cobaltstrike | 8f34e0ebc046a8c5314bfbbb766bb783af7198e7122c402360c56803260fba47

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5937c31ca14a0fca3d2bf65b84899896
SHA1

4531050e9eac23b9b24e4a50691cf2a7ae645fc5
SHA256

8f34e0ebc046a8c5314bfbbb766bb783af7198e7122c402360c56803260fba47
SHA512

3bd2d2245b6bc6d68c58b818e962b1f2c93d7d42fce82880269d9a424b8eeb59a282f812af7f80813c9cec849a3b60140936b690f1dc056e0b1bec63c64987a4
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:T+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\aqiFEwr.exe	cobalt_reflective_dll
C:\Windows\System\zVsFAum.exe	cobalt_reflective_dll
C:\Windows\System\jrwILmZ.exe	cobalt_reflective_dll
C:\Windows\System\KSHMFDz.exe	cobalt_reflective_dll
C:\Windows\System\ulbCJAZ.exe	cobalt_reflective_dll
C:\Windows\System\YnLwZeO.exe	cobalt_reflective_dll
C:\Windows\System\wfIZKaq.exe	cobalt_reflective_dll
C:\Windows\System\pdwMAsc.exe	cobalt_reflective_dll
C:\Windows\System\ohNLNuF.exe	cobalt_reflective_dll
C:\Windows\System\vGdWhJw.exe	cobalt_reflective_dll
C:\Windows\System\uUxVrpZ.exe	cobalt_reflective_dll
C:\Windows\System\VGnraJU.exe	cobalt_reflective_dll
C:\Windows\System\AzrzMPA.exe	cobalt_reflective_dll
C:\Windows\System\JPnBrbw.exe	cobalt_reflective_dll
C:\Windows\System\vWhLBWc.exe	cobalt_reflective_dll
C:\Windows\System\MWPRpcL.exe	cobalt_reflective_dll
C:\Windows\System\uGdhdTo.exe	cobalt_reflective_dll
C:\Windows\System\EMGIYkp.exe	cobalt_reflective_dll
C:\Windows\System\IWSjRDj.exe	cobalt_reflective_dll
C:\Windows\System\ANXnpjv.exe	cobalt_reflective_dll
C:\Windows\System\EZsRIup.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\aqiFEwr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zVsFAum.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jrwILmZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KSHMFDz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ulbCJAZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YnLwZeO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wfIZKaq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pdwMAsc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ohNLNuF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vGdWhJw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uUxVrpZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VGnraJU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AzrzMPA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JPnBrbw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vWhLBWc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MWPRpcL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uGdhdTo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EMGIYkp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IWSjRDj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ANXnpjv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EZsRIup.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2056-0-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	UPX
C:\Windows\System\aqiFEwr.exe	UPX
behavioral2/memory/3168-8-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	UPX
C:\Windows\System\zVsFAum.exe	UPX
C:\Windows\System\jrwILmZ.exe	UPX
C:\Windows\System\KSHMFDz.exe	UPX
C:\Windows\System\ulbCJAZ.exe	UPX
C:\Windows\System\YnLwZeO.exe	UPX
C:\Windows\System\wfIZKaq.exe	UPX
behavioral2/memory/3228-42-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	UPX
behavioral2/memory/1240-39-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	UPX
behavioral2/memory/1012-36-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	UPX
behavioral2/memory/1420-31-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	UPX
behavioral2/memory/3648-26-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	UPX
behavioral2/memory/2184-20-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	UPX
C:\Windows\System\pdwMAsc.exe	UPX
behavioral2/memory/364-48-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	UPX
C:\Windows\System\ohNLNuF.exe	UPX
behavioral2/memory/4892-55-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	UPX
C:\Windows\System\vGdWhJw.exe	UPX
C:\Windows\System\uUxVrpZ.exe	UPX
C:\Windows\System\VGnraJU.exe	UPX
behavioral2/memory/1940-75-0x00007FF6C3750000-0x00007FF6C3AA4000-memory.dmp	UPX
behavioral2/memory/2056-83-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	UPX
C:\Windows\System\AzrzMPA.exe	UPX
C:\Windows\System\JPnBrbw.exe	UPX
C:\Windows\System\vWhLBWc.exe	UPX
behavioral2/memory/2184-107-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	UPX
C:\Windows\System\MWPRpcL.exe	UPX
behavioral2/memory/4612-117-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	UPX
C:\Windows\System\uGdhdTo.exe	UPX
C:\Windows\System\EMGIYkp.exe	UPX
behavioral2/memory/2792-110-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	UPX
behavioral2/memory/1964-108-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	UPX
C:\Windows\System\IWSjRDj.exe	UPX
C:\Windows\System\ANXnpjv.exe	UPX
behavioral2/memory/1736-101-0x00007FF736840000-0x00007FF736B94000-memory.dmp	UPX
behavioral2/memory/4704-100-0x00007FF796840000-0x00007FF796B94000-memory.dmp	UPX
C:\Windows\System\EZsRIup.exe	UPX
behavioral2/memory/3168-90-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	UPX
behavioral2/memory/2076-84-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	UPX
behavioral2/memory/2228-81-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	UPX
behavioral2/memory/4928-80-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	UPX
behavioral2/memory/2596-71-0x00007FF61F980000-0x00007FF61FCD4000-memory.dmp	UPX
behavioral2/memory/1240-127-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	UPX
behavioral2/memory/2272-130-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	UPX
behavioral2/memory/2324-131-0x00007FF6B00F0000-0x00007FF6B0444000-memory.dmp	UPX
behavioral2/memory/3228-132-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	UPX
