cobaltstrike | d7f139448a4fe00f4992a8dbeb8a6f48869080091be6b203b66ba0e2b888e79b

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

488b601724d379fe005684d87ef8fd29
SHA1

8fec6bc7e56608b9b4058af5f20f99ce2840d392
SHA256

d7f139448a4fe00f4992a8dbeb8a6f48869080091be6b203b66ba0e2b888e79b
SHA512

dc6bcaeeb67f7a879bacfedc6d7feb74c7400c57f79d5fcfdfa486ec024e7b5b463e3e6010bf2e1736a5714eae9cc74e9007c6f7fabd7494867e1c331f708c95
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUE:Q+856utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\qoVgFNr.exe	cobalt_reflective_dll
C:\Windows\System\ynbNDLe.exe	cobalt_reflective_dll
C:\Windows\System\ybDixph.exe	cobalt_reflective_dll
C:\Windows\System\bUtgNgh.exe	cobalt_reflective_dll
C:\Windows\System\gZkqEUk.exe	cobalt_reflective_dll
C:\Windows\System\Pdefkxy.exe	cobalt_reflective_dll
C:\Windows\System\DnvENpr.exe	cobalt_reflective_dll
C:\Windows\System\SRhnJaE.exe	cobalt_reflective_dll
C:\Windows\System\IEGesfe.exe	cobalt_reflective_dll
C:\Windows\System\AhxZddD.exe	cobalt_reflective_dll
C:\Windows\System\haRHsaH.exe	cobalt_reflective_dll
C:\Windows\System\FCbOCdF.exe	cobalt_reflective_dll
C:\Windows\System\mXDhMDz.exe	cobalt_reflective_dll
C:\Windows\System\ocxPJaq.exe	cobalt_reflective_dll
C:\Windows\System\KCBRItS.exe	cobalt_reflective_dll
C:\Windows\System\kHNzAeX.exe	cobalt_reflective_dll
C:\Windows\System\WvAlYoJ.exe	cobalt_reflective_dll
C:\Windows\System\GKoLgYD.exe	cobalt_reflective_dll
C:\Windows\System\kNxfakh.exe	cobalt_reflective_dll
C:\Windows\System\OcJwozm.exe	cobalt_reflective_dll
C:\Windows\System\FeMHIoi.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\qoVgFNr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ynbNDLe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ybDixph.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bUtgNgh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gZkqEUk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Pdefkxy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DnvENpr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SRhnJaE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IEGesfe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AhxZddD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\haRHsaH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FCbOCdF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mXDhMDz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ocxPJaq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KCBRItS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kHNzAeX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WvAlYoJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GKoLgYD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kNxfakh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OcJwozm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FeMHIoi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3648-0-0x00007FF797E40000-0x00007FF798194000-memory.dmp	UPX
C:\Windows\System\qoVgFNr.exe	UPX
behavioral2/memory/4772-8-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	UPX
C:\Windows\System\ynbNDLe.exe	UPX
C:\Windows\System\ybDixph.exe	UPX
behavioral2/memory/2952-14-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	UPX
behavioral2/memory/3336-19-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	UPX
C:\Windows\System\bUtgNgh.exe	UPX
behavioral2/memory/1552-26-0x00007FF608E30000-0x00007FF609184000-memory.dmp	UPX
C:\Windows\System\gZkqEUk.exe	UPX
behavioral2/memory/960-30-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	UPX
C:\Windows\System\Pdefkxy.exe	UPX
C:\Windows\System\DnvENpr.exe	UPX
behavioral2/memory/2872-52-0x00007FF688320000-0x00007FF688674000-memory.dmp	UPX
C:\Windows\System\SRhnJaE.exe	UPX
C:\Windows\System\IEGesfe.exe	UPX
C:\Windows\System\AhxZddD.exe	UPX
C:\Windows\System\haRHsaH.exe	UPX
behavioral2/memory/1600-65-0x00007FF697230000-0x00007FF697584000-memory.dmp	UPX
