cobaltstrike | 46db20bf6710d9377378815384347b99f0d2327e4ea9306289aff17deccef1aa

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

34c58f7611fe77771485847b601c483a
SHA1

cef1da00e38149d89052db5c6d572426e5a3df22
SHA256

46db20bf6710d9377378815384347b99f0d2327e4ea9306289aff17deccef1aa
SHA512

25ad5ccdb378dba45cd7b9295f8562292b3725d268e34ca8befc1475fd3ecd725b488f107df6f23a93649950ebab51ca249e2e247e75cd8606bdbd8d2ae01432
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUQ:Q+856utgpPF8u/7Q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\rBwVoOA.exe	cobalt_reflective_dll
C:\Windows\System\lVHkoIu.exe	cobalt_reflective_dll
C:\Windows\System\FzldCOB.exe	cobalt_reflective_dll
C:\Windows\System\GPtoOJG.exe	cobalt_reflective_dll
C:\Windows\System\ujozQfa.exe	cobalt_reflective_dll
C:\Windows\System\ZOEFqps.exe	cobalt_reflective_dll
C:\Windows\System\QYyOmxx.exe	cobalt_reflective_dll
C:\Windows\System\OGvdNjm.exe	cobalt_reflective_dll
C:\Windows\System\kmfZiqB.exe	cobalt_reflective_dll
C:\Windows\System\UqoHogv.exe	cobalt_reflective_dll
C:\Windows\System\HlBlfFj.exe	cobalt_reflective_dll
C:\Windows\System\rKhbUNx.exe	cobalt_reflective_dll
C:\Windows\System\KsdnTyY.exe	cobalt_reflective_dll
C:\Windows\System\PbJSbDf.exe	cobalt_reflective_dll
C:\Windows\System\mpAOBNW.exe	cobalt_reflective_dll
C:\Windows\System\YUryLVZ.exe	cobalt_reflective_dll
C:\Windows\System\DwNkIWW.exe	cobalt_reflective_dll
C:\Windows\System\mQVxQJx.exe	cobalt_reflective_dll
C:\Windows\System\eyNioRW.exe	cobalt_reflective_dll
C:\Windows\System\yDDtrfW.exe	cobalt_reflective_dll
C:\Windows\System\gdhkthX.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\rBwVoOA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lVHkoIu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FzldCOB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GPtoOJG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ujozQfa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZOEFqps.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QYyOmxx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OGvdNjm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kmfZiqB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UqoHogv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HlBlfFj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rKhbUNx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KsdnTyY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PbJSbDf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mpAOBNW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YUryLVZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DwNkIWW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mQVxQJx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eyNioRW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yDDtrfW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gdhkthX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	UPX
C:\Windows\System\rBwVoOA.exe	UPX
behavioral2/memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	UPX
C:\Windows\System\lVHkoIu.exe	UPX
C:\Windows\System\FzldCOB.exe	UPX
behavioral2/memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	UPX
C:\Windows\System\GPtoOJG.exe	UPX
behavioral2/memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	UPX
C:\Windows\System\ujozQfa.exe	UPX
behavioral2/memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	UPX
behavioral2/memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp	UPX
behavioral2/memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	UPX
C:\Windows\System\ZOEFqps.exe	UPX
C:\Windows\System\QYyOmxx.exe	UPX
behavioral2/memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	UPX
C:\Windows\System\OGvdNjm.exe	UPX
behavioral2/memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	UPX
C:\Windows\System\kmfZiqB.exe	UPX
behavioral2/memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	UPX
C:\Windows\System\UqoHogv.exe	UPX
behavioral2/memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp	UPX
C:\Windows\System\HlBlfFj.exe	UPX
behavioral2/memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp	UPX
C:\Windows\System\rKhbUNx.exe	UPX
C:\Windows\System\KsdnTyY.exe	UPX
C:\Windows\System\PbJSbDf.exe	UPX
behavioral2/memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp	UPX
behavioral2/memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	UPX
behavioral2/memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	UPX
behavioral2/memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	UPX
behavioral2/memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	UPX
behavioral2/memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	UPX
C:\Windows\System\mpAOBNW.exe	UPX
behavioral2/memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	UPX
C:\Windows\System\YUryLVZ.exe	UPX
C:\Windows\System\DwNkIWW.exe	UPX
C:\Windows\System\mQVxQJx.exe	UPX
C:\Windows\System\eyNioRW.exe	UPX
behavioral2/memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	UPX
behavioral2/memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	UPX
behavioral2/memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	UPX
behavioral2/memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	UPX
C:\Windows\System\yDDtrfW.exe	UPX
behavioral2/memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	UPX
