cobaltstrike | b6e7b8e1d526534e6fea86caa155154b8377c5caee9f4588ae50af87d87842ef

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

e002344a389d8ecdb9b8d2d8793202d7
SHA1

47def7598aea03a19eedfbdf31c08b959eb74eb9
SHA256

b6e7b8e1d526534e6fea86caa155154b8377c5caee9f4588ae50af87d87842ef
SHA512

3b93d01117ad02194b29b566c48de9a8517281544ad809539b84787b9bc6be0ed36986571098b4f6683b1b51e085fc6c1f43f4ec7a9437f928e5b8955d34e796
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:Q+856utgpPF8u/7b

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\cRKvRXj.exe	cobalt_reflective_dll
C:\Windows\System\AaxlnpQ.exe	cobalt_reflective_dll
C:\Windows\System\OThCdDh.exe	cobalt_reflective_dll
C:\Windows\System\DUEdZLp.exe	cobalt_reflective_dll
C:\Windows\System\WAhNSjE.exe	cobalt_reflective_dll
C:\Windows\System\sBMQtcZ.exe	cobalt_reflective_dll
C:\Windows\System\AQHJNjI.exe	cobalt_reflective_dll
C:\Windows\System\MfewGKo.exe	cobalt_reflective_dll
C:\Windows\System\vPYVTuH.exe	cobalt_reflective_dll
C:\Windows\System\yMBjtUl.exe	cobalt_reflective_dll
C:\Windows\System\qAiidTl.exe	cobalt_reflective_dll
C:\Windows\System\ylpHNBe.exe	cobalt_reflective_dll
C:\Windows\System\thyFzYj.exe	cobalt_reflective_dll
C:\Windows\System\mBdpTIJ.exe	cobalt_reflective_dll
C:\Windows\System\VTNyalh.exe	cobalt_reflective_dll
C:\Windows\System\nUJqVEE.exe	cobalt_reflective_dll
C:\Windows\System\ogTQsvj.exe	cobalt_reflective_dll
C:\Windows\System\HKhzDpo.exe	cobalt_reflective_dll
C:\Windows\System\trYiPPs.exe	cobalt_reflective_dll
C:\Windows\System\jzYmbnd.exe	cobalt_reflective_dll
C:\Windows\System\hUfZsFj.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\cRKvRXj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AaxlnpQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OThCdDh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DUEdZLp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WAhNSjE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sBMQtcZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AQHJNjI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MfewGKo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vPYVTuH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yMBjtUl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qAiidTl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ylpHNBe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\thyFzYj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mBdpTIJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VTNyalh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nUJqVEE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ogTQsvj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HKhzDpo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\trYiPPs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jzYmbnd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hUfZsFj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4056-0-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	UPX
C:\Windows\System\cRKvRXj.exe	UPX
C:\Windows\System\AaxlnpQ.exe	UPX
C:\Windows\System\OThCdDh.exe	UPX
C:\Windows\System\DUEdZLp.exe	UPX
C:\Windows\System\WAhNSjE.exe	UPX
C:\Windows\System\sBMQtcZ.exe	UPX
C:\Windows\System\AQHJNjI.exe	UPX
C:\Windows\System\MfewGKo.exe	UPX
C:\Windows\System\vPYVTuH.exe	UPX
behavioral2/memory/432-60-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	UPX
C:\Windows\System\yMBjtUl.exe	UPX
C:\Windows\System\qAiidTl.exe	UPX
behavioral2/memory/5048-62-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	UPX
behavioral2/memory/3400-61-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	UPX
behavioral2/memory/1136-59-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	UPX
behavioral2/memory/3436-48-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	UPX
behavioral2/memory/656-45-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	UPX
behavioral2/memory/1756-34-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	UPX
behavioral2/memory/3368-27-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	UPX
behavioral2/memory/772-19-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	UPX
behavioral2/memory/4272-18-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	UPX
behavioral2/memory/216-8-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	UPX
C:\Windows\System\ylpHNBe.exe	UPX
C:\Windows\System\thyFzYj.exe	UPX
C:\Windows\System\mBdpTIJ.exe	UPX
behavioral2/memory/4056-80-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	UPX
behavioral2/memory/216-85-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	UPX
behavioral2/memory/640-91-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp	UPX
C:\Windows\System\VTNyalh.exe	UPX
C:\Windows\System\nUJqVEE.exe	UPX
C:\Windows\System\ogTQsvj.exe	UPX
behavioral2/memory/1416-115-0x00007FF6251B0000-0x00007FF625504000-memory.dmp	UPX
C:\Windows\System\HKhzDpo.exe	UPX
C:\Windows\System\trYiPPs.exe	UPX
C:\Windows\System\jzYmbnd.exe	UPX
behavioral2/memory/2168-103-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	UPX
C:\Windows\System\hUfZsFj.exe	UPX
behavioral2/memory/772-97-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	UPX
behavioral2/memory/3988-96-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	UPX
behavioral2/memory/4496-84-0x00007FF617E00000-0x00007FF618154000-memory.dmp	UPX
behavioral2/memory/2936-79-0x00007FF6B8510000-0x00007FF6B8864000-memory.dmp	UPX
behavioral2/memory/1256-127-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	UPX
behavioral2/memory/208-128-0x00007FF6F4C30000-0x00007FF6F4F84000-memory.dmp	UPX
behavioral2/memory/2288-129-0x00007FF65B750000-0x00007FF65BAA4000-memory.dmp	UPX
behavioral2/memory/3464-130-0x00007FF7CCC20000-0x00007FF7CCF74000-memory.dmp	UPX
behavioral2/memory/1136-131-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	UPX
behavioral2/memory/3400-132-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	UPX
