eddfb2fe41c48506b57d5446fa7eb349c1c0e0aaabbc7aaa871dd1720c7aa9df033599d0e2b693dee963025647c20345554e49c3a270213587d6d07d5

Download Submit
C:\Windows\System\HkzDraD.exe
Filesize
5.9MB

MD5
00312552caff409eb0bae63f64deefe6

SHA1
9068541b0b8df5c941b479b06e218dae3193c499

SHA256
67d696a2d2f1ccadcbdcd0adb10215eace954f6a2046ebd7d511d09b4af030f7

SHA512
0ef761e015b5cde4a186df90492d3922170325c07ec503bee93965e75a4d42ec56f6a93c6cf1f60cfdaf8df3875729223c94989ee913432c33c5c15a8861c5de

Download Submit
C:\Windows\System\LtdjFvx.exe
Filesize
5.9MB

MD5
380bbbb8b5b6e19588216de58ec4a236

SHA1
367b2c08af5e66952a28979b47cc170944e74a2e

SHA256
b99e1ad224bd36e1e0c51bbd3f7a867b8881260fbb2c0a170eb64424bb00a85d

SHA512
40402a5c7b7e73001d9bc1e4aeb67709e5cda0bdf23a4b216a7a538005fb789eac73d673f42110920f87ec8f3181ce6eba31b496ac0182c2f1b866f2d5bf8d9a

Download Submit
C:\Windows\System\UGFXKgP.exe
Filesize
5.9MB

MD5
ad09042f2d890b19fe0ed4514e55daa2

SHA1
16adc072e91527b33e959b189ce1bb1c0c3d910d

SHA256
e9f0fd031b8b9959286ac7107c6c1a675802424afb1029f44a9cd00b87cf9809

SHA512
074ede596a865e031ec51d1411b7ef08d6d4f54286fde8110dad13a756c2dfdb2d45cd78eea9b075dbb43fac9ec7da6d229c6d969872b682d7792528d717cdf6

Download Submit
C:\Windows\System\UqpLpsv.exe
Filesize
5.9MB

MD5
946b27aef486c5250a3ad5c48b3e442d

SHA1
c98dd7cc7400edd3acf49dbe63864a4e4bb6989d

SHA256
aeb26b60a326d129870e96009d005a8fccae7c26b5fa3c22881740c8c4b75c0c

SHA512
a52960413e522d0da3b6d54ac190ab17c5bb687ee8ba94b9dacf9baa8396b361b361ec554c953d2e2c81a99069784b9a2e42ed4b5d1260124a7c7f7f965e99ab

Download Submit
C:\Windows\System\YHPBlGD.exe
Filesize
5.9MB

MD5
cd79c94f8ed964f07abc9b5ca3edddfe

SHA1
bb8cee742bba080cd268499a7c8f48bd844967c0

SHA256
6aa3a3494cd73c49f59abf4f716d58d9ab1d14604fc988a7579e11839651855e

SHA512
8cea99d11d290e415e21b766fc12d124865a2473c93a4b785d9bc92e6497db1b914c95136dea118a81457461d51c4f7e90f6189583a3f3a9260e6e63eaaf0654

Download Submit
C:\Windows\System\ZAnJWBi.exe
Filesize
5.9MB

MD5
5833f5753c50440ae17321935c17b536

SHA1
f9446b64f25690b3bc583a02949ec27221e1c98f

SHA256
3ea4ecdb22c38943917681850ddc38802519135ebf291d186e3b0f92c9d39e6c

SHA512
bc0fcb3abb1d7dc71fca24942c3b106b4feaab1b6dd1b6a40670c15c41ad056e86e5b09a80983a4e1cca7aee741ded799b01867762f5ab6809bb063050faa5d5

Download Submit
C:\Windows\System\ZcoUDHd.exe
Filesize
5.9MB

MD5
26b47c2b59dea5aa1ae6283f82639600

SHA1
1a99e1e3ad53dada273743fd97c890ae07add61a

SHA256
69882aa9b3b323d4c64f499fb2a71353a9a0968a9623c962f42bd4ac0c42fd66

SHA512
6185e47feffaaa8c52bdf530ac98e20c8b13b3a72e5516658f87d124d3c4879ab1f78feafb7c672f0d09e19952acf6e15088e0df1e7fab0ef3e3a1634051204b

Download Submit
C:\Windows\System\csTCZZd.exe
Filesize
5.9MB

MD5
0d56d5690ed51684709360c792236fab

SHA1
02aa20c7e9d46aa9e503d2293aff235b06a60c3c

SHA256
0c51b458ac34b23de743cb0697cc8030021e67f254f905a9ae5197d08c01b17f

SHA512
079e7d46ade4eb3c69badbbdc639c4c503baf2bc6209b5035620783e07b4f50e354f3e964a29a3eaac2aa634db042476d52bae1bae251fe38655643a649e9127