behavioral2/memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	UPX
C:\Windows\System\gdhkthX.exe	UPX
behavioral2/memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp	UPX
behavioral2/memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	UPX
behavioral2/memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp	UPX
behavioral2/memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp	UPX
behavioral2/memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	UPX
behavioral2/memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	UPX
behavioral2/memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	UPX
behavioral2/memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	UPX
behavioral2/memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	UPX
behavioral2/memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	UPX
behavioral2/memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	UPX
behavioral2/memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	UPX
behavioral2/memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	UPX
behavioral2/memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	UPX
behavioral2/memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	UPX
behavioral2/memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp	UPX
behavioral2/memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	UPX
behavioral2/memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	xmrig
C:\Windows\System\rBwVoOA.exe	xmrig
behavioral2/memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	xmrig
C:\Windows\System\lVHkoIu.exe	xmrig
C:\Windows\System\FzldCOB.exe	xmrig
behavioral2/memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	xmrig
C:\Windows\System\GPtoOJG.exe	xmrig
behavioral2/memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	xmrig
C:\Windows\System\ujozQfa.exe	xmrig
behavioral2/memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	xmrig
behavioral2/memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp	xmrig
behavioral2/memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	xmrig
C:\Windows\System\ZOEFqps.exe	xmrig
C:\Windows\System\QYyOmxx.exe	xmrig
behavioral2/memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	xmrig
C:\Windows\System\OGvdNjm.exe	xmrig
behavioral2/memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	xmrig
C:\Windows\System\kmfZiqB.exe	xmrig
behavioral2/memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	xmrig
C:\Windows\System\UqoHogv.exe	xmrig
behavioral2/memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp	xmrig
C:\Windows\System\HlBlfFj.exe	xmrig
behavioral2/memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp	xmrig
C:\Windows\System\rKhbUNx.exe	xmrig
C:\Windows\System\KsdnTyY.exe	xmrig
C:\Windows\System\PbJSbDf.exe	xmrig
behavioral2/memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp	xmrig
behavioral2/memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	xmrig
behavioral2/memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	xmrig
behavioral2/memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	xmrig
behavioral2/memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	xmrig
behavioral2/memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	xmrig
C:\Windows\System\mpAOBNW.exe	xmrig
behavioral2/memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	xmrig
C:\Windows\System\YUryLVZ.exe	xmrig
C:\Windows\System\DwNkIWW.exe	xmrig
C:\Windows\System\mQVxQJx.exe	xmrig
C:\Windows\System\eyNioRW.exe	xmrig
behavioral2/memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	xmrig
behavioral2/memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	xmrig
behavioral2/memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	xmrig
behavioral2/memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	xmrig
C:\Windows\System\yDDtrfW.exe	xmrig
behavioral2/memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	xmrig
behavioral2/memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	xmrig
C:\Windows\System\gdhkthX.exe	xmrig
behavioral2/memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp	xmrig
behavioral2/memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	xmrig
behavioral2/memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp	xmrig
behavioral2/memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp	xmrig
behavioral2/memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	xmrig
behavioral2/memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	xmrig
behavioral2/memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	xmrig
behavioral2/memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	xmrig
behavioral2/memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	xmrig
behavioral2/memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	xmrig
behavioral2/memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	xmrig
behavioral2/memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	xmrig
behavioral2/memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	xmrig
behavioral2/memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	xmrig
behavioral2/memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	xmrig
behavioral2/memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp	xmrig
behavioral2/memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	xmrig
behavioral2/memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