behavioral2/memory/432-133-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	UPX
behavioral2/memory/5048-134-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	UPX
behavioral2/memory/3988-135-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	UPX
behavioral2/memory/2168-136-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	UPX
behavioral2/memory/1256-137-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	UPX
behavioral2/memory/216-138-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	UPX
behavioral2/memory/4272-139-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	UPX
behavioral2/memory/3368-140-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	UPX
behavioral2/memory/772-141-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	UPX
behavioral2/memory/3436-142-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	UPX
behavioral2/memory/1756-143-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	UPX
behavioral2/memory/656-144-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	UPX
behavioral2/memory/1136-145-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	UPX
behavioral2/memory/432-147-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	UPX
behavioral2/memory/5048-146-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	UPX
behavioral2/memory/3400-148-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4056-0-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	xmrig
C:\Windows\System\cRKvRXj.exe	xmrig
C:\Windows\System\AaxlnpQ.exe	xmrig
C:\Windows\System\OThCdDh.exe	xmrig
C:\Windows\System\DUEdZLp.exe	xmrig
C:\Windows\System\WAhNSjE.exe	xmrig
C:\Windows\System\sBMQtcZ.exe	xmrig
C:\Windows\System\AQHJNjI.exe	xmrig
C:\Windows\System\MfewGKo.exe	xmrig
C:\Windows\System\vPYVTuH.exe	xmrig
behavioral2/memory/432-60-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	xmrig
C:\Windows\System\yMBjtUl.exe	xmrig
C:\Windows\System\qAiidTl.exe	xmrig
behavioral2/memory/5048-62-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	xmrig
behavioral2/memory/3400-61-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	xmrig
behavioral2/memory/1136-59-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	xmrig
behavioral2/memory/3436-48-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	xmrig
behavioral2/memory/656-45-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	xmrig
behavioral2/memory/1756-34-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	xmrig
behavioral2/memory/3368-27-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	xmrig
behavioral2/memory/772-19-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	xmrig
behavioral2/memory/4272-18-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	xmrig
behavioral2/memory/216-8-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	xmrig
C:\Windows\System\ylpHNBe.exe	xmrig
C:\Windows\System\thyFzYj.exe	xmrig
C:\Windows\System\mBdpTIJ.exe	xmrig
behavioral2/memory/4056-80-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	xmrig
behavioral2/memory/216-85-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	xmrig
behavioral2/memory/640-91-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp	xmrig
C:\Windows\System\VTNyalh.exe	xmrig
C:\Windows\System\nUJqVEE.exe	xmrig
C:\Windows\System\ogTQsvj.exe	xmrig
behavioral2/memory/1416-115-0x00007FF6251B0000-0x00007FF625504000-memory.dmp	xmrig
C:\Windows\System\HKhzDpo.exe	xmrig
C:\Windows\System\trYiPPs.exe	xmrig
C:\Windows\System\jzYmbnd.exe	xmrig
behavioral2/memory/2168-103-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	xmrig
C:\Windows\System\hUfZsFj.exe	xmrig
behavioral2/memory/772-97-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	xmrig
behavioral2/memory/3988-96-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	xmrig
behavioral2/memory/4496-84-0x00007FF617E00000-0x00007FF618154000-memory.dmp	xmrig
behavioral2/memory/2936-79-0x00007FF6B8510000-0x00007FF6B8864000-memory.dmp	xmrig
behavioral2/memory/1256-127-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	xmrig
behavioral2/memory/208-128-0x00007FF6F4C30000-0x00007FF6F4F84000-memory.dmp	xmrig
behavioral2/memory/2288-129-0x00007FF65B750000-0x00007FF65BAA4000-memory.dmp	xmrig
behavioral2/memory/3464-130-0x00007FF7CCC20000-0x00007FF7CCF74000-memory.dmp	xmrig
behavioral2/memory/1136-131-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	xmrig
behavioral2/memory/3400-132-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	xmrig
behavioral2/memory/432-133-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	xmrig
behavioral2/memory/5048-134-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	xmrig
behavioral2/memory/3988-135-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	xmrig
behavioral2/memory/2168-136-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	xmrig
behavioral2/memory/1256-137-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	xmrig
behavioral2/memory/216-138-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	xmrig
behavioral2/memory/4272-139-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	xmrig
behavioral2/memory/3368-140-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	xmrig
behavioral2/memory/772-141-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	xmrig
behavioral2/memory/3436-142-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	xmrig
behavioral2/memory/1756-143-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	xmrig
behavioral2/memory/656-144-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	xmrig
behavioral2/memory/1136-145-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	xmrig
behavioral2/memory/432-147-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	xmrig
behavioral2/memory/5048-146-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	xmrig
behavioral2/memory/3400-148-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