Download Submit
C:\Windows\System\fRvXFvX.exe
Filesize
5.9MB

MD5
13bbfaa7b4c60373b33289beb035e129

SHA1
0c1c7fa546715e7bbe8db26912da7e00d713ef0d

SHA256
5347c348a9aa07f87f350c628df5fdc1ee27376754865e6817032b323f4970e0

SHA512
cfd4ec76ef3bba1ed827d97d72075f59578e54fa15fded7996b48f95898c238bd0f44ea1610ed9a6d2f0d9ae149c29439ba8faca29d830edef9bd373d4485765

Download Submit
C:\Windows\System\gJCdHPG.exe
Filesize
5.9MB

MD5
399456bc4702e7ddfff4f4d8c1be5e73

SHA1
90e81a0b24dbae3716c5a24cd67abde4057e4b6a

SHA256
7b93324b1a94301fe9a2cfaa2ed05ddd9751fd6c86c9c54722e77db7e1a5fd06

SHA512
26221ac62e765778f9278bb88cfa4c6c0c7f4645c73756885f8d005f572b995806f0fab6ba1476e5d0cd991e62988530ad26f96a33b1cfdaaff4e7b3eed243f1

Download Submit
C:\Windows\System\gLBQNrU.exe
Filesize
5.9MB

MD5
27003d5e330eeb62addfc067d0e1785f

SHA1
3316de6d3f6ec967576669a4aacc63261d5cd160

SHA256
273a46a91a9ed963f6eb5ee40d059432f07bcb1173c24a7c532f934ca10a97e9

SHA512
4ba1bb2f850be65cb9dc6690433543a37cd4bde2ae1bb7ea6dfc7768b850976831440e5c510c0960a49f5b47c6705d66e5f6fed1d48598ed44ba040fb519a0f4

Download Submit
C:\Windows\System\hiyqigz.exe
Filesize
5.9MB

MD5
9566e8d29e6b8a66bdce56f86ea92d0c

SHA1
94ed2f5171f4c5f733e7e0e1a61747f5a953a8bc

SHA256
5345ba1e667c18454958c25db42c8d6824b0737f973a16b845893ad6aa3d4946

SHA512
618da0154ef418b845141acd1cf75452aafc2833c0cfc8cec3d3f707138eeedbe7f9ed38d0905e7314e1c3df708a6b265b80de748865d6a9fb8eb6afcdc1c69f

Download Submit
C:\Windows\System\lKZFUDH.exe
Filesize
5.9MB

MD5
b464b9dd67f5bfa4f0620b4c8014deac

SHA1
d9e655c44e4911b8cc21a05d7fef1b8f1da191e4

SHA256
c5d3956848625019aabfae20e81299e7a744d5581bc1a7b292d021b5795062d0

SHA512
61e8c6a96f4799e29aa27066874f9efadf1179ef669ac61390d6d1c9b5ab440db5a3f0192a7be69bc53d0e2a8198d5bc6f66b638a0e5012c5160a97d57a70dc0

Download Submit
C:\Windows\System\nWBBCrz.exe
Filesize
5.9MB

MD5
f6a2772232dead0c5278b090802f1757

SHA1
16818117d13361a15e642c5923fd9e75af07c86a

SHA256
e309616d0172df95dad1689809891ef5b20cf56f85eda89c5b4bcd54feaebb77

SHA512
48309db4c6c8b6d8013b22caca52bfd5b37641c503313f078be65f26ad0998a5b76a4a8a63bc2291143fe7d97cecc45241d8e9ae94ce70635da84f1223bf0ed3

Download Submit
C:\Windows\System\qFeomoy.exe
Filesize
5.9MB

MD5
90490a1110883f888ae802c2b7b66585

SHA1
9a9586764f7f3f64a04810d744cf12f02ef0657e

SHA256
1365842184565cda89164431dc99c4d9457cea294f51d92435346b71d21eca6c

SHA512
5a2dfa4217e6a3bb09280cedfb2bd29c0e3471142f8c1d46bde38a62b76fe4fe6382272877cb15d59983dc8ade6a8e958efc8b65074e8832e44dee7b4fa08937

Download Submit
C:\Windows\System\yoXyNBA.exe
Filesize
5.9MB

MD5
557521a19b5328e97080b4af0c428d45

SHA1
69406a8f86caa98aedb3fe6c7454eeff38698894

SHA256
1efaf661a44f44d81cd23ab0ce22cbd820368c6f6cfdadc59c5c867f1f425c66

SHA512
cd351c9c7cd8862a77b31674df8fce030b04d839a9c7e34981dddd1013dc58c6c79c7bf7a4418859f7f4a2adc90377e87bed8e46408efcb419968a772db9a8d9

Download Submit
C:\Windows\System\zRmcRPA.exe
Filesize
5.9MB

MD5
368158c74885edb4fb35f1c8b27d3cf0

SHA1
5f9b294936ee33e5bf19b29fd4bd043a2bfc0670

SHA256
62a6e994e770b0b71b9d1a9bd1955e57539b0700a31f28a49a71e52e97bbbc04

SHA512
4e9f769c22393e4c76c3b78743d88aec0f65b1c43925ed192692c6547077bb8fe9365536389a28a2fd80251f75e7da86fa74ee7cd777871583728817319affdc