behavioral2/memory/364-133-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	UPX
behavioral2/memory/4892-134-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	UPX
behavioral2/memory/4928-135-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	UPX
behavioral2/memory/2228-136-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	UPX
behavioral2/memory/2076-137-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	UPX
behavioral2/memory/4704-138-0x00007FF796840000-0x00007FF796B94000-memory.dmp	UPX
behavioral2/memory/1736-139-0x00007FF736840000-0x00007FF736B94000-memory.dmp	UPX
behavioral2/memory/1964-140-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	UPX
behavioral2/memory/2792-141-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	UPX
behavioral2/memory/4612-142-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	UPX
behavioral2/memory/2272-143-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	UPX
behavioral2/memory/3168-144-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	UPX
behavioral2/memory/3648-145-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	UPX
behavioral2/memory/2184-146-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	UPX
behavioral2/memory/1420-147-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	UPX
behavioral2/memory/1012-148-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2056-0-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	xmrig
C:\Windows\System\aqiFEwr.exe	xmrig
behavioral2/memory/3168-8-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	xmrig
C:\Windows\System\zVsFAum.exe	xmrig
C:\Windows\System\jrwILmZ.exe	xmrig
C:\Windows\System\KSHMFDz.exe	xmrig
C:\Windows\System\ulbCJAZ.exe	xmrig
C:\Windows\System\YnLwZeO.exe	xmrig
C:\Windows\System\wfIZKaq.exe	xmrig
behavioral2/memory/3228-42-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	xmrig
behavioral2/memory/1240-39-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	xmrig
behavioral2/memory/1012-36-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	xmrig
behavioral2/memory/1420-31-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	xmrig
behavioral2/memory/3648-26-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	xmrig
behavioral2/memory/2184-20-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	xmrig
C:\Windows\System\pdwMAsc.exe	xmrig
behavioral2/memory/364-48-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	xmrig
C:\Windows\System\ohNLNuF.exe	xmrig
behavioral2/memory/4892-55-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	xmrig
C:\Windows\System\vGdWhJw.exe	xmrig
C:\Windows\System\uUxVrpZ.exe	xmrig
C:\Windows\System\VGnraJU.exe	xmrig
behavioral2/memory/1940-75-0x00007FF6C3750000-0x00007FF6C3AA4000-memory.dmp	xmrig
behavioral2/memory/2056-83-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	xmrig
C:\Windows\System\AzrzMPA.exe	xmrig
C:\Windows\System\JPnBrbw.exe	xmrig
C:\Windows\System\vWhLBWc.exe	xmrig
behavioral2/memory/2184-107-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	xmrig
C:\Windows\System\MWPRpcL.exe	xmrig
behavioral2/memory/4612-117-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	xmrig
C:\Windows\System\uGdhdTo.exe	xmrig
C:\Windows\System\EMGIYkp.exe	xmrig
behavioral2/memory/2792-110-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	xmrig
behavioral2/memory/1964-108-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	xmrig
C:\Windows\System\IWSjRDj.exe	xmrig
C:\Windows\System\ANXnpjv.exe	xmrig
behavioral2/memory/1736-101-0x00007FF736840000-0x00007FF736B94000-memory.dmp	xmrig
behavioral2/memory/4704-100-0x00007FF796840000-0x00007FF796B94000-memory.dmp	xmrig
C:\Windows\System\EZsRIup.exe	xmrig
behavioral2/memory/3168-90-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	xmrig
behavioral2/memory/2076-84-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	xmrig
behavioral2/memory/2228-81-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	xmrig
behavioral2/memory/4928-80-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	xmrig
behavioral2/memory/2596-71-0x00007FF61F980000-0x00007FF61FCD4000-memory.dmp	xmrig
behavioral2/memory/1240-127-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	xmrig
behavioral2/memory/2272-130-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	xmrig
behavioral2/memory/2324-131-0x00007FF6B00F0000-0x00007FF6B0444000-memory.dmp	xmrig
behavioral2/memory/3228-132-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	xmrig
behavioral2/memory/364-133-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	xmrig
behavioral2/memory/4892-134-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	xmrig
behavioral2/memory/4928-135-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	xmrig
behavioral2/memory/2228-136-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	xmrig
behavioral2/memory/2076-137-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	xmrig
behavioral2/memory/4704-138-0x00007FF796840000-0x00007FF796B94000-memory.dmp	xmrig
behavioral2/memory/1736-139-0x00007FF736840000-0x00007FF736B94000-memory.dmp	xmrig
behavioral2/memory/1964-140-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	xmrig
behavioral2/memory/2792-141-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	xmrig
behavioral2/memory/4612-142-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	xmrig
behavioral2/memory/2272-143-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	xmrig
behavioral2/memory/3168-144-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	xmrig
behavioral2/memory/3648-145-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	xmrig
behavioral2/memory/2184-146-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	xmrig
behavioral2/memory/1420-147-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	xmrig
behavioral2/memory/1012-148-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