rBwVoOA.exelVHkoIu.exeFzldCOB.exeGPtoOJG.exeujozQfa.exeOGvdNjm.exeQYyOmxx.exeZOEFqps.exekmfZiqB.exeUqoHogv.exeHlBlfFj.exerKhbUNx.exeKsdnTyY.exePbJSbDf.exempAOBNW.exeYUryLVZ.exeDwNkIWW.exemQVxQJx.exeeyNioRW.exeyDDtrfW.exegdhkthX.exe

pid	process
3796	rBwVoOA.exe
3840	lVHkoIu.exe
3808	FzldCOB.exe
1584	GPtoOJG.exe
4784	ujozQfa.exe
3016	OGvdNjm.exe
4996	QYyOmxx.exe
3800	ZOEFqps.exe
780	kmfZiqB.exe
4216	UqoHogv.exe
4892	HlBlfFj.exe
1788	rKhbUNx.exe
1996	KsdnTyY.exe
2316	PbJSbDf.exe
4520	mpAOBNW.exe
724	YUryLVZ.exe
1944	DwNkIWW.exe
1080	mQVxQJx.exe
1564	eyNioRW.exe
3220	yDDtrfW.exe
4120	gdhkthX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	upx
C:\Windows\System\rBwVoOA.exe	upx
behavioral2/memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	upx
C:\Windows\System\lVHkoIu.exe	upx
C:\Windows\System\FzldCOB.exe	upx
behavioral2/memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	upx
C:\Windows\System\GPtoOJG.exe	upx
behavioral2/memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	upx
C:\Windows\System\ujozQfa.exe	upx
behavioral2/memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	upx
behavioral2/memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp	upx
behavioral2/memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	upx
C:\Windows\System\ZOEFqps.exe	upx
C:\Windows\System\QYyOmxx.exe	upx
behavioral2/memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	upx
C:\Windows\System\OGvdNjm.exe	upx
behavioral2/memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	upx
C:\Windows\System\kmfZiqB.exe	upx
behavioral2/memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	upx
C:\Windows\System\UqoHogv.exe	upx
behavioral2/memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp	upx
C:\Windows\System\HlBlfFj.exe	upx
behavioral2/memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp	upx
C:\Windows\System\rKhbUNx.exe	upx
C:\Windows\System\KsdnTyY.exe	upx
C:\Windows\System\PbJSbDf.exe	upx
behavioral2/memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp	upx
behavioral2/memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	upx
behavioral2/memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	upx
behavioral2/memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	upx
behavioral2/memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	upx
behavioral2/memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp	upx
C:\Windows\System\mpAOBNW.exe	upx
behavioral2/memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	upx
C:\Windows\System\YUryLVZ.exe	upx
C:\Windows\System\DwNkIWW.exe	upx
C:\Windows\System\mQVxQJx.exe	upx
C:\Windows\System\eyNioRW.exe	upx
behavioral2/memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	upx
behavioral2/memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	upx
behavioral2/memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	upx
behavioral2/memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	upx
C:\Windows\System\yDDtrfW.exe	upx
behavioral2/memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	upx
behavioral2/memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	upx
C:\Windows\System\gdhkthX.exe	upx
behavioral2/memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp	upx
behavioral2/memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp	upx
behavioral2/memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp	upx
behavioral2/memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp	upx
behavioral2/memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp	upx
behavioral2/memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp	upx
behavioral2/memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp	upx
behavioral2/memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp	upx
behavioral2/memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp	upx
behavioral2/memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp	upx
behavioral2/memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp	upx
behavioral2/memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp	upx
behavioral2/memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp	upx
behavioral2/memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp	upx
behavioral2/memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp	upx
behavioral2/memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp	upx
behavioral2/memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp	upx
behavioral2/memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\DwNkIWW.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gdhkthX.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBwVoOA.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FzldCOB.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ujozQfa.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYyOmxx.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZOEFqps.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KsdnTyY.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVHkoIu.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GPtoOJG.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OGvdNjm.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mQVxQJx.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqoHogv.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKhbUNx.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mpAOBNW.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YUryLVZ.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyNioRW.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmfZiqB.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlBlfFj.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PbJSbDf.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yDDtrfW.exe	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2232 wrote to memory of 3796	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	rBwVoOA.exe
