cobaltstrike | a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

71e1fcf3adcc69196f313cb6f933d791
SHA1

6c60cbf99fb138b8045629ba80705223880f158f
SHA256

a7cf964013e0b1cf2842ba8c2cc9edce7bb17e829c22ffda9fea8ef4c5764436
SHA512

4fcdc209109386d541ee7ae336d03a8be7e62549f967435c62937121e2dc57305e679483d3ce99c44bf70d275d4d41fc34fe938719f324c06724dfbc026db521
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:Q+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\nLdPVdM.exe	cobalt_reflective_dll
C:\Windows\System\oqniZcK.exe	cobalt_reflective_dll
C:\Windows\System\GLzeqTJ.exe	cobalt_reflective_dll
C:\Windows\System\sEbxpxY.exe	cobalt_reflective_dll
C:\Windows\System\piXvaGT.exe	cobalt_reflective_dll
C:\Windows\System\jgUvNft.exe	cobalt_reflective_dll
C:\Windows\System\dNknnRT.exe	cobalt_reflective_dll
C:\Windows\System\FhgEtsM.exe	cobalt_reflective_dll
C:\Windows\System\rpxAizt.exe	cobalt_reflective_dll
C:\Windows\System\yMGPJYS.exe	cobalt_reflective_dll
C:\Windows\System\geUDvvt.exe	cobalt_reflective_dll
C:\Windows\System\ygObmpj.exe	cobalt_reflective_dll
C:\Windows\System\AiKRwIF.exe	cobalt_reflective_dll
C:\Windows\System\mxbbdCp.exe	cobalt_reflective_dll
C:\Windows\System\kcWndlU.exe	cobalt_reflective_dll
C:\Windows\System\XfytqnK.exe	cobalt_reflective_dll
C:\Windows\System\dAaBUkt.exe	cobalt_reflective_dll
C:\Windows\System\KclfuBB.exe	cobalt_reflective_dll
C:\Windows\System\VdUqWIw.exe	cobalt_reflective_dll
C:\Windows\System\dmMhXqw.exe	cobalt_reflective_dll
C:\Windows\System\slGfwgI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\nLdPVdM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\oqniZcK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GLzeqTJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sEbxpxY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\piXvaGT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jgUvNft.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dNknnRT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FhgEtsM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rpxAizt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yMGPJYS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\geUDvvt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ygObmpj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AiKRwIF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mxbbdCp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kcWndlU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XfytqnK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dAaBUkt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KclfuBB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VdUqWIw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dmMhXqw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\slGfwgI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	UPX
C:\Windows\System\nLdPVdM.exe	UPX
C:\Windows\System\oqniZcK.exe	UPX
C:\Windows\System\GLzeqTJ.exe	UPX
behavioral2/memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	UPX
behavioral2/memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	UPX
C:\Windows\System\sEbxpxY.exe	UPX
C:\Windows\System\piXvaGT.exe	UPX
C:\Windows\System\jgUvNft.exe	UPX
C:\Windows\System\dNknnRT.exe	UPX
C:\Windows\System\FhgEtsM.exe	UPX
C:\Windows\System\rpxAizt.exe	UPX
C:\Windows\System\yMGPJYS.exe	UPX
C:\Windows\System\geUDvvt.exe	UPX
C:\Windows\System\ygObmpj.exe	UPX
C:\Windows\System\AiKRwIF.exe	UPX
C:\Windows\System\mxbbdCp.exe	UPX
C:\Windows\System\kcWndlU.exe	UPX
C:\Windows\System\XfytqnK.exe	UPX
C:\Windows\System\dAaBUkt.exe	UPX
C:\Windows\System\KclfuBB.exe	UPX
C:\Windows\System\VdUqWIw.exe	UPX
C:\Windows\System\dmMhXqw.exe	UPX
behavioral2/memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	UPX
behavioral2/memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	UPX
C:\Windows\System\slGfwgI.exe	UPX
behavioral2/memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	UPX
behavioral2/memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	UPX
behavioral2/memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	UPX
behavioral2/memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	UPX
behavioral2/memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	UPX
behavioral2/memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	UPX
behavioral2/memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	UPX
behavioral2/memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	UPX
behavioral2/memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	UPX
behavioral2/memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	UPX
behavioral2/memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp	UPX
behavioral2/memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	UPX
behavioral2/memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	UPX
behavioral2/memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	UPX
behavioral2/memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp	UPX
behavioral2/memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp	UPX
behavioral2/memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp	UPX
behavioral2/memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	UPX
behavioral2/memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	UPX
