cobaltstrike | 2f3f74dd2e0ca6101248ec33d475c73ba34c1c43015893578491093eaaa16045

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

89bd6415f400bafaf335ace48e0691c8
SHA1

451a05b7c2531523108488d6f5ab03cc9ff3487c
SHA256

2f3f74dd2e0ca6101248ec33d475c73ba34c1c43015893578491093eaaa16045
SHA512

975249530e045ff39c7c515bb2bfbb0dddf0f6a2c0328cd0a070fbcac1a8835474e793409ca1410dc127c54e44fe33f2af58520b49c17fd450875989ff947d12
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUN:Q+856utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\WREElkz.exe	cobalt_reflective_dll
C:\Windows\System\ktuTlBK.exe	cobalt_reflective_dll
C:\Windows\System\YMkoNzY.exe	cobalt_reflective_dll
C:\Windows\System\WisVfco.exe	cobalt_reflective_dll
C:\Windows\System\PFWKrcH.exe	cobalt_reflective_dll
C:\Windows\System\tkVCSwn.exe	cobalt_reflective_dll
C:\Windows\System\ZPvOauh.exe	cobalt_reflective_dll
C:\Windows\System\BRVVOpv.exe	cobalt_reflective_dll
C:\Windows\System\lYadaPZ.exe	cobalt_reflective_dll
C:\Windows\System\evyPust.exe	cobalt_reflective_dll
C:\Windows\System\AALVWcc.exe	cobalt_reflective_dll
C:\Windows\System\xGzhlLb.exe	cobalt_reflective_dll
C:\Windows\System\LLYfBFn.exe	cobalt_reflective_dll
C:\Windows\System\bOkenoV.exe	cobalt_reflective_dll
C:\Windows\System\zlYIIuC.exe	cobalt_reflective_dll
C:\Windows\System\CLdXvsC.exe	cobalt_reflective_dll
C:\Windows\System\UmDPUmh.exe	cobalt_reflective_dll
C:\Windows\System\ezjVzOI.exe	cobalt_reflective_dll
C:\Windows\System\izBpcYL.exe	cobalt_reflective_dll
C:\Windows\System\rwkSAGE.exe	cobalt_reflective_dll
C:\Windows\System\XSvnsZD.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\WREElkz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ktuTlBK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YMkoNzY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WisVfco.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PFWKrcH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tkVCSwn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZPvOauh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BRVVOpv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lYadaPZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\evyPust.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AALVWcc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xGzhlLb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LLYfBFn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bOkenoV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zlYIIuC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CLdXvsC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UmDPUmh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ezjVzOI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\izBpcYL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rwkSAGE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XSvnsZD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	UPX
behavioral2/memory/4564-6-0x00007FF633020000-0x00007FF633374000-memory.dmp	UPX
C:\Windows\System\WREElkz.exe	UPX
C:\Windows\System\ktuTlBK.exe	UPX
C:\Windows\System\YMkoNzY.exe	UPX
behavioral2/memory/3180-14-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	UPX
C:\Windows\System\WisVfco.exe	UPX
behavioral2/memory/3172-22-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	UPX
behavioral2/memory/1672-30-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	UPX
C:\Windows\System\PFWKrcH.exe	UPX
behavioral2/memory/992-29-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	UPX
C:\Windows\System\tkVCSwn.exe	UPX
behavioral2/memory/212-36-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	UPX
C:\Windows\System\ZPvOauh.exe	UPX
behavioral2/memory/2052-43-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	UPX
C:\Windows\System\BRVVOpv.exe	UPX
behavioral2/memory/5040-50-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	UPX
C:\Windows\System\lYadaPZ.exe	UPX
behavioral2/memory/3964-56-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	UPX
C:\Windows\System\evyPust.exe	UPX
behavioral2/memory/2104-62-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	UPX
C:\Windows\System\AALVWcc.exe	UPX
C:\Windows\System\xGzhlLb.exe	UPX
behavioral2/memory/5008-74-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	UPX
behavioral2/memory/4564-73-0x00007FF633020000-0x00007FF633374000-memory.dmp	UPX
behavioral2/memory/4612-67-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	UPX
behavioral2/memory/4576-66-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	UPX
C:\Windows\System\LLYfBFn.exe	UPX
C:\Windows\System\bOkenoV.exe	UPX
behavioral2/memory/992-86-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	UPX
C:\Windows\System\zlYIIuC.exe	UPX
behavioral2/memory/1812-97-0x00007FF723330000-0x00007FF723684000-memory.dmp	UPX
behavioral2/memory/2584-100-0x00007FF768730000-0x00007FF768A84000-memory.dmp	UPX
C:\Windows\System\CLdXvsC.exe	UPX
C:\Windows\System\UmDPUmh.exe	UPX
behavioral2/memory/212-103-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	UPX
behavioral2/memory/1672-99-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	UPX
behavioral2/memory/1568-94-0x00007FF650130000-0x00007FF650484000-memory.dmp	UPX
behavioral2/memory/3472-88-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp	UPX
behavioral2/memory/2052-109-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	UPX
behavioral2/memory/4908-110-0x00007FF73E500000-0x00007FF73E854000-memory.dmp	UPX
C:\Windows\System\ezjVzOI.exe	UPX
behavioral2/memory/4288-116-0x00007FF786260000-0x00007FF7865B4000-memory.dmp	UPX
C:\Windows\System\izBpcYL.exe	UPX
behavioral2/memory/4776-122-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp	UPX
C:\Windows\System\rwkSAGE.exe	UPX
behavioral2/memory/4152-127-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	UPX
