cobaltstrike | 0a6e7d489bd550aa8566a41256d25b2191780f57fef260e9ab65af87f3961ee9

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5b4588095736a72438b5b0bdf5149a96
SHA1

ce839b69ac0b07aa25551483f00ab9a96c7d2797
SHA256

0a6e7d489bd550aa8566a41256d25b2191780f57fef260e9ab65af87f3961ee9
SHA512

d4e51f4465d5dc67571fd3b484bcb4d4d09246254e33d51b27342c9925818cb46ed8eb74c1a42193a1265ff6d5355d8ffe2aca3323c5d3e52d5a44f3a8051c2a
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:Q+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\OuFkfkK.exe	cobalt_reflective_dll
C:\Windows\System\KxUBFUg.exe	cobalt_reflective_dll
C:\Windows\System\GlZCCYN.exe	cobalt_reflective_dll
C:\Windows\System\tyJIYNc.exe	cobalt_reflective_dll
C:\Windows\System\AtbeCcV.exe	cobalt_reflective_dll
C:\Windows\System\eprqOEM.exe	cobalt_reflective_dll
C:\Windows\System\LLnlvYx.exe	cobalt_reflective_dll
C:\Windows\System\GZTuARL.exe	cobalt_reflective_dll
C:\Windows\System\CemnGxa.exe	cobalt_reflective_dll
C:\Windows\System\PrFhyrY.exe	cobalt_reflective_dll
C:\Windows\System\kTIPZxd.exe	cobalt_reflective_dll
C:\Windows\System\vWhtQAs.exe	cobalt_reflective_dll
C:\Windows\System\VYPiIut.exe	cobalt_reflective_dll
C:\Windows\System\NSgalRo.exe	cobalt_reflective_dll
C:\Windows\System\atguRlG.exe	cobalt_reflective_dll
C:\Windows\System\kphZlHt.exe	cobalt_reflective_dll
C:\Windows\System\eRICHhM.exe	cobalt_reflective_dll
C:\Windows\System\FEFjyRx.exe	cobalt_reflective_dll
C:\Windows\System\pWilhxn.exe	cobalt_reflective_dll
C:\Windows\System\QMzQFVp.exe	cobalt_reflective_dll
C:\Windows\System\zERJyHy.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\OuFkfkK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KxUBFUg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GlZCCYN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tyJIYNc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AtbeCcV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eprqOEM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LLnlvYx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GZTuARL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CemnGxa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PrFhyrY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kTIPZxd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vWhtQAs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VYPiIut.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NSgalRo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\atguRlG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kphZlHt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eRICHhM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FEFjyRx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pWilhxn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QMzQFVp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zERJyHy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1724-0-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	UPX
C:\Windows\System\OuFkfkK.exe	UPX
behavioral2/memory/2076-7-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	UPX
C:\Windows\System\KxUBFUg.exe	UPX
C:\Windows\System\GlZCCYN.exe	UPX
behavioral2/memory/972-14-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	UPX
behavioral2/memory/2236-20-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	UPX
C:\Windows\System\tyJIYNc.exe	UPX
behavioral2/memory/2876-26-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	UPX
C:\Windows\System\AtbeCcV.exe	UPX
behavioral2/memory/3124-32-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	UPX
C:\Windows\System\eprqOEM.exe	UPX
behavioral2/memory/1892-43-0x00007FF607810000-0x00007FF607B64000-memory.dmp	UPX
C:\Windows\System\LLnlvYx.exe	UPX
C:\Windows\System\GZTuARL.exe	UPX
C:\Windows\System\CemnGxa.exe	UPX
C:\Windows\System\PrFhyrY.exe	UPX
C:\Windows\System\kTIPZxd.exe	UPX
C:\Windows\System\vWhtQAs.exe	UPX
C:\Windows\System\VYPiIut.exe	UPX
C:\Windows\System\NSgalRo.exe	UPX
C:\Windows\System\atguRlG.exe	UPX
C:\Windows\System\kphZlHt.exe	UPX
C:\Windows\System\eRICHhM.exe	UPX
C:\Windows\System\FEFjyRx.exe	UPX
C:\Windows\System\pWilhxn.exe	UPX
C:\Windows\System\QMzQFVp.exe	UPX
behavioral2/memory/1556-46-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	UPX
C:\Windows\System\zERJyHy.exe	UPX
behavioral2/memory/1436-115-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	UPX
behavioral2/memory/4532-116-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	UPX
behavioral2/memory/3528-114-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	UPX
behavioral2/memory/1776-117-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	UPX
behavioral2/memory/4584-118-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	UPX
behavioral2/memory/3492-120-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	UPX
behavioral2/memory/2668-122-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	UPX
behavioral2/memory/4492-123-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp	UPX
behavioral2/memory/4188-121-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	UPX
behavioral2/memory/5080-124-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp	UPX
behavioral2/memory/1140-126-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	UPX
behavioral2/memory/1292-127-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	UPX
behavioral2/memory/632-125-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp	UPX
behavioral2/memory/868-119-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	UPX
behavioral2/memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	UPX
behavioral2/memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	UPX
behavioral2/memory/972-130-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	UPX
behavioral2/memory/2076-131-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	UPX
behavioral2/memory/972-132-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	UPX