aqiFEwr.exejrwILmZ.exezVsFAum.exeKSHMFDz.exeulbCJAZ.exeYnLwZeO.exewfIZKaq.exepdwMAsc.exeohNLNuF.exeuUxVrpZ.exevGdWhJw.exeVGnraJU.exeEZsRIup.exevWhLBWc.exeAzrzMPA.exeJPnBrbw.exeEMGIYkp.exeuGdhdTo.exeMWPRpcL.exeANXnpjv.exeIWSjRDj.exe

pid	process
3168	aqiFEwr.exe
2184	jrwILmZ.exe
3648	zVsFAum.exe
1420	KSHMFDz.exe
1012	ulbCJAZ.exe
1240	YnLwZeO.exe
3228	wfIZKaq.exe
364	pdwMAsc.exe
4892	ohNLNuF.exe
2596	uUxVrpZ.exe
1940	vGdWhJw.exe
4928	VGnraJU.exe
2076	EZsRIup.exe
2228	vWhLBWc.exe
4704	AzrzMPA.exe
1964	JPnBrbw.exe
1736	EMGIYkp.exe
2792	uGdhdTo.exe
4612	MWPRpcL.exe
2272	ANXnpjv.exe
2324	IWSjRDj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2056-0-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	upx
C:\Windows\System\aqiFEwr.exe	upx
behavioral2/memory/3168-8-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	upx
C:\Windows\System\zVsFAum.exe	upx
C:\Windows\System\jrwILmZ.exe	upx
C:\Windows\System\KSHMFDz.exe	upx
C:\Windows\System\ulbCJAZ.exe	upx
C:\Windows\System\YnLwZeO.exe	upx
C:\Windows\System\wfIZKaq.exe	upx
behavioral2/memory/3228-42-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	upx
behavioral2/memory/1240-39-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	upx
behavioral2/memory/1012-36-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	upx
behavioral2/memory/1420-31-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	upx
behavioral2/memory/3648-26-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	upx
behavioral2/memory/2184-20-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	upx
C:\Windows\System\pdwMAsc.exe	upx
behavioral2/memory/364-48-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	upx
C:\Windows\System\ohNLNuF.exe	upx
behavioral2/memory/4892-55-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	upx
C:\Windows\System\vGdWhJw.exe	upx
C:\Windows\System\uUxVrpZ.exe	upx
C:\Windows\System\VGnraJU.exe	upx
behavioral2/memory/1940-75-0x00007FF6C3750000-0x00007FF6C3AA4000-memory.dmp	upx
behavioral2/memory/2056-83-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp	upx
C:\Windows\System\AzrzMPA.exe	upx
C:\Windows\System\JPnBrbw.exe	upx
C:\Windows\System\vWhLBWc.exe	upx
behavioral2/memory/2184-107-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	upx
C:\Windows\System\MWPRpcL.exe	upx
behavioral2/memory/4612-117-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	upx
C:\Windows\System\uGdhdTo.exe	upx
C:\Windows\System\EMGIYkp.exe	upx
behavioral2/memory/2792-110-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	upx
behavioral2/memory/1964-108-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	upx
C:\Windows\System\IWSjRDj.exe	upx
C:\Windows\System\ANXnpjv.exe	upx
behavioral2/memory/1736-101-0x00007FF736840000-0x00007FF736B94000-memory.dmp	upx
behavioral2/memory/4704-100-0x00007FF796840000-0x00007FF796B94000-memory.dmp	upx
C:\Windows\System\EZsRIup.exe	upx
behavioral2/memory/3168-90-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	upx
behavioral2/memory/2076-84-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	upx
behavioral2/memory/2228-81-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	upx
behavioral2/memory/4928-80-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	upx
behavioral2/memory/2596-71-0x00007FF61F980000-0x00007FF61FCD4000-memory.dmp	upx
behavioral2/memory/1240-127-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp	upx
behavioral2/memory/2272-130-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	upx
behavioral2/memory/2324-131-0x00007FF6B00F0000-0x00007FF6B0444000-memory.dmp	upx
behavioral2/memory/3228-132-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp	upx
behavioral2/memory/364-133-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp	upx
behavioral2/memory/4892-134-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp	upx
behavioral2/memory/4928-135-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp	upx
behavioral2/memory/2228-136-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp	upx
behavioral2/memory/2076-137-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp	upx
behavioral2/memory/4704-138-0x00007FF796840000-0x00007FF796B94000-memory.dmp	upx
behavioral2/memory/1736-139-0x00007FF736840000-0x00007FF736B94000-memory.dmp	upx
behavioral2/memory/1964-140-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp	upx
behavioral2/memory/2792-141-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp	upx
behavioral2/memory/4612-142-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp	upx
behavioral2/memory/2272-143-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp	upx
behavioral2/memory/3168-144-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp	upx
behavioral2/memory/3648-145-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp	upx
behavioral2/memory/2184-146-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp	upx
behavioral2/memory/1420-147-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp	upx
