cobaltstrike | 33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

80e1fa2ee4c973f58400ab974187c75a
SHA1

4facca4418b25e222791385aff211867a4ca7f17
SHA256

33f46ef55469f3ec834da05b32b19fbd2d6dde0cee007399470beae879ea3801
SHA512

8c5abce98017ea65896b900e48ac7579ad021ba3f4560a49b5e0b6667ccc3b6389ce533aaf39fee4a86d4d2ea8247d984ec9f4c1a2cd57706c1f3f7fdccc7103
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUP:Q+856utgpPF8u/7P

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\LiYLJmT.exe	cobalt_reflective_dll
C:\Windows\System\ZgyvXZV.exe	cobalt_reflective_dll
C:\Windows\System\ntpelzu.exe	cobalt_reflective_dll
C:\Windows\System\vjHhIUw.exe	cobalt_reflective_dll
C:\Windows\System\KFFbnBa.exe	cobalt_reflective_dll
C:\Windows\System\GBhLKUf.exe	cobalt_reflective_dll
C:\Windows\System\RVXkMXJ.exe	cobalt_reflective_dll
C:\Windows\System\AjwakiQ.exe	cobalt_reflective_dll
C:\Windows\System\jlrCadd.exe	cobalt_reflective_dll
C:\Windows\System\ZOarXqV.exe	cobalt_reflective_dll
C:\Windows\System\mygkGPX.exe	cobalt_reflective_dll
C:\Windows\System\ADolDPm.exe	cobalt_reflective_dll
C:\Windows\System\HAHxnPc.exe	cobalt_reflective_dll
C:\Windows\System\EJancyI.exe	cobalt_reflective_dll
C:\Windows\System\dhvpRfu.exe	cobalt_reflective_dll
C:\Windows\System\MhAMemt.exe	cobalt_reflective_dll
C:\Windows\System\DyMvSyK.exe	cobalt_reflective_dll
C:\Windows\System\VJTtWjq.exe	cobalt_reflective_dll
C:\Windows\System\uifkavW.exe	cobalt_reflective_dll
C:\Windows\System\BTWzRya.exe	cobalt_reflective_dll
C:\Windows\System\LDMbNjD.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\LiYLJmT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZgyvXZV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ntpelzu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vjHhIUw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KFFbnBa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GBhLKUf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RVXkMXJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AjwakiQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jlrCadd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZOarXqV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mygkGPX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ADolDPm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HAHxnPc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EJancyI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dhvpRfu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MhAMemt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DyMvSyK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VJTtWjq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uifkavW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BTWzRya.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LDMbNjD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1020-0-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	UPX
C:\Windows\System\LiYLJmT.exe	UPX
behavioral2/memory/1112-8-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	UPX
C:\Windows\System\ZgyvXZV.exe	UPX
C:\Windows\System\ntpelzu.exe	UPX
C:\Windows\System\vjHhIUw.exe	UPX
C:\Windows\System\KFFbnBa.exe	UPX
C:\Windows\System\GBhLKUf.exe	UPX
behavioral2/memory/676-56-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	UPX
C:\Windows\System\RVXkMXJ.exe	UPX
C:\Windows\System\AjwakiQ.exe	UPX
C:\Windows\System\jlrCadd.exe	UPX
C:\Windows\System\ZOarXqV.exe	UPX
behavioral2/memory/1776-84-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	UPX
behavioral2/memory/2888-81-0x00007FF63B870000-0x00007FF63BBC4000-memory.dmp	UPX
behavioral2/memory/1548-75-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	UPX
behavioral2/memory/2524-71-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	UPX
C:\Windows\System\mygkGPX.exe	UPX
behavioral2/memory/3952-63-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	UPX
C:\Windows\System\ADolDPm.exe	UPX
C:\Windows\System\HAHxnPc.exe	UPX
behavioral2/memory/4736-47-0x00007FF645630000-0x00007FF645984000-memory.dmp	UPX
behavioral2/memory/1912-45-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	UPX
behavioral2/memory/3904-38-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	UPX
behavioral2/memory/4308-34-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	UPX
behavioral2/memory/4632-32-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	UPX
behavioral2/memory/4128-26-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	UPX
C:\Windows\System\EJancyI.exe	UPX
behavioral2/memory/2960-21-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	UPX
C:\Windows\System\dhvpRfu.exe	UPX
behavioral2/memory/1088-92-0x00007FF607F90000-0x00007FF6082E4000-memory.dmp	UPX
C:\Windows\System\MhAMemt.exe	UPX
behavioral2/memory/1020-96-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	UPX
C:\Windows\System\DyMvSyK.exe	UPX
behavioral2/memory/4632-111-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	UPX
behavioral2/memory/2960-110-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	UPX
behavioral2/memory/1112-108-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	UPX
behavioral2/memory/2400-105-0x00007FF773F30000-0x00007FF774284000-memory.dmp	UPX
C:\Windows\System\VJTtWjq.exe	UPX
behavioral2/memory/3380-120-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	UPX
C:\Windows\System\uifkavW.exe	UPX
behavioral2/memory/4128-130-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	UPX
behavioral2/memory/4400-126-0x00007FF656230000-0x00007FF656584000-memory.dmp	UPX
C:\Windows\System\BTWzRya.exe	UPX
C:\Windows\System\LDMbNjD.exe	UPX
behavioral2/memory/3108-116-0x00007FF758520000-0x00007FF758874000-memory.dmp	UPX
behavioral2/memory/872-131-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	UPX
behavioral2/memory/3200-132-0x00007FF6CED60000-0x00007FF6CF0B4000-memory.dmp	UPX