behavioral2/memory/2236-133-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	UPX
behavioral2/memory/2876-134-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	UPX
behavioral2/memory/3124-135-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	UPX
behavioral2/memory/1892-136-0x00007FF607810000-0x00007FF607B64000-memory.dmp	UPX
behavioral2/memory/1556-137-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	UPX
behavioral2/memory/1140-138-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	UPX
behavioral2/memory/1292-139-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	UPX
behavioral2/memory/3528-140-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	UPX
behavioral2/memory/1436-141-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	UPX
behavioral2/memory/4532-142-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	UPX
behavioral2/memory/1776-143-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	UPX
behavioral2/memory/4584-144-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	UPX
behavioral2/memory/868-145-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	UPX
behavioral2/memory/3492-146-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	UPX
behavioral2/memory/2668-148-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	UPX
behavioral2/memory/4188-147-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1724-0-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	xmrig
C:\Windows\System\OuFkfkK.exe	xmrig
behavioral2/memory/2076-7-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	xmrig
C:\Windows\System\KxUBFUg.exe	xmrig
C:\Windows\System\GlZCCYN.exe	xmrig
behavioral2/memory/972-14-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	xmrig
behavioral2/memory/2236-20-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	xmrig
C:\Windows\System\tyJIYNc.exe	xmrig
behavioral2/memory/2876-26-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	xmrig
C:\Windows\System\AtbeCcV.exe	xmrig
behavioral2/memory/3124-32-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	xmrig
C:\Windows\System\eprqOEM.exe	xmrig
behavioral2/memory/1892-43-0x00007FF607810000-0x00007FF607B64000-memory.dmp	xmrig
C:\Windows\System\LLnlvYx.exe	xmrig
C:\Windows\System\GZTuARL.exe	xmrig
C:\Windows\System\CemnGxa.exe	xmrig
C:\Windows\System\PrFhyrY.exe	xmrig
C:\Windows\System\kTIPZxd.exe	xmrig
C:\Windows\System\vWhtQAs.exe	xmrig
C:\Windows\System\VYPiIut.exe	xmrig
C:\Windows\System\NSgalRo.exe	xmrig
C:\Windows\System\atguRlG.exe	xmrig
C:\Windows\System\kphZlHt.exe	xmrig
C:\Windows\System\eRICHhM.exe	xmrig
C:\Windows\System\FEFjyRx.exe	xmrig
C:\Windows\System\pWilhxn.exe	xmrig
C:\Windows\System\QMzQFVp.exe	xmrig
behavioral2/memory/1556-46-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	xmrig
C:\Windows\System\zERJyHy.exe	xmrig
behavioral2/memory/1436-115-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	xmrig
behavioral2/memory/4532-116-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	xmrig
behavioral2/memory/3528-114-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	xmrig
behavioral2/memory/1776-117-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	xmrig
behavioral2/memory/4584-118-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	xmrig
behavioral2/memory/3492-120-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	xmrig
behavioral2/memory/2668-122-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	xmrig
behavioral2/memory/4492-123-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp	xmrig
behavioral2/memory/4188-121-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	xmrig
behavioral2/memory/5080-124-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp	xmrig
behavioral2/memory/1140-126-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	xmrig
behavioral2/memory/1292-127-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	xmrig
behavioral2/memory/632-125-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp	xmrig
behavioral2/memory/868-119-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	xmrig
behavioral2/memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	xmrig
behavioral2/memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	xmrig
behavioral2/memory/972-130-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	xmrig
behavioral2/memory/2076-131-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	xmrig
behavioral2/memory/972-132-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	xmrig
behavioral2/memory/2236-133-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	xmrig
behavioral2/memory/2876-134-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	xmrig
behavioral2/memory/3124-135-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	xmrig
behavioral2/memory/1892-136-0x00007FF607810000-0x00007FF607B64000-memory.dmp	xmrig
behavioral2/memory/1556-137-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	xmrig
behavioral2/memory/1140-138-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	xmrig
behavioral2/memory/1292-139-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	xmrig
behavioral2/memory/3528-140-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	xmrig
behavioral2/memory/1436-141-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	xmrig
behavioral2/memory/4532-142-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	xmrig
behavioral2/memory/1776-143-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	xmrig
behavioral2/memory/4584-144-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	xmrig
behavioral2/memory/868-145-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	xmrig
behavioral2/memory/3492-146-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	xmrig
behavioral2/memory/2668-148-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	xmrig
behavioral2/memory/4188-147-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