behavioral2/memory/1012-148-0x00007FF793260000-0x00007FF7935B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ulbCJAZ.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vGdWhJw.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uUxVrpZ.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vWhLBWc.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AzrzMPA.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMGIYkp.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MWPRpcL.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jrwILmZ.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pdwMAsc.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KSHMFDz.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YnLwZeO.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VGnraJU.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aqiFEwr.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVsFAum.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EZsRIup.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JPnBrbw.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uGdhdTo.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ANXnpjv.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IWSjRDj.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wfIZKaq.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohNLNuF.exe	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2056 wrote to memory of 3168	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	aqiFEwr.exe
PID 2056 wrote to memory of 3168	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	aqiFEwr.exe
PID 2056 wrote to memory of 2184	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	jrwILmZ.exe
PID 2056 wrote to memory of 2184	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	jrwILmZ.exe
PID 2056 wrote to memory of 3648	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	zVsFAum.exe
PID 2056 wrote to memory of 3648	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	zVsFAum.exe
PID 2056 wrote to memory of 1420	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	KSHMFDz.exe
PID 2056 wrote to memory of 1420	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	KSHMFDz.exe
PID 2056 wrote to memory of 1012	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ulbCJAZ.exe
PID 2056 wrote to memory of 1012	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ulbCJAZ.exe
PID 2056 wrote to memory of 1240	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	YnLwZeO.exe
PID 2056 wrote to memory of 1240	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	YnLwZeO.exe
PID 2056 wrote to memory of 3228	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	wfIZKaq.exe
PID 2056 wrote to memory of 3228	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	wfIZKaq.exe
PID 2056 wrote to memory of 364	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	pdwMAsc.exe
PID 2056 wrote to memory of 364	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	pdwMAsc.exe
PID 2056 wrote to memory of 4892	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ohNLNuF.exe
PID 2056 wrote to memory of 4892	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ohNLNuF.exe
PID 2056 wrote to memory of 2596	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	uUxVrpZ.exe
PID 2056 wrote to memory of 2596	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	uUxVrpZ.exe
PID 2056 wrote to memory of 1940	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	vGdWhJw.exe
PID 2056 wrote to memory of 1940	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	vGdWhJw.exe
PID 2056 wrote to memory of 4928	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	VGnraJU.exe
PID 2056 wrote to memory of 4928	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	VGnraJU.exe
PID 2056 wrote to memory of 2076	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	EZsRIup.exe
PID 2056 wrote to memory of 2076	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	EZsRIup.exe
PID 2056 wrote to memory of 2228	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	vWhLBWc.exe
PID 2056 wrote to memory of 2228	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	vWhLBWc.exe
PID 2056 wrote to memory of 4704	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	AzrzMPA.exe
PID 2056 wrote to memory of 4704	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	AzrzMPA.exe
PID 2056 wrote to memory of 1964	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	JPnBrbw.exe
PID 2056 wrote to memory of 1964	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	JPnBrbw.exe
PID 2056 wrote to memory of 1736	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	EMGIYkp.exe
PID 2056 wrote to memory of 1736	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	EMGIYkp.exe
PID 2056 wrote to memory of 2792	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	uGdhdTo.exe
PID 2056 wrote to memory of 2792	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	uGdhdTo.exe
PID 2056 wrote to memory of 4612	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	MWPRpcL.exe
PID 2056 wrote to memory of 4612	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	MWPRpcL.exe
PID 2056 wrote to memory of 2272	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ANXnpjv.exe
PID 2056 wrote to memory of 2272	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	ANXnpjv.exe
PID 2056 wrote to memory of 2324	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	IWSjRDj.exe
PID 2056 wrote to memory of 2324	2056	2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe	IWSjRDj.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_5937c31ca14a0fca3d2bf65b84899896_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\System\aqiFEwr.exe
C:\Windows\System\aqiFEwr.exe
2⤵
- Executes dropped EXE
PID:3168