PID 2232 wrote to memory of 3796	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	rBwVoOA.exe
PID 2232 wrote to memory of 3840	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	lVHkoIu.exe
PID 2232 wrote to memory of 3840	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	lVHkoIu.exe
PID 2232 wrote to memory of 3808	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	FzldCOB.exe
PID 2232 wrote to memory of 3808	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	FzldCOB.exe
PID 2232 wrote to memory of 1584	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	GPtoOJG.exe
PID 2232 wrote to memory of 1584	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	GPtoOJG.exe
PID 2232 wrote to memory of 4784	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	ujozQfa.exe
PID 2232 wrote to memory of 4784	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	ujozQfa.exe
PID 2232 wrote to memory of 3016	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	OGvdNjm.exe
PID 2232 wrote to memory of 3016	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	OGvdNjm.exe
PID 2232 wrote to memory of 4996	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	QYyOmxx.exe
PID 2232 wrote to memory of 4996	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	QYyOmxx.exe
PID 2232 wrote to memory of 3800	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	ZOEFqps.exe
PID 2232 wrote to memory of 3800	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	ZOEFqps.exe
PID 2232 wrote to memory of 780	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	kmfZiqB.exe
PID 2232 wrote to memory of 780	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	kmfZiqB.exe
PID 2232 wrote to memory of 4216	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	UqoHogv.exe
PID 2232 wrote to memory of 4216	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	UqoHogv.exe
PID 2232 wrote to memory of 4892	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	HlBlfFj.exe
PID 2232 wrote to memory of 4892	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	HlBlfFj.exe
PID 2232 wrote to memory of 1788	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	rKhbUNx.exe
PID 2232 wrote to memory of 1788	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	rKhbUNx.exe
PID 2232 wrote to memory of 1996	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	KsdnTyY.exe
PID 2232 wrote to memory of 1996	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	KsdnTyY.exe
PID 2232 wrote to memory of 2316	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	PbJSbDf.exe
PID 2232 wrote to memory of 2316	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	PbJSbDf.exe
PID 2232 wrote to memory of 4520	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	mpAOBNW.exe
PID 2232 wrote to memory of 4520	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	mpAOBNW.exe
PID 2232 wrote to memory of 724	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	YUryLVZ.exe
PID 2232 wrote to memory of 724	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	YUryLVZ.exe
PID 2232 wrote to memory of 1944	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	DwNkIWW.exe
PID 2232 wrote to memory of 1944	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	DwNkIWW.exe
PID 2232 wrote to memory of 1080	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	mQVxQJx.exe
PID 2232 wrote to memory of 1080	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	mQVxQJx.exe
PID 2232 wrote to memory of 1564	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	eyNioRW.exe
PID 2232 wrote to memory of 1564	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	eyNioRW.exe
PID 2232 wrote to memory of 3220	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	yDDtrfW.exe
PID 2232 wrote to memory of 3220	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	yDDtrfW.exe
PID 2232 wrote to memory of 4120	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	gdhkthX.exe
PID 2232 wrote to memory of 4120	2232	2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe	gdhkthX.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\System\rBwVoOA.exe
C:\Windows\System\rBwVoOA.exe
2⤵
- Executes dropped EXE
PID:3796

C:\Windows\System\lVHkoIu.exe
C:\Windows\System\lVHkoIu.exe
2⤵
- Executes dropped EXE
PID:3840

C:\Windows\System\FzldCOB.exe
C:\Windows\System\FzldCOB.exe
2⤵
- Executes dropped EXE
PID:3808

C:\Windows\System\GPtoOJG.exe
C:\Windows\System\GPtoOJG.exe
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\System\ujozQfa.exe
C:\Windows\System\ujozQfa.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\OGvdNjm.exe
C:\Windows\System\OGvdNjm.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\QYyOmxx.exe
C:\Windows\System\QYyOmxx.exe
2⤵
- Executes dropped EXE
PID:4996