OuFkfkK.exeGlZCCYN.exeKxUBFUg.exetyJIYNc.exeAtbeCcV.exezERJyHy.exeeprqOEM.exeLLnlvYx.exeGZTuARL.exeCemnGxa.exeQMzQFVp.exepWilhxn.exeFEFjyRx.exePrFhyrY.exeeRICHhM.exekphZlHt.exekTIPZxd.exeatguRlG.exeNSgalRo.exevWhtQAs.exeVYPiIut.exe

pid	process
2076	OuFkfkK.exe
972	GlZCCYN.exe
2236	KxUBFUg.exe
2876	tyJIYNc.exe
3124	AtbeCcV.exe
1892	zERJyHy.exe
1556	eprqOEM.exe
1140	LLnlvYx.exe
1292	GZTuARL.exe
3528	CemnGxa.exe
1436	QMzQFVp.exe
4532	pWilhxn.exe
1776	FEFjyRx.exe
4584	PrFhyrY.exe
868	eRICHhM.exe
3492	kphZlHt.exe
4188	kTIPZxd.exe
2668	atguRlG.exe
4492	NSgalRo.exe
5080	vWhtQAs.exe
632	VYPiIut.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1724-0-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	upx
C:\Windows\System\OuFkfkK.exe	upx
behavioral2/memory/2076-7-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	upx
C:\Windows\System\KxUBFUg.exe	upx
C:\Windows\System\GlZCCYN.exe	upx
behavioral2/memory/972-14-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	upx
behavioral2/memory/2236-20-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	upx
C:\Windows\System\tyJIYNc.exe	upx
behavioral2/memory/2876-26-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	upx
C:\Windows\System\AtbeCcV.exe	upx
behavioral2/memory/3124-32-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	upx
C:\Windows\System\eprqOEM.exe	upx
behavioral2/memory/1892-43-0x00007FF607810000-0x00007FF607B64000-memory.dmp	upx
C:\Windows\System\LLnlvYx.exe	upx
C:\Windows\System\GZTuARL.exe	upx
C:\Windows\System\CemnGxa.exe	upx
C:\Windows\System\PrFhyrY.exe	upx
C:\Windows\System\kTIPZxd.exe	upx
C:\Windows\System\vWhtQAs.exe	upx
C:\Windows\System\VYPiIut.exe	upx
C:\Windows\System\NSgalRo.exe	upx
C:\Windows\System\atguRlG.exe	upx
C:\Windows\System\kphZlHt.exe	upx
C:\Windows\System\eRICHhM.exe	upx
C:\Windows\System\FEFjyRx.exe	upx
C:\Windows\System\pWilhxn.exe	upx
C:\Windows\System\QMzQFVp.exe	upx
behavioral2/memory/1556-46-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	upx
C:\Windows\System\zERJyHy.exe	upx
behavioral2/memory/1436-115-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	upx
behavioral2/memory/4532-116-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	upx
behavioral2/memory/3528-114-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	upx
behavioral2/memory/1776-117-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	upx
behavioral2/memory/4584-118-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	upx
behavioral2/memory/3492-120-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	upx
behavioral2/memory/2668-122-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	upx
behavioral2/memory/4492-123-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp	upx
behavioral2/memory/4188-121-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	upx
behavioral2/memory/5080-124-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp	upx
behavioral2/memory/1140-126-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	upx
behavioral2/memory/1292-127-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	upx
behavioral2/memory/632-125-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp	upx
behavioral2/memory/868-119-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	upx
behavioral2/memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	upx
behavioral2/memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp	upx
behavioral2/memory/972-130-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	upx
behavioral2/memory/2076-131-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp	upx
behavioral2/memory/972-132-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp	upx
behavioral2/memory/2236-133-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp	upx
behavioral2/memory/2876-134-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp	upx
behavioral2/memory/3124-135-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp	upx
behavioral2/memory/1892-136-0x00007FF607810000-0x00007FF607B64000-memory.dmp	upx
behavioral2/memory/1556-137-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp	upx
behavioral2/memory/1140-138-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp	upx
behavioral2/memory/1292-139-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp	upx
behavioral2/memory/3528-140-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp	upx
behavioral2/memory/1436-141-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp	upx
behavioral2/memory/4532-142-0x00007FF691A10000-0x00007FF691D64000-memory.dmp	upx
behavioral2/memory/1776-143-0x00007FF703960000-0x00007FF703CB4000-memory.dmp	upx
behavioral2/memory/4584-144-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp	upx
behavioral2/memory/868-145-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp	upx
behavioral2/memory/3492-146-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp	upx
behavioral2/memory/2668-148-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp	upx