C:\Windows\System\FCbOCdF.exe	UPX
behavioral2/memory/2032-74-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	UPX
behavioral2/memory/2952-73-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	UPX
behavioral2/memory/2028-69-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	UPX
behavioral2/memory/3648-64-0x00007FF797E40000-0x00007FF798194000-memory.dmp	UPX
behavioral2/memory/4544-61-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	UPX
behavioral2/memory/996-46-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	UPX
behavioral2/memory/3004-40-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	UPX
C:\Windows\System\mXDhMDz.exe	UPX
behavioral2/memory/3336-81-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	UPX
C:\Windows\System\ocxPJaq.exe	UPX
C:\Windows\System\KCBRItS.exe	UPX
C:\Windows\System\kHNzAeX.exe	UPX
behavioral2/memory/4640-98-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp	UPX
behavioral2/memory/960-95-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	UPX
behavioral2/memory/2432-91-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	UPX
behavioral2/memory/3100-84-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	UPX
behavioral2/memory/4200-104-0x00007FF743860000-0x00007FF743BB4000-memory.dmp	UPX
C:\Windows\System\WvAlYoJ.exe	UPX
C:\Windows\System\GKoLgYD.exe	UPX
C:\Windows\System\kNxfakh.exe	UPX
behavioral2/memory/3388-114-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	UPX
C:\Windows\System\OcJwozm.exe	UPX
behavioral2/memory/1868-116-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	UPX
behavioral2/memory/5008-110-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	UPX
C:\Windows\System\FeMHIoi.exe	UPX
behavioral2/memory/4324-126-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp	UPX
behavioral2/memory/4652-131-0x00007FF751CF0000-0x00007FF752044000-memory.dmp	UPX
behavioral2/memory/2028-132-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	UPX
behavioral2/memory/3100-133-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	UPX
behavioral2/memory/5008-134-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	UPX
behavioral2/memory/3388-135-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	UPX
behavioral2/memory/1868-136-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	UPX
behavioral2/memory/4772-137-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	UPX
behavioral2/memory/2952-138-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	UPX
behavioral2/memory/3336-139-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	UPX
behavioral2/memory/1552-140-0x00007FF608E30000-0x00007FF609184000-memory.dmp	UPX
behavioral2/memory/960-141-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	UPX
behavioral2/memory/3004-142-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	UPX
behavioral2/memory/996-143-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	UPX
behavioral2/memory/2872-144-0x00007FF688320000-0x00007FF688674000-memory.dmp	UPX
behavioral2/memory/1600-145-0x00007FF697230000-0x00007FF697584000-memory.dmp	UPX
behavioral2/memory/4544-146-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	UPX
behavioral2/memory/2032-147-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	UPX
behavioral2/memory/2028-148-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3648-0-0x00007FF797E40000-0x00007FF798194000-memory.dmp	xmrig
C:\Windows\System\qoVgFNr.exe	xmrig
behavioral2/memory/4772-8-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	xmrig
C:\Windows\System\ynbNDLe.exe	xmrig
C:\Windows\System\ybDixph.exe	xmrig
behavioral2/memory/2952-14-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	xmrig
behavioral2/memory/3336-19-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	xmrig
C:\Windows\System\bUtgNgh.exe	xmrig
behavioral2/memory/1552-26-0x00007FF608E30000-0x00007FF609184000-memory.dmp	xmrig