cRKvRXj.exeAaxlnpQ.exeOThCdDh.exeDUEdZLp.exeWAhNSjE.exeAQHJNjI.exesBMQtcZ.exeMfewGKo.exeyMBjtUl.exevPYVTuH.exeqAiidTl.exeylpHNBe.exethyFzYj.exemBdpTIJ.exehUfZsFj.exeVTNyalh.exenUJqVEE.exeogTQsvj.exejzYmbnd.exetrYiPPs.exeHKhzDpo.exe

pid	process
216	cRKvRXj.exe
4272	AaxlnpQ.exe
772	OThCdDh.exe
3368	DUEdZLp.exe
1756	WAhNSjE.exe
656	AQHJNjI.exe
3436	sBMQtcZ.exe
1136	MfewGKo.exe
432	yMBjtUl.exe
5048	vPYVTuH.exe
3400	qAiidTl.exe
2936	ylpHNBe.exe
4496	thyFzYj.exe
640	mBdpTIJ.exe
3988	hUfZsFj.exe
2168	VTNyalh.exe
1416	nUJqVEE.exe
1256	ogTQsvj.exe
2288	jzYmbnd.exe
3464	trYiPPs.exe
208	HKhzDpo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4056-0-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	upx
C:\Windows\System\cRKvRXj.exe	upx
C:\Windows\System\AaxlnpQ.exe	upx
C:\Windows\System\OThCdDh.exe	upx
C:\Windows\System\DUEdZLp.exe	upx
C:\Windows\System\WAhNSjE.exe	upx
C:\Windows\System\sBMQtcZ.exe	upx
C:\Windows\System\AQHJNjI.exe	upx
C:\Windows\System\MfewGKo.exe	upx
C:\Windows\System\vPYVTuH.exe	upx
behavioral2/memory/432-60-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	upx
C:\Windows\System\yMBjtUl.exe	upx
C:\Windows\System\qAiidTl.exe	upx
behavioral2/memory/5048-62-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	upx
behavioral2/memory/3400-61-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	upx
behavioral2/memory/1136-59-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	upx
behavioral2/memory/3436-48-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	upx
behavioral2/memory/656-45-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	upx
behavioral2/memory/1756-34-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	upx
behavioral2/memory/3368-27-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	upx
behavioral2/memory/772-19-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	upx
behavioral2/memory/4272-18-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	upx
behavioral2/memory/216-8-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	upx
C:\Windows\System\ylpHNBe.exe	upx
C:\Windows\System\thyFzYj.exe	upx
C:\Windows\System\mBdpTIJ.exe	upx
behavioral2/memory/4056-80-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp	upx
behavioral2/memory/216-85-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	upx
behavioral2/memory/640-91-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp	upx
C:\Windows\System\VTNyalh.exe	upx
C:\Windows\System\nUJqVEE.exe	upx
C:\Windows\System\ogTQsvj.exe	upx
behavioral2/memory/1416-115-0x00007FF6251B0000-0x00007FF625504000-memory.dmp	upx
C:\Windows\System\HKhzDpo.exe	upx
C:\Windows\System\trYiPPs.exe	upx
C:\Windows\System\jzYmbnd.exe	upx
behavioral2/memory/2168-103-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	upx
C:\Windows\System\hUfZsFj.exe	upx
behavioral2/memory/772-97-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	upx
behavioral2/memory/3988-96-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	upx
behavioral2/memory/4496-84-0x00007FF617E00000-0x00007FF618154000-memory.dmp	upx
behavioral2/memory/2936-79-0x00007FF6B8510000-0x00007FF6B8864000-memory.dmp	upx
behavioral2/memory/1256-127-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	upx
behavioral2/memory/208-128-0x00007FF6F4C30000-0x00007FF6F4F84000-memory.dmp	upx
behavioral2/memory/2288-129-0x00007FF65B750000-0x00007FF65BAA4000-memory.dmp	upx
behavioral2/memory/3464-130-0x00007FF7CCC20000-0x00007FF7CCF74000-memory.dmp	upx
behavioral2/memory/1136-131-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	upx
behavioral2/memory/3400-132-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	upx
behavioral2/memory/432-133-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	upx
behavioral2/memory/5048-134-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	upx
behavioral2/memory/3988-135-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp	upx
behavioral2/memory/2168-136-0x00007FF759790000-0x00007FF759AE4000-memory.dmp	upx
behavioral2/memory/1256-137-0x00007FF6651B0000-0x00007FF665504000-memory.dmp	upx
behavioral2/memory/216-138-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp	upx
behavioral2/memory/4272-139-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp	upx
behavioral2/memory/3368-140-0x00007FF681EE0000-0x00007FF682234000-memory.dmp	upx
behavioral2/memory/772-141-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp	upx
behavioral2/memory/3436-142-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp	upx
behavioral2/memory/1756-143-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp	upx
behavioral2/memory/656-144-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp	upx
behavioral2/memory/1136-145-0x00007FF7860F0000-0x00007FF786444000-memory.dmp	upx
behavioral2/memory/432-147-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp	upx
behavioral2/memory/5048-146-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp	upx