C:\Windows\System\jrwILmZ.exe
C:\Windows\System\jrwILmZ.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System\zVsFAum.exe
C:\Windows\System\zVsFAum.exe
2⤵
- Executes dropped EXE
PID:3648

C:\Windows\System\KSHMFDz.exe
C:\Windows\System\KSHMFDz.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\System\ulbCJAZ.exe
C:\Windows\System\ulbCJAZ.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Windows\System\YnLwZeO.exe
C:\Windows\System\YnLwZeO.exe
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\System\wfIZKaq.exe
C:\Windows\System\wfIZKaq.exe
2⤵
- Executes dropped EXE
PID:3228

C:\Windows\System\pdwMAsc.exe
C:\Windows\System\pdwMAsc.exe
2⤵
- Executes dropped EXE
PID:364

C:\Windows\System\ohNLNuF.exe
C:\Windows\System\ohNLNuF.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Windows\System\uUxVrpZ.exe
C:\Windows\System\uUxVrpZ.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\vGdWhJw.exe
C:\Windows\System\vGdWhJw.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\System\VGnraJU.exe
C:\Windows\System\VGnraJU.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System\EZsRIup.exe
C:\Windows\System\EZsRIup.exe
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\System\vWhLBWc.exe
C:\Windows\System\vWhLBWc.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\AzrzMPA.exe
C:\Windows\System\AzrzMPA.exe
2⤵
- Executes dropped EXE
PID:4704

C:\Windows\System\JPnBrbw.exe
C:\Windows\System\JPnBrbw.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\EMGIYkp.exe
C:\Windows\System\EMGIYkp.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\uGdhdTo.exe
C:\Windows\System\uGdhdTo.exe
2⤵
- Executes dropped EXE
PID:2792

C:\Windows\System\MWPRpcL.exe
C:\Windows\System\MWPRpcL.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System\ANXnpjv.exe
C:\Windows\System\ANXnpjv.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\IWSjRDj.exe
C:\Windows\System\IWSjRDj.exe
2⤵
- Executes dropped EXE
PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ANXnpjv.exe
Filesize
5.9MB

MD5
7a65b39d2c231aa5f5c0fa52aab0f592

SHA1
4088fa350e2c021074a42ab2677f7ed60dc15dc1

SHA256
5a07ec00dcd3ffa58d61195c81c80dcae034e45662603336413e57c8cf5535e5

SHA512
f9c8e622be5e72a1aa63df56d3cf044f6460f0359e11f48a3d2e6a75edcb6b416a554a88a3755979576b185aef08a4b2711d91bc022ccd9aabd84609ebbb159f

Download Submit
C:\Windows\System\AzrzMPA.exe
Filesize
5.9MB

MD5
55baf7eb0579e7deeb56b4aadfb4b724

SHA1
9c1ce6e82ee1773dfe6c27a43bc45ad6c7b22856

SHA256
d9c7bb47e69f9ca1ba1a976f9b442c2f690188be421cb5ed9085c9afe9e4e6f4

SHA512
432f8780ecaa1c14c507d3c9aaf5962bd03e885d90e8aa2408ccbd85f13f572965bdf14ea6a390a6283ec579696de19d25b5622e452f2743de1e4cadf9ece8fa

Download Submit
C:\Windows\System\EMGIYkp.exe
Filesize
5.9MB

MD5
2f3ee317f892e6e7a018b41c5a8b502d

SHA1
0a096433af11f04a269c7a96f7695efbc77921d5

SHA256
66bdb38e092c33a6151cf1c50efde67a9085d8f978c071d641502a89d4ea3c1f

SHA512
67eb67e6255ea5f7c7e619fd7e37ac7fe044631079f54acd0879d6e261c22c691042a9b4cc5acaf57db8ecf1c388fdfc59d5d0b0286605db9331a244fa3c5089

Download Submit
C:\Windows\System\EZsRIup.exe
Filesize
5.9MB

MD5
9c614a85645e692c17dabf3b9a42772c

SHA1
defd4323cd8d0a0855fa6fd7ae31282bbb61d3aa

SHA256
988904860cda74473c968cd63adbd7b75c2695983bc9a07100c867a6bd12c6a9

SHA512
e7f2fbc9afc08f59e12bd9d2939322e8e36b76cefbd205feca7eafec0852fd44491886861418688795ad9ff0297373ccd0a49de6613037dc8d1ecfbbdce92c24