C:\Windows\System\gZkqEUk.exe	xmrig
behavioral2/memory/960-30-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	xmrig
C:\Windows\System\Pdefkxy.exe	xmrig
C:\Windows\System\DnvENpr.exe	xmrig
behavioral2/memory/2872-52-0x00007FF688320000-0x00007FF688674000-memory.dmp	xmrig
C:\Windows\System\SRhnJaE.exe	xmrig
C:\Windows\System\IEGesfe.exe	xmrig
C:\Windows\System\AhxZddD.exe	xmrig
C:\Windows\System\haRHsaH.exe	xmrig
behavioral2/memory/1600-65-0x00007FF697230000-0x00007FF697584000-memory.dmp	xmrig
C:\Windows\System\FCbOCdF.exe	xmrig
behavioral2/memory/2032-74-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	xmrig
behavioral2/memory/2952-73-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	xmrig
behavioral2/memory/2028-69-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	xmrig
behavioral2/memory/3648-64-0x00007FF797E40000-0x00007FF798194000-memory.dmp	xmrig
behavioral2/memory/4544-61-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	xmrig
behavioral2/memory/996-46-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	xmrig
behavioral2/memory/3004-40-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	xmrig
C:\Windows\System\mXDhMDz.exe	xmrig
behavioral2/memory/3336-81-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	xmrig
C:\Windows\System\ocxPJaq.exe	xmrig
C:\Windows\System\KCBRItS.exe	xmrig
C:\Windows\System\kHNzAeX.exe	xmrig
behavioral2/memory/4640-98-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp	xmrig
behavioral2/memory/960-95-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	xmrig
behavioral2/memory/2432-91-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	xmrig
behavioral2/memory/3100-84-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	xmrig
behavioral2/memory/4200-104-0x00007FF743860000-0x00007FF743BB4000-memory.dmp	xmrig
C:\Windows\System\WvAlYoJ.exe	xmrig
C:\Windows\System\GKoLgYD.exe	xmrig
C:\Windows\System\kNxfakh.exe	xmrig
behavioral2/memory/3388-114-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	xmrig
C:\Windows\System\OcJwozm.exe	xmrig
behavioral2/memory/1868-116-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	xmrig
behavioral2/memory/5008-110-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	xmrig
C:\Windows\System\FeMHIoi.exe	xmrig
behavioral2/memory/4324-126-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp	xmrig
behavioral2/memory/4652-131-0x00007FF751CF0000-0x00007FF752044000-memory.dmp	xmrig
behavioral2/memory/2028-132-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	xmrig
behavioral2/memory/3100-133-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	xmrig
behavioral2/memory/5008-134-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	xmrig
behavioral2/memory/3388-135-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	xmrig
behavioral2/memory/1868-136-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	xmrig
behavioral2/memory/4772-137-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	xmrig
behavioral2/memory/2952-138-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	xmrig
behavioral2/memory/3336-139-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	xmrig
behavioral2/memory/1552-140-0x00007FF608E30000-0x00007FF609184000-memory.dmp	xmrig
behavioral2/memory/960-141-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	xmrig
behavioral2/memory/3004-142-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	xmrig
behavioral2/memory/996-143-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	xmrig
behavioral2/memory/2872-144-0x00007FF688320000-0x00007FF688674000-memory.dmp	xmrig
behavioral2/memory/1600-145-0x00007FF697230000-0x00007FF697584000-memory.dmp	xmrig
behavioral2/memory/4544-146-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	xmrig
behavioral2/memory/2032-147-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	xmrig
behavioral2/memory/2028-148-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