behavioral2/memory/3400-148-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\trYiPPs.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OThCdDh.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ylpHNBe.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hUfZsFj.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yMBjtUl.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nUJqVEE.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ogTQsvj.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzYmbnd.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUEdZLp.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WAhNSjE.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MfewGKo.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AQHJNjI.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HKhzDpo.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPYVTuH.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qAiidTl.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\thyFzYj.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBdpTIJ.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VTNyalh.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cRKvRXj.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AaxlnpQ.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sBMQtcZ.exe	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4056 wrote to memory of 216	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	cRKvRXj.exe
PID 4056 wrote to memory of 216	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	cRKvRXj.exe
PID 4056 wrote to memory of 4272	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	AaxlnpQ.exe
PID 4056 wrote to memory of 4272	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	AaxlnpQ.exe
PID 4056 wrote to memory of 772	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	OThCdDh.exe
PID 4056 wrote to memory of 772	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	OThCdDh.exe
PID 4056 wrote to memory of 3368	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	DUEdZLp.exe
PID 4056 wrote to memory of 3368	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	DUEdZLp.exe
PID 4056 wrote to memory of 1756	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	WAhNSjE.exe
PID 4056 wrote to memory of 1756	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	WAhNSjE.exe
PID 4056 wrote to memory of 656	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	AQHJNjI.exe
PID 4056 wrote to memory of 656	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	AQHJNjI.exe
PID 4056 wrote to memory of 3436	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	sBMQtcZ.exe
PID 4056 wrote to memory of 3436	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	sBMQtcZ.exe
PID 4056 wrote to memory of 1136	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	MfewGKo.exe
PID 4056 wrote to memory of 1136	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	MfewGKo.exe
PID 4056 wrote to memory of 432	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	yMBjtUl.exe
PID 4056 wrote to memory of 432	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	yMBjtUl.exe
PID 4056 wrote to memory of 5048	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	vPYVTuH.exe
PID 4056 wrote to memory of 5048	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	vPYVTuH.exe
PID 4056 wrote to memory of 3400	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	qAiidTl.exe
PID 4056 wrote to memory of 3400	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	qAiidTl.exe
PID 4056 wrote to memory of 2936	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	ylpHNBe.exe
PID 4056 wrote to memory of 2936	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	ylpHNBe.exe
PID 4056 wrote to memory of 4496	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	thyFzYj.exe
PID 4056 wrote to memory of 4496	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	thyFzYj.exe
PID 4056 wrote to memory of 640	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	mBdpTIJ.exe
PID 4056 wrote to memory of 640	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	mBdpTIJ.exe
PID 4056 wrote to memory of 3988	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	hUfZsFj.exe
PID 4056 wrote to memory of 3988	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	hUfZsFj.exe
PID 4056 wrote to memory of 2168	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	VTNyalh.exe
PID 4056 wrote to memory of 2168	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	VTNyalh.exe
PID 4056 wrote to memory of 1416	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	nUJqVEE.exe
PID 4056 wrote to memory of 1416	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	nUJqVEE.exe
PID 4056 wrote to memory of 1256	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	ogTQsvj.exe
PID 4056 wrote to memory of 1256	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	ogTQsvj.exe
PID 4056 wrote to memory of 2288	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	jzYmbnd.exe
PID 4056 wrote to memory of 2288	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	jzYmbnd.exe
PID 4056 wrote to memory of 208	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	HKhzDpo.exe
PID 4056 wrote to memory of 208	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	HKhzDpo.exe
PID 4056 wrote to memory of 3464	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	trYiPPs.exe
PID 4056 wrote to memory of 3464	4056	2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe	trYiPPs.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_e002344a389d8ecdb9b8d2d8793202d7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\System\cRKvRXj.exe
C:\Windows\System\cRKvRXj.exe
2⤵
- Executes dropped EXE
PID:216

C:\Windows\System\AaxlnpQ.exe
C:\Windows\System\AaxlnpQ.exe
2⤵
- Executes dropped EXE
PID:4272

C:\Windows\System\OThCdDh.exe
C:\Windows\System\OThCdDh.exe
2⤵
- Executes dropped EXE
PID:772

C:\Windows\System\DUEdZLp.exe
C:\Windows\System\DUEdZLp.exe
2⤵
- Executes dropped EXE
PID:3368