Download Submit
C:\Windows\System\IWSjRDj.exe
Filesize
5.9MB

MD5
cd68b6fdfe7c9b370684c33a574a921a

SHA1
ad9796249dd8a11aaf63e6e981fa9356b076c9e9

SHA256
6194a4b179f1b9a8a38dd64560cc8b0a83900a7b580504e028192c11eb993771

SHA512
c06d089cdabc2eb5b37448262e2d47bec85833888151176c3ffd647a17f44fbc86f9f0025cf50dd18722bc60b9f7cb7f73192b1546bdcd4438981b7ce29dc162

Download Submit
C:\Windows\System\JPnBrbw.exe
Filesize
5.9MB

MD5
9f58e976cd58b349277d2d0c2b9cd806

SHA1
fecb7571d28e13a2f27106767861a28ecf8dbf8c

SHA256
380ffe8e2352e2d087579dbbe83e257f2f72ac81ea9ed947248b90d79f62a8bc

SHA512
676d2b54aba1587493aff9be52503df592f297286f380211b47f6aa388272f1d709cbe2ae2a5638cacb5bed11b6929ca94b5168c14aa306ec0de88a7812296a7

Download Submit
C:\Windows\System\KSHMFDz.exe
Filesize
5.9MB

MD5
15043e9dd85bdfc4b335a955a47bb475

SHA1
e878f2103c62374f9e1fedf7fb84c3c700b651dd

SHA256
7ed277f91b4ae14e5eac11e9f13e29fccbf899269a3f83e6f7a861cd840075a2

SHA512
f29494507ee3cca35fe88898a4ef334d42b702d56da76030d517f5daa3ad5b7b17dacd7e3cea312cc14dc2dfdbaadb5e74b0c9b30670226144a075ff211274c3

Download Submit
C:\Windows\System\MWPRpcL.exe
Filesize
5.9MB

MD5
a01c79910eb07c8c09972c4082f25c87

SHA1
564d781d6ef09084b67b1e983b2c134a34d2646d

SHA256
c3cbcd9e3d453ac92a875cffc7bc52a925c571d041ea75044365dd19fee93b81

SHA512
0adc6d2333485fc233bed3dcf8ac86468c6782da108d434b3f9de3ce1c0348bfb919bc04cfdae2f26a7dcc5000cd30456e2493a1d1e3577215b331a1ec3a24a5

Download Submit
C:\Windows\System\VGnraJU.exe
Filesize
5.9MB

MD5
7d1c93ded658142557c4090fd561dc13

SHA1
1ca16b91429f5b592e8a3289b1ccaac214e87828

SHA256
27a6f27b1e48f38655fccf2a2d1feb320946d37bad75af5bd7bffb72d7b8b688

SHA512
24b263be76f6d84f5fb325938de062434b8879737e48c56b91fc6073dac70e15b210e04367d6a5f94e6e666669179577d1822f06c847202fc5cd7a4bb8db52a4

Download Submit
C:\Windows\System\YnLwZeO.exe
Filesize
5.9MB

MD5
00db8daeb702746b7425f1e3c5767080

SHA1
8292baf35eee940abb1b259b956c5c82732ccded

SHA256
39d697f4aa239446d58ddb79810d825b0429cc1abee44110b872e75614ea8fb7

SHA512
7e3c0006c6ac7e3f6fe370192039b2142c4182694847f8502dc8c134ef16b6983bb4e8b875de139674c9c6f9260953d8ddeb59ef17ea987ee331843b3a5a1a17

Download Submit
C:\Windows\System\aqiFEwr.exe
Filesize
5.9MB

MD5
93d16240cba4928b20022ddc0b2a612e

SHA1
35624aab9e7ccfdd5c415c9bc9892e6f9401e17a

SHA256
bb1b9fd6e0fa049f934e7841d6f6089c01905218992cb0343d1eddf52dabc5c9

SHA512
c27f6f87fcf822503ed1e924a34c78477cff59314616f9a66a7e21028fa4f497423aa4dea1d81413ccf775ddab0151bc8abb5ee9e8f9aeae5508ff7112b1066a

Download Submit
C:\Windows\System\jrwILmZ.exe
Filesize
5.9MB

MD5
984ea4367cf85ad56a3eca3ad51755fd

SHA1
4edc46111528e7a5d40240168359d6de333e4309

SHA256
6d0a318e1685ebfac185c04c84d20d381b3d48432fa2ccce5efa3cd3f2807ae0

SHA512
6c8dbb1eb07ba031fb3d9c902cb36cfcd349c300af8a3149515a3d11d28a22c1d45958a7822c5087f9d005912252a4f32c357db846a9e31e17a24c1c07df0b9a

Download Submit
C:\Windows\System\ohNLNuF.exe
Filesize
5.9MB

MD5
6ff939b67e77ba0d533a1f1e874cdef2

SHA1
a9866c838d085cae887de5223006459f5bc1513e

SHA256
7920d85e00dedd6107acb80d065881fc417e0b1ec7be63e6ded1c83fde825c86

SHA512
3ce02d3bf6fbc27bce6aa1cbc10f66dbf340b4c7b9630fad520a3f3996d7ffaee0391a1f2d3758b607fdd727389c4a0274f98071387ee701ebc199f5bb8eef0e

