cobaltstrike | 0a6e7d489bd550aa8566a41256d25b2191780f57fef260e9ab65af87f3961ee9

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5b4588095736a72438b5b0bdf5149a96
SHA1

ce839b69ac0b07aa25551483f00ab9a96c7d2797
SHA256

0a6e7d489bd550aa8566a41256d25b2191780f57fef260e9ab65af87f3961ee9
SHA512

d4e51f4465d5dc67571fd3b484bcb4d4d09246254e33d51b27342c9925818cb46ed8eb74c1a42193a1265ff6d5355d8ffe2aca3323c5d3e52d5a44f3a8051c2a
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\LKlFUJS.exe	cobalt_reflective_dll
\Windows\system\uCgCAxY.exe	cobalt_reflective_dll
C:\Windows\system\bGlWoKd.exe	cobalt_reflective_dll
\Windows\system\TrfxDdi.exe	cobalt_reflective_dll
\Windows\system\kKejgDb.exe	cobalt_reflective_dll
C:\Windows\system\pvmVkZm.exe	cobalt_reflective_dll
\Windows\system\UEuNVPC.exe	cobalt_reflective_dll
\Windows\system\kwCpxOc.exe	cobalt_reflective_dll
\Windows\system\msTsSau.exe	cobalt_reflective_dll
C:\Windows\system\iEVXxsy.exe	cobalt_reflective_dll
C:\Windows\system\flXEETd.exe	cobalt_reflective_dll
\Windows\system\JfQTIjc.exe	cobalt_reflective_dll
\Windows\system\bkgVmzW.exe	cobalt_reflective_dll
\Windows\system\USuXvUq.exe	cobalt_reflective_dll
\Windows\system\yvgXdML.exe	cobalt_reflective_dll
C:\Windows\system\oezPbEn.exe	cobalt_reflective_dll
C:\Windows\system\dxBuJMs.exe	cobalt_reflective_dll
C:\Windows\system\bJtNeYz.exe	cobalt_reflective_dll
C:\Windows\system\nmrDsLJ.exe	cobalt_reflective_dll
C:\Windows\system\pwmvBXE.exe	cobalt_reflective_dll
C:\Windows\system\EoUfTzJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
\Windows\system\LKlFUJS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\uCgCAxY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bGlWoKd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\TrfxDdi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kKejgDb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pvmVkZm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\UEuNVPC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\kwCpxOc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\msTsSau.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\iEVXxsy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\flXEETd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\JfQTIjc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\bkgVmzW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\USuXvUq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
\Windows\system\yvgXdML.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\oezPbEn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\dxBuJMs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\bJtNeYz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\nmrDsLJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\pwmvBXE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\system\EoUfTzJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 46 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x000000013F680000-0x000000013F9D4000-memory.dmp	UPX
\Windows\system\LKlFUJS.exe	UPX
behavioral1/memory/1632-6-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
\Windows\system\uCgCAxY.exe	UPX
behavioral1/memory/1680-14-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
C:\Windows\system\bGlWoKd.exe	UPX
\Windows\system\TrfxDdi.exe	UPX
\Windows\system\kKejgDb.exe	UPX
behavioral1/memory/2552-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2728-22-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2664-35-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
C:\Windows\system\pvmVkZm.exe	UPX
behavioral1/memory/2724-42-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
\Windows\system\UEuNVPC.exe	UPX
behavioral1/memory/1632-41-0x000000013F680000-0x000000013F9D4000-memory.dmp	UPX
behavioral1/memory/1512-47-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2608-51-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
\Windows\system\kwCpxOc.exe	UPX
behavioral1/memory/1680-57-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
\Windows\system\msTsSau.exe	UPX
C:\Windows\system\iEVXxsy.exe	UPX
behavioral1/memory/2724-129-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
C:\Windows\system\flXEETd.exe	UPX
behavioral1/memory/2728-67-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
\Windows\system\JfQTIjc.exe	UPX
\Windows\system\bkgVmzW.exe	UPX
\Windows\system\USuXvUq.exe	UPX
behavioral1/memory/2552-85-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/2488-76-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX
\Windows\system\yvgXdML.exe	UPX
C:\Windows\system\oezPbEn.exe	UPX
C:\Windows\system\dxBuJMs.exe	UPX
C:\Windows\system\bJtNeYz.exe	UPX
C:\Windows\system\nmrDsLJ.exe	UPX
C:\Windows\system\pwmvBXE.exe	UPX
C:\Windows\system\EoUfTzJ.exe	UPX
behavioral1/memory/2664-109-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2608-140-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/1512-144-0x000000013FE40000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2728-145-0x000000013FDE0000-0x0000000140134000-memory.dmp	UPX
behavioral1/memory/2552-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	UPX
behavioral1/memory/1680-146-0x000000013F730000-0x000000013FA84000-memory.dmp	UPX
behavioral1/memory/2664-148-0x000000013FDF0000-0x0000000140144000-memory.dmp	UPX
behavioral1/memory/2724-149-0x000000013FF20000-0x0000000140274000-memory.dmp	UPX
behavioral1/memory/2608-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	UPX
behavioral1/memory/2488-151-0x000000013F2B0000-0x000000013F604000-memory.dmp	UPX