C:\Windows\System\WAhNSjE.exe
C:\Windows\System\WAhNSjE.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\AQHJNjI.exe
C:\Windows\System\AQHJNjI.exe
2⤵
- Executes dropped EXE
PID:656

C:\Windows\System\sBMQtcZ.exe
C:\Windows\System\sBMQtcZ.exe
2⤵
- Executes dropped EXE
PID:3436

C:\Windows\System\MfewGKo.exe
C:\Windows\System\MfewGKo.exe
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\System\yMBjtUl.exe
C:\Windows\System\yMBjtUl.exe
2⤵
- Executes dropped EXE
PID:432

C:\Windows\System\vPYVTuH.exe
C:\Windows\System\vPYVTuH.exe
2⤵
- Executes dropped EXE
PID:5048

C:\Windows\System\qAiidTl.exe
C:\Windows\System\qAiidTl.exe
2⤵
- Executes dropped EXE
PID:3400

C:\Windows\System\ylpHNBe.exe
C:\Windows\System\ylpHNBe.exe
2⤵
- Executes dropped EXE
PID:2936

C:\Windows\System\thyFzYj.exe
C:\Windows\System\thyFzYj.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\mBdpTIJ.exe
C:\Windows\System\mBdpTIJ.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\hUfZsFj.exe
C:\Windows\System\hUfZsFj.exe
2⤵
- Executes dropped EXE
PID:3988

C:\Windows\System\VTNyalh.exe
C:\Windows\System\VTNyalh.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\nUJqVEE.exe
C:\Windows\System\nUJqVEE.exe
2⤵
- Executes dropped EXE
PID:1416

C:\Windows\System\ogTQsvj.exe
C:\Windows\System\ogTQsvj.exe
2⤵
- Executes dropped EXE
PID:1256

C:\Windows\System\jzYmbnd.exe
C:\Windows\System\jzYmbnd.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\System\HKhzDpo.exe
C:\Windows\System\HKhzDpo.exe
2⤵
- Executes dropped EXE
PID:208

C:\Windows\System\trYiPPs.exe
C:\Windows\System\trYiPPs.exe
2⤵
- Executes dropped EXE
PID:3464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AQHJNjI.exe
Filesize
5.9MB

MD5
97c70550a0e3d9322c6053b18f6f559f

SHA1
ff096d9e02d90a3c668bffa8bf34eb1c697218b6

SHA256
3bcf5b2fc84e955f6a87aaf581cb7893756e8a506ad297113db05bb3c96ecc26

SHA512
363daa840b7448b7bc75dc0da02da3380678591a9a03ec25177a5964de9056761772961b5c55ed9ae31871488e1f1023b5cba8d0c60cff09e2d734d945592ec1

Download Submit
C:\Windows\System\AaxlnpQ.exe
Filesize
5.9MB

MD5
b60ad4eb0cd4404c752bc02e68695f7e

SHA1
142c739370161259c57d849c47f5051cbd6aeb43

SHA256
f6d34ba6b2295a9c7f98f28f64011bdc5a401157cf07f21dbd342a89c2efe099

SHA512
2139d0bd73d55138bac888877c7d0b71ce31eee350682adf4c8b4dae3ed54efbb8d58e0c24e9c0865198526ebb07c71ac4537560d7fc0de504ba3774175f6b97

Download Submit
C:\Windows\System\DUEdZLp.exe
Filesize
5.9MB

MD5
259d4883a32687d576ef5e539857aa72

SHA1
92bb3c922b24276985bf492b04501ba715b5f7d7

SHA256
13b46ca3ab604c84a652081358c09438810b35d5a940930ab0b55f1ee8f0556e

SHA512
8fb716d3a5fdca62d1a6e45e8a816495ee0463fdd8f769a508a78e46d5977183587be9c13e83d71c0a1fedf2ed2ae8a03e03279618b67d68d4eb12db4815e25e

Download Submit
C:\Windows\System\HKhzDpo.exe
Filesize
5.9MB

MD5
615c44ea87dd0b3f03fd7be9b5709690

SHA1
99a997cebce4522e2e143289dcd9912cee4e3585

SHA256
eac7385655b8c823cb44e05244bd3c76d37212015a9f24d8c695d31d81006af8

SHA512
ea79ab0c0ad6157727170affac6570c75f4fdf1b3255e72e8694b8f2efc0bcc090f150a659e6d860e72bc5c4a0517c877df3664f3b9a89172d66262f90f4e2e5

Download Submit
C:\Windows\System\MfewGKo.exe
Filesize
5.9MB

MD5
94f1927e2fd49c35faeac0ab1a26c8c4

SHA1
cccfbdaff99603f9905f55d58de2dd6e8293c334

SHA256
f617ed6e8bdb59b31a79c5cda0f7a13c27ef93e795ceefe0672c48a6b92e8257

SHA512
3ba00a6648218607aa939b85393657d3804df261093c40f3ad11568db20109d392e31c2cf82f0c00d5ab0195adb538124078455ba0648331a0a365644d8db55a