behavioral2/memory/4188-147-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\pWilhxn.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FEFjyRx.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kTIPZxd.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vWhtQAs.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OuFkfkK.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tyJIYNc.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GZTuARL.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kphZlHt.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NSgalRo.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AtbeCcV.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eprqOEM.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VYPiIut.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxUBFUg.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zERJyHy.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CemnGxa.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QMzQFVp.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PrFhyrY.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eRICHhM.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atguRlG.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GlZCCYN.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLnlvYx.exe	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1724 wrote to memory of 2076	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	OuFkfkK.exe
PID 1724 wrote to memory of 2076	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	OuFkfkK.exe
PID 1724 wrote to memory of 972	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	GlZCCYN.exe
PID 1724 wrote to memory of 972	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	GlZCCYN.exe
PID 1724 wrote to memory of 2236	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	KxUBFUg.exe
PID 1724 wrote to memory of 2236	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	KxUBFUg.exe
PID 1724 wrote to memory of 2876	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	tyJIYNc.exe
PID 1724 wrote to memory of 2876	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	tyJIYNc.exe
PID 1724 wrote to memory of 3124	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	AtbeCcV.exe
PID 1724 wrote to memory of 3124	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	AtbeCcV.exe
PID 1724 wrote to memory of 1892	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	zERJyHy.exe
PID 1724 wrote to memory of 1892	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	zERJyHy.exe
PID 1724 wrote to memory of 1556	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	eprqOEM.exe
PID 1724 wrote to memory of 1556	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	eprqOEM.exe
PID 1724 wrote to memory of 1140	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	LLnlvYx.exe
PID 1724 wrote to memory of 1140	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	LLnlvYx.exe
PID 1724 wrote to memory of 1292	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	GZTuARL.exe
PID 1724 wrote to memory of 1292	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	GZTuARL.exe
PID 1724 wrote to memory of 3528	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	CemnGxa.exe
PID 1724 wrote to memory of 3528	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	CemnGxa.exe
PID 1724 wrote to memory of 1436	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	QMzQFVp.exe
PID 1724 wrote to memory of 1436	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	QMzQFVp.exe
PID 1724 wrote to memory of 4532	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pWilhxn.exe
PID 1724 wrote to memory of 4532	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	pWilhxn.exe
PID 1724 wrote to memory of 1776	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	FEFjyRx.exe
PID 1724 wrote to memory of 1776	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	FEFjyRx.exe
PID 1724 wrote to memory of 4584	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	PrFhyrY.exe
PID 1724 wrote to memory of 4584	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	PrFhyrY.exe
PID 1724 wrote to memory of 868	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	eRICHhM.exe
PID 1724 wrote to memory of 868	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	eRICHhM.exe
PID 1724 wrote to memory of 3492	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kphZlHt.exe
PID 1724 wrote to memory of 3492	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kphZlHt.exe
PID 1724 wrote to memory of 4188	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kTIPZxd.exe
PID 1724 wrote to memory of 4188	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	kTIPZxd.exe
PID 1724 wrote to memory of 2668	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	atguRlG.exe
PID 1724 wrote to memory of 2668	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	atguRlG.exe
PID 1724 wrote to memory of 4492	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	NSgalRo.exe
PID 1724 wrote to memory of 4492	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	NSgalRo.exe
PID 1724 wrote to memory of 5080	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	vWhtQAs.exe
PID 1724 wrote to memory of 5080	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	vWhtQAs.exe
PID 1724 wrote to memory of 632	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	VYPiIut.exe
PID 1724 wrote to memory of 632	1724	2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe	VYPiIut.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\System\OuFkfkK.exe
C:\Windows\System\OuFkfkK.exe
2⤵
- Executes dropped EXE
PID:2076