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
\Windows\system\LKlFUJS.exe	xmrig
behavioral1/memory/1632-6-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
\Windows\system\uCgCAxY.exe	xmrig
behavioral1/memory/1680-14-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
C:\Windows\system\bGlWoKd.exe	xmrig
\Windows\system\TrfxDdi.exe	xmrig
\Windows\system\kKejgDb.exe	xmrig
behavioral1/memory/2552-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2728-22-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2664-35-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
C:\Windows\system\pvmVkZm.exe	xmrig
behavioral1/memory/2724-42-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
\Windows\system\UEuNVPC.exe	xmrig
behavioral1/memory/1632-41-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/memory/1512-47-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2608-51-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
\Windows\system\kwCpxOc.exe	xmrig
behavioral1/memory/1680-57-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
\Windows\system\msTsSau.exe	xmrig
C:\Windows\system\iEVXxsy.exe	xmrig
behavioral1/memory/2724-129-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
C:\Windows\system\flXEETd.exe	xmrig
behavioral1/memory/2728-67-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
\Windows\system\JfQTIjc.exe	xmrig
\Windows\system\bkgVmzW.exe	xmrig
\Windows\system\USuXvUq.exe	xmrig
behavioral1/memory/2552-85-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2488-76-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
\Windows\system\yvgXdML.exe	xmrig
C:\Windows\system\oezPbEn.exe	xmrig
C:\Windows\system\dxBuJMs.exe	xmrig
C:\Windows\system\bJtNeYz.exe	xmrig
C:\Windows\system\nmrDsLJ.exe	xmrig
C:\Windows\system\pwmvBXE.exe	xmrig
C:\Windows\system\EoUfTzJ.exe	xmrig
behavioral1/memory/2664-109-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/1632-73-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/2608-140-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/1632-141-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1632-142-0x000000013FD10000-0x0000000140064000-memory.dmp	xmrig
behavioral1/memory/1512-144-0x000000013FE40000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2728-145-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2552-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/1680-146-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2664-148-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2724-149-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2608-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2488-151-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