Download Submit
C:\Windows\System\OThCdDh.exe
Filesize
5.9MB

MD5
fa5782795918e133657e902c2e12e0c8

SHA1
72fe9ceea7a0e08dbe37bb2219f6b6e2736cf033

SHA256
5f2632102ff9402984416b28b4e2c7b20a356aa6e30ba10253fe3b4b7cd51356

SHA512
a90ffe9bb8861964cf3e10440585d50cc926b064794d022dcc5dc881f3c134bf7972e4eb6569fd6c0717d8d0bec0628a7f70f5fda9d66c4b783d2394f55eca25

Download Submit
C:\Windows\System\VTNyalh.exe
Filesize
5.9MB

MD5
0899ab321b53711ac7c9981c26dfaed6

SHA1
99babd2c2340de82298d970e01ede2f32b0785b5

SHA256
96aa33f5a8f3c554d9413a9f6fe6c4137292b2cfe1e329babb1d27dffe77e874

SHA512
a0a1a1403bcdb26fe55848aa1410186ccfd63497046476849bb7ce8ef3da62f97917cbde195710cfd7d69b471d009b24ed386a562effd605de8287a785030f1d

Download Submit
C:\Windows\System\WAhNSjE.exe
Filesize
5.9MB

MD5
c64b2f8ecf1de0cee09658736450f57c

SHA1
0f44273b2f86ac7ff3e9e5263ab8cbceb169d8b1

SHA256
0bfc266ef9bd7bf054dbe656af33b758ea6ed65548e8369f649518c839b4a5a3

SHA512
0b34babbaa9ddde0ba220dd3c8fc39bd63a5a0fa6a0ae859b0c2e3692c6a9eee320d7d041d73743b9edb635f86d0b62061f5092217c85d9c6ebb58cad7a9ceed

Download Submit
C:\Windows\System\cRKvRXj.exe
Filesize
5.9MB

MD5
47c6fe5f9aa33aa471d007948fe27a6d

SHA1
8090ed93b7e67356cc175aca005f4982efb6b375

SHA256
e3d8d609e678b4c87efdeefa3f58c9a8c40017bf8c2f50b88eb581d69dd469ae

SHA512
c71769fc58d549f14bdff299170b85311098e40632c99d6a52413f660ad49c6065fc4b19cfda713076c04f537f541e90850e699cf97a5bfcf97a8b8ec06d33c6

Download Submit
C:\Windows\System\hUfZsFj.exe
Filesize
5.9MB

MD5
c44a67a87f6b97f8444d2c1297f54584

SHA1
658e9a6a76932b7a722c1105e43e8d2096cf7237

SHA256
b02bb7a9c5da732903430f02b57cac708ba7dff210eb0217ed45b6e04ec4dabe

SHA512
b773a3be6b660d01abef59f6c805849e1af92a26b0e8fefd66cf62dbb4c63326f503f62004c5a6bedb8e483f1771a7cecc04fb3b1786cfd2204499c0aec24c1c

Download Submit
C:\Windows\System\jzYmbnd.exe
Filesize
5.9MB

MD5
0b59297b9f8d727de96467e0ab22879c

SHA1
bc90f6524a5c931cd9f3d47c2663bda1cff201f3

SHA256
57bbc346b91db0637b221518a74652cf02e11e6ef785a73f3bef50d9c10a9273

SHA512
cb027f1c11c3aa6f40c86619d939a68ce4e58bac40ba063d568787ae5d989f21a74e7d8e3beabeb00e44734d9afec57fd072baddf62c61d1dc2fe4af06aac440

Download Submit
C:\Windows\System\mBdpTIJ.exe
Filesize
5.9MB

MD5
b86876e5775d385d617b4e1bc43c1949

SHA1
2fd45f2844b7f3ec8acccd37f58437401d804c6e

SHA256
7e25354eaf997a0c35a9b43a393bae7709216b34673759f7e36500fcf6a6b81f

SHA512
c9a253eeaaa75119f261be1d10374fb7e579631c113abb8d93cf03fd468ab8acc4e402f1e2f3d55689b4ffe3c70f4ca3fec83d1b15b438eb7aee403fcc74bff0

Download Submit
C:\Windows\System\nUJqVEE.exe
Filesize
5.9MB

MD5
9ce2d980a6138b9cc20554ea922dfbe6

SHA1
e54e1a94d2546a1de19432f62faf7a1a6ad1c7fe

SHA256
fb305775647e24a3c27575f906bbd44173ab9a2a24d6fa833cdaf543d418fb3a

SHA512
0efe38a74185e18b1afe79d0e43228ab04ea175e3dcebe0431f7e77f265250c9627d78e565ff8df7fac563a7be85b73b1c46d51f8fe30102a53ad0819d228c45