C:\Windows\System\GlZCCYN.exe
C:\Windows\System\GlZCCYN.exe
2⤵
- Executes dropped EXE
PID:972

C:\Windows\System\KxUBFUg.exe
C:\Windows\System\KxUBFUg.exe
2⤵
- Executes dropped EXE
PID:2236

C:\Windows\System\tyJIYNc.exe
C:\Windows\System\tyJIYNc.exe
2⤵
- Executes dropped EXE
PID:2876

C:\Windows\System\AtbeCcV.exe
C:\Windows\System\AtbeCcV.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Windows\System\zERJyHy.exe
C:\Windows\System\zERJyHy.exe
2⤵
- Executes dropped EXE
PID:1892

C:\Windows\System\eprqOEM.exe
C:\Windows\System\eprqOEM.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\System\LLnlvYx.exe
C:\Windows\System\LLnlvYx.exe
2⤵
- Executes dropped EXE
PID:1140

C:\Windows\System\GZTuARL.exe
C:\Windows\System\GZTuARL.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Windows\System\CemnGxa.exe
C:\Windows\System\CemnGxa.exe
2⤵
- Executes dropped EXE
PID:3528

C:\Windows\System\QMzQFVp.exe
C:\Windows\System\QMzQFVp.exe
2⤵
- Executes dropped EXE
PID:1436

C:\Windows\System\pWilhxn.exe
C:\Windows\System\pWilhxn.exe
2⤵
- Executes dropped EXE
PID:4532

C:\Windows\System\FEFjyRx.exe
C:\Windows\System\FEFjyRx.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\PrFhyrY.exe
C:\Windows\System\PrFhyrY.exe
2⤵
- Executes dropped EXE
PID:4584

C:\Windows\System\eRICHhM.exe
C:\Windows\System\eRICHhM.exe
2⤵
- Executes dropped EXE
PID:868

C:\Windows\System\kphZlHt.exe
C:\Windows\System\kphZlHt.exe
2⤵
- Executes dropped EXE
PID:3492

C:\Windows\System\kTIPZxd.exe
C:\Windows\System\kTIPZxd.exe
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\System\atguRlG.exe
C:\Windows\System\atguRlG.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\NSgalRo.exe
C:\Windows\System\NSgalRo.exe
2⤵
- Executes dropped EXE
PID:4492

C:\Windows\System\vWhtQAs.exe
C:\Windows\System\vWhtQAs.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Windows\System\VYPiIut.exe
C:\Windows\System\VYPiIut.exe
2⤵
- Executes dropped EXE
PID:632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AtbeCcV.exe
Filesize
5.9MB

MD5
0b6287beea186d5ce093985b7f6420e3

SHA1
5d2f79b0d8c0e664395bdf1fb6b35683cb13210a

SHA256
ad770cb16b4033c2be9a614e13c51500b042f1a79a699ac01dfb326bd1f180f7

SHA512
4875c55c5644654610f8b255abd6027116e2acf85bdf98b450b84fc23ca9041be823d76f87d562479858f21c73a73623a974839276c5970326a0829735436559

Download Submit
C:\Windows\System\CemnGxa.exe
Filesize
5.9MB

MD5
b8f6c68b57832c80cabbfc2234307a07

SHA1
224c355d4f399bce3f6852ed43a51b7bc4788e32

SHA256
e470f3c1a14cdff60c3887c002b0f3af1706c68e8b2010d3e5523169d44c3102

SHA512
d5887bdd5fb11b102adc407b7ff85723b52ac5f3b866f89a2939b2421e39ef4d2624f6d0d7fbd00469461c352a9ca8fda38c7f4589c3ee5fb53dcc32d7875193

Download Submit
C:\Windows\System\FEFjyRx.exe
Filesize
5.9MB

MD5
41cdbe7fa0c556fb39c156a936012866

SHA1
a201baf1d3d1f99e879d5c9fa6d0e46c190bd2f0

SHA256
78420fef6fb1a215a8e2cdd9cf71a319a1daa0fcd6eccb0d949fcdffd5469524

SHA512
5b7280ee83467ca4d55ded1ed45523e794b0812a09f2a0e03eeb1c25251bdf3e5c78ec0a86d0e3cca3b9670a12a6083f9845c5d9df4e32c0d76a7bb75e9a89fe