behavioral2/memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	UPX
behavioral2/memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	UPX
behavioral2/memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	UPX
behavioral2/memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	UPX
behavioral2/memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	UPX
behavioral2/memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	UPX
behavioral2/memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	UPX
behavioral2/memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	UPX
behavioral2/memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	UPX
behavioral2/memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	UPX
behavioral2/memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	UPX
behavioral2/memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	UPX
behavioral2/memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	UPX
behavioral2/memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	UPX
behavioral2/memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	UPX
behavioral2/memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	UPX
behavioral2/memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	UPX
behavioral2/memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	UPX
behavioral2/memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	xmrig
C:\Windows\System\nLdPVdM.exe	xmrig
C:\Windows\System\oqniZcK.exe	xmrig
C:\Windows\System\GLzeqTJ.exe	xmrig
behavioral2/memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	xmrig
behavioral2/memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	xmrig
C:\Windows\System\sEbxpxY.exe	xmrig
C:\Windows\System\piXvaGT.exe	xmrig
C:\Windows\System\jgUvNft.exe	xmrig
C:\Windows\System\dNknnRT.exe	xmrig
C:\Windows\System\FhgEtsM.exe	xmrig
C:\Windows\System\rpxAizt.exe	xmrig
C:\Windows\System\yMGPJYS.exe	xmrig
C:\Windows\System\geUDvvt.exe	xmrig
C:\Windows\System\ygObmpj.exe	xmrig
C:\Windows\System\AiKRwIF.exe	xmrig
C:\Windows\System\mxbbdCp.exe	xmrig
C:\Windows\System\kcWndlU.exe	xmrig
C:\Windows\System\XfytqnK.exe	xmrig
C:\Windows\System\dAaBUkt.exe	xmrig
C:\Windows\System\KclfuBB.exe	xmrig
C:\Windows\System\VdUqWIw.exe	xmrig
C:\Windows\System\dmMhXqw.exe	xmrig
behavioral2/memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	xmrig
behavioral2/memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	xmrig
C:\Windows\System\slGfwgI.exe	xmrig
behavioral2/memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	xmrig
behavioral2/memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	xmrig
behavioral2/memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	xmrig
behavioral2/memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	xmrig
behavioral2/memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	xmrig
behavioral2/memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	xmrig
behavioral2/memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	xmrig
behavioral2/memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	xmrig
behavioral2/memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	xmrig
behavioral2/memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	xmrig
behavioral2/memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp	xmrig
behavioral2/memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	xmrig
behavioral2/memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	xmrig
behavioral2/memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	xmrig
behavioral2/memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp	xmrig
behavioral2/memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp	xmrig
behavioral2/memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp	xmrig
behavioral2/memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	xmrig
behavioral2/memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	xmrig
behavioral2/memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	xmrig
behavioral2/memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	xmrig
behavioral2/memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	xmrig
behavioral2/memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	xmrig
behavioral2/memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	xmrig
behavioral2/memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	xmrig
behavioral2/memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	xmrig
behavioral2/memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	xmrig
behavioral2/memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	xmrig
behavioral2/memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	xmrig
behavioral2/memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	xmrig
behavioral2/memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	xmrig
behavioral2/memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	xmrig
behavioral2/memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	xmrig
behavioral2/memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	xmrig
behavioral2/memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	xmrig
behavioral2/memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	xmrig
behavioral2/memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	xmrig
behavioral2/memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