C:\Windows\System\ZOEFqps.exe
C:\Windows\System\ZOEFqps.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Windows\System\kmfZiqB.exe
C:\Windows\System\kmfZiqB.exe
2⤵
- Executes dropped EXE
PID:780

C:\Windows\System\UqoHogv.exe
C:\Windows\System\UqoHogv.exe
2⤵
- Executes dropped EXE
PID:4216

C:\Windows\System\HlBlfFj.exe
C:\Windows\System\HlBlfFj.exe
2⤵
- Executes dropped EXE
PID:4892

C:\Windows\System\rKhbUNx.exe
C:\Windows\System\rKhbUNx.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\KsdnTyY.exe
C:\Windows\System\KsdnTyY.exe
2⤵
- Executes dropped EXE
PID:1996

C:\Windows\System\PbJSbDf.exe
C:\Windows\System\PbJSbDf.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\mpAOBNW.exe
C:\Windows\System\mpAOBNW.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\YUryLVZ.exe
C:\Windows\System\YUryLVZ.exe
2⤵
- Executes dropped EXE
PID:724

C:\Windows\System\DwNkIWW.exe
C:\Windows\System\DwNkIWW.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\mQVxQJx.exe
C:\Windows\System\mQVxQJx.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\eyNioRW.exe
C:\Windows\System\eyNioRW.exe
2⤵
- Executes dropped EXE
PID:1564

C:\Windows\System\yDDtrfW.exe
C:\Windows\System\yDDtrfW.exe
2⤵
- Executes dropped EXE
PID:3220

C:\Windows\System\gdhkthX.exe
C:\Windows\System\gdhkthX.exe
2⤵
- Executes dropped EXE
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3884,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
1⤵
PID:3760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DwNkIWW.exe
Filesize
5.9MB

MD5
08993f2ab8dc700537c7f67b9466d05a

SHA1
dabda4ec4946b1e36d07100610aeca3d0cfbb6bd

SHA256
71252077d596bdb453ea304dfffeaadc55e3c83ef5f13b52ab10e702eebb25ac

SHA512
8d511f43c8dd3a5f5b15fa3ed192a128043677293778e9ddec3d038d29b4fd9f7200e49b3eb627ce3fab56ab576bafa773e6358721df4ccdf4c4bc95275979be

Download Submit
C:\Windows\System\FzldCOB.exe
Filesize
5.9MB

MD5
4838cd7afe2aab943ff3a0dbdf33a8af

SHA1
11e3fbe6024be203b02ea60f0787b190914ef40e

SHA256
ddaebbe9ef02194a4555cc47ff427f668111b676713b6ed19f8fc66090860357

SHA512
940fdbfc6d1eda3ce11074965d1f5bbe9a0210c3858fba169b6349f2ddff6670d7ffcb9f2c38730f3888c5c69542cfec0cc6119527adb53c936d6fea95729c4d

Download Submit
C:\Windows\System\GPtoOJG.exe
Filesize
5.9MB

MD5
9430e3d88081745a46025820bcd9dc38

SHA1
b3f955dec83ea96214bb5b2951aeb3eff14c3379

SHA256
f3d13e13c0556a13ff154b0e8aff4ab0426c3165cff192a3cae7a16ec958d530

SHA512
f2c19f4440b114205f973fae59b93bc993f6fbb663bb487ea1fbdbbb4699ec5eba4c008ee55882fef3e1253790246e04da4644f549e7cc7b8a71951c256dd9d8

Download Submit
C:\Windows\System\HlBlfFj.exe
Filesize
5.9MB

MD5
a568c3f70baeebbca5979afd1cbca28f

SHA1
135ac08c7b8703c93d534cac4c2bf0a3c166d077

SHA256
8a087506427b8699f41df18fcec0be5e490ec57202b5b6275403c1516ac8bc00

SHA512
75d43eafb1133826e596b06f956de7766e37eb27948a82684af253b56f644c577d3ba952bdfedad6b7e7c2cf14d2621a061ee80da7529cc067374ff226c5aecb