Download Submit
C:\Windows\System\GZTuARL.exe
Filesize
5.9MB

MD5
9775b34acd06da4ffecc2cb34825ce78

SHA1
c9d30e09bac892480eea9ede55eea2331488d22a

SHA256
34a27c6c45eeda69b3a4870fc83ad4f49849631c1a06266594ef30b52789ad32

SHA512
a8a789edef132c0d4be036bd71c9017e176ce43ee514fa9bee1aeb999c2f8dc5ad71451ec8be40aa8f6961e8d7cda8c1e596662bedb0729c0148228c2d292168

Download Submit
C:\Windows\System\GlZCCYN.exe
Filesize
5.9MB

MD5
a129147649d9223903b4bb096ec151f5

SHA1
b1a7b0f701a289b6c6dedd5283da78c3e576655b

SHA256
094c2b27331c3f85d74d71133732605ac32eea67afed96274f4be24b7b037ff0

SHA512
f562e14a30f127fbbfe9fc2083f4f8e213b78f89bd45e7a23ccca6ec38f00e91813b09dec2a20ab58dfc24f4cb5aed0b3277d09335e85cef096b490a38938b73

Download Submit
C:\Windows\System\KxUBFUg.exe
Filesize
5.9MB

MD5
b433589c00e77ff58691db05b02a236f

SHA1
f3511071bb6263f8a324517ae0c3ef9cd44d7cd3

SHA256
6021249c436ad0819613a11bc76db02039cea6114be1fddaab89e512376c8752

SHA512
e6b3d1584eaa96b2206291e741abb878e985188f51fec2336030e2bb84f954604557b6dfbabb29f0cf8a800a4e2e1ae19af7558bd629138426c33bf891b0ac67

Download Submit
C:\Windows\System\LLnlvYx.exe
Filesize
5.9MB

MD5
c8820ab6934b9a4fcfde9ce336466018

SHA1
b4b03af61927eacf935f3ddd8088363c2d0b77b6

SHA256
a377fba93f0556087947a4a16d0fa7c8f8bf2b4596a044742ca2b54f5adb8fad

SHA512
96a2307105576eef4e0c90f37dbd688c58c7aaa186144a426abe8fc05ba651c9c015823a4bc1451a72c8177ad10be3f7dda9f050abde4f11e3d7830ed63b9d61

Download Submit
C:\Windows\System\NSgalRo.exe
Filesize
5.9MB

MD5
494acb77ddc08e580daa358b4d9751e0

SHA1
169b899a461302a3adbf4ac96249b4d6ed2d324c

SHA256
77262b0f2fc1289ce0e348d16a7582fc4dc5bec41d7908d0de9e0ac323b69aea

SHA512
f46004c4f25011b2a717464589a51469db640fc542d1d3dfc6fb0dd1d4e7216427a1834358522517ccf43e96f0db05015b0119bd74306add202f2350d37b202e

Download Submit
C:\Windows\System\OuFkfkK.exe
Filesize
5.9MB

MD5
2c9de10c3f2b3896bd8dfacd0f6b24cd

SHA1
08ac4d43737d7e3a819547fa446a39ba0baf14c6

SHA256
561bfcbfdb59c36190501dab76338479db76752f611c929654d3ee4e66859ddf

SHA512
e8c9959d317c24c5e14c1d7a0a84fcc7fd3b5dc5060700dda8762e8902856defb91a00fe4f04eaa97e8bff89f761f4a925508396ab1ae15eccbe4863c088b93a

Download Submit
C:\Windows\System\PrFhyrY.exe
Filesize
5.9MB

MD5
c58528332608f195cee67d0fa8b48fcc

SHA1
1b708dd58ba7bf80f0cbb450a8505a748c788554

SHA256
1106cdcb22c8f7dc2a66c69fc67aa98407d4839f09c7c26a7426d1d19245dc3f

SHA512
822c096b9341a561926bde1b5ef197e4177c8f360256b7edeaccd4051a45975f0618f781c46f2544d58b0f7a7cd93db0e748878d8fb6527beed45a7e90d747c1