LKlFUJS.exeuCgCAxY.exebGlWoKd.exeTrfxDdi.exekKejgDb.exepvmVkZm.exeUEuNVPC.exekwCpxOc.exeEoUfTzJ.exeiEVXxsy.exepwmvBXE.exenmrDsLJ.exebJtNeYz.exedxBuJMs.exeoezPbEn.exemsTsSau.exeyvgXdML.exeflXEETd.exeUSuXvUq.exebkgVmzW.exeJfQTIjc.exe

pid	process
1512	LKlFUJS.exe
1680	uCgCAxY.exe
2728	bGlWoKd.exe
2552	TrfxDdi.exe
2664	kKejgDb.exe
2724	pvmVkZm.exe
2608	UEuNVPC.exe
2488	kwCpxOc.exe
2436	EoUfTzJ.exe
2496	iEVXxsy.exe
2908	pwmvBXE.exe
1040	nmrDsLJ.exe
2744	bJtNeYz.exe
1724	dxBuJMs.exe
844	oezPbEn.exe
2904	msTsSau.exe
2044	yvgXdML.exe
2676	flXEETd.exe
2600	USuXvUq.exe
2864	bkgVmzW.exe
1576	JfQTIjc.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1632-0-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
\Windows\system\LKlFUJS.exe	upx
behavioral1/memory/1632-6-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
\Windows\system\uCgCAxY.exe	upx
behavioral1/memory/1680-14-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
C:\Windows\system\bGlWoKd.exe	upx
\Windows\system\TrfxDdi.exe	upx
\Windows\system\kKejgDb.exe	upx
behavioral1/memory/2552-28-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2728-22-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2664-35-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
C:\Windows\system\pvmVkZm.exe	upx
behavioral1/memory/2724-42-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
\Windows\system\UEuNVPC.exe	upx
behavioral1/memory/1632-41-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/memory/1512-47-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2608-51-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
\Windows\system\kwCpxOc.exe	upx
behavioral1/memory/1680-57-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
\Windows\system\msTsSau.exe	upx
C:\Windows\system\iEVXxsy.exe	upx
behavioral1/memory/2724-129-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
C:\Windows\system\flXEETd.exe	upx
behavioral1/memory/2728-67-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
\Windows\system\JfQTIjc.exe	upx
\Windows\system\bkgVmzW.exe	upx
\Windows\system\USuXvUq.exe	upx
behavioral1/memory/2552-85-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2488-76-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
\Windows\system\yvgXdML.exe	upx
C:\Windows\system\oezPbEn.exe	upx
C:\Windows\system\dxBuJMs.exe	upx
C:\Windows\system\bJtNeYz.exe	upx
C:\Windows\system\nmrDsLJ.exe	upx
C:\Windows\system\pwmvBXE.exe	upx
C:\Windows\system\EoUfTzJ.exe	upx
behavioral1/memory/2664-109-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2608-140-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/1512-144-0x000000013FE40000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2728-145-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2552-147-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/1680-146-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2664-148-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2724-149-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2608-150-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2488-151-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\LKlFUJS.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvmVkZm.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJtNeYz.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kKejgDb.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yvgXdML.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\USuXvUq.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dxBuJMs.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkgVmzW.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfQTIjc.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iEVXxsy.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwmvBXE.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmrDsLJ.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oezPbEn.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\msTsSau.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\flXEETd.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCgCAxY.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bGlWoKd.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TrfxDdi.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UEuNVPC.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kwCpxOc.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EoUfTzJ.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1632 wrote to memory of 1512	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	LKlFUJS.exe
PID 1632 wrote to memory of 1512	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	LKlFUJS.exe
PID 1632 wrote to memory of 1512	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	LKlFUJS.exe
PID 1632 wrote to memory of 1680	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	uCgCAxY.exe
PID 1632 wrote to memory of 1680	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	uCgCAxY.exe
PID 1632 wrote to memory of 1680	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	uCgCAxY.exe
PID 1632 wrote to memory of 2728	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bGlWoKd.exe
PID 1632 wrote to memory of 2728	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bGlWoKd.exe
PID 1632 wrote to memory of 2728	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bGlWoKd.exe
PID 1632 wrote to memory of 2552	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	TrfxDdi.exe