behavioral2/memory/1912-134-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	UPX
behavioral2/memory/3904-133-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	UPX
behavioral2/memory/4736-135-0x00007FF645630000-0x00007FF645984000-memory.dmp	UPX
behavioral2/memory/676-136-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	UPX
behavioral2/memory/3952-137-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	UPX
behavioral2/memory/2524-138-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	UPX
behavioral2/memory/1548-139-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	UPX
behavioral2/memory/1776-140-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	UPX
behavioral2/memory/3380-141-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	UPX
behavioral2/memory/4400-142-0x00007FF656230000-0x00007FF656584000-memory.dmp	UPX
behavioral2/memory/1112-143-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	UPX
behavioral2/memory/2960-144-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	UPX
behavioral2/memory/4308-145-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	UPX
behavioral2/memory/4128-146-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	UPX
behavioral2/memory/4632-147-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	UPX
behavioral2/memory/4736-148-0x00007FF645630000-0x00007FF645984000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1020-0-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	xmrig
C:\Windows\System\LiYLJmT.exe	xmrig
behavioral2/memory/1112-8-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	xmrig
C:\Windows\System\ZgyvXZV.exe	xmrig
C:\Windows\System\ntpelzu.exe	xmrig
C:\Windows\System\vjHhIUw.exe	xmrig
C:\Windows\System\KFFbnBa.exe	xmrig
C:\Windows\System\GBhLKUf.exe	xmrig
behavioral2/memory/676-56-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	xmrig
C:\Windows\System\RVXkMXJ.exe	xmrig
C:\Windows\System\AjwakiQ.exe	xmrig
C:\Windows\System\jlrCadd.exe	xmrig
C:\Windows\System\ZOarXqV.exe	xmrig
behavioral2/memory/1776-84-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	xmrig
behavioral2/memory/2888-81-0x00007FF63B870000-0x00007FF63BBC4000-memory.dmp	xmrig
behavioral2/memory/1548-75-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	xmrig
behavioral2/memory/2524-71-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	xmrig
C:\Windows\System\mygkGPX.exe	xmrig
behavioral2/memory/3952-63-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	xmrig
C:\Windows\System\ADolDPm.exe	xmrig
C:\Windows\System\HAHxnPc.exe	xmrig
behavioral2/memory/4736-47-0x00007FF645630000-0x00007FF645984000-memory.dmp	xmrig
behavioral2/memory/1912-45-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	xmrig
behavioral2/memory/3904-38-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	xmrig
behavioral2/memory/4308-34-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	xmrig
behavioral2/memory/4632-32-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	xmrig
behavioral2/memory/4128-26-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	xmrig
C:\Windows\System\EJancyI.exe	xmrig
behavioral2/memory/2960-21-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	xmrig
C:\Windows\System\dhvpRfu.exe	xmrig
behavioral2/memory/1088-92-0x00007FF607F90000-0x00007FF6082E4000-memory.dmp	xmrig
C:\Windows\System\MhAMemt.exe	xmrig
behavioral2/memory/1020-96-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	xmrig
C:\Windows\System\DyMvSyK.exe	xmrig
behavioral2/memory/4632-111-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	xmrig
behavioral2/memory/2960-110-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	xmrig
behavioral2/memory/1112-108-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	xmrig
behavioral2/memory/2400-105-0x00007FF773F30000-0x00007FF774284000-memory.dmp	xmrig
C:\Windows\System\VJTtWjq.exe	xmrig
behavioral2/memory/3380-120-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	xmrig
C:\Windows\System\uifkavW.exe	xmrig
behavioral2/memory/4128-130-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	xmrig
behavioral2/memory/4400-126-0x00007FF656230000-0x00007FF656584000-memory.dmp	xmrig
C:\Windows\System\BTWzRya.exe	xmrig
C:\Windows\System\LDMbNjD.exe	xmrig
behavioral2/memory/3108-116-0x00007FF758520000-0x00007FF758874000-memory.dmp	xmrig
behavioral2/memory/872-131-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	xmrig
behavioral2/memory/3200-132-0x00007FF6CED60000-0x00007FF6CF0B4000-memory.dmp	xmrig
behavioral2/memory/1912-134-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	xmrig
behavioral2/memory/3904-133-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	xmrig
behavioral2/memory/4736-135-0x00007FF645630000-0x00007FF645984000-memory.dmp	xmrig
behavioral2/memory/676-136-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	xmrig
behavioral2/memory/3952-137-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	xmrig
behavioral2/memory/2524-138-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	xmrig
behavioral2/memory/1548-139-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	xmrig
behavioral2/memory/1776-140-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	xmrig
behavioral2/memory/3380-141-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	xmrig
behavioral2/memory/4400-142-0x00007FF656230000-0x00007FF656584000-memory.dmp	xmrig
behavioral2/memory/1112-143-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	xmrig
behavioral2/memory/2960-144-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	xmrig
behavioral2/memory/4308-145-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	xmrig
behavioral2/memory/4128-146-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	xmrig
behavioral2/memory/4632-147-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	xmrig
behavioral2/memory/4736-148-0x00007FF645630000-0x00007FF645984000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