C:\Windows\System\XSvnsZD.exe	UPX
behavioral2/memory/4612-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	UPX
behavioral2/memory/3404-134-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp	UPX
behavioral2/memory/5008-135-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	UPX
behavioral2/memory/2584-136-0x00007FF768730000-0x00007FF768A84000-memory.dmp	UPX
behavioral2/memory/4152-137-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	UPX
behavioral2/memory/4564-138-0x00007FF633020000-0x00007FF633374000-memory.dmp	UPX
behavioral2/memory/3180-139-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	UPX
behavioral2/memory/3172-140-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	UPX
behavioral2/memory/992-141-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	UPX
behavioral2/memory/1672-142-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	UPX
behavioral2/memory/212-143-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	UPX
behavioral2/memory/2052-144-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	UPX
behavioral2/memory/5040-145-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	UPX
behavioral2/memory/3964-146-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	UPX
behavioral2/memory/2104-147-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	UPX
behavioral2/memory/4612-148-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	xmrig
behavioral2/memory/4564-6-0x00007FF633020000-0x00007FF633374000-memory.dmp	xmrig
C:\Windows\System\WREElkz.exe	xmrig
C:\Windows\System\ktuTlBK.exe	xmrig
C:\Windows\System\YMkoNzY.exe	xmrig
behavioral2/memory/3180-14-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	xmrig
C:\Windows\System\WisVfco.exe	xmrig
behavioral2/memory/3172-22-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	xmrig
behavioral2/memory/1672-30-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	xmrig
C:\Windows\System\PFWKrcH.exe	xmrig
behavioral2/memory/992-29-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	xmrig
C:\Windows\System\tkVCSwn.exe	xmrig
behavioral2/memory/212-36-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	xmrig
C:\Windows\System\ZPvOauh.exe	xmrig
behavioral2/memory/2052-43-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	xmrig
C:\Windows\System\BRVVOpv.exe	xmrig
behavioral2/memory/5040-50-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	xmrig
C:\Windows\System\lYadaPZ.exe	xmrig
behavioral2/memory/3964-56-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	xmrig
C:\Windows\System\evyPust.exe	xmrig
behavioral2/memory/2104-62-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	xmrig
C:\Windows\System\AALVWcc.exe	xmrig
C:\Windows\System\xGzhlLb.exe	xmrig
behavioral2/memory/5008-74-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	xmrig
behavioral2/memory/4564-73-0x00007FF633020000-0x00007FF633374000-memory.dmp	xmrig
behavioral2/memory/4612-67-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	xmrig
behavioral2/memory/4576-66-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	xmrig
C:\Windows\System\LLYfBFn.exe	xmrig
C:\Windows\System\bOkenoV.exe	xmrig
behavioral2/memory/992-86-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	xmrig
C:\Windows\System\zlYIIuC.exe	xmrig
behavioral2/memory/1812-97-0x00007FF723330000-0x00007FF723684000-memory.dmp	xmrig
behavioral2/memory/2584-100-0x00007FF768730000-0x00007FF768A84000-memory.dmp	xmrig
C:\Windows\System\CLdXvsC.exe	xmrig
C:\Windows\System\UmDPUmh.exe	xmrig
behavioral2/memory/212-103-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	xmrig
behavioral2/memory/1672-99-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	xmrig
behavioral2/memory/1568-94-0x00007FF650130000-0x00007FF650484000-memory.dmp	xmrig
behavioral2/memory/3472-88-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp	xmrig
behavioral2/memory/2052-109-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	xmrig
behavioral2/memory/4908-110-0x00007FF73E500000-0x00007FF73E854000-memory.dmp	xmrig
C:\Windows\System\ezjVzOI.exe	xmrig
behavioral2/memory/4288-116-0x00007FF786260000-0x00007FF7865B4000-memory.dmp	xmrig
C:\Windows\System\izBpcYL.exe	xmrig
behavioral2/memory/4776-122-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp	xmrig
C:\Windows\System\rwkSAGE.exe	xmrig
behavioral2/memory/4152-127-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	xmrig
C:\Windows\System\XSvnsZD.exe	xmrig
behavioral2/memory/4612-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	xmrig
behavioral2/memory/3404-134-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp	xmrig
behavioral2/memory/5008-135-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	xmrig
behavioral2/memory/2584-136-0x00007FF768730000-0x00007FF768A84000-memory.dmp	xmrig
behavioral2/memory/4152-137-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	xmrig
behavioral2/memory/4564-138-0x00007FF633020000-0x00007FF633374000-memory.dmp	xmrig
behavioral2/memory/3180-139-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	xmrig
behavioral2/memory/3172-140-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	xmrig
behavioral2/memory/992-141-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	xmrig
behavioral2/memory/1672-142-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	xmrig
behavioral2/memory/212-143-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	xmrig
behavioral2/memory/2052-144-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	xmrig
behavioral2/memory/5040-145-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	xmrig
behavioral2/memory/3964-146-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	xmrig
behavioral2/memory/2104-147-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	xmrig
behavioral2/memory/4612-148-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