Download Submit
C:\Windows\System\ogTQsvj.exe
Filesize
5.9MB

MD5
156c5f25d7f4ef1c20ccf15bcddd9603

SHA1
fe3d385d810afd948a64a15fa4f22b6d2dcebda1

SHA256
13b90f1a8dcdc5e7c2d94828130cb266ff3cf2d0897f4fd24b3bc29b36254832

SHA512
04f96628290d2a6d231ebb70be44333865c3eb0c242a98190e560aeb86bbb13b5c6735e2df431aa90b63f92e7efb749d259959144d696d099f42ead5b5a4a1f3

Download Submit
C:\Windows\System\qAiidTl.exe
Filesize
5.9MB

MD5
118c8c504bc36a71e52811a4f355511b

SHA1
dc0a8484c9586fd7559b4a28864420b5e00d3abd

SHA256
fc5c713c5ac2b364e38c6635e9c4a5ef6764e7804ce051c13dbdc4c6cd43b9ac

SHA512
69056b5799a97da0cf6ed43388080d890a7464ef010f61e4f354c9044358f6bace4737683ff959bae79999805ac560f44ec58cc40a38bacaf24e26122f0fe01e

Download Submit
C:\Windows\System\sBMQtcZ.exe
Filesize
5.9MB

MD5
32e06ead863ffcbedd9e7d2497fe0a39

SHA1
ea01712e548bd927038ed4f5587d41bfa57cc8b0

SHA256
af112746753a0844eb3763c7cb55e8548291d13143738c2d176755396be15b72

SHA512
627612e274d708a63faca477fc5c97b7406748bb19329a3760ced178c38faddb0482c31a9efaaa6a5dd0054400bb13f502885afd8c30bd7fa5e21f719d6f9256

Download Submit
C:\Windows\System\thyFzYj.exe
Filesize
5.9MB

MD5
ea349737ded8ebf864d91d027cb49d8a

SHA1
276a7365121c48d474d36dc37a2940116185160b

SHA256
02ed91c4236290fea5cd67d53f4493534f4145ca5dfc8d2f2b27ea1614f7ba5e

SHA512
a2b686f1b9461c952544a51348c3e4cdb130103a7da744c94102ca3bf5140cfa1969613f7cd784990914c1b8be30a724240e38096e0458a9af80f967ff866c9e

Download Submit
C:\Windows\System\trYiPPs.exe
Filesize
5.9MB

MD5
025a852d983fade36d7363bc8276be8a

SHA1
5a6eae8169f9dde9a87f832b6703e384e841d92c

SHA256
c6647e2b143281cbe557db3452705924cf6b362734d89be8eaa6cb254f850673

SHA512
bedb98bb8c5e30a63c5d4174151e240ce7b341bf229e6bb6b745b0dc730e24dd98cc6da8746e141ca869492cddf61d5696aa967cc72b6ffb7c097128b89b3031

Download Submit
C:\Windows\System\vPYVTuH.exe
Filesize
5.9MB

MD5
a733823c2c52e94434405213b45667da

SHA1
edcf0c6313b31dd1e596dd51a3e44e8c01e0fe9b

SHA256
5ac5e4434fc71092a3cf4e58216af874eb8a77508de66a4577bf39ebaacf224c

SHA512
c4569d80e8ba01af2219d68ded884c8593c1160775446f220f2bd6aae58afa681271870f6fd7abd1a13ed5a49d9ff9089c5f8cb28c419f275b7f6292f52267da

Download Submit
C:\Windows\System\yMBjtUl.exe
Filesize
5.9MB

MD5
0eeeba704d617656f71e2895cd2f01a3

SHA1
cad2bfb6d4235934ead84c0c51115fc42103652c

SHA256
60c62f8410427b258873a8155f471c2add99e216991ac4449eccf0907d575364

SHA512
0951bb633219c935c2f0de7f1a2fa709f8a1d3f372fea7bfef3f4ec718a70d5ae7ccd34af5df7b274574735a930c00806f6b68e6c194f8d7f6c8c5e69075746a

Download Submit
C:\Windows\System\ylpHNBe.exe
Filesize
5.9MB

MD5
88aef3a4d2cc0c6890550436dbaff7be

SHA1
97cebee61b792c7e1e83155237abea7f90aa39e8

SHA256
a6218cb746379f8e12a82aaf9f1cc08e573ab4a154a057dcf7e4ee2e6a5d3097

SHA512
b60ec9ccb7cca1c1bd923a14c7ada2cf2a22727dde0998f062f09568763ab470e7c007539ea6df1a893862b7a5ee6e36e62cf0cb23a8ca4e7efc265c082b4622