LiYLJmT.exeZgyvXZV.exeEJancyI.exentpelzu.exevjHhIUw.exeKFFbnBa.exeHAHxnPc.exeGBhLKUf.exemygkGPX.exeADolDPm.exeAjwakiQ.exeRVXkMXJ.exejlrCadd.exeZOarXqV.exedhvpRfu.exeMhAMemt.exeVJTtWjq.exeDyMvSyK.exeLDMbNjD.exeBTWzRya.exeuifkavW.exe

pid	process
1112	LiYLJmT.exe
2960	ZgyvXZV.exe
4308	EJancyI.exe
4128	ntpelzu.exe
4632	vjHhIUw.exe
3904	KFFbnBa.exe
1912	HAHxnPc.exe
4736	GBhLKUf.exe
3952	mygkGPX.exe
676	ADolDPm.exe
2524	AjwakiQ.exe
2888	RVXkMXJ.exe
1548	jlrCadd.exe
1776	ZOarXqV.exe
1088	dhvpRfu.exe
2400	MhAMemt.exe
3108	VJTtWjq.exe
872	DyMvSyK.exe
3380	LDMbNjD.exe
4400	BTWzRya.exe
3200	uifkavW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1020-0-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	upx
C:\Windows\System\LiYLJmT.exe	upx
behavioral2/memory/1112-8-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	upx
C:\Windows\System\ZgyvXZV.exe	upx
C:\Windows\System\ntpelzu.exe	upx
C:\Windows\System\vjHhIUw.exe	upx
C:\Windows\System\KFFbnBa.exe	upx
C:\Windows\System\GBhLKUf.exe	upx
behavioral2/memory/676-56-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	upx
C:\Windows\System\RVXkMXJ.exe	upx
C:\Windows\System\AjwakiQ.exe	upx
C:\Windows\System\jlrCadd.exe	upx
C:\Windows\System\ZOarXqV.exe	upx
behavioral2/memory/1776-84-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	upx
behavioral2/memory/2888-81-0x00007FF63B870000-0x00007FF63BBC4000-memory.dmp	upx
behavioral2/memory/1548-75-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	upx
behavioral2/memory/2524-71-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	upx
C:\Windows\System\mygkGPX.exe	upx
behavioral2/memory/3952-63-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	upx
C:\Windows\System\ADolDPm.exe	upx
C:\Windows\System\HAHxnPc.exe	upx
behavioral2/memory/4736-47-0x00007FF645630000-0x00007FF645984000-memory.dmp	upx
behavioral2/memory/1912-45-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	upx
behavioral2/memory/3904-38-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	upx
behavioral2/memory/4308-34-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	upx
behavioral2/memory/4632-32-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	upx
behavioral2/memory/4128-26-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	upx
C:\Windows\System\EJancyI.exe	upx
behavioral2/memory/2960-21-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	upx
C:\Windows\System\dhvpRfu.exe	upx
behavioral2/memory/1088-92-0x00007FF607F90000-0x00007FF6082E4000-memory.dmp	upx
C:\Windows\System\MhAMemt.exe	upx
behavioral2/memory/1020-96-0x00007FF730790000-0x00007FF730AE4000-memory.dmp	upx
C:\Windows\System\DyMvSyK.exe	upx
behavioral2/memory/4632-111-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	upx
behavioral2/memory/2960-110-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	upx
behavioral2/memory/1112-108-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	upx
behavioral2/memory/2400-105-0x00007FF773F30000-0x00007FF774284000-memory.dmp	upx
C:\Windows\System\VJTtWjq.exe	upx
behavioral2/memory/3380-120-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	upx
C:\Windows\System\uifkavW.exe	upx
behavioral2/memory/4128-130-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	upx
behavioral2/memory/4400-126-0x00007FF656230000-0x00007FF656584000-memory.dmp	upx
C:\Windows\System\BTWzRya.exe	upx
C:\Windows\System\LDMbNjD.exe	upx
behavioral2/memory/3108-116-0x00007FF758520000-0x00007FF758874000-memory.dmp	upx
behavioral2/memory/872-131-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp	upx
behavioral2/memory/3200-132-0x00007FF6CED60000-0x00007FF6CF0B4000-memory.dmp	upx
behavioral2/memory/1912-134-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp	upx
behavioral2/memory/3904-133-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp	upx
behavioral2/memory/4736-135-0x00007FF645630000-0x00007FF645984000-memory.dmp	upx
behavioral2/memory/676-136-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp	upx
behavioral2/memory/3952-137-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp	upx
behavioral2/memory/2524-138-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp	upx
behavioral2/memory/1548-139-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp	upx
behavioral2/memory/1776-140-0x00007FF788070000-0x00007FF7883C4000-memory.dmp	upx
behavioral2/memory/3380-141-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp	upx
behavioral2/memory/4400-142-0x00007FF656230000-0x00007FF656584000-memory.dmp	upx
behavioral2/memory/1112-143-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp	upx
behavioral2/memory/2960-144-0x00007FF697290000-0x00007FF6975E4000-memory.dmp	upx
behavioral2/memory/4308-145-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp	upx
behavioral2/memory/4128-146-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp	upx
behavioral2/memory/4632-147-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp	upx