PID 1632 wrote to memory of 2552	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	TrfxDdi.exe
PID 1632 wrote to memory of 2552	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	TrfxDdi.exe
PID 1632 wrote to memory of 2664	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kKejgDb.exe
PID 1632 wrote to memory of 2664	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kKejgDb.exe
PID 1632 wrote to memory of 2664	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kKejgDb.exe
PID 1632 wrote to memory of 2724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pvmVkZm.exe
PID 1632 wrote to memory of 2724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pvmVkZm.exe
PID 1632 wrote to memory of 2724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pvmVkZm.exe
PID 1632 wrote to memory of 2608	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	UEuNVPC.exe
PID 1632 wrote to memory of 2608	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	UEuNVPC.exe
PID 1632 wrote to memory of 2608	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	UEuNVPC.exe
PID 1632 wrote to memory of 2488	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kwCpxOc.exe
PID 1632 wrote to memory of 2488	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kwCpxOc.exe
PID 1632 wrote to memory of 2488	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kwCpxOc.exe
PID 1632 wrote to memory of 2436	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	EoUfTzJ.exe
PID 1632 wrote to memory of 2436	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	EoUfTzJ.exe
PID 1632 wrote to memory of 2436	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	EoUfTzJ.exe
PID 1632 wrote to memory of 2496	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	iEVXxsy.exe
PID 1632 wrote to memory of 2496	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	iEVXxsy.exe
PID 1632 wrote to memory of 2496	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	iEVXxsy.exe
PID 1632 wrote to memory of 2904	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	msTsSau.exe
PID 1632 wrote to memory of 2904	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	msTsSau.exe
PID 1632 wrote to memory of 2904	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	msTsSau.exe
PID 1632 wrote to memory of 2908	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pwmvBXE.exe
PID 1632 wrote to memory of 2908	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pwmvBXE.exe
PID 1632 wrote to memory of 2908	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pwmvBXE.exe
PID 1632 wrote to memory of 2044	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	yvgXdML.exe
PID 1632 wrote to memory of 2044	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	yvgXdML.exe
PID 1632 wrote to memory of 2044	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	yvgXdML.exe
PID 1632 wrote to memory of 1040	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	nmrDsLJ.exe
PID 1632 wrote to memory of 1040	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	nmrDsLJ.exe
PID 1632 wrote to memory of 1040	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	nmrDsLJ.exe
PID 1632 wrote to memory of 2676	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	flXEETd.exe
PID 1632 wrote to memory of 2676	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	flXEETd.exe
PID 1632 wrote to memory of 2676	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	flXEETd.exe
PID 1632 wrote to memory of 2744	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bJtNeYz.exe
PID 1632 wrote to memory of 2744	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bJtNeYz.exe
PID 1632 wrote to memory of 2744	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bJtNeYz.exe
PID 1632 wrote to memory of 2600	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	USuXvUq.exe
PID 1632 wrote to memory of 2600	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	USuXvUq.exe
PID 1632 wrote to memory of 2600	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	USuXvUq.exe
PID 1632 wrote to memory of 1724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	dxBuJMs.exe
PID 1632 wrote to memory of 1724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	dxBuJMs.exe
PID 1632 wrote to memory of 1724	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	dxBuJMs.exe
PID 1632 wrote to memory of 2864	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bkgVmzW.exe
PID 1632 wrote to memory of 2864	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bkgVmzW.exe
PID 1632 wrote to memory of 2864	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	bkgVmzW.exe
PID 1632 wrote to memory of 844	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	oezPbEn.exe
PID 1632 wrote to memory of 844	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	oezPbEn.exe
PID 1632 wrote to memory of 844	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	oezPbEn.exe
PID 1632 wrote to memory of 1576	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	JfQTIjc.exe
PID 1632 wrote to memory of 1576	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	JfQTIjc.exe
PID 1632 wrote to memory of 1576	1632	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	JfQTIjc.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\System\LKlFUJS.exe
C:\Windows\System\LKlFUJS.exe
2⤵
- Executes dropped EXE
PID:1512