Download Submit
C:\Windows\System\pdwMAsc.exe
Filesize
5.9MB

MD5
dbba828b8e32c09c6a64f041f39c61b5

SHA1
2ddbd909c38767e81a99711693a54e4da0ed9b90

SHA256
ff5c306dacda2da5469a683fa7fbba47f783a56b346f48850c547ba25969c11b

SHA512
36a475152548d714f5b598af1326355f0e423b2cdf6db544aa5f5f12bd863df56bee4389741dd520ef6253d120e19fa4e217dbd99fd737618735d2faaefb11bb

Download Submit
C:\Windows\System\uGdhdTo.exe
Filesize
5.9MB

MD5
8875299857ab1360866d3d1c5656de4b

SHA1
c6504c65453853309582ee89deae2da4ade716bb

SHA256
2f10d74ec7d6fc4180f6ca6372f9b35375fa15794b54f0c74d0dfb4fbfcdb782

SHA512
cf73b4efdb03a28e657b635553ca2b81fd86180f5b50244adb6efa6ab2303087bc110d5014803a2b3fd09e7ed96f018e894eea1c8fedf29136f4fbad54435300

Download Submit
C:\Windows\System\uUxVrpZ.exe
Filesize
5.9MB

MD5
e691f6d0ae129dbe3e968b2b4a1f75d4

SHA1
c443a9073f0f9cf0da42c5544ef8bb4075815b80

SHA256
ff1191053522d8e1c6545e13f9270ad3bbd61f11244d5585c606a5d15701f347

SHA512
bc4bd7078042ce180b1df84fd043753de3a5356521000ba25c766fcd84b2309a02885e36169c82835e19b502f5f2469e183836eebc01705e6ded2dcf0faa1be1

Download Submit
C:\Windows\System\ulbCJAZ.exe
Filesize
5.9MB

MD5
556e26e1f62f07172feeb1f08e01de53

SHA1
4ecd1fc2936571fb9c2bf298eaf2856a089dc7a2

SHA256
8acae7aca340120a591fbb252520e7f0fb404695a09cffcbba8822f83ebe6b4f

SHA512
f9adf455254bb2ee23d2aad5f6fdb6095aed0c38cc6726dd6edd21a449cb0868305b2f32aab6d99c74c5d75fe1de62c2d2147a783b65c80967f4a6a8747b580b

Download Submit
C:\Windows\System\vGdWhJw.exe
Filesize
5.9MB

MD5
e597229255dcc523cdad99cb74eae9a4

SHA1
c7d0547819002436506335b90c526b6aa723eebc

SHA256
ab4043e018eabc72ff0aa3684e5cdd122406f25865fe89817448116420be7cc2

SHA512
e66985ab70fc839ec0c510954195e985423fb9bef8cc3d9ce374d2105ce70ac3131d7e4d46e317ae5531ad7946d36b8018a57339f20a4c50cb3052f3d8559f7c

Download Submit
C:\Windows\System\vWhLBWc.exe
Filesize
5.9MB

MD5
48738793aad6e4075586dace1b276419

SHA1
ebd1e13cb489bf0a6b7713651897cbb42a50feda

SHA256
de70199a6ad10064ec627107ed409e0fa39fc00b9b57e3bd501240b22940c237

SHA512
31c0230171e3766066b4ab58219a22112460f95c4e79712d4ce07a30ad3c454ce095c87a988bad22c2b73e53016fc99a533f8ee1126354db1d380f361a321428

Download Submit
C:\Windows\System\wfIZKaq.exe
Filesize
5.9MB

MD5
5aea74de6a443f507847896351f21a96

SHA1
27db61047fd9cb30608f513c60c26dc23d79a01b

SHA256
06b825c4d9db89acf46da0c9bb8db8c5a38b7b3870e41d5bc0cdf4feaec1c4f4

SHA512
fc55969da2ef7d82183f0439abf444e1d4b2a12221f18c83bd98f4dcd9ca76a633db582cc6cf0347c43495c3e7a88a776b0a461a07dd0953298457fffe7b9607

Download Submit
C:\Windows\System\zVsFAum.exe
Filesize
5.9MB

MD5
827eb6e62c573f3b8d16455b001d2483

SHA1
4bbec132910985f0e6fe7985fa6c0fd82421ce8d

SHA256
0171f0c943c4feb73994236413103ed81005266155f1a96cc6f844b2eff5b614

SHA512
fbfdb5a3f7c992bfd485940a466eebcffbb0456f6332d75a8c821aa85b671edaf60d5b239c57b4fbdb2bdb064983a3f707d9f0e88fd5b7064cdf12bb9f700e86