nLdPVdM.exeoqniZcK.exeGLzeqTJ.exesEbxpxY.exepiXvaGT.exeslGfwgI.exejgUvNft.exedNknnRT.exeFhgEtsM.exerpxAizt.exedmMhXqw.exeVdUqWIw.exeyMGPJYS.exeKclfuBB.exegeUDvvt.exedAaBUkt.exeXfytqnK.exeygObmpj.exekcWndlU.exemxbbdCp.exeAiKRwIF.exe

pid	process
5028	nLdPVdM.exe
800	oqniZcK.exe
3260	GLzeqTJ.exe
1836	sEbxpxY.exe
1428	piXvaGT.exe
1756	slGfwgI.exe
4624	jgUvNft.exe
3188	dNknnRT.exe
676	FhgEtsM.exe
2448	rpxAizt.exe
2184	dmMhXqw.exe
3180	VdUqWIw.exe
3256	yMGPJYS.exe
1840	KclfuBB.exe
4968	geUDvvt.exe
3948	dAaBUkt.exe
2528	XfytqnK.exe
2396	ygObmpj.exe
3316	kcWndlU.exe
368	mxbbdCp.exe
1384	AiKRwIF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	upx
C:\Windows\System\nLdPVdM.exe	upx
C:\Windows\System\oqniZcK.exe	upx
C:\Windows\System\GLzeqTJ.exe	upx
behavioral2/memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	upx
behavioral2/memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	upx
C:\Windows\System\sEbxpxY.exe	upx
C:\Windows\System\piXvaGT.exe	upx
C:\Windows\System\jgUvNft.exe	upx
C:\Windows\System\dNknnRT.exe	upx
C:\Windows\System\FhgEtsM.exe	upx
C:\Windows\System\rpxAizt.exe	upx
C:\Windows\System\yMGPJYS.exe	upx
C:\Windows\System\geUDvvt.exe	upx
C:\Windows\System\ygObmpj.exe	upx
C:\Windows\System\AiKRwIF.exe	upx
C:\Windows\System\mxbbdCp.exe	upx
C:\Windows\System\kcWndlU.exe	upx
C:\Windows\System\XfytqnK.exe	upx
C:\Windows\System\dAaBUkt.exe	upx
C:\Windows\System\KclfuBB.exe	upx
C:\Windows\System\VdUqWIw.exe	upx
C:\Windows\System\dmMhXqw.exe	upx
behavioral2/memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	upx
behavioral2/memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	upx
C:\Windows\System\slGfwgI.exe	upx
behavioral2/memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	upx
behavioral2/memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	upx
behavioral2/memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	upx
behavioral2/memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	upx
behavioral2/memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	upx
behavioral2/memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	upx
behavioral2/memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	upx
behavioral2/memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	upx
behavioral2/memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	upx
behavioral2/memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	upx
behavioral2/memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp	upx
behavioral2/memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	upx
behavioral2/memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	upx
behavioral2/memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	upx
behavioral2/memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp	upx
behavioral2/memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp	upx
behavioral2/memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp	upx
behavioral2/memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp	upx
behavioral2/memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	upx
behavioral2/memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	upx
behavioral2/memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	upx
behavioral2/memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp	upx
behavioral2/memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp	upx
behavioral2/memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp	upx
behavioral2/memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp	upx
behavioral2/memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp	upx
behavioral2/memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp	upx
behavioral2/memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp	upx
behavioral2/memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp	upx
behavioral2/memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp	upx
behavioral2/memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp	upx
behavioral2/memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp	upx
behavioral2/memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp	upx
behavioral2/memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp	upx
behavioral2/memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp	upx
behavioral2/memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp	upx
behavioral2/memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp	upx
behavioral2/memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\slGfwgI.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dmMhXqw.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dAaBUkt.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\geUDvvt.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfytqnK.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ygObmpj.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcWndlU.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mxbbdCp.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqniZcK.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dNknnRT.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpxAizt.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AiKRwIF.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KclfuBB.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLzeqTJ.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FhgEtsM.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yMGPJYS.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgUvNft.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdUqWIw.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nLdPVdM.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sEbxpxY.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piXvaGT.exe	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1860 wrote to memory of 5028	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	nLdPVdM.exe
PID 1860 wrote to memory of 5028	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	nLdPVdM.exe
PID 1860 wrote to memory of 800	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	oqniZcK.exe
PID 1860 wrote to memory of 800	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	oqniZcK.exe
PID 1860 wrote to memory of 3260	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	GLzeqTJ.exe
PID 1860 wrote to memory of 3260	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	GLzeqTJ.exe
PID 1860 wrote to memory of 1836	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	sEbxpxY.exe
PID 1860 wrote to memory of 1836	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	sEbxpxY.exe
PID 1860 wrote to memory of 1428	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	piXvaGT.exe
PID 1860 wrote to memory of 1428	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	piXvaGT.exe
PID 1860 wrote to memory of 1756	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	slGfwgI.exe
PID 1860 wrote to memory of 1756	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	slGfwgI.exe
PID 1860 wrote to memory of 4624	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	jgUvNft.exe
PID 1860 wrote to memory of 4624	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	jgUvNft.exe
PID 1860 wrote to memory of 3188	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dNknnRT.exe
PID 1860 wrote to memory of 3188	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dNknnRT.exe
PID 1860 wrote to memory of 676	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	FhgEtsM.exe
PID 1860 wrote to memory of 676	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	FhgEtsM.exe
PID 1860 wrote to memory of 2448	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	rpxAizt.exe
PID 1860 wrote to memory of 2448	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	rpxAizt.exe
PID 1860 wrote to memory of 2184	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dmMhXqw.exe
PID 1860 wrote to memory of 2184	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dmMhXqw.exe
PID 1860 wrote to memory of 3180	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	VdUqWIw.exe
PID 1860 wrote to memory of 3180	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	VdUqWIw.exe
PID 1860 wrote to memory of 3256	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	yMGPJYS.exe
PID 1860 wrote to memory of 3256	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	yMGPJYS.exe
PID 1860 wrote to memory of 1840	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	KclfuBB.exe
PID 1860 wrote to memory of 1840	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	KclfuBB.exe
PID 1860 wrote to memory of 4968	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	geUDvvt.exe
PID 1860 wrote to memory of 4968	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	geUDvvt.exe
PID 1860 wrote to memory of 3948	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dAaBUkt.exe
PID 1860 wrote to memory of 3948	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	dAaBUkt.exe
PID 1860 wrote to memory of 2528	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XfytqnK.exe
PID 1860 wrote to memory of 2528	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	XfytqnK.exe
PID 1860 wrote to memory of 2396	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ygObmpj.exe
PID 1860 wrote to memory of 2396	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	ygObmpj.exe
PID 1860 wrote to memory of 3316	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	kcWndlU.exe
PID 1860 wrote to memory of 3316	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	kcWndlU.exe
PID 1860 wrote to memory of 368	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	mxbbdCp.exe
PID 1860 wrote to memory of 368	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	mxbbdCp.exe
PID 1860 wrote to memory of 1384	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	AiKRwIF.exe
PID 1860 wrote to memory of 1384	1860	2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe	AiKRwIF.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_71e1fcf3adcc69196f313cb6f933d791_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\System\nLdPVdM.exe
C:\Windows\System\nLdPVdM.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System\oqniZcK.exe
C:\Windows\System\oqniZcK.exe
2⤵
- Executes dropped EXE
PID:800