Download Submit
memory/208-128-0x00007FF6F4C30000-0x00007FF6F4F84000-memory.dmp

Filesize
3.3MB

Download
memory/208-157-0x00007FF6F4C30000-0x00007FF6F4F84000-memory.dmp

Filesize
3.3MB

Download
memory/216-85-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp

Filesize
3.3MB

Download
memory/216-138-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp

Filesize
3.3MB

Download
memory/216-8-0x00007FF6FBE80000-0x00007FF6FC1D4000-memory.dmp

Filesize
3.3MB

Download
memory/432-133-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp

Filesize
3.3MB

Download
memory/432-147-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp

Filesize
3.3MB

Download
memory/432-60-0x00007FF77CB80000-0x00007FF77CED4000-memory.dmp

Filesize
3.3MB

Download
memory/640-91-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp

Filesize
3.3MB

Download
memory/640-151-0x00007FF6F0970000-0x00007FF6F0CC4000-memory.dmp

Filesize
3.3MB

Download
memory/656-144-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp

Filesize
3.3MB

Download
memory/656-45-0x00007FF7CFB30000-0x00007FF7CFE84000-memory.dmp

Filesize
3.3MB

Download
memory/772-97-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp

Filesize
3.3MB

Download
memory/772-19-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp

Filesize
3.3MB

Download
memory/772-141-0x00007FF71E8B0000-0x00007FF71EC04000-memory.dmp

Filesize
3.3MB

Download
memory/1136-131-0x00007FF7860F0000-0x00007FF786444000-memory.dmp

Filesize
3.3MB

Download
memory/1136-145-0x00007FF7860F0000-0x00007FF786444000-memory.dmp

Filesize
3.3MB

Download
memory/1136-59-0x00007FF7860F0000-0x00007FF786444000-memory.dmp

Filesize
3.3MB

Download
memory/1256-137-0x00007FF6651B0000-0x00007FF665504000-memory.dmp

Filesize
3.3MB

Download
memory/1256-155-0x00007FF6651B0000-0x00007FF665504000-memory.dmp

Filesize
3.3MB

Download
memory/1256-127-0x00007FF6651B0000-0x00007FF665504000-memory.dmp

Filesize
3.3MB

Download
memory/1416-115-0x00007FF6251B0000-0x00007FF625504000-memory.dmp

Filesize
3.3MB

Download
memory/1416-154-0x00007FF6251B0000-0x00007FF625504000-memory.dmp

Filesize
3.3MB

Download
memory/1756-143-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp

Filesize
3.3MB

Download
memory/1756-34-0x00007FF71A830000-0x00007FF71AB84000-memory.dmp

Filesize
3.3MB

Download
memory/2168-152-0x00007FF759790000-0x00007FF759AE4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-103-0x00007FF759790000-0x00007FF759AE4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-136-0x00007FF759790000-0x00007FF759AE4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-156-0x00007FF65B750000-0x00007FF65BAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2288-129-0x00007FF65B750000-0x00007FF65BAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2936-149-0x00007FF6B8510000-0x00007FF6B8864000-memory.dmp

Filesize
3.3MB

Download
memory/2936-79-0x00007FF6B8510000-0x00007FF6B8864000-memory.dmp

Filesize
3.3MB

Download
memory/3368-140-0x00007FF681EE0000-0x00007FF682234000-memory.dmp

Filesize
3.3MB

Download
memory/3368-27-0x00007FF681EE0000-0x00007FF682234000-memory.dmp

Filesize
3.3MB

Download
memory/3400-132-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp

Filesize
3.3MB

Download
memory/3400-61-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp

Filesize
3.3MB

Download
memory/3400-148-0x00007FF6B06E0000-0x00007FF6B0A34000-memory.dmp

Filesize
3.3MB

Download
memory/3436-142-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp

Filesize
3.3MB

Download
memory/3436-48-0x00007FF76A0B0000-0x00007FF76A404000-memory.dmp

Filesize
3.3MB

Download
memory/3464-158-0x00007FF7CCC20000-0x00007FF7CCF74000-memory.dmp

Filesize
3.3MB

Download
memory/3464-130-0x00007FF7CCC20000-0x00007FF7CCF74000-memory.dmp

Filesize
3.3MB

Download
memory/3988-135-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-153-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-96-0x00007FF7C64A0000-0x00007FF7C67F4000-memory.dmp

Filesize
3.3MB

Download
memory/4056-80-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp

Filesize
3.3MB

Download
memory/4056-0-0x00007FF7DCBE0000-0x00007FF7DCF34000-memory.dmp

Filesize
3.3MB

Download
memory/4056-1-0x00000244D4CC0000-0x00000244D4CD0000-memory.dmp

Filesize
64KB

Download
memory/4272-139-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-18-0x00007FF6EA690000-0x00007FF6EA9E4000-memory.dmp

Filesize
3.3MB

Download
memory/4496-150-0x00007FF617E00000-0x00007FF618154000-memory.dmp

Filesize
3.3MB

Download
memory/4496-84-0x00007FF617E00000-0x00007FF618154000-memory.dmp

Filesize
3.3MB

Download
memory/5048-146-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-134-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/5048-62-0x00007FF72F170000-0x00007FF72F4C4000-memory.dmp

Filesize
3.3MB

Download