Download Submit
memory/364-151-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp

Filesize
3.3MB

Download
memory/364-133-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp

Filesize
3.3MB

Download
memory/364-48-0x00007FF75E740000-0x00007FF75EA94000-memory.dmp

Filesize
3.3MB

Download
memory/1012-36-0x00007FF793260000-0x00007FF7935B4000-memory.dmp

Filesize
3.3MB

Download
memory/1012-148-0x00007FF793260000-0x00007FF7935B4000-memory.dmp

Filesize
3.3MB

Download
memory/1240-39-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp

Filesize
3.3MB

Download
memory/1240-150-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp

Filesize
3.3MB

Download
memory/1240-127-0x00007FF6CE7C0000-0x00007FF6CEB14000-memory.dmp

Filesize
3.3MB

Download
memory/1420-147-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp

Filesize
3.3MB

Download
memory/1420-31-0x00007FF6B9900000-0x00007FF6B9C54000-memory.dmp

Filesize
3.3MB

Download
memory/1736-101-0x00007FF736840000-0x00007FF736B94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-139-0x00007FF736840000-0x00007FF736B94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-159-0x00007FF736840000-0x00007FF736B94000-memory.dmp

Filesize
3.3MB

Download
memory/1940-75-0x00007FF6C3750000-0x00007FF6C3AA4000-memory.dmp

Filesize
3.3MB

Download
memory/1940-153-0x00007FF6C3750000-0x00007FF6C3AA4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-140-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-108-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-160-0x00007FF64EF80000-0x00007FF64F2D4000-memory.dmp

Filesize
3.3MB

Download
memory/2056-83-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp

Filesize
3.3MB

Download
memory/2056-1-0x00000150ED260000-0x00000150ED270000-memory.dmp

Filesize
64KB

Download
memory/2056-0-0x00007FF7DC7F0000-0x00007FF7DCB44000-memory.dmp

Filesize
3.3MB

Download
memory/2076-84-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-156-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2076-137-0x00007FF7CFC80000-0x00007FF7CFFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-107-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-146-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-20-0x00007FF6D8D80000-0x00007FF6D90D4000-memory.dmp

Filesize
3.3MB

Download
memory/2228-81-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp

Filesize
3.3MB

Download
memory/2228-157-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp

Filesize
3.3MB

Download
memory/2228-136-0x00007FF7BE9A0000-0x00007FF7BECF4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-130-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp

Filesize
3.3MB

Download
memory/2272-143-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp

Filesize
3.3MB

Download
memory/2272-164-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp

Filesize
3.3MB

Download
memory/2324-131-0x00007FF6B00F0000-0x00007FF6B0444000-memory.dmp

Filesize
3.3MB

Download
memory/2324-163-0x00007FF6B00F0000-0x00007FF6B0444000-memory.dmp

Filesize
3.3MB

Download
memory/2596-154-0x00007FF61F980000-0x00007FF61FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-71-0x00007FF61F980000-0x00007FF61FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-110-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp

Filesize
3.3MB

Download
memory/2792-141-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp

Filesize
3.3MB

Download
memory/2792-161-0x00007FF7F8330000-0x00007FF7F8684000-memory.dmp

Filesize
3.3MB

Download
memory/3168-90-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp

Filesize
3.3MB

Download
memory/3168-144-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp

Filesize
3.3MB

Download
memory/3168-8-0x00007FF6D71A0000-0x00007FF6D74F4000-memory.dmp

Filesize
3.3MB

Download
memory/3228-42-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp

Filesize
3.3MB

Download
memory/3228-132-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp

Filesize
3.3MB

Download
memory/3228-149-0x00007FF6F8C40000-0x00007FF6F8F94000-memory.dmp

Filesize
3.3MB

Download
memory/3648-145-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp

Filesize
3.3MB

Download
memory/3648-26-0x00007FF6897A0000-0x00007FF689AF4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-117-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-162-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-142-0x00007FF61E660000-0x00007FF61E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4704-100-0x00007FF796840000-0x00007FF796B94000-memory.dmp

Filesize
3.3MB

Download
memory/4704-158-0x00007FF796840000-0x00007FF796B94000-memory.dmp

Filesize
3.3MB

Download
memory/4704-138-0x00007FF796840000-0x00007FF796B94000-memory.dmp

Filesize
3.3MB

Download
memory/4892-55-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp

Filesize
3.3MB

Download
memory/4892-152-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp

Filesize
3.3MB

Download
memory/4892-134-0x00007FF7A3600000-0x00007FF7A3954000-memory.dmp

Filesize
3.3MB

Download
memory/4928-80-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-155-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-135-0x00007FF78FE50000-0x00007FF7901A4000-memory.dmp

Filesize
3.3MB

Download