C:\Windows\System\GLzeqTJ.exe
C:\Windows\System\GLzeqTJ.exe
2⤵
- Executes dropped EXE
PID:3260

C:\Windows\System\sEbxpxY.exe
C:\Windows\System\sEbxpxY.exe
2⤵
- Executes dropped EXE
PID:1836

C:\Windows\System\piXvaGT.exe
C:\Windows\System\piXvaGT.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\slGfwgI.exe
C:\Windows\System\slGfwgI.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\jgUvNft.exe
C:\Windows\System\jgUvNft.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\dNknnRT.exe
C:\Windows\System\dNknnRT.exe
2⤵
- Executes dropped EXE
PID:3188

C:\Windows\System\FhgEtsM.exe
C:\Windows\System\FhgEtsM.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\rpxAizt.exe
C:\Windows\System\rpxAizt.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\dmMhXqw.exe
C:\Windows\System\dmMhXqw.exe
2⤵
- Executes dropped EXE
PID:2184

C:\Windows\System\VdUqWIw.exe
C:\Windows\System\VdUqWIw.exe
2⤵
- Executes dropped EXE
PID:3180

C:\Windows\System\yMGPJYS.exe
C:\Windows\System\yMGPJYS.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System\KclfuBB.exe
C:\Windows\System\KclfuBB.exe
2⤵
- Executes dropped EXE
PID:1840