behavioral2/memory/4736-148-0x00007FF645630000-0x00007FF645984000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\HAHxnPc.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADolDPm.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RVXkMXJ.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJTtWjq.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDMbNjD.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uifkavW.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MhAMemt.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dhvpRfu.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LiYLJmT.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZgyvXZV.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ntpelzu.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GBhLKUf.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jlrCadd.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZOarXqV.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BTWzRya.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EJancyI.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vjHhIUw.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFFbnBa.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mygkGPX.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjwakiQ.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DyMvSyK.exe	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1020 wrote to memory of 1112	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LiYLJmT.exe
PID 1020 wrote to memory of 1112	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LiYLJmT.exe
PID 1020 wrote to memory of 2960	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ZgyvXZV.exe
PID 1020 wrote to memory of 2960	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ZgyvXZV.exe
PID 1020 wrote to memory of 4308	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	EJancyI.exe
PID 1020 wrote to memory of 4308	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	EJancyI.exe
PID 1020 wrote to memory of 4128	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ntpelzu.exe
PID 1020 wrote to memory of 4128	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ntpelzu.exe
PID 1020 wrote to memory of 4632	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	vjHhIUw.exe
PID 1020 wrote to memory of 4632	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	vjHhIUw.exe
PID 1020 wrote to memory of 3904	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	KFFbnBa.exe
PID 1020 wrote to memory of 3904	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	KFFbnBa.exe
PID 1020 wrote to memory of 1912	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	HAHxnPc.exe
PID 1020 wrote to memory of 1912	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	HAHxnPc.exe
PID 1020 wrote to memory of 4736	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	GBhLKUf.exe
PID 1020 wrote to memory of 4736	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	GBhLKUf.exe
PID 1020 wrote to memory of 3952	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	mygkGPX.exe
PID 1020 wrote to memory of 3952	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	mygkGPX.exe
PID 1020 wrote to memory of 676	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ADolDPm.exe
PID 1020 wrote to memory of 676	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ADolDPm.exe
PID 1020 wrote to memory of 2888	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	RVXkMXJ.exe
PID 1020 wrote to memory of 2888	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	RVXkMXJ.exe
PID 1020 wrote to memory of 2524	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	AjwakiQ.exe
PID 1020 wrote to memory of 2524	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	AjwakiQ.exe
PID 1020 wrote to memory of 1548	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	jlrCadd.exe
PID 1020 wrote to memory of 1548	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	jlrCadd.exe
PID 1020 wrote to memory of 1776	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ZOarXqV.exe
PID 1020 wrote to memory of 1776	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	ZOarXqV.exe
PID 1020 wrote to memory of 1088	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	dhvpRfu.exe
PID 1020 wrote to memory of 1088	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	dhvpRfu.exe
PID 1020 wrote to memory of 2400	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	MhAMemt.exe
PID 1020 wrote to memory of 2400	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	MhAMemt.exe
PID 1020 wrote to memory of 3108	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	VJTtWjq.exe
PID 1020 wrote to memory of 3108	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	VJTtWjq.exe
PID 1020 wrote to memory of 872	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	DyMvSyK.exe
PID 1020 wrote to memory of 872	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	DyMvSyK.exe
PID 1020 wrote to memory of 3380	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LDMbNjD.exe
PID 1020 wrote to memory of 3380	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	LDMbNjD.exe
PID 1020 wrote to memory of 4400	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	BTWzRya.exe
PID 1020 wrote to memory of 4400	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	BTWzRya.exe
PID 1020 wrote to memory of 3200	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	uifkavW.exe
PID 1020 wrote to memory of 3200	1020	2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe	uifkavW.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_80e1fa2ee4c973f58400ab974187c75a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\System\LiYLJmT.exe
C:\Windows\System\LiYLJmT.exe
2⤵
- Executes dropped EXE
PID:1112