Download Submit
C:\Windows\System\KsdnTyY.exe
Filesize
5.9MB

MD5
cac48a2fe4c9bf1e45a8a3ef154e9e5f

SHA1
3d47e18e41a990239024bace9551d8b031c6425a

SHA256
932859cd0771e7d6d0eb855cea8e1490571fee29f6a740db192f0c73cdff0546

SHA512
e8f9e4f5cb60471482554d6894744b5693c1eb7162cff01ab4951df9fd5fecdb44cadd43c5f19409bc7482414dafb58615593c76b10d1d039ab111f503f65562

Download Submit
C:\Windows\System\OGvdNjm.exe
Filesize
5.9MB

MD5
48f0748963bbddbfd95e44cbc179d646

SHA1
3ad3c6ec3f59d19c3d68e5ad25415ed5b2f8ebf0

SHA256
fc7c9e16cfe14316b673ace00c583bfb3ccc5e563d2e6dc36a1442eed13ceee1

SHA512
e1aa52de5a59f674e8af7cac9071b5de5a7f0a34de7cd8e6411a4b930de006ee45db6173e517627866ec527e336d224c868ea5200b03fdfa5fde16d04be0597b

Download Submit
C:\Windows\System\PbJSbDf.exe
Filesize
5.9MB

MD5
5b4bab83ca16baaa48d78539cad427f5

SHA1
c69c6860d0e522db865d54727454af28c4b2e677

SHA256
86ed7a6853e103da7171282fb98998ff8371c4d9918d178a31567194c026afcd

SHA512
ba5fbd1f8cd8de90cb9d39dab501ea25802e719e50619fc0ba994edea817b700dcded4f5c4207f78160f12b83dea5ace9c3a7fd7a5c0a11d4ca39185439eccc1

Download Submit
C:\Windows\System\QYyOmxx.exe
Filesize
5.9MB

MD5
0c2fed6726b5d1ef9b72e072ccb8ce3b

SHA1
e0eb26a352f25b79424a0cb8725efff7d19288f6

SHA256
58906124a785576e2661f73f02ffbb927014cff46e14375d90b185f5d53ef8fd

SHA512
dd1f9d8de1f35288e0d406293eb43303dee9b3ced9fa3783d6288b471ab3444b1355e08e880685b0e86563c01ba310f80fe6bfc645eb697ab8e7587a99db6e58

Download Submit
C:\Windows\System\UqoHogv.exe
Filesize
5.9MB

MD5
b9fce04f88059efeb4b50538c96ae971

SHA1
a8791066e880832583617ff67dbbf1df81ec6432

SHA256
2f62f2f192458ee774ba2ca9f1c8424ef1ff0206c6a8394c795718c0fc5ebd8e

SHA512
62e4ec0b88e7518c7fff206cdc2dd7661b855ccbb1fc4b8d30b8398aca7814cec32cdcb11d572162c67b77180381b26ad3f5ec3cecf3ad27d34091ba746c619c

Download Submit
C:\Windows\System\YUryLVZ.exe
Filesize
5.9MB

MD5
8b81efb559d43c8ca0d9d0a5b86985bc

SHA1
4745b5ebf58778dcd50a3f625799daabbeb3c623

SHA256
cb8a3ff7c38ac2288f9f5deb4fcbacfe8a16e56f8cbe3732a6eef6f1255a2933

SHA512
8bbee59ed5bf0fe50163256e3637693011a54601aa3e8660bf3e2c2e29a4b7e1b02d460d0412372cbb39fd46807774215f2b6ca88500a4fefccfc337fc9e36cd

Download Submit
C:\Windows\System\ZOEFqps.exe
Filesize
5.9MB

MD5
d7191d982f97e457642c82cf516290a8

SHA1
d8b8ac47f39078186223454f10a85ffc7860a392

SHA256
f091eb94eed425fc9fffeaae15eaf298d7c826b2b16f0873b7e9f74b8e961fdf

SHA512
40dfec078203e955a9baba1de274a2fe2d858bef01d15cdd7b1b9262951efab5c722c467f83aa9c0ba1bdf82696cd2dd12bca4624d03ff5401f1ca6791109c83