C:\Windows\System\geUDvvt.exe
C:\Windows\System\geUDvvt.exe
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\System\dAaBUkt.exe
C:\Windows\System\dAaBUkt.exe
2⤵
- Executes dropped EXE
PID:3948

C:\Windows\System\XfytqnK.exe
C:\Windows\System\XfytqnK.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\ygObmpj.exe
C:\Windows\System\ygObmpj.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System\kcWndlU.exe
C:\Windows\System\kcWndlU.exe
2⤵
- Executes dropped EXE
PID:3316

C:\Windows\System\mxbbdCp.exe
C:\Windows\System\mxbbdCp.exe
2⤵
- Executes dropped EXE
PID:368

C:\Windows\System\AiKRwIF.exe
C:\Windows\System\AiKRwIF.exe
2⤵
- Executes dropped EXE
PID:1384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AiKRwIF.exe
Filesize
5.9MB

MD5
62fd12c617da0b288ae84747d91b261e

SHA1
5f3089affd2bc335774a5f3093cf167e8a8d20a9

SHA256
b13863431a74a46cc7b2ed9e72144b83e264df0d0646461ca2606ac2496c02fe

SHA512
38e2d70f465d22253e46f151b43381ecbc9ad67d785767e8d40859210719f751ea42da7974cb41dbd2aaaafddf625601c2733e89cddf4bec1e2d7ad8b4269fac

Download Submit
C:\Windows\System\FhgEtsM.exe
Filesize
5.9MB

MD5
73057017cf80feb76485c167d48acc0b

SHA1
f5e0c4f9b61c915f1fc535f6c6eb24266e826fbb

SHA256
0f17cfb66431cca0ff26af0fd9344cd311c9fc52855ee75d8fbed69782de78b4

SHA512
8afb5e55bb05312c24cffd78b6bdb43cb61df1bd103e549453a1c900da136b392271235d712270e505ebee6fa5db53a004d516dc609f71e35a81136c39388fef

Download Submit
C:\Windows\System\GLzeqTJ.exe
Filesize
5.9MB

MD5
cb6b8fb56c68cada5b1bd88e9268314e

SHA1
76d232403db163c936b50845632a727e0fd0d74e

SHA256
423184b7d9e40cc236407109a797a85505eb811a1c893da8b9b562d753ec857f

SHA512
31a690879720beedc5427aea8952019966e865f011458bb1688efbfa28e9c86fb19850c029d5418581c8cd085e73bfbf10e31dd7a4fd5edf43fb2845dc7aa111

Download Submit
C:\Windows\System\KclfuBB.exe
Filesize
5.9MB

MD5
6a38a1acc96f5111e4cd8c30f219a456

SHA1
10ceeee8ebe900715d0250a70abe4429cc242e06

SHA256
2f79984771d6a71a39e836553b11828ac1cdaf3917fc4beadbb536b2c6a66112

SHA512
10826103778e4662d5bfdd05814b36c442c0708f490a62a33ac7c1cb69511e987d23f31fab94f9fd1023b2910b848dc942b4954a3a7f9dfa263c2c780d514988

Download Submit
C:\Windows\System\VdUqWIw.exe
Filesize
5.9MB

MD5
c940ed003cb92f0f1c8b8331e26d7842

SHA1
37cbf66609a226391a9824d519a25056410739c2

SHA256
1e73f08b911e63c3182c8d501da07c0fe10127a97361a78af30d9b205f7a30bc

SHA512
f216d257791612f719e533f2716287ef76ff518221d636b25d6e89ec9949f2c1c863639a3850b91e199cfa8b0e96615a52f0db20a9d8ad83a335edbf787c84d8

Download Submit
C:\Windows\System\XfytqnK.exe
Filesize
5.9MB

MD5
95580cc6f3c35456180376e9eb0747d2

SHA1
8c4f942bc57a04b2b6b24aafd05ba2d5cc56ad6b

SHA256
09dba446902aba7acb2a1394534c3edfe8e829f6797f494620735066a0a0554a

SHA512
106cc4fac01bcc1bcab64864c13407b3ad4371b80faecb4dab15797020b8187ddaf0f90190d6f958a8043c526922aabeec5efe6fcd246a0765bec488cde39d72