WREElkz.exektuTlBK.exeYMkoNzY.exeWisVfco.exePFWKrcH.exetkVCSwn.exeZPvOauh.exeBRVVOpv.exelYadaPZ.exeevyPust.exeAALVWcc.exexGzhlLb.exeLLYfBFn.exebOkenoV.exezlYIIuC.exeUmDPUmh.exeCLdXvsC.exeezjVzOI.exeizBpcYL.exerwkSAGE.exeXSvnsZD.exe

pid	process
4564	WREElkz.exe
3180	ktuTlBK.exe
3172	YMkoNzY.exe
992	WisVfco.exe
1672	PFWKrcH.exe
212	tkVCSwn.exe
2052	ZPvOauh.exe
5040	BRVVOpv.exe
3964	lYadaPZ.exe
2104	evyPust.exe
4612	AALVWcc.exe
5008	xGzhlLb.exe
3472	LLYfBFn.exe
1568	bOkenoV.exe
1812	zlYIIuC.exe
2584	UmDPUmh.exe
4908	CLdXvsC.exe
4288	ezjVzOI.exe
4776	izBpcYL.exe
4152	rwkSAGE.exe
3404	XSvnsZD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4576-0-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	upx
behavioral2/memory/4564-6-0x00007FF633020000-0x00007FF633374000-memory.dmp	upx
C:\Windows\System\WREElkz.exe	upx
C:\Windows\System\ktuTlBK.exe	upx
C:\Windows\System\YMkoNzY.exe	upx
behavioral2/memory/3180-14-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	upx
C:\Windows\System\WisVfco.exe	upx
behavioral2/memory/3172-22-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	upx
behavioral2/memory/1672-30-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	upx
C:\Windows\System\PFWKrcH.exe	upx
behavioral2/memory/992-29-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	upx
C:\Windows\System\tkVCSwn.exe	upx
behavioral2/memory/212-36-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	upx
C:\Windows\System\ZPvOauh.exe	upx
behavioral2/memory/2052-43-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	upx
C:\Windows\System\BRVVOpv.exe	upx
behavioral2/memory/5040-50-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	upx
C:\Windows\System\lYadaPZ.exe	upx
behavioral2/memory/3964-56-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	upx
C:\Windows\System\evyPust.exe	upx
behavioral2/memory/2104-62-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	upx
C:\Windows\System\AALVWcc.exe	upx
C:\Windows\System\xGzhlLb.exe	upx
behavioral2/memory/5008-74-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	upx
behavioral2/memory/4564-73-0x00007FF633020000-0x00007FF633374000-memory.dmp	upx
behavioral2/memory/4612-67-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	upx
behavioral2/memory/4576-66-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp	upx
C:\Windows\System\LLYfBFn.exe	upx
C:\Windows\System\bOkenoV.exe	upx
behavioral2/memory/992-86-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	upx
C:\Windows\System\zlYIIuC.exe	upx
behavioral2/memory/1812-97-0x00007FF723330000-0x00007FF723684000-memory.dmp	upx
behavioral2/memory/2584-100-0x00007FF768730000-0x00007FF768A84000-memory.dmp	upx
C:\Windows\System\CLdXvsC.exe	upx
C:\Windows\System\UmDPUmh.exe	upx
behavioral2/memory/212-103-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	upx
behavioral2/memory/1672-99-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	upx
behavioral2/memory/1568-94-0x00007FF650130000-0x00007FF650484000-memory.dmp	upx
behavioral2/memory/3472-88-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp	upx
behavioral2/memory/2052-109-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	upx
behavioral2/memory/4908-110-0x00007FF73E500000-0x00007FF73E854000-memory.dmp	upx
C:\Windows\System\ezjVzOI.exe	upx
behavioral2/memory/4288-116-0x00007FF786260000-0x00007FF7865B4000-memory.dmp	upx
C:\Windows\System\izBpcYL.exe	upx
behavioral2/memory/4776-122-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp	upx
C:\Windows\System\rwkSAGE.exe	upx
behavioral2/memory/4152-127-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	upx
C:\Windows\System\XSvnsZD.exe	upx
behavioral2/memory/4612-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	upx
behavioral2/memory/3404-134-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp	upx
behavioral2/memory/5008-135-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp	upx
behavioral2/memory/2584-136-0x00007FF768730000-0x00007FF768A84000-memory.dmp	upx
behavioral2/memory/4152-137-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp	upx
behavioral2/memory/4564-138-0x00007FF633020000-0x00007FF633374000-memory.dmp	upx
behavioral2/memory/3180-139-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp	upx
behavioral2/memory/3172-140-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp	upx
behavioral2/memory/992-141-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp	upx
behavioral2/memory/1672-142-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp	upx
behavioral2/memory/212-143-0x00007FF67D300000-0x00007FF67D654000-memory.dmp	upx
behavioral2/memory/2052-144-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp	upx
behavioral2/memory/5040-145-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp	upx
behavioral2/memory/3964-146-0x00007FF60D100000-0x00007FF60D454000-memory.dmp	upx
behavioral2/memory/2104-147-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp	upx