Download Submit
C:\Windows\System\QMzQFVp.exe
Filesize
5.9MB

MD5
59d02c6467945f67722d916500f48ce8

SHA1
1de16ddc60ebced80c04ad763710124515a4174f

SHA256
3eefc9cdfbbd7f234d0255b9d4dbfaaa21eb63bab95758c7dc6e65f2dc2f8fb5

SHA512
4623e08cd61c78a86d093329483871cae1ae59eb055c2550540375bb2ba9df232d81bb37e8f1750e2e5e451a5dcc1eb82628e728c2c4e3464d822318a84e8b47

Download Submit
C:\Windows\System\VYPiIut.exe
Filesize
5.9MB

MD5
8a230a4270911ecd863306fe2c96f9b2

SHA1
3062cfb76158c62b65e52da004b5e59a20fc058f

SHA256
4be44d313d1fd7a2a26da5195704649de8a054e6cb0ae91dc111ace07c3bbcc1

SHA512
84ceb63bbf55a75f8d88a1df98f195b0dab4f4c3dea20e989c19509ec0e991cde3929fb14d0a8162a2d4c9a29a0eeaba619872fdb16571715355e126efddd4b2

Download Submit
C:\Windows\System\atguRlG.exe
Filesize
5.9MB

MD5
06b45c028ec942d34c021b6d07297fe1

SHA1
01d6fbb475c5f2591f267f61f206bbc46e82e1c6

SHA256
bff3022e7f6c38b003305f009ccf1fe4c43e9c0de55f9dcab67c785ea301ed8d

SHA512
277b300bca3c9bb201622e94be80a719fbe552d9dc49dd2947c2c93b9b13587835921cd29bb3bb654561b8fcb725b4b5ef12ca6b95641de6790b4fb6e6beca95

Download Submit
C:\Windows\System\eRICHhM.exe
Filesize
5.9MB

MD5
7cbcbf910986e7661b91ff09bbb37a34

SHA1
62f2ba17e68b23fa2261d09d19dafa8b065066ee

SHA256
c490cf7614aacb503c3bed7cf354d0cd6dd70c133123069d649ed1bd4f11dd7c

SHA512
5349b3c0fd4d6c23beead3386ca6e13406b0da47985c2532501113d691e805dd6fc87ddea84b1ed9780e4e1ddb36400003e4308783d97225df7af0e3c65c5786

Download Submit
C:\Windows\System\eprqOEM.exe
Filesize
5.9MB

MD5
cf398472b47a398d74d41db02e48f6a3

SHA1
ca64ecf5f30a21649f7f82ce70df0a01eced4491

SHA256
9ae484867256d3863becc60a3900720fa4cc409d30ea7baeeff6a7d2e281a567

SHA512
21d26d02a38b7d6d3795b41320419d390f684cc711b57d2b1cf3f309446ea86c9c7df12b8f750c2c446a45635b8c2b4d2833491cc44c4dc90c26d1df3d28a0f8

Download Submit
C:\Windows\System\kTIPZxd.exe
Filesize
5.9MB

MD5
1d0f46519d0acd4d19f2298055bbddcf

SHA1
3336e6a640503def8ae193bcd58022c7fb0bc346

SHA256
0801b73e6822e633c87c457a753534e646c28648104d31f6ac030a33aae949be

SHA512
9315d69a706f52ce12997d9caf1e2bf5bfb0f74f99bc7f926d72114fb381ddd82ba811a31e4d3818a1da8ea2c1c810f3965bfbf0cc0ca43aa119716b58c8787a

Download Submit
C:\Windows\System\kphZlHt.exe
Filesize
5.9MB

MD5
34b003ad12718a5d15412172a7878ede

SHA1
c438bf0c28b9b564f5df44bb1dc5e327c1f4da7b

SHA256
0b9f45449e6fa1aa4e48e4f8dcf51a8959020618a37783657b94ccaa95d7109d

SHA512
fff60b31dcc0ae190bd492d210ee18504060e7e6361b212aca741b4a9dcba27e82ceca4e56747793f12c211444a457bba53025690314f796960713d2d983dbc0

Download Submit
C:\Windows\System\pWilhxn.exe
Filesize
5.9MB

MD5
a9093990efcc56549faa7ae18bd48878

SHA1
214227d5259588f61f433541186fbf2430a61667

SHA256
965a96ef6763fdad6f6bd08e196ba6b01cb6dd4090038e627625cdda2da8315b

SHA512
3b555fbcefe0e718b77943bce380a1f5b7ada26a622fe4eb0eaae423d92943738bbbffa16337005f76ab17d51a59bf4158907f3b4a5866c73c34fd1fe2a4598f