Download Submit
C:\Windows\System\eyNioRW.exe
Filesize
5.9MB

MD5
435f1d15f5e672f9464739de9ecbf0f4

SHA1
372216f89d60dbd0150645b3e21ea337ceeec829

SHA256
e77bca6bef807fbdd0ef6aa32725579b76eead9667de9f59372e3f5e6591fc72

SHA512
2e18aa81ecba8ca1314a41adc3844f833ac71da5e96e37c20f199b9810572abf0d7da5de58a924d502797e357a427c695fb4e4c0efea80863791baaef61948d8

Download Submit
C:\Windows\System\gdhkthX.exe
Filesize
5.9MB

MD5
ee1216742feb4c37ca339c6da9cc978f

SHA1
0a0c2ff03cf5317a4e1efc621793957f36290115

SHA256
f623517d7a3d92286800a6595a22daa45d68f6b38047eca342df978fc905db3c

SHA512
fbf7e2587c9f89f760dc76b2b4754c79b28b152d4e7280e644814b96875e26d68a9202a29821ce4428fae83e73b06d307041951d7263ffdfa2386c45a514e1cf

Download Submit
C:\Windows\System\kmfZiqB.exe
Filesize
5.9MB

MD5
b125430a1ad3ae4a8e2c8febd9f55f5c

SHA1
44d4e364af9f4187b12c1577b389c4fb2746e18a

SHA256
1f81f357fcc77b675a64bd2c6b3b18792f827753e162dcd4a4c22ba61cb22cc3

SHA512
e1e5a4279175059aebd37bc98ed88fff048e5a99c81eb89994616ea89383f3c214c7ffa63f1e1e2929cf6d47c430a8fc400c69acc7889bdc6ca1e58d49129810

Download Submit
C:\Windows\System\lVHkoIu.exe
Filesize
5.9MB

MD5
51ec5969ec165429cb514a6c0462e918

SHA1
d000cf6cd61d7678fa15157e71df14574e5f5e49

SHA256
e15723dd3fc82067522eaff359155033579f898a09ef18ec906ae37974c37e2b

SHA512
041fab45ff7249e335b2662c1b7243454e5b6d3e0cd4cedaeed1ab56b0cd7ce6b3c23b33c9616da7d9cfda9857be0ee4c430d799c280929564cbe0bbc34df0d4

Download Submit
C:\Windows\System\mQVxQJx.exe
Filesize
5.9MB

MD5
3ca2949388d308c061b550b41e7316c4

SHA1
ded3b2d497a5217d749fba68daff45b7bfdb6c4b

SHA256
a35091262af023cae42c04a44659976cc878bff5e8760b83f79771c63d22b035

SHA512
3c6f12aaf8da81648eb6144f9f0f5263e7b312f7f5a58e5a3693cd307cb4b383dab6fffa456b3747333b7d60f8cf83fa575b233039bd274aaf06f601c908a210

Download Submit
C:\Windows\System\mpAOBNW.exe
Filesize
5.9MB

MD5
353477ef5d18fe926cabcb7809c29722

SHA1
7f7ba1ddf39b0780ba581082ecc9915f4a350e8e

SHA256
37676bd5bb79be3e18f434869558630fd2ad1c62b8f26fc7551dd06860586be1

SHA512
7583b23e476000ca84c9e0e9e0f210fb3c469a838d57938668f58525a7d9fe59f25d25c48537fe2bd295e11d70a7c5fe3d800ef0af181beb07d20583214eab25

Download Submit
C:\Windows\System\rBwVoOA.exe
Filesize
5.9MB

MD5
fecf40a92437c8d2668bfbd8e4db5134

SHA1
995e231884edc0a26e3be50771adecfdcfd84f12

SHA256
97bdcdeb726dff3e63e7d161079a3b12e8bfa289e3c155968656a6018f8bbde9

SHA512
22928daf561cd9d2646ec5e7f40b64807c9d82b27a6b8bc72935fb05657307f237d81215f4cf5cfe85dcd0256f4353f12047841d00fac445942b8ee278c04841