Download Submit
C:\Windows\System\dAaBUkt.exe
Filesize
5.9MB

MD5
7b1e2f9afb38ea01a0a381fb860a04c8

SHA1
0cc81b7228c632d5b2b1a822da413f8e81ba1430

SHA256
7ad404e177d1192076e057cce56c7a27d0e94d80bd58cddfe8f0420ce402a928

SHA512
89fb146eff811cd7ccaed7b58ee8ae6751110b648f7fb4cff04bd154521277c76f17c8325fd4bf5c0a75486abc6ac5ccdcdac7b25bf3967221242ec28241ddde

Download Submit
C:\Windows\System\dNknnRT.exe
Filesize
5.9MB

MD5
f166c61dd6aaa6d18c8a2121ed691221

SHA1
6118d1d0354d38cc2ea8e58f0e07fb0303794ecf

SHA256
646048e26a4eefb272e959199df7e26bace4b5768d72c33f4517ed5bf883392e

SHA512
1b13f8c3c056b53704fa8568d9744b6ea8b66a32d01d5185035d0f3bc1b7a6ee4123abf44fa55d5196d14d13116d817849c558b17e9079e6e74f427232ae2243

Download Submit
C:\Windows\System\dmMhXqw.exe
Filesize
5.9MB

MD5
4f28a93703f408671dfb2601efe03f74

SHA1
e1f446aeb536c657258cce58d0c12fdedcc66260

SHA256
d377700b011fef58eb6c94c465f1b6902d43ff058891290bb37784fc0a261fb1

SHA512
5954220419b652b623ea7811d3dc69c3d2e89f8fdec4ec938a7fd29707014a6ef90b2f592b936ed96730e459008716397350029ff99b47dd0f29dbda664cf867

Download Submit
C:\Windows\System\geUDvvt.exe
Filesize
5.9MB

MD5
69e9c97de85b7a13a9019192f130dbf4

SHA1
64331d2386cf7574db825f7de16922b9f2ed2f4b

SHA256
bdf538b88aba6350af22945d348be0a26476cbb78ceebd62d94abda9e5ae5952

SHA512
852767feade48f612984e178f2bc9e3768f6c3ceddf569af3511e0d9200267b68f53e7424a1d91b53f91b10d1b71857a22fecd4e6400e2845f445d93b19cd983

Download Submit
C:\Windows\System\jgUvNft.exe
Filesize
5.9MB

MD5
46b8423ba9deb5d303aa2f2281a5a868

SHA1
29178bf20b9e985cc1893bf03f0c491bf227833f

SHA256
1a928e0584c009e49989d9bb564765ff2e69d7a5ef59b06e3a70c2638be74580

SHA512
2bbdf8352b05a246163b8eb1f3173f38e4f1e582afc5ef2d0138127e1f67a7469dc103db556c71d09564f640024786e035ea76d9f9de6e0c26d8fac2952c2388

Download Submit
C:\Windows\System\kcWndlU.exe
Filesize
5.9MB

MD5
65cdd9efe8b11126820fc6807929499e

SHA1
3e57f0befe18ce16fe35675eb5a2c20dbe4dee53

SHA256
8182ba4b6384dcd0f315ff086fdeaa6cb2ada571292aa5699d0e7bb238457c96

SHA512
df0b2c37352d2891beaa055618aaf409250caf16e1a8aa408cab30af0b6ce39612e24015aa158e707f83cb7f3f385f1f9bb52a264bc03a4ef18269afce682f08

Download Submit
C:\Windows\System\mxbbdCp.exe
Filesize
5.9MB

MD5
1b07e64b5103630a8f3baff84d521249

SHA1
2efc48c86941e718d91524d9f74a3333c26f67f3

SHA256
ba15cb26ec0df153eeb48a5d7fb5409778233de221ce292af91de363d9783655

SHA512
18ce792a1b39f4465918257c5af911e5cc49e23a4cbe2e961e4b6f50ab7d3d6104ca173ae890b45307778fd79865ceb76ef58c195ebb4a086f165f34adaac2be