Download Submit
C:\Windows\System\tyJIYNc.exe
Filesize
5.9MB

MD5
a4aa32e6aa628a289151e0f87a115570

SHA1
296c02098a5838e37a9c6019e1a4b2fd24ab07db

SHA256
752349f162adde20c398b597c137674be3a6a4089543464ae9abefbf70d77771

SHA512
801341cd11e15cf7794023b01592074800025f29b54724bfa7551d831404137b0af9899e168908915ba90d390938b8798b507d1e6c41375f0c7cd369512c8526

Download Submit
C:\Windows\System\vWhtQAs.exe
Filesize
5.9MB

MD5
88953cec1389603c5110818b72ee119a

SHA1
995363123f3c9566b59912cd88f86c4925ce54cd

SHA256
5fdef7c0b07576ca4d40d8043bd58a90a7dadf26a3303e8b9030fd9c7ff7a5db

SHA512
3d335d54b03dc7659999599e337a9a4e7901932c9aa002dfb8a9c188ac2e6cce26077527701a30910f0f4c56cc5952104f81a56a0c7a8b21441858ab7f2a7348

Download Submit
C:\Windows\System\zERJyHy.exe
Filesize
5.9MB

MD5
d7f9b442b19d26612f2ee3eb9ccecc08

SHA1
c323831eb81c146a0eb26e0ee252cc53edc40f2f

SHA256
fbd45844ea7a38679c9a712f0a24c3d08ca8e31f48f98dc48e8a04831d49cd56

SHA512
72306063ce2bd143b54f9f12512351878b686cef9a74815d811e49ab453967064f34d32c557283e0f2b3e4557b7a516ec74613d87a4bba8381514ef7f31fc102

Download Submit
memory/632-125-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp

Filesize
3.3MB

Download
memory/632-150-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp

Filesize
3.3MB

Download
memory/868-145-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp

Filesize
3.3MB

Download
memory/868-119-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp

Filesize
3.3MB

Download
memory/972-130-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp

Filesize
3.3MB

Download
memory/972-132-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp

Filesize
3.3MB

Download
memory/972-14-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp

Filesize
3.3MB

Download
memory/1140-126-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1140-138-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1292-139-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp

Filesize
3.3MB

Download
memory/1292-127-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp

Filesize
3.3MB

Download
memory/1436-141-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp

Filesize
3.3MB

Download
memory/1436-115-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp

Filesize
3.3MB

Download
memory/1556-46-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp

Filesize
3.3MB

Download
memory/1556-137-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp

Filesize
3.3MB

Download
memory/1724-0-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp

Filesize
3.3MB

Download
memory/1724-1-0x0000019A365F0000-0x0000019A36600000-memory.dmp

Filesize
64KB

Download
memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-143-0x00007FF703960000-0x00007FF703CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-117-0x00007FF703960000-0x00007FF703CB4000-memory.dmp

Filesize
3.3MB

Download
memory/1892-136-0x00007FF607810000-0x00007FF607B64000-memory.dmp

Filesize
3.3MB

Download
memory/1892-43-0x00007FF607810000-0x00007FF607B64000-memory.dmp

Filesize
3.3MB

Download
memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp

Filesize
3.3MB

Download
memory/2076-7-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp

Filesize
3.3MB

Download
memory/2076-131-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp

Filesize
3.3MB

Download
memory/2236-20-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-133-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-148-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp

Filesize
3.3MB

Download
memory/2668-122-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp

Filesize
3.3MB

Download
memory/2876-134-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp

Filesize
3.3MB

Download
memory/2876-26-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp

Filesize
3.3MB

Download
memory/3124-135-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp

Filesize
3.3MB

Download
memory/3124-32-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp

Filesize
3.3MB

Download
memory/3492-120-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp

Filesize
3.3MB

Download
memory/3492-146-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-140-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3528-114-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4188-147-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp

Filesize
3.3MB

Download
memory/4188-121-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp

Filesize
3.3MB

Download
memory/4492-151-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp

Filesize
3.3MB

Download
memory/4492-123-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp

Filesize
3.3MB

Download
memory/4532-142-0x00007FF691A10000-0x00007FF691D64000-memory.dmp

Filesize
3.3MB

Download
memory/4532-116-0x00007FF691A10000-0x00007FF691D64000-memory.dmp

Filesize
3.3MB

Download
memory/4584-144-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp

Filesize
3.3MB

Download
memory/4584-118-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp

Filesize
3.3MB

Download
memory/5080-124-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-149-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp

Filesize
3.3MB

Download