C:\Windows\System\ZgyvXZV.exe
C:\Windows\System\ZgyvXZV.exe
2⤵
- Executes dropped EXE
PID:2960

C:\Windows\System\EJancyI.exe
C:\Windows\System\EJancyI.exe
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\System\ntpelzu.exe
C:\Windows\System\ntpelzu.exe
2⤵
- Executes dropped EXE
PID:4128

C:\Windows\System\vjHhIUw.exe
C:\Windows\System\vjHhIUw.exe
2⤵
- Executes dropped EXE
PID:4632

C:\Windows\System\KFFbnBa.exe
C:\Windows\System\KFFbnBa.exe
2⤵
- Executes dropped EXE
PID:3904

C:\Windows\System\HAHxnPc.exe
C:\Windows\System\HAHxnPc.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\GBhLKUf.exe
C:\Windows\System\GBhLKUf.exe
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\System\mygkGPX.exe
C:\Windows\System\mygkGPX.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\System\ADolDPm.exe
C:\Windows\System\ADolDPm.exe
2⤵
- Executes dropped EXE
PID:676

C:\Windows\System\RVXkMXJ.exe
C:\Windows\System\RVXkMXJ.exe
2⤵
- Executes dropped EXE
PID:2888

C:\Windows\System\AjwakiQ.exe
C:\Windows\System\AjwakiQ.exe
2⤵
- Executes dropped EXE
PID:2524

C:\Windows\System\jlrCadd.exe
C:\Windows\System\jlrCadd.exe
2⤵
- Executes dropped EXE
PID:1548

C:\Windows\System\ZOarXqV.exe
C:\Windows\System\ZOarXqV.exe
2⤵
- Executes dropped EXE
PID:1776

C:\Windows\System\dhvpRfu.exe
C:\Windows\System\dhvpRfu.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Windows\System\MhAMemt.exe
C:\Windows\System\MhAMemt.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\VJTtWjq.exe
C:\Windows\System\VJTtWjq.exe
2⤵
- Executes dropped EXE
PID:3108

C:\Windows\System\DyMvSyK.exe
C:\Windows\System\DyMvSyK.exe
2⤵
- Executes dropped EXE
PID:872

C:\Windows\System\LDMbNjD.exe
C:\Windows\System\LDMbNjD.exe
2⤵
- Executes dropped EXE
PID:3380

C:\Windows\System\BTWzRya.exe
C:\Windows\System\BTWzRya.exe
2⤵
- Executes dropped EXE
PID:4400

C:\Windows\System\uifkavW.exe
C:\Windows\System\uifkavW.exe
2⤵
- Executes dropped EXE
PID:3200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADolDPm.exe
Filesize
5.9MB

MD5
dfda5ce4816579697f9fdc400885ba42

SHA1
bed088cdd8d27d5c3e0152b2b1e59e8f06476171

SHA256
a90b3eeb55c50bce6e4c081072b1ea945e097b29d79443b959ed812b0145e457

SHA512
8e4eff0ab8e7526d66f0555db5c270b945d5d4479b5455af4e0cdea6aec16e00acd7d0dff387de7d5f6bf630b1055fdf20dd31781cfb0511e3a0b9085733d3f6

Download Submit
C:\Windows\System\AjwakiQ.exe
Filesize
5.9MB

MD5
139b699a3836d2f3d2ff8bd142ecd5f1

SHA1
622c27205a0dd4d3ffc6a343a59bc9950fc94499

SHA256
cddcacda1272ea45a9366660cc1b23c1f0cb62c10fc71b8818f505445ad43f9a

SHA512
de8023a4f816ccb1e2ac36af2bdea81bb30d0c7c7bca8801a80b9d49154296ac1d9fdf7856db41aac0dacd85d616e97752f3203ead4f6ba4732eb0be89849aed

Download Submit
C:\Windows\System\BTWzRya.exe
Filesize
5.9MB

MD5
dc0c523549a9cf5e996b347d1836bbbc

SHA1
3f77f899a9e70669dd241a57804b9a2a82e4dd80

SHA256
cae4a084b7b76055575f76ed82f6a07472a0e4c4dc48eff0f5f0d652805eacaa

SHA512
a9f68a0aec9fb8c6f08c82d0c78b85877c105a3f2d383d40df403586d2a7bd26f7a4c841e6d0a06ae73cde03dfaf4584be0844b4cf9cd9351f1f7f98cbc03e3f

Download Submit
C:\Windows\System\DyMvSyK.exe
Filesize
5.9MB

MD5
56c2bf531890e37225ec14905e06a126

SHA1
123bf6a020e89b4e80a7d721965dea63122baad1

SHA256
e5ade23c3a19d35a6267bdc33ddff892fedcb15ac59601ef00377250703b39d9

SHA512
ec0f670a245c266d3231ffe7e9297853feb805803bb04c5c95216b6f3431d8cd5e8149d91b31e77b2e9ccdc1e86d797a5805829093fa9862382cdde181e074ed