qoVgFNr.exeynbNDLe.exeybDixph.exebUtgNgh.exegZkqEUk.exePdefkxy.exeIEGesfe.exeDnvENpr.exeSRhnJaE.exeAhxZddD.exehaRHsaH.exeFCbOCdF.exemXDhMDz.exeocxPJaq.exeKCBRItS.exekHNzAeX.exeWvAlYoJ.exekNxfakh.exeGKoLgYD.exeOcJwozm.exeFeMHIoi.exe

pid	process
4772	qoVgFNr.exe
2952	ynbNDLe.exe
3336	ybDixph.exe
1552	bUtgNgh.exe
960	gZkqEUk.exe
3004	Pdefkxy.exe
996	IEGesfe.exe
2872	DnvENpr.exe
4544	SRhnJaE.exe
1600	AhxZddD.exe
2028	haRHsaH.exe
2032	FCbOCdF.exe
3100	mXDhMDz.exe
2432	ocxPJaq.exe
4640	KCBRItS.exe
4200	kHNzAeX.exe
5008	WvAlYoJ.exe
1868	kNxfakh.exe
3388	GKoLgYD.exe
4324	OcJwozm.exe
4652	FeMHIoi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3648-0-0x00007FF797E40000-0x00007FF798194000-memory.dmp	upx
C:\Windows\System\qoVgFNr.exe	upx
behavioral2/memory/4772-8-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	upx
C:\Windows\System\ynbNDLe.exe	upx
C:\Windows\System\ybDixph.exe	upx
behavioral2/memory/2952-14-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	upx
behavioral2/memory/3336-19-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	upx
C:\Windows\System\bUtgNgh.exe	upx
behavioral2/memory/1552-26-0x00007FF608E30000-0x00007FF609184000-memory.dmp	upx
C:\Windows\System\gZkqEUk.exe	upx
behavioral2/memory/960-30-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	upx
C:\Windows\System\Pdefkxy.exe	upx
C:\Windows\System\DnvENpr.exe	upx
behavioral2/memory/2872-52-0x00007FF688320000-0x00007FF688674000-memory.dmp	upx
C:\Windows\System\SRhnJaE.exe	upx
C:\Windows\System\IEGesfe.exe	upx
C:\Windows\System\AhxZddD.exe	upx
C:\Windows\System\haRHsaH.exe	upx
behavioral2/memory/1600-65-0x00007FF697230000-0x00007FF697584000-memory.dmp	upx
C:\Windows\System\FCbOCdF.exe	upx
behavioral2/memory/2032-74-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	upx
behavioral2/memory/2952-73-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	upx
behavioral2/memory/2028-69-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	upx
behavioral2/memory/3648-64-0x00007FF797E40000-0x00007FF798194000-memory.dmp	upx
behavioral2/memory/4544-61-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	upx
behavioral2/memory/996-46-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	upx
behavioral2/memory/3004-40-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	upx
C:\Windows\System\mXDhMDz.exe	upx
behavioral2/memory/3336-81-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	upx
C:\Windows\System\ocxPJaq.exe	upx
C:\Windows\System\KCBRItS.exe	upx
C:\Windows\System\kHNzAeX.exe	upx
behavioral2/memory/4640-98-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp	upx
behavioral2/memory/960-95-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	upx
behavioral2/memory/2432-91-0x00007FF657850000-0x00007FF657BA4000-memory.dmp	upx
behavioral2/memory/3100-84-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	upx
behavioral2/memory/4200-104-0x00007FF743860000-0x00007FF743BB4000-memory.dmp	upx
C:\Windows\System\WvAlYoJ.exe	upx
C:\Windows\System\GKoLgYD.exe	upx
C:\Windows\System\kNxfakh.exe	upx
behavioral2/memory/3388-114-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	upx
C:\Windows\System\OcJwozm.exe	upx
behavioral2/memory/1868-116-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	upx
behavioral2/memory/5008-110-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	upx
C:\Windows\System\FeMHIoi.exe	upx
behavioral2/memory/4324-126-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp	upx
behavioral2/memory/4652-131-0x00007FF751CF0000-0x00007FF752044000-memory.dmp	upx
behavioral2/memory/2028-132-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	upx
behavioral2/memory/3100-133-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp	upx
behavioral2/memory/5008-134-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp	upx
behavioral2/memory/3388-135-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp	upx
behavioral2/memory/1868-136-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp	upx
behavioral2/memory/4772-137-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp	upx
behavioral2/memory/2952-138-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp	upx
behavioral2/memory/3336-139-0x00007FF724480000-0x00007FF7247D4000-memory.dmp	upx
behavioral2/memory/1552-140-0x00007FF608E30000-0x00007FF609184000-memory.dmp	upx
behavioral2/memory/960-141-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp	upx
behavioral2/memory/3004-142-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp	upx
behavioral2/memory/996-143-0x00007FF63C120000-0x00007FF63C474000-memory.dmp	upx
behavioral2/memory/2872-144-0x00007FF688320000-0x00007FF688674000-memory.dmp	upx
behavioral2/memory/1600-145-0x00007FF697230000-0x00007FF697584000-memory.dmp	upx
behavioral2/memory/4544-146-0x00007FF660270000-0x00007FF6605C4000-memory.dmp	upx
behavioral2/memory/2032-147-0x00007FF67E340000-0x00007FF67E694000-memory.dmp	upx