Download Submit
C:\Windows\System\rKhbUNx.exe
Filesize
5.9MB

MD5
7d3118afe26b261a9015d2a346a529aa

SHA1
643df85bec1c8683ea4d664bd59d8fd22d6119f2

SHA256
7eec7f7bca2f6a95674c4a5ab7a79bf1e792528730c0141ecf3bb8979f9f24dc

SHA512
ab51fa09dd487063b5649d132b3fd3b2b5bfb3303fd5f23a1df29753e3d3fcd80e5a55578aa809d38acfec158d253d1ba41d254a94723d44f38d9aad5ccbbd4e

Download Submit
C:\Windows\System\ujozQfa.exe
Filesize
5.9MB

MD5
581179be07588649de5ff844df00b2e8

SHA1
0dbc24bba53cad01f7043c7f7c949dd9071be5b1

SHA256
23fc83b6faf4cf1aeccf3e6f2c2bd537c230de27815ab7e6fa2c641516699159

SHA512
c8cb5148ebd1785657abb566d6b512b3ae76456830fa6749983f532f712aa270c531530465cc972946e8411c7b832844c8101e9547e1fbda932deff178e28d4c

Download Submit
C:\Windows\System\yDDtrfW.exe
Filesize
5.9MB

MD5
ec04335931b849983e2b31caa2612f60

SHA1
90b0c54425f41dc75bec9b87c8325d9511bc5a12

SHA256
cdf3f62fb65045e98f9d1d6e38e18cc45b3b5435e1e384c680af5901ad82e35f

SHA512
f6a3d12839472b2dec72e39e91ca1ce2328b2af7cd3bc5bf58d97719cf6f01519f3150e43e3c70f09c95bb3a048720e6a3cc5b0986fca2f5b13bd66e80e0b96a

Download Submit
memory/724-156-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

Filesize
3.3MB

Download
memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

Filesize
3.3MB

Download
memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp

Filesize
3.3MB

Download
memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

Filesize
3.3MB

Download
memory/780-149-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

Filesize
3.3MB

Download
memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp

Filesize
3.3MB

Download
memory/1080-158-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

Filesize
3.3MB

Download
memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

Filesize
3.3MB

Download
memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp

Filesize
3.3MB

Download
memory/1564-159-0x00007FF6514E0000-0x00007FF651834000-memory.dmp

Filesize
3.3MB

Download
memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp

Filesize
3.3MB

Download
memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp

Filesize
3.3MB

Download
memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp

Filesize
3.3MB

Download
memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

Filesize
3.3MB

Download
memory/1788-152-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

Filesize
3.3MB

Download
memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp

Filesize
3.3MB

Download
memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-157-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp

Filesize
3.3MB

Download
memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp

Filesize
3.3MB

Download
memory/1996-153-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp

Filesize
3.3MB

Download
memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp

Filesize
3.3MB

Download
memory/2232-1-0x000002969A4D0000-0x000002969A4E0000-memory.dmp

Filesize
64KB

Download
memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-154-0x00007FF787570000-0x00007FF7878C4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp

Filesize
3.3MB

Download
memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp

Filesize
3.3MB

Download
memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/3220-160-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp

Filesize
3.3MB

Download
memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

Filesize
3.3MB

Download
memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

Filesize
3.3MB

Download
memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp

Filesize
3.3MB

Download
memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp

Filesize
3.3MB

Download
memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp

Filesize
3.3MB

Download
memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

Filesize
3.3MB

Download
memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

Filesize
3.3MB

Download
memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp

Filesize
3.3MB

Download
memory/4120-161-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp

Filesize
3.3MB

Download
memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp

Filesize
3.3MB

Download
memory/4216-150-0x00007FF600530000-0x00007FF600884000-memory.dmp

Filesize
3.3MB

Download
memory/4520-155-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp

Filesize
3.3MB

Download
memory/4892-151-0x00007FF727F00000-0x00007FF728254000-memory.dmp

Filesize
3.3MB

Download
memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp

Filesize
3.3MB

Download
memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp

Filesize
3.3MB

Download