C:\Windows\System\uCgCAxY.exe
C:\Windows\System\uCgCAxY.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Windows\System\bGlWoKd.exe
C:\Windows\System\bGlWoKd.exe
2⤵
- Executes dropped EXE
PID:2728

C:\Windows\System\TrfxDdi.exe
C:\Windows\System\TrfxDdi.exe
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\System\kKejgDb.exe
C:\Windows\System\kKejgDb.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\pvmVkZm.exe
C:\Windows\System\pvmVkZm.exe
2⤵
- Executes dropped EXE
PID:2724

C:\Windows\System\UEuNVPC.exe
C:\Windows\System\UEuNVPC.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\kwCpxOc.exe
C:\Windows\System\kwCpxOc.exe
2⤵
- Executes dropped EXE
PID:2488

C:\Windows\System\EoUfTzJ.exe
C:\Windows\System\EoUfTzJ.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\iEVXxsy.exe
C:\Windows\System\iEVXxsy.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System\msTsSau.exe
C:\Windows\System\msTsSau.exe
2⤵
- Executes dropped EXE
PID:2904

C:\Windows\System\pwmvBXE.exe
C:\Windows\System\pwmvBXE.exe
2⤵
- Executes dropped EXE
PID:2908

C:\Windows\System\yvgXdML.exe
C:\Windows\System\yvgXdML.exe
2⤵
- Executes dropped EXE
PID:2044

C:\Windows\System\nmrDsLJ.exe
C:\Windows\System\nmrDsLJ.exe
2⤵
- Executes dropped EXE
PID:1040

C:\Windows\System\flXEETd.exe
C:\Windows\System\flXEETd.exe
2⤵
- Executes dropped EXE
PID:2676

C:\Windows\System\bJtNeYz.exe
C:\Windows\System\bJtNeYz.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\USuXvUq.exe
C:\Windows\System\USuXvUq.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\dxBuJMs.exe
C:\Windows\System\dxBuJMs.exe
2⤵
- Executes dropped EXE
PID:1724

C:\Windows\System\bkgVmzW.exe
C:\Windows\System\bkgVmzW.exe
2⤵
- Executes dropped EXE
PID:2864

C:\Windows\System\oezPbEn.exe
C:\Windows\System\oezPbEn.exe
2⤵
- Executes dropped EXE
PID:844

C:\Windows\System\JfQTIjc.exe
C:\Windows\System\JfQTIjc.exe
2⤵
- Executes dropped EXE
PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EoUfTzJ.exe
Filesize
5.9MB

MD5
e04dbdcdb8cb4db4f464c5c2afbf9c2d

SHA1
92ccda48f4489d5c29503143a438712c8c0823c9

SHA256
292766eb495b97bdfabf8fd1d3d3327dfb19d8ab7186e6138cf2fcd95d329331

SHA512
a765730412a843d7f41bbfe783e36f0e47db1fbdec5ca52e0f3c15bc27fc5a4085bbee105619a7beeeaa0da1658f44a219f1d6ddeb4b1340dbf3e11ec47355bf

Download Submit
C:\Windows\system\bGlWoKd.exe
Filesize
5.9MB

MD5
05b7abc9c63a04d86f93fcf6f19c77fe

SHA1
b6e5202f95b913938e68f696c5d1f344d2eadc1e

SHA256
745ecc5aa56741437b9d5b78640654912f97441f7d6d3c0964fcc6166f4d6207

SHA512
2fcf6236c332c47ecbea446452f67b80b68624507fd1c93feaabf15117d59a4df7543ed50ef45b92a4d65afb02a3491d6eb0ba7db63687f480160c27f9a551b7

Download Submit
C:\Windows\system\bJtNeYz.exe
Filesize
5.9MB

MD5
a4edb6b56b62ccc635734649d62cb55c

SHA1
0149b8cbdd82d287fb9841ecca91d728188afbff

SHA256
e659b7b8e3e148a66816ed77b56943d01f12464da770ffd8931cd56fb71402ff

SHA512
b0ee725ee627d4e50e16e6b11acc2013b0ab1691d84c8261aa4f4f819d46d2812ae66f5360536df0da0ac53758f5751c357a9f5b6a52052884cbfba9765cc009