Download Submit
C:\Windows\System\nLdPVdM.exe
Filesize
5.9MB

MD5
bea22b7c4cf20239a69e2bf663ef72ba

SHA1
f5afa0737144f5a32210ad065435e5b58d27f66b

SHA256
5a9727a0d743b61b98eccb24252d472071ff3134b9d66989caf96f180dc78c4f

SHA512
8c94da93aec2fea9fed1c4c805f0ba996663f119e1bdde82a70d45d73818100d5530489cd4abebfa92a8e225468b86a270ad1e937c20b81a652d3919360a7076

Download Submit
C:\Windows\System\oqniZcK.exe
Filesize
5.9MB

MD5
9df48cb8d51dda757687ecc0e02b5541

SHA1
84e1193f737c747a0043297a97abbd09416e293e

SHA256
b8ca2a532ef8ccfb76f61d8bfdeebd7e2b6d9636f6932cb71a40992beeb0ae3d

SHA512
006af90d00d1f20e5bf971ce370112e68e2614d671799ea7aa4b841dcf40e859b19aea7e0008183aeb1ba408f78ac32b2d44b69b13454d13d7bd981ede95da9f

Download Submit
C:\Windows\System\piXvaGT.exe
Filesize
5.9MB

MD5
e8ee17dd9e4b236660b4e90704046e2c

SHA1
b1c2a6347a6ae513861a6959e9351844074dc372

SHA256
648c03fbb1b2ac3c6c8a143766241f341dd09ac3f505310ae17a026883ed16d1

SHA512
50fbe101c1d3e69939173c55eee183840dbf881611a2d6b9ed764a3de5fd0726becedf0f79b573d3f8854590fde318f1dea06dada2498fabd5c052d9cc521afa

Download Submit
C:\Windows\System\rpxAizt.exe
Filesize
5.9MB

MD5
e3e0058ce29cfb8dc01fd02daaa41ba3

SHA1
963a2796ee834562c7c600213b769ace508dfa6a

SHA256
68b6a3744d1ad3801267aca6fe7d761b76ff95b718faa059db820221d90c8304

SHA512
05937ced40aa715bffb33d6b35962bcc3b0fb5780006fc581e82a5878ba23f585e9ee1d2d35132ddc8eddd30557e97a704045c3e0e6ee064c3d5c08c7ad0b90f

Download Submit
C:\Windows\System\sEbxpxY.exe
Filesize
5.9MB

MD5
5ff91b6e457c738766b75c737b94008f

SHA1
5b00a3051492d6f050cdf40e7c5efd8eca6a512c

SHA256
ac7a7252eb3fae9c4b2bf58572ee8ed409b989c9683a07563ac6ee12aa2728c2

SHA512
534f24df7b02475b6481c67a3affb4c7eec30e5953c5890a6ad397a822ac602d937789df9f41fb3cddf032e93c54ba0c53d5df41462d443d22007dcf602ba0be

Download Submit
C:\Windows\System\slGfwgI.exe
Filesize
5.9MB

MD5
d2594f38215751c3bf4fc52a6d6d060b

SHA1
ec573ff4255229d2f06617a521c54b2c1bbbf4c3

SHA256
e49d0cf90f71bd3beb7dfaf722623355ee7ca573d38b91aff66f965f837cd0db

SHA512
cae2ab542664676ffa2f02043efa6902bdabc46f334d6bb546b656f8b2e43a362d68fb89ef1801df5fa2e092f99d6abf0941fe5f042f674c217156bb4b7f7ab6

Download Submit
C:\Windows\System\yMGPJYS.exe
Filesize
5.9MB

MD5
91a2e3e94e7a61dcce50f299f3111cb4

SHA1
d9bae4e673f31943802c14b41d273841b76a5f29

SHA256
5a7cd367433e7ebd74269b7d6b3a0747c4ee2db0445c98fb27892d835b8cf229

SHA512
768a20d16915f50b8c859ec88021d98e4e336535d73c0fe3a976d5220a451372c5d5584392ec5dec0f33705bbeadda08d0852bd66c9c636833ed2208491aee28

Download Submit
C:\Windows\System\ygObmpj.exe
Filesize
5.9MB

MD5
7188d820cdb47a8ae0b636e21b480d47

SHA1
99da54392aa102e9b5c3fb23bf0d6ff8f05a8d87

SHA256
0928c5410ef5ae638bbdeca844e96dcc9e88c7972ef91dba6bea955f996712a9

SHA512
d1c844cc727df612465c5758935ad8e639c7d3245610867d12655102f18e76613838ced728a5ed9acbd3c161e49dc82990277d99e98f81e76562c64cddbdb8a3