behavioral2/memory/2028-148-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ybDixph.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DnvENpr.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhxZddD.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FCbOCdF.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kHNzAeX.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FeMHIoi.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUtgNgh.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SRhnJaE.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\haRHsaH.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WvAlYoJ.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kNxfakh.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GKoLgYD.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qoVgFNr.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ynbNDLe.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gZkqEUk.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Pdefkxy.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocxPJaq.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IEGesfe.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mXDhMDz.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCBRItS.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OcJwozm.exe	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3648 wrote to memory of 4772	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	qoVgFNr.exe
PID 3648 wrote to memory of 4772	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	qoVgFNr.exe
PID 3648 wrote to memory of 2952	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ynbNDLe.exe
PID 3648 wrote to memory of 2952	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ynbNDLe.exe
PID 3648 wrote to memory of 3336	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ybDixph.exe
PID 3648 wrote to memory of 3336	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ybDixph.exe
PID 3648 wrote to memory of 1552	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	bUtgNgh.exe
PID 3648 wrote to memory of 1552	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	bUtgNgh.exe
PID 3648 wrote to memory of 960	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	gZkqEUk.exe
PID 3648 wrote to memory of 960	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	gZkqEUk.exe
PID 3648 wrote to memory of 3004	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	Pdefkxy.exe
PID 3648 wrote to memory of 3004	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	Pdefkxy.exe
PID 3648 wrote to memory of 996	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	IEGesfe.exe
PID 3648 wrote to memory of 996	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	IEGesfe.exe
PID 3648 wrote to memory of 2872	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	DnvENpr.exe
PID 3648 wrote to memory of 2872	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	DnvENpr.exe
PID 3648 wrote to memory of 4544	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	SRhnJaE.exe
PID 3648 wrote to memory of 4544	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	SRhnJaE.exe
PID 3648 wrote to memory of 1600	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	AhxZddD.exe
PID 3648 wrote to memory of 1600	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	AhxZddD.exe
PID 3648 wrote to memory of 2028	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	haRHsaH.exe
PID 3648 wrote to memory of 2028	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	haRHsaH.exe
PID 3648 wrote to memory of 2032	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	FCbOCdF.exe
PID 3648 wrote to memory of 2032	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	FCbOCdF.exe
PID 3648 wrote to memory of 3100	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	mXDhMDz.exe
PID 3648 wrote to memory of 3100	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	mXDhMDz.exe
PID 3648 wrote to memory of 2432	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ocxPJaq.exe
PID 3648 wrote to memory of 2432	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	ocxPJaq.exe
PID 3648 wrote to memory of 4640	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	KCBRItS.exe
PID 3648 wrote to memory of 4640	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	KCBRItS.exe
PID 3648 wrote to memory of 4200	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	kHNzAeX.exe
PID 3648 wrote to memory of 4200	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	kHNzAeX.exe
PID 3648 wrote to memory of 5008	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	WvAlYoJ.exe
PID 3648 wrote to memory of 5008	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	WvAlYoJ.exe
PID 3648 wrote to memory of 1868	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	kNxfakh.exe
PID 3648 wrote to memory of 1868	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	kNxfakh.exe
PID 3648 wrote to memory of 3388	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	GKoLgYD.exe
PID 3648 wrote to memory of 3388	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	GKoLgYD.exe
PID 3648 wrote to memory of 4324	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	OcJwozm.exe
PID 3648 wrote to memory of 4324	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	OcJwozm.exe
PID 3648 wrote to memory of 4652	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	FeMHIoi.exe
PID 3648 wrote to memory of 4652	3648	2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe	FeMHIoi.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\System\qoVgFNr.exe
C:\Windows\System\qoVgFNr.exe
2⤵
- Executes dropped EXE
PID:4772