behavioral2/memory/4612-148-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\tkVCSwn.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLYfBFn.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izBpcYL.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WisVfco.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\evyPust.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bOkenoV.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zlYIIuC.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLdXvsC.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WREElkz.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFWKrcH.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRVVOpv.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AALVWcc.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGzhlLb.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UmDPUmh.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ezjVzOI.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwkSAGE.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ktuTlBK.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZPvOauh.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lYadaPZ.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XSvnsZD.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YMkoNzY.exe	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4576 wrote to memory of 4564	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	WREElkz.exe
PID 4576 wrote to memory of 4564	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	WREElkz.exe
PID 4576 wrote to memory of 3180	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ktuTlBK.exe
PID 4576 wrote to memory of 3180	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ktuTlBK.exe
PID 4576 wrote to memory of 3172	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	YMkoNzY.exe
PID 4576 wrote to memory of 3172	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	YMkoNzY.exe
PID 4576 wrote to memory of 992	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	WisVfco.exe
PID 4576 wrote to memory of 992	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	WisVfco.exe
PID 4576 wrote to memory of 1672	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	PFWKrcH.exe
PID 4576 wrote to memory of 1672	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	PFWKrcH.exe
PID 4576 wrote to memory of 212	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	tkVCSwn.exe
PID 4576 wrote to memory of 212	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	tkVCSwn.exe
PID 4576 wrote to memory of 2052	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ZPvOauh.exe
PID 4576 wrote to memory of 2052	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ZPvOauh.exe
PID 4576 wrote to memory of 5040	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	BRVVOpv.exe
PID 4576 wrote to memory of 5040	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	BRVVOpv.exe
PID 4576 wrote to memory of 3964	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	lYadaPZ.exe
PID 4576 wrote to memory of 3964	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	lYadaPZ.exe
PID 4576 wrote to memory of 2104	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	evyPust.exe
PID 4576 wrote to memory of 2104	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	evyPust.exe
PID 4576 wrote to memory of 4612	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	AALVWcc.exe
PID 4576 wrote to memory of 4612	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	AALVWcc.exe
PID 4576 wrote to memory of 5008	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	xGzhlLb.exe
PID 4576 wrote to memory of 5008	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	xGzhlLb.exe
PID 4576 wrote to memory of 3472	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	LLYfBFn.exe
PID 4576 wrote to memory of 3472	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	LLYfBFn.exe
PID 4576 wrote to memory of 1568	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	bOkenoV.exe
PID 4576 wrote to memory of 1568	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	bOkenoV.exe
PID 4576 wrote to memory of 1812	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	zlYIIuC.exe
PID 4576 wrote to memory of 1812	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	zlYIIuC.exe
PID 4576 wrote to memory of 2584	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	UmDPUmh.exe
PID 4576 wrote to memory of 2584	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	UmDPUmh.exe
PID 4576 wrote to memory of 4908	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	CLdXvsC.exe
PID 4576 wrote to memory of 4908	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	CLdXvsC.exe
PID 4576 wrote to memory of 4288	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ezjVzOI.exe
PID 4576 wrote to memory of 4288	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	ezjVzOI.exe
PID 4576 wrote to memory of 4776	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	izBpcYL.exe
PID 4576 wrote to memory of 4776	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	izBpcYL.exe
PID 4576 wrote to memory of 4152	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	rwkSAGE.exe
PID 4576 wrote to memory of 4152	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	rwkSAGE.exe
PID 4576 wrote to memory of 3404	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	XSvnsZD.exe
PID 4576 wrote to memory of 3404	4576	2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe	XSvnsZD.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_89bd6415f400bafaf335ace48e0691c8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\System\WREElkz.exe
C:\Windows\System\WREElkz.exe
2⤵
- Executes dropped EXE
PID:4564

C:\Windows\System\ktuTlBK.exe
C:\Windows\System\ktuTlBK.exe
2⤵
- Executes dropped EXE
PID:3180

C:\Windows\System\YMkoNzY.exe
C:\Windows\System\YMkoNzY.exe
2⤵
- Executes dropped EXE
PID:3172