Download Submit
C:\Windows\System\EJancyI.exe
Filesize
5.9MB

MD5
7456387162aad0d54b85b7d8adcd2504

SHA1
d0517a5d4338017d62b90d24f3176e4c35b661c0

SHA256
650add9a166712aa78cd3682869fd985836ed26be03c5c50eb8a5d633080421b

SHA512
40cbcc6a071661ce286cda519047dacd4c8566d6a4891b98d64198d7db6233abce51b9bf9695b4ffa4f00194c6152ab7e14e66f2c58cb105a4a65601a03b902f

Download Submit
C:\Windows\System\GBhLKUf.exe
Filesize
5.9MB

MD5
44eb8c878fb024d7d3d6583d431b3530

SHA1
46020e6ac278750f82d57d935bf831c0b8c2323c

SHA256
8bd889c10d6624da478f79a05157f80554725c3e5d0e09ab92077a738e3d1d55

SHA512
7265013ace4df201a623c506415dd42c883c1c5761bf924684906ce89a2400a2141f2c095b8719ef8a8ef37d61d2b1a0e1fed962b86f92ca4c8930c475c934f2

Download Submit
C:\Windows\System\HAHxnPc.exe
Filesize
5.9MB

MD5
56a6d718c8123858cd84d4903038acbe

SHA1
3c85bea6b8ed1c7b90ccb8ffe8dea44b8597276f

SHA256
163066cc135ccb023ba3e18463a8717584f0db6dd29570da0c337f2d9c9063c4

SHA512
a1413da147c87487beb8be375354236e37b3f6485117fe56090fa14828f8b5815fce1e7ef4341e87251559e4e52005084bbb676f8d66711ea84532f4dd752dd5

Download Submit
C:\Windows\System\KFFbnBa.exe
Filesize
5.9MB

MD5
017cf30e3308843d50c3b96be62e20b4

SHA1
4d94be446b7625f1d64659b32244827c1dc61b04

SHA256
04452d8865ec0acc8fd0d71d84deb57ef621547479b16c84c89c582d0e9695bb

SHA512
14e3ecae9c9aeba7ef637f8c5b30b1a3099b72c3be24a6dffdebc91dfd132ff2658fa2a620af64231610759798f141cebdbd3d6869bb184a445141d3732598bd

Download Submit
C:\Windows\System\LDMbNjD.exe
Filesize
5.9MB

MD5
c28b76fb7ecf9707f8d6b5d82f4d486f

SHA1
230f8270fec256db7ff206e77757b741ccefd4ae

SHA256
0c942867db0b842b8aca90d9a1e248d324e4fad8cef3e1d51b7321da3d3025aa

SHA512
642c144c7f893188240d2855dc1d683d6b86907cac78b1fcb81f4f5d00c019e5bb9dcc704eaf05448f4bcca01dc09a2697a736a2d57706a95023bd086a83797c

Download Submit
C:\Windows\System\LiYLJmT.exe
Filesize
5.9MB

MD5
fa46400c9ba8f74c46b099da19932d57

SHA1
b103657ac1f54bbd49c957739501a957d048fef1

SHA256
5e69362cd8f0b62603e1c7e571bfad38e2d3fff1e179ccb5368fc8d2b7729ebd

SHA512
70f5cea05dd9b111c0910cde64a5a0e4b0ded96504b1be9e4b49fc864b92aaeb5742573bfb4ddefbe8ba41542b52e6d8666a69a1a9083357fe42271d32863fb2

Download Submit
C:\Windows\System\MhAMemt.exe
Filesize
5.9MB

MD5
fb7c3bbeee6288697e8fecb68a1d7b08

SHA1
4bf7ecabb26465824a5d97f684b4c8df562a3e96

SHA256
e771e767386d67443b189b6bfde73582079d318362ca781b20acefb3182cb21a

SHA512
f5e268570a11ad21703d72f83d000a1c9d9a9dbdaa8a7d566b12147590a6ac7f2ddaa7915caa3a026c5e62611d887c5dfa059eeef167d2e884f7f46b5911b01d

Download Submit
C:\Windows\System\RVXkMXJ.exe
Filesize
5.9MB

MD5
9e8fc1bcb90993383822a4b095b34d70

SHA1
7ef79e18f53878939b1135dba07fe075137a3f80

SHA256
573349de0a25b17aa1faa6dd76f083719a3d17509e3596c77f1e6bf1ad8a0842

SHA512
374e2248e61431a7139279cfbb0835c712de60b5ce727a2d1ef4acfe9316847d8835a3bc277516a7f1d47d0baab05b824494c018968758d3cf6dc20387905bca

Download Submit
C:\Windows\System\VJTtWjq.exe
Filesize
5.9MB

MD5
d25f92153815fc608055826487ae3b65

SHA1
c266a6b552c2f5aead42ab6e753e4468f07ca8c0

SHA256
352be4bd5ceb276a3f26c61057ee71f39119412c87c77040b4e4a4a3a110e8b7

SHA512
0c85738a3d29de38ab02a6a00370d07da697d76973c71f2414bb7ce6737bf22a49c85ce0555f809c06b8b0ae4df87b3a9ad3a03d1ed3265e297d4155d8a89a73