Download Submit
C:\Windows\System\zZDeycT.exe
Filesize
5.9MB

MD5
15361d596202284bbd53a1d01a50afca

SHA1
4c6944cd00bf96a56d9d178d41a8eff7ee8454e3

SHA256
2b6f0c4603c5566249eba951812d251def7218c7cafe52452598644bb464bcfd

SHA512
55953aa3904260235bf16ddf4d2da439255b05366bb9529a8910fb9f41770fea68e8b29ef5ea80ee36e655ba6402a0dc913bd9e57df90a036e6f9abf7fb01a9f

Download Submit
memory/760-120-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp

Filesize
3.3MB

Download
memory/760-133-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp

Filesize
3.3MB

Download
memory/760-155-0x00007FF798C60000-0x00007FF798FB4000-memory.dmp

Filesize
3.3MB

Download
memory/932-141-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp

Filesize
3.3MB

Download
memory/932-44-0x00007FF67BBD0000-0x00007FF67BF24000-memory.dmp

Filesize
3.3MB

Download
memory/1088-93-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp

Filesize
3.3MB

Download
memory/1088-18-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp

Filesize
3.3MB

Download
memory/1088-137-0x00007FF7D32F0000-0x00007FF7D3644000-memory.dmp

Filesize
3.3MB

Download
memory/1432-149-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp

Filesize
3.3MB

Download
memory/1432-132-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp

Filesize
3.3MB

Download
memory/1432-95-0x00007FF6B8220000-0x00007FF6B8574000-memory.dmp

Filesize
3.3MB

Download
memory/1436-136-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1436-17-0x00007FF7D7CA0000-0x00007FF7D7FF4000-memory.dmp

Filesize
3.3MB

Download
memory/1504-140-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp

Filesize
3.3MB

Download
memory/1504-38-0x00007FF7B7B20000-0x00007FF7B7E74000-memory.dmp

Filesize
3.3MB

Download
memory/2144-82-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp

Filesize
3.3MB

Download
memory/2144-147-0x00007FF6266F0000-0x00007FF626A44000-memory.dmp

Filesize
3.3MB

Download
memory/3004-87-0x00007FF620780000-0x00007FF620AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-148-0x00007FF620780000-0x00007FF620AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-0-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-62-0x00007FF779AA0000-0x00007FF779DF4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-1-0x0000020A4A780000-0x0000020A4A790000-memory.dmp

Filesize
64KB

Download
memory/3208-138-0x00007FF608400000-0x00007FF608754000-memory.dmp

Filesize
3.3MB

Download
memory/3208-26-0x00007FF608400000-0x00007FF608754000-memory.dmp

Filesize
3.3MB

Download
memory/3432-135-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3432-13-0x00007FF65C260000-0x00007FF65C5B4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-127-0x00007FF697170000-0x00007FF6974C4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-134-0x00007FF697170000-0x00007FF6974C4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-154-0x00007FF697170000-0x00007FF6974C4000-memory.dmp

Filesize
3.3MB

Download
memory/3964-131-0x00007FF795040000-0x00007FF795394000-memory.dmp

Filesize
3.3MB

Download
memory/3964-143-0x00007FF795040000-0x00007FF795394000-memory.dmp

Filesize
3.3MB

Download
memory/3964-54-0x00007FF795040000-0x00007FF795394000-memory.dmp

Filesize
3.3MB

Download
memory/4012-139-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-31-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp

Filesize
3.3MB

Download
memory/4012-114-0x00007FF6CEF80000-0x00007FF6CF2D4000-memory.dmp

Filesize
3.3MB

Download
memory/4456-152-0x00007FF6BB7D0000-0x00007FF6BBB24000-memory.dmp

Filesize
3.3MB

Download
memory/4456-119-0x00007FF6BB7D0000-0x00007FF6BBB24000-memory.dmp

Filesize
3.3MB

Download
memory/4580-151-0x00007FF614CE0000-0x00007FF615034000-memory.dmp

Filesize
3.3MB

Download
memory/4580-118-0x00007FF614CE0000-0x00007FF615034000-memory.dmp

Filesize
3.3MB

Download
memory/4588-144-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4588-76-0x00007FF672C70000-0x00007FF672FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-142-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-50-0x00007FF66A2A0000-0x00007FF66A5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4724-125-0x00007FF6BEEE0000-0x00007FF6BF234000-memory.dmp

Filesize
3.3MB

Download
memory/4724-153-0x00007FF6BEEE0000-0x00007FF6BF234000-memory.dmp

Filesize
3.3MB

Download
memory/4984-145-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp

Filesize
3.3MB

Download
memory/4984-78-0x00007FF76EF90000-0x00007FF76F2E4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-146-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-77-0x00007FF7D41A0000-0x00007FF7D44F4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-150-0x00007FF65E060000-0x00007FF65E3B4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-117-0x00007FF65E060000-0x00007FF65E3B4000-memory.dmp

Filesize
3.3MB

Download