Download Submit
memory/368-151-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp

Filesize
3.3MB

Download
memory/368-126-0x00007FF68C360000-0x00007FF68C6B4000-memory.dmp

Filesize
3.3MB

Download
memory/676-140-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

Filesize
3.3MB

Download
memory/676-115-0x00007FF7DCDD0000-0x00007FF7DD124000-memory.dmp

Filesize
3.3MB

Download
memory/800-14-0x00007FF623B20000-0x00007FF623E74000-memory.dmp

Filesize
3.3MB

Download
memory/800-133-0x00007FF623B20000-0x00007FF623E74000-memory.dmp

Filesize
3.3MB

Download
memory/1384-152-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-127-0x00007FF6079A0000-0x00007FF607CF4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-34-0x00007FF644690000-0x00007FF6449E4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-136-0x00007FF644690000-0x00007FF6449E4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-40-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

Filesize
3.3MB

Download
memory/1756-137-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

Filesize
3.3MB

Download
memory/1756-130-0x00007FF646AF0000-0x00007FF646E44000-memory.dmp

Filesize
3.3MB

Download
memory/1836-135-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp

Filesize
3.3MB

Download
memory/1836-27-0x00007FF6AE4F0000-0x00007FF6AE844000-memory.dmp

Filesize
3.3MB

Download
memory/1840-145-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp

Filesize
3.3MB

Download
memory/1840-120-0x00007FF7809D0000-0x00007FF780D24000-memory.dmp

Filesize
3.3MB

Download
memory/1860-0-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp

Filesize
3.3MB

Download
memory/1860-1-0x0000016BEE4E0000-0x0000016BEE4F0000-memory.dmp

Filesize
64KB

Download
memory/1860-128-0x00007FF6DDF70000-0x00007FF6DE2C4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-117-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp

Filesize
3.3MB

Download
memory/2184-142-0x00007FF6E55C0000-0x00007FF6E5914000-memory.dmp

Filesize
3.3MB

Download
memory/2396-124-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2396-150-0x00007FF74D890000-0x00007FF74DBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-141-0x00007FF778250000-0x00007FF7785A4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-116-0x00007FF778250000-0x00007FF7785A4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-148-0x00007FF788B30000-0x00007FF788E84000-memory.dmp

Filesize
3.3MB

Download
memory/2528-123-0x00007FF788B30000-0x00007FF788E84000-memory.dmp

Filesize
3.3MB

Download
memory/3180-118-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-143-0x00007FF75C660000-0x00007FF75C9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3188-139-0x00007FF7901C0000-0x00007FF790514000-memory.dmp

Filesize
3.3MB

Download
memory/3188-114-0x00007FF7901C0000-0x00007FF790514000-memory.dmp

Filesize
3.3MB

Download
memory/3256-119-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp

Filesize
3.3MB

Download
memory/3256-144-0x00007FF7F68B0000-0x00007FF7F6C04000-memory.dmp

Filesize
3.3MB

Download
memory/3260-134-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp

Filesize
3.3MB

Download
memory/3260-20-0x00007FF7BE140000-0x00007FF7BE494000-memory.dmp

Filesize
3.3MB

Download
memory/3316-125-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp

Filesize
3.3MB

Download
memory/3316-149-0x00007FF659E60000-0x00007FF65A1B4000-memory.dmp

Filesize
3.3MB

Download
memory/3948-122-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp

Filesize
3.3MB

Download
memory/3948-146-0x00007FF60A3E0000-0x00007FF60A734000-memory.dmp

Filesize
3.3MB

Download
memory/4624-42-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-138-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-131-0x00007FF7B5890000-0x00007FF7B5BE4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-121-0x00007FF7530F0000-0x00007FF753444000-memory.dmp

Filesize
3.3MB

Download
memory/4968-147-0x00007FF7530F0000-0x00007FF753444000-memory.dmp

Filesize
3.3MB

Download
memory/5028-129-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

Filesize
3.3MB

Download
memory/5028-7-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

Filesize
3.3MB

Download
memory/5028-132-0x00007FF7A0FB0000-0x00007FF7A1304000-memory.dmp

Filesize
3.3MB

Download