Download Submit
C:\Windows\system\dxBuJMs.exe
Filesize
5.9MB

MD5
8ecd8085bb2418f72df08164de3227ee

SHA1
dc9415befdc19a5c7cb371f45ddbc9c3d4b563fc

SHA256
25bcc39d85d2129570d54562612490fb25041240526a8835fb305849a5969274

SHA512
df8a1093d17f6d763f7b4b774762b1c94930e227684f0bf39fbd0f3f1ccc0a090d44210580cba87d38c3b2adef1c9afc1c4f50b8b7ffe86bed4035d005e3fc3c

Download Submit
C:\Windows\system\flXEETd.exe
Filesize
5.9MB

MD5
726c9539dd42118bddff42007c45939d

SHA1
a25e215d1e525719cf84f9f194a1aa56b154f383

SHA256
d82f330805d0744484aff2cf34aa903f056f45b475df56c68db1d3677aafdd6f

SHA512
4962a9def886f1c0c337a1dd94386ce39c652bcda92816a88f111bb967f76f05d2d2d7f05d00e8b8d5a6075515d8fb7496ca5c8dfccd6cfbabaf852168be465a

Download Submit
C:\Windows\system\iEVXxsy.exe
Filesize
5.9MB

MD5
d71c48ceee30d64a80ac7f3d6e462f42

SHA1
50b849ddb1ccec5e8292bb4d7b336fc307b0ff94

SHA256
de3668fb4c53fcadc63b2ca8735b91e0d5f8ee68e54ef66ef4db62cfde65cd8a

SHA512
379dc179fae84074dbd6a662543f1f08cf8b7f36a8c17df44e3d95d35294d9462594171b91c3b60fde1f2a03a34af135c4aaa55f3ced319c977ff2690515b1c0

Download Submit
C:\Windows\system\nmrDsLJ.exe
Filesize
5.9MB

MD5
11d1b0dc3cef995241a73d10525e2e49

SHA1
b68f11f78aaaab7f264220df4f675075ac3fc949

SHA256
ccc25f8c667287ebe11955b049700e8d407ad803da2ebfc2ecf10bcecc0e6013

SHA512
5d857d5fa1b5c2810d87a31429462d458b97fdd865961018a3ee19a4808c2a40ff7152544e7d5b7bc6fd3fb2b1b2b44f135a052d2bee9fef6f54a28cf8c82530

Download Submit
C:\Windows\system\oezPbEn.exe
Filesize
5.9MB

MD5
4e8919974b133454a1eef4a0904d6536

SHA1
b20b95ce7b019a30fb0369b58b53cc6f43f3a35f

SHA256
3ac679b69677298fcfd9abe4594e2d686d424b266954fdfea339bf832a4de6af

SHA512
72945a753a02b829163e44e7b424a2e3fc010ad84886a316d62311af13251ed0348e052476236f3c1f2076ed861d7ad6956e9b125473d346d7bcafacf575afe6

Download Submit
C:\Windows\system\pvmVkZm.exe
Filesize
5.9MB

MD5
dd8f1356d42641904c69e77c36e2be39

SHA1
b683523a364c9df7c609ad255fcb2f5214f2ea73

SHA256
34cb0c95c7ce2032620d537c98ea0f745481124b90435a66750609c78200f8d4

SHA512
35297ef9a06a9e1f96d63b1a24210f163f1dc0f6646fbf514571afd0e7ef31a8f206bc84bc2eb96b41248e625cc3316ca60a986aff3bd56b536b69b091bff5f2