C:\Windows\System\WisVfco.exe
C:\Windows\System\WisVfco.exe
2⤵
- Executes dropped EXE
PID:992

C:\Windows\System\PFWKrcH.exe
C:\Windows\System\PFWKrcH.exe
2⤵
- Executes dropped EXE
PID:1672

C:\Windows\System\tkVCSwn.exe
C:\Windows\System\tkVCSwn.exe
2⤵
- Executes dropped EXE
PID:212

C:\Windows\System\ZPvOauh.exe
C:\Windows\System\ZPvOauh.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System\BRVVOpv.exe
C:\Windows\System\BRVVOpv.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\lYadaPZ.exe
C:\Windows\System\lYadaPZ.exe
2⤵
- Executes dropped EXE
PID:3964

C:\Windows\System\evyPust.exe
C:\Windows\System\evyPust.exe
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\System\AALVWcc.exe
C:\Windows\System\AALVWcc.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System\xGzhlLb.exe
C:\Windows\System\xGzhlLb.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\System\LLYfBFn.exe
C:\Windows\System\LLYfBFn.exe
2⤵
- Executes dropped EXE
PID:3472

C:\Windows\System\bOkenoV.exe
C:\Windows\System\bOkenoV.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\System\zlYIIuC.exe
C:\Windows\System\zlYIIuC.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System\UmDPUmh.exe
C:\Windows\System\UmDPUmh.exe
2⤵
- Executes dropped EXE
PID:2584

C:\Windows\System\CLdXvsC.exe
C:\Windows\System\CLdXvsC.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\ezjVzOI.exe
C:\Windows\System\ezjVzOI.exe
2⤵
- Executes dropped EXE
PID:4288

C:\Windows\System\izBpcYL.exe
C:\Windows\System\izBpcYL.exe
2⤵
- Executes dropped EXE
PID:4776

C:\Windows\System\rwkSAGE.exe
C:\Windows\System\rwkSAGE.exe
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\System\XSvnsZD.exe
C:\Windows\System\XSvnsZD.exe
2⤵
- Executes dropped EXE
PID:3404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AALVWcc.exe
Filesize
5.9MB

MD5
080eb3712014524e7756ec60ac2bc36a

SHA1
3df5ec5b3abd787f5b3ba4ed9cbef3a3d0565c11

SHA256
022501c4ee817ae19cba0563a1534f3f26fa63ddfc4f7fdfb3a95456bb31a5e9

SHA512
e6a33e8b2882058eda702671a1b8406818be558a78370e5bf284a7470d465620204cf1ae23cab99ed3aa59d882a51d726b2528104cc784ea30ef8b886570d0b9

Download Submit
C:\Windows\System\BRVVOpv.exe
Filesize
5.9MB

MD5
589cd0068374c190c8fcbc2be58fbf3b

SHA1
dc3652ae1e72b9edd981b4a8d886dfa599b8c92b

SHA256
23836c531ae8d4dd5afbfefa7516f53cbc271fc8dae77760dc49b800e0eb9379

SHA512
3e367269dd213eebcd64cdd227978cfd62210f13fe43659ffea7645939d90d800f2842b1aab430da08f319a0569b0b605e01d2132b22cb7ba8ac1ac905681f48

Download Submit
C:\Windows\System\CLdXvsC.exe
Filesize
5.9MB

MD5
043412b264da8a1235d52ad11c40d47a

SHA1
a7455081d79b8be1f2ba017c920d24731b08c55d

SHA256
79129eb783e98511fa879b6f4b59e57d29121f0aa687282ea08ada522d28d67b

SHA512
d55d82e05c6861a0c45250cb58bf95eeedf08cdfe72aabc2a4872f388515a561a209460a37da9a27d821fa4e286c802dab0505f7bd47ce856e6432c044a5fbb9

Download Submit
C:\Windows\System\LLYfBFn.exe
Filesize
5.9MB

MD5
60d8fbabb9afe92aeea81740a53e1a11

SHA1
4bd2490ea772574c4570e4474214897501e1ba38

SHA256
4655948ab714660861506c280f5efc21aceae25a83c73b72391d74b8930ce536

SHA512
ceb5c203d4223eb59d8da439d8623f93b1eb2d2a714b606dd99c072381766ac4dddc244cc445e9012e583195eff214d6710509caf41967376a19d8c1e39f8169

Download Submit
C:\Windows\System\PFWKrcH.exe
Filesize
5.9MB

MD5
7b8e791968975d097d470eb64963772f

SHA1
13e62fc43351c8fd38ba5d3c1500c02d542c2f16

SHA256
421563e545e3080dcb01325d8f5694f052ee1c2ec124eea4a6d569a73bc2532e

SHA512
661c382880cc632414637891adf114f23e36873e038a6d8a9a1e3923f0bf541259e9e1a3edd92ca8748b17e0becc6ca58aa49c47e9950a82072163608cc7bae9