Download Submit
C:\Windows\System\ZOarXqV.exe
Filesize
5.9MB

MD5
ac7bdd95210d32da26b5e817ac5bcf54

SHA1
3c9b90294a7279d4fd0da0da5f2dfbf73a9b65c2

SHA256
addfe4066533b83649bcc9f406668bebf8e9eacf51c28b0a81ff20bfe5afaf7e

SHA512
0d77e0d9844d376b3fb1cd50cbac335f598d0452fc15a08d3fbee980607291eea300c9d0f70f979353163ee49bdd043ede43519a629e6f4e241c5b4120f3a007

Download Submit
C:\Windows\System\ZgyvXZV.exe
Filesize
5.9MB

MD5
6800e6d0472d6500d6045c566c072ff5

SHA1
45f68b60e4351fc2cc827b731893c8eb0e161e06

SHA256
da51914a0a5c79e17fb58259381b740895e0dbd721b3d299b282a38f103556fd

SHA512
24a7c9b3aa4cc3dfb36e5af7b41859cb95b298267db2a532ec1b810c54f178b310ee37466263fe5d6003436ea8834fe8340a449a7437c5dd6d674334ca7f5573

Download Submit
C:\Windows\System\dhvpRfu.exe
Filesize
5.9MB

MD5
f919722671fbf10bb7688242b0ad0e16

SHA1
84db69ffe042e5f7bb6a627a762d1b3d65634797

SHA256
1f6845aecffbfe70295d788dc8a17765a3bfe66e24c5b7ff7b3c728e5d2ce76a

SHA512
f9c0b941108fbb7e80e81fe05a39052e8ba8ab45b6da1e412edd33034c451d672e34f3e886413feb5c8c5d92c6957f7af67918cdd1e5e273d11c352a67399744

Download Submit
C:\Windows\System\jlrCadd.exe
Filesize
5.9MB

MD5
a38938fbe6edd2ffe0c0eec79f90459a

SHA1
b900c167422c12e4194db41bf277c151528f3cc9

SHA256
bec4744713d9bd45466d5264bb8ebcffd8fc13c28215504044605b0ca873115a

SHA512
78a00d56d8141695bb6146c4a9b3504ccc7466fe893ecc5a03fcc549e5a4688aff4f03f635c2fc6f6768be22d47edb60bb66e0e0c674e20f1829410238b3d886

Download Submit
C:\Windows\System\mygkGPX.exe
Filesize
5.9MB

MD5
07ab7339dc6ac47566ef411309b5a993

SHA1
9091635303cdb4da4ed563495b589a26fbc92b0e

SHA256
acea62084f23916265de9944ab3836f7b19c8ba48ad78ec73e620f25eb9ec51c

SHA512
535712ea0b730d73667a9f20ecd668d2be081098af2b0daf276cf4a9a1c0c094410ebc8eed1de7bc02d01ab577e75b03e3f6bddf3aec2c881718b1402e4b66fe

Download Submit
C:\Windows\System\ntpelzu.exe
Filesize
5.9MB

MD5
88ceff45ee8c66ed384c394711a1a3ee

SHA1
aec14c0e63318217f1dd593dc1d2128a457a65fa

SHA256
21c506b9923ca056e8c2a89ce7da76234bd33bef85d2d1b693289458e8e64b69

SHA512
9580ca2cae3a3b5c82f75c912b388fc02a25896b1ec74a0b8d06ce5d563f5497ac13aadee5aad8f0956a9f9b8ad7fc931f16c825182e3d95d4fcbe7f547582e0

Download Submit
C:\Windows\System\uifkavW.exe
Filesize
5.9MB

MD5
0772a01670f80635b81b37a5a24d0f95

SHA1
f01f0698ba4a14aa7e244a99684bd75cf994510e

SHA256
4a3189a7ca2b31f6d842eaabea1ebe526b0664ed6dec19861033c52029cb8e5d

SHA512
c060dd5e5e7ec7a7c827fd79eb7e77315758959da0f1a1d0de501b9ab071d8d167c4dc196a47f3f905a83e483ad5d33f626e7ed9619aa6476c82b1935244a27b

Download Submit
C:\Windows\System\vjHhIUw.exe
Filesize
5.9MB

MD5
39f279397b476d3ba2f187ba1ac8e310

SHA1
54e3622a90489bdee038fb0e4d647f62bb8263b6

SHA256
4e54e5034e61231fc8ae24730e96ba044f1d7942a965eaf86d1cd85b353d545a

SHA512
2dd88641c916971e8afebdda32bbc804e3bac63211c7631040dc968d1dc13b5a56c0c13243477268d94ff9ea387addee9fb93e911fedb692d8fa22a4ff822809

Download Submit
memory/676-56-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp

Filesize
3.3MB

Download
memory/676-136-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp

Filesize
3.3MB

Download
memory/676-149-0x00007FF65DCA0000-0x00007FF65DFF4000-memory.dmp

Filesize
3.3MB

Download
memory/872-131-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp

Filesize
3.3MB

Download
memory/872-160-0x00007FF659DF0000-0x00007FF65A144000-memory.dmp

Filesize
3.3MB

Download
memory/1020-0-0x00007FF730790000-0x00007FF730AE4000-memory.dmp

Filesize
3.3MB

Download
memory/1020-1-0x00000247DA340000-0x00000247DA350000-memory.dmp

Filesize
64KB

Download
memory/1020-96-0x00007FF730790000-0x00007FF730AE4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-92-0x00007FF607F90000-0x00007FF6082E4000-memory.dmp

Filesize
3.3MB

Download
memory/1088-157-0x00007FF607F90000-0x00007FF6082E4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-143-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-108-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-8-0x00007FF60FA80000-0x00007FF60FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/1548-139-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp

Filesize
3.3MB

Download
memory/1548-75-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp

Filesize
3.3MB

Download
memory/1548-152-0x00007FF7D3E30000-0x00007FF7D4184000-memory.dmp

Filesize
3.3MB

Download
memory/1776-156-0x00007FF788070000-0x00007FF7883C4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-84-0x00007FF788070000-0x00007FF7883C4000-memory.dmp

Filesize
3.3MB

Download
memory/1776-140-0x00007FF788070000-0x00007FF7883C4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-150-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp

Filesize
3.3MB

Download
memory/1912-45-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp

Filesize
3.3MB

Download
memory/1912-134-0x00007FF61DBF0000-0x00007FF61DF44000-memory.dmp

Filesize
3.3MB

Download
memory/2400-158-0x00007FF773F30000-0x00007FF774284000-memory.dmp

Filesize
3.3MB

Download
memory/2400-105-0x00007FF773F30000-0x00007FF774284000-memory.dmp

Filesize
3.3MB

Download
memory/2524-153-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-71-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-138-0x00007FF6D9480000-0x00007FF6D97D4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-154-0x00007FF63B870000-0x00007FF63BBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2888-81-0x00007FF63B870000-0x00007FF63BBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-110-0x00007FF697290000-0x00007FF6975E4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-21-0x00007FF697290000-0x00007FF6975E4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-144-0x00007FF697290000-0x00007FF6975E4000-memory.dmp

Filesize
3.3MB

Download
memory/3108-159-0x00007FF758520000-0x00007FF758874000-memory.dmp

Filesize
3.3MB

Download
memory/3108-116-0x00007FF758520000-0x00007FF758874000-memory.dmp

Filesize
3.3MB

Download
memory/3200-132-0x00007FF6CED60000-0x00007FF6CF0B4000-memory.dmp

Filesize
3.3MB

Download
memory/3200-163-0x00007FF6CED60000-0x00007FF6CF0B4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-141-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp

Filesize
3.3MB

Download
memory/3380-161-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp

Filesize
3.3MB

Download
memory/3380-120-0x00007FF73FC20000-0x00007FF73FF74000-memory.dmp

Filesize
3.3MB

Download
memory/3904-133-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp

Filesize
3.3MB

Download
memory/3904-155-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp

Filesize
3.3MB

Download
memory/3904-38-0x00007FF7082A0000-0x00007FF7085F4000-memory.dmp

Filesize
3.3MB

Download
memory/3952-63-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp

Filesize
3.3MB

Download
memory/3952-151-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp

Filesize
3.3MB

Download
memory/3952-137-0x00007FF64CF00000-0x00007FF64D254000-memory.dmp

Filesize
3.3MB

Download
memory/4128-146-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4128-130-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4128-26-0x00007FF726BA0000-0x00007FF726EF4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-145-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-34-0x00007FF7150A0000-0x00007FF7153F4000-memory.dmp

Filesize
3.3MB

Download
memory/4400-142-0x00007FF656230000-0x00007FF656584000-memory.dmp

Filesize
3.3MB

Download
memory/4400-162-0x00007FF656230000-0x00007FF656584000-memory.dmp

Filesize
3.3MB

Download
memory/4400-126-0x00007FF656230000-0x00007FF656584000-memory.dmp

Filesize
3.3MB

Download
memory/4632-32-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp

Filesize
3.3MB

Download
memory/4632-111-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp

Filesize
3.3MB

Download
memory/4632-147-0x00007FF7D4430000-0x00007FF7D4784000-memory.dmp

Filesize
3.3MB

Download
memory/4736-148-0x00007FF645630000-0x00007FF645984000-memory.dmp

Filesize
3.3MB

Download
memory/4736-47-0x00007FF645630000-0x00007FF645984000-memory.dmp

Filesize
3.3MB

Download
memory/4736-135-0x00007FF645630000-0x00007FF645984000-memory.dmp

Filesize
3.3MB

Download