Download Submit
C:\Windows\system\pwmvBXE.exe
Filesize
5.9MB

MD5
c536a9d6256ecef39b67945556668642

SHA1
686e95f2cf64dd691a18b60d1142fea8bc3c8810

SHA256
96644ccaf48c3106bc42068b3c0baeee175318f447dc819d5d3c549a4a409680

SHA512
dd26013621469cf567afa58edc7a2e195219cd224e488aba57ee66b863711fd6e6e45fa1a9e19e804796b317ba90a41569ea35a61cb8c3e4389822705b207b29

Download Submit
\Windows\system\JfQTIjc.exe
Filesize
5.9MB

MD5
506f06eeceb122adb54882eb3dfa9845

SHA1
e1785dec4a9cbaa97781fe23d61333858d8cfa0c

SHA256
9d0287eb5bde5415a4ad79d899753c27066c41778bc7a95ab0960a2ae0a41ea0

SHA512
394fe08922e0bf88e38c215a5e74c2a5d5377a6e9cea0138646d8cb03712ce2cce317184f220b47a6cf16e6efc796d431e18969cfd6388c3c11a20b47cf53ac8

Download Submit
\Windows\system\LKlFUJS.exe
Filesize
5.9MB

MD5
00467dbe6d4738fc0ef1c0d910ab6a48

SHA1
ff206b51842853e5576b20d32e3fda4bab88339b

SHA256
85d33e2264be59353fa70f53aca1c56999daa98d6377e050be8280a2a7f93974

SHA512
082abd5c01a2fb15923be143ea7173ed42f79273c8c8bf418f64cd1e31eb95aa01ad646979a9346db638890c769433f6f2ba099249b8b6eefa99a9d26d7a707a

Download Submit
\Windows\system\TrfxDdi.exe
Filesize
5.9MB

MD5
eb983ba7548d7fcd4822ec13334075f8

SHA1
31a8853ddcca68bd0ccd80407c232c2e3f94ec77

SHA256
a2c498e03512c8bca2ff9617589c5bb0e3d39547fd6e9ed7d802772c8a55282e

SHA512
8d2fbf5fdd1bf86c73e8252d258e9e3bef6e554eef99016910fcf022335885e6c27ed38276c1703e2cd590715e6e25cea7075242b85e86c9d40e8a51ef951935

Download Submit
\Windows\system\UEuNVPC.exe
Filesize
5.9MB

MD5
e70c85f547196fa5e0eae96c55b90c8c

SHA1
5de6f839e6adc7c14434e6c68f63706aa4976a06

SHA256
f7705f6425c3df7830f00a84ec3ce831a70e065499046b359d171aac076e6f2a

SHA512
da22066d165da23f85b4afe99e3f07681a7f0400eb792e4f76432c00ba90643cf15145d848b3bd93b51c4cee094ac6b59e8aa3dfaed1a8f5923433b3692d60be

Download Submit
\Windows\system\USuXvUq.exe
Filesize
5.9MB

MD5
0dc799c7fb53abfd684813a2a139411d

SHA1
a0fe303d05d64dc6a04d6767e1766cc1278fcd10

SHA256
03ef97a9b226ef696b3edec663f7359f12013416f94aa253e49857e99ef2801d

SHA512
85ae255911e5a80d7e8325b583576f21035be7338c10ef207fec6bc772bff29ff7bade14003acf089db9190c0147f1ef9f50389634df8da827ba008071f71f78

Download Submit
\Windows\system\bkgVmzW.exe
Filesize
5.9MB

MD5
0f5826e2ee42a88220481a1eb6fc3abf

SHA1
3678849a56e889aa6648eb10f21c00920fa46cb5

SHA256
6a2b3527f0d5486377830f5bc5bdef5a4c22f7cdff1efb3cc597f3d4fe52fb52

SHA512
14f9499f4c1218c6821248573c4e7c165ee621fa7ad0a49be0d2793b3a32b009fcb192c5c9c8c26deaf7030716fbbce5da3d0c68c8952eb1d0d75389ada58149