Download Submit
C:\Windows\System\UmDPUmh.exe
Filesize
5.9MB

MD5
423d43dedfdb8c3e3db70d5601364076

SHA1
5220a1e35724b49c5dfb8fcd8963031aa92344b6

SHA256
4b44d8a95b847bb0ddae06ad4c1d967a9649710f3f2023b3a8d602d717a92560

SHA512
c3fac5adc655344f2111a5896ff91a1a6dee4a68d6f218b74d4e5833c87cd46eb3a49d8e3e4c551431227f4f6387b7b0cf52809f38d50cdd5434febf4ab238ea

Download Submit
C:\Windows\System\WREElkz.exe
Filesize
5.9MB

MD5
2e97420167fb64e18cc9ca28bfa75d2b

SHA1
350941f6e98a5bdfcfde239620bb7bb963de86e6

SHA256
31092e2dda8e206e02e307cee8a03df461c47c7cf2e26af2c0a3b42f90fdf23f

SHA512
269aeeffb34948a1870f7df8201f4e367e70b2a0c4e932feb9b64191295a7c934ca587383ce52e7bbf3330219e4344024838da4d3c0a73ad8637aac5a9db6eea

Download Submit
C:\Windows\System\WisVfco.exe
Filesize
5.9MB

MD5
74480f5fd61db5bedfc49e79d11fc5f3

SHA1
b809ee3168dc3678f23ce286336636063ee6b3b9

SHA256
04786d68e01564807b97c5acd6dff45cbde52db60f0ca4fd892b7d5ebc1c5f26

SHA512
68964f68144fa24c45e104f02d50e1ac5cbbf6d8e0c9d75b0a69ae06d64be56b6bc33796036c2359a383c27ddee9d614e218adddb5965a68a9a9e613441c6bc2

Download Submit
C:\Windows\System\XSvnsZD.exe
Filesize
5.9MB

MD5
8763604ac65cf52064661de042809197

SHA1
e6f9f73eebb02ff53fa007a2c6e604facaa742bd

SHA256
a7bdcc0aba7b81194568f6bf72f9fff505db6d8b44c3ef167bce639b0356f44e

SHA512
b0873002363594813534cc4d8d307a3f8435ebd59ee1233379c7e96e5a465ae0fdfce8915e767d8f881eb2800eb303f567a82b4a10b0e2fd13c588b6a9949b76

Download Submit
C:\Windows\System\YMkoNzY.exe
Filesize
5.9MB

MD5
2353f37b7256b070dada891d936bb6cb

SHA1
e5bb2fb38920b5e7a499a6fc2ed66b22339db6bd

SHA256
8d25fceb01e5c23ce1be93e9da41ed6de94c4eba0ab39a02dab874c76e9ae4de

SHA512
94e01c0309b68cd65c84183a6c41ed253152ef476b71be37a7f9c063c3c088b95425d4b2772e6ba8443214fb2eee98284954284bf772a7073e47acdb6360fae6

Download Submit
C:\Windows\System\ZPvOauh.exe
Filesize
5.9MB

MD5
0b813103d726851486c6657dfb7071bf

SHA1
d912c5af715e1342cc7b38510e6bb6be3e3be6a5

SHA256
d313126ff495e69bd8e1071b17c9cb1a447fbcd4bfa2a48030a7626e5a1fc3a9

SHA512
b21ec15a78fbcaa86f6d334616d644c028a08ad39e38b41d84a225056e5a45b574fb0c06bbed290cf80319b4cee8d6284d0354006a58187191244c72412fb66e

Download Submit
C:\Windows\System\bOkenoV.exe
Filesize
5.9MB

MD5
76ad9bace674a166087241d14b0864e2

SHA1
d2f37a19356725fb56f592aaf4a895cd1dd7524e

SHA256
484495042896c78655e9c6b96f5c4a7e5cb7dfa8ae8f34928126e742b2ba5794

SHA512
dbd848f66c39d1367be4e66e3d9d5ec7095a810c61b5420d445a2a09046cc4397dc33f89ec586a4c91d340dfd66ae24e1a7c6d38430db837e35b5f7b5b306247

Download Submit
C:\Windows\System\evyPust.exe
Filesize
5.9MB

MD5
4ef419874e8249312b73bfef814b31cb

SHA1
183550d08dca60c688ecf66a3cdb4a3839ccf071

SHA256
7bee0dc7e6f2a779c39b963fba83defcf965b5ed398358a81a1f445be83402ec

SHA512
07096073ebfe1ff60782dabd9c13b8f348486ff252a2c7f71f55e943bbfe588c78aee591c92eb81e3fb069188020a959ad4919a2f8eb3685ee25d0525ab7fdd7

Download Submit
C:\Windows\System\ezjVzOI.exe
Filesize
5.9MB

MD5
99baa6468c3e457e93d639ea6a81dd13

SHA1
210b787a308476f90d91b778c4c02ebb29ad0432

SHA256
2406c97afc655121135ef9357c1bc47bed1bc2efb6f0453522049b37ebe109e9

SHA512
e4cba7390b07bd739c8281f6228e2c9595e96dec33d5376eb5c6ee1d11f7302def55812b5e227e74a63f2cfed6edf0ab18bdae0604879dc016528322c0828aa5

Download Submit
C:\Windows\System\izBpcYL.exe
Filesize
5.9MB

MD5
e4b0c53e607524fda40f4a2bb2cdc332

SHA1
6c300cc3f517c512c0d8ffd619b9fca6bdc106e6

SHA256
b2f469e213ed18717621e6e85a241f3e77a9c7a7eb83167e7a62d76f8e9cc7b5

SHA512
7f1322c901b085b04bc6b6c95b0afad9d84ba42e1eebd6f2df4e4b149ee128940ed646547c130f52378710c916899ad725c15c2c1c00cde302fd00fed0fb15d2

Download Submit
C:\Windows\System\ktuTlBK.exe
Filesize
5.9MB

MD5
d582a6a01a77a3440c61f34b0fe4e230

SHA1
7eec56dda791626df330de4e87260b0951fbc48b

SHA256
7e4e842e53e1e9ebbc3cfa3068528994eeeaef464874a5921967d4def07a22fb

SHA512
649d82dd6df269ddbd566521f78d0ea18ef47243efbbd2bb7086440740133c72c11119d4a34cd81a2fcecb83f8162f7777c78a90f57fdf151cfb39e83e330770

Download Submit
C:\Windows\System\lYadaPZ.exe
Filesize
5.9MB

MD5
27ead8a8294727bdcd34c3fddabc1b7e

SHA1
7fdcf617a43c428f13827283902fc5945bc585c6

SHA256
9d42144b6df2324527ad5da2aa66dec6b47cfc853ed058885a551d386af4dc06

SHA512
ea262208d497af77e213bcc00a8c03d99ec77f937f5d64c58fd99410433819c30304740aad391ff217c6aa003cafc3a5362802f1ba0c48482f7eaef375010eab

Download Submit
C:\Windows\System\rwkSAGE.exe
Filesize
5.9MB

MD5
70a18c92275972f23134ef04e2bc916d

SHA1
8c24c4bb8908a053b15cbe7ac1bf51ea14772f90

SHA256
9e32c66f39ae885b1eb4a78bc36b0614845d813c4f3a21332584c6d4a872cfe9

SHA512
092ee9ff52b75da906fd3923cbdf68c368d2bd1dc711cb2e7cb8a80e2fe2bd57503dbf047b6a8fb6bcc1b44bf41a671fd600bc4fef55be02dd6f215f6278eef9

Download Submit
C:\Windows\System\tkVCSwn.exe
Filesize
5.9MB

MD5
3923c9eda7305b9cdaaee1f125969e64

SHA1
ae4a584bf8f9a5232e777362068fad0d2dfa9dfd

SHA256
97ee9ca63611e384c7ebe1744e1db4604458246beac850c24cc40d602df40867

SHA512
32bc00414b26f2f828fb466e707f9ce5d4d7fa35a94c7c6b6ad7a7103f3500d5c619b1650213b2d86b404001bf1e73b831a681a085a7c1d238a5bf52c2b27712

Download Submit
C:\Windows\System\xGzhlLb.exe
Filesize
5.9MB

MD5
93fe94c9114223e3a4a2036db506f8d1

SHA1
0182df05fe794d306643a356cf86dad6891abb4e

SHA256
69548643a3a477c9ab5a501c3632bb3109c361c633e2c5eb877f4499cf69773d

SHA512
c15cc1bc09accc5ef847ed837d9f01b7d14b0ebb5da5eeeb4790a024bea1aed63643709f40c4b91127cfa2b5a1bf12d5d04d665a47ff2144170730ed53e196f6

Download Submit
C:\Windows\System\zlYIIuC.exe
Filesize
5.9MB

MD5
8ac9cd37608839cd740b567d843cd2f2

SHA1
7c57cb37161b1401a08823da5deee60514521d1b

SHA256
94fcdcc0dc2ec66a8a2d1af618e661d14ef298f1c3087e174cd7795295d967aa

SHA512
feffcfe59d0e1a4e0c823e8818676864bc42c6648f5121e23e42da0ac47dfe24809ec175b9e57ab471d62708642afed6fded9ab351812ee2339d86057f402d19