Download Submit
\Windows\system\kKejgDb.exe
Filesize
5.9MB

MD5
6698ba73c2240ee51928fe6c6e9c874e

SHA1
be28ceaed9f601e7581e843993ac30f9e316a244

SHA256
23eb78a348ae44158ec8fd696290bc37a403efd0a8722c20daf6675040bcca6f

SHA512
bad7f206502f5c569b00d5d4690e69808cba40ee2e818c51d25bc5b603b906498d24aec29a47b7d62cf70f56217fea0f213781c2feabc802e11e8c8c0f24aaf4

Download Submit
\Windows\system\kwCpxOc.exe
Filesize
5.9MB

MD5
7c31d479827047c0eb2157a3441c2a8c

SHA1
1c218794b9ee73370e09a76ad5e479a9fae2a89c

SHA256
239146a28b7f750b55918e7d2bce61070c0243cdb652d0c5786ebb6140e49761

SHA512
17d4fd6496950ed163a901d062fc0fa191fc5f4276c2ab1376db954bb0d42b87af70b5adbb1f6448e5b31442fe77f3d987783f0314531ec3bf0cdf033739cc90

Download Submit
\Windows\system\msTsSau.exe
Filesize
5.9MB

MD5
f22f9d4ba893b9ad67894ccbbffd7e37

SHA1
6038412458848bda02f5cefa0072f14051a3dee9

SHA256
8e7f616f9ab7ddfc25061c69a1d1d6dac56208a76e9c68cca308293046e36281

SHA512
9794e8fdf0cca27033bb2044617755cc3ffea770f3499f95a0f92b15eda42945d51adc79cc0dab2eabbe4011b0ca2f8e074aa34b00038dc71c58fe4be1418398

Download Submit
\Windows\system\uCgCAxY.exe
Filesize
5.9MB

MD5
2ab68d2992ed2410b625a0164a305ada

SHA1
de1d47e753e2bf1360d8de1bc7175be3bccc6212

SHA256
4675e30e4094a725bec6f904fdf210297172482b2d2d9a746e4b87bf7b80c619

SHA512
0400a986e916e80d96a9b5e58fbd7e3deac9ffea8614260cb00ac65ce1d9d78a515a11fac673dd7a221f547280efbd12d1d3f385759edbdc272166fd4fd32798

Download Submit
\Windows\system\yvgXdML.exe
Filesize
5.9MB

MD5
50475fcf8663c14c9f0741de3b25b502

SHA1
f6e026da7fedb0128eb94a6eda38768a7c07e200

SHA256
b1cf3c2f091f01ecbf53d4109c437c0948da87f8ab4c887d98582a313ca4596d

SHA512
7a21f4e00b6759c37d86accd3fec119a77b71de4411c06f24e2d636436b38000495ac2ea158d6e7b535dcf151e913dd36fec91590ee192a324034b32d9466377

Download Submit
memory/1512-144-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1512-47-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1632-102-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-12-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1632-143-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-37-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/1632-41-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-142-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/1632-45-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1632-141-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1632-73-0x000000013FD10000-0x0000000140064000-memory.dmp

Filesize
3.3MB

Download
memory/1632-0-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-81-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/1632-94-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-20-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/1632-88-0x000000013FC90000-0x000000013FFE4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-90-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-98-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-122-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1632-119-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/1632-27-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-105-0x000000013FF40000-0x0000000140294000-memory.dmp

Filesize
3.3MB

Download
memory/1632-31-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/1632-6-0x000000013FE40000-0x0000000140194000-memory.dmp

Filesize
3.3MB

Download
memory/1632-50-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1632-111-0x00000000024B0000-0x0000000002804000-memory.dmp

Filesize
3.3MB

Download
memory/1680-14-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1680-146-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1680-57-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2488-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2488-76-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2552-85-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2552-147-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2552-28-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2608-51-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-140-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-150-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-35-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2664-148-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2664-109-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2724-129-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2724-42-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2724-149-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2728-67-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2728-22-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2728-145-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download