Download Submit
memory/212-103-0x00007FF67D300000-0x00007FF67D654000-memory.dmp

Filesize
3.3MB

Download
memory/212-143-0x00007FF67D300000-0x00007FF67D654000-memory.dmp

Filesize
3.3MB

Download
memory/212-36-0x00007FF67D300000-0x00007FF67D654000-memory.dmp

Filesize
3.3MB

Download
memory/992-29-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp

Filesize
3.3MB

Download
memory/992-141-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp

Filesize
3.3MB

Download
memory/992-86-0x00007FF7CF5A0000-0x00007FF7CF8F4000-memory.dmp

Filesize
3.3MB

Download
memory/1568-151-0x00007FF650130000-0x00007FF650484000-memory.dmp

Filesize
3.3MB

Download
memory/1568-94-0x00007FF650130000-0x00007FF650484000-memory.dmp

Filesize
3.3MB

Download
memory/1672-142-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp

Filesize
3.3MB

Download
memory/1672-99-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp

Filesize
3.3MB

Download
memory/1672-30-0x00007FF6A2400000-0x00007FF6A2754000-memory.dmp

Filesize
3.3MB

Download
memory/1812-152-0x00007FF723330000-0x00007FF723684000-memory.dmp

Filesize
3.3MB

Download
memory/1812-97-0x00007FF723330000-0x00007FF723684000-memory.dmp

Filesize
3.3MB

Download
memory/2052-43-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-144-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-109-0x00007FF6CAD60000-0x00007FF6CB0B4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-147-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp

Filesize
3.3MB

Download
memory/2104-62-0x00007FF6437F0000-0x00007FF643B44000-memory.dmp

Filesize
3.3MB

Download
memory/2584-100-0x00007FF768730000-0x00007FF768A84000-memory.dmp

Filesize
3.3MB

Download
memory/2584-154-0x00007FF768730000-0x00007FF768A84000-memory.dmp

Filesize
3.3MB

Download
memory/2584-136-0x00007FF768730000-0x00007FF768A84000-memory.dmp

Filesize
3.3MB

Download
memory/3172-22-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp

Filesize
3.3MB

Download
memory/3172-140-0x00007FF7AD4F0000-0x00007FF7AD844000-memory.dmp

Filesize
3.3MB

Download
memory/3180-14-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp

Filesize
3.3MB

Download
memory/3180-139-0x00007FF79CCD0000-0x00007FF79D024000-memory.dmp

Filesize
3.3MB

Download
memory/3404-134-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp

Filesize
3.3MB

Download
memory/3404-158-0x00007FF6C0820000-0x00007FF6C0B74000-memory.dmp

Filesize
3.3MB

Download
memory/3472-88-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp

Filesize
3.3MB

Download
memory/3472-150-0x00007FF709BC0000-0x00007FF709F14000-memory.dmp

Filesize
3.3MB

Download
memory/3964-56-0x00007FF60D100000-0x00007FF60D454000-memory.dmp

Filesize
3.3MB

Download
memory/3964-146-0x00007FF60D100000-0x00007FF60D454000-memory.dmp

Filesize
3.3MB

Download
memory/4152-157-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp

Filesize
3.3MB

Download
memory/4152-137-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp

Filesize
3.3MB

Download
memory/4152-127-0x00007FF6069B0000-0x00007FF606D04000-memory.dmp

Filesize
3.3MB

Download
memory/4288-116-0x00007FF786260000-0x00007FF7865B4000-memory.dmp

Filesize
3.3MB

Download
memory/4288-155-0x00007FF786260000-0x00007FF7865B4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-73-0x00007FF633020000-0x00007FF633374000-memory.dmp

Filesize
3.3MB

Download
memory/4564-138-0x00007FF633020000-0x00007FF633374000-memory.dmp

Filesize
3.3MB

Download
memory/4564-6-0x00007FF633020000-0x00007FF633374000-memory.dmp

Filesize
3.3MB

Download
memory/4576-0-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp

Filesize
3.3MB

Download
memory/4576-66-0x00007FF6BED30000-0x00007FF6BF084000-memory.dmp

Filesize
3.3MB

Download
memory/4576-1-0x000001F58CEB0000-0x000001F58CEC0000-memory.dmp

Filesize
64KB

Download
memory/4612-67-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp

Filesize
3.3MB

Download
memory/4612-133-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp

Filesize
3.3MB

Download
memory/4612-148-0x00007FF6DA620000-0x00007FF6DA974000-memory.dmp

Filesize
3.3MB

Download
memory/4776-122-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp

Filesize
3.3MB

Download
memory/4776-156-0x00007FF7B15F0000-0x00007FF7B1944000-memory.dmp

Filesize
3.3MB

Download
memory/4908-153-0x00007FF73E500000-0x00007FF73E854000-memory.dmp

Filesize
3.3MB

Download
memory/4908-110-0x00007FF73E500000-0x00007FF73E854000-memory.dmp

Filesize
3.3MB

Download
memory/5008-74-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp

Filesize
3.3MB

Download
memory/5008-149-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp

Filesize
3.3MB

Download
memory/5008-135-0x00007FF68D4E0000-0x00007FF68D834000-memory.dmp

Filesize
3.3MB

Download
memory/5040-50-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp

Filesize
3.3MB

Download
memory/5040-145-0x00007FF7ADBD0000-0x00007FF7ADF24000-memory.dmp

Filesize
3.3MB

Download