C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ynbNDLe.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\ybDixph.exe
C:\Windows\System\ybDixph.exe
2⤵
- Executes dropped EXE
PID:3336

C:\Windows\System\bUtgNgh.exe
C:\Windows\System\bUtgNgh.exe
2⤵
- Executes dropped EXE
PID:1552

C:\Windows\System\gZkqEUk.exe
C:\Windows\System\gZkqEUk.exe
2⤵
- Executes dropped EXE
PID:960

C:\Windows\System\Pdefkxy.exe
C:\Windows\System\Pdefkxy.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\IEGesfe.exe
C:\Windows\System\IEGesfe.exe
2⤵
- Executes dropped EXE
PID:996

C:\Windows\System\DnvENpr.exe
C:\Windows\System\DnvENpr.exe
2⤵
- Executes dropped EXE
PID:2872

C:\Windows\System\SRhnJaE.exe
C:\Windows\System\SRhnJaE.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System\AhxZddD.exe
C:\Windows\System\AhxZddD.exe
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\System\haRHsaH.exe
C:\Windows\System\haRHsaH.exe
2⤵
- Executes dropped EXE
PID:2028

C:\Windows\System\FCbOCdF.exe
C:\Windows\System\FCbOCdF.exe
2⤵
- Executes dropped EXE
PID:2032

C:\Windows\System\mXDhMDz.exe
C:\Windows\System\mXDhMDz.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\System\ocxPJaq.exe
C:\Windows\System\ocxPJaq.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System\KCBRItS.exe
C:\Windows\System\KCBRItS.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\System\kHNzAeX.exe
C:\Windows\System\kHNzAeX.exe
2⤵
- Executes dropped EXE
PID:4200

C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\WvAlYoJ.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\System\kNxfakh.exe
C:\Windows\System\kNxfakh.exe
2⤵
- Executes dropped EXE
PID:1868

C:\Windows\System\GKoLgYD.exe
C:\Windows\System\GKoLgYD.exe
2⤵
- Executes dropped EXE
PID:3388

C:\Windows\System\OcJwozm.exe
C:\Windows\System\OcJwozm.exe
2⤵
- Executes dropped EXE
PID:4324

C:\Windows\System\FeMHIoi.exe
C:\Windows\System\FeMHIoi.exe
2⤵
- Executes dropped EXE
PID:4652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AhxZddD.exe
Filesize
5.9MB

MD5
9c45114be0ff39a3798fd3e9479e9f0b

SHA1
698eed1ebb6ea7b48552477b444fd0959149fe0d

SHA256
bb341d86473e3220d9ffdadb3061bd6381260bd6102ac6f4919af80b25e06db7

SHA512
b084cf7d546cab90a89968cd2c3a0f0e2a9d2ea65cda3acbc9ae321af246b517763dcfc502ece1f7a6d3a0b3057e19b229aca8511a131ca4c5a16ccf6bd52d2c

Download Submit
C:\Windows\System\DnvENpr.exe
Filesize
5.9MB

MD5
c2794f1bf1abda254218174e15a722eb

SHA1
05bb17400b7e6efce2a3e90f8d9774bcaf3ec8f6

SHA256
2067ca1bd426072616cddde411f651520d8ed692430ac9b62c33bce302e7662e

SHA512
c532d78e6f1c87c959a63e414c70583fe86382fed2ee1be8d10d12f83dbe2f897c2952a58dbb471ec5b5873c2b73c74096ea1157bcd473f6d22c650417ac35f2

Download Submit
C:\Windows\System\FCbOCdF.exe
Filesize
5.9MB

MD5
7ba0e187e61ce5624eda222304abcdf3

SHA1
8232901901af2304155b9ef69d5e114285c593db

SHA256
e5707ab6614fc7525b70bf3a04b91536079a8fc04e67cf7395010d42fd8861d7

SHA512
2f6912f95dc10e918a95618cf04639aab5d0e9ef1c3b67cdc2feebcc466ab6d087b1589dd26c04a951f8ae69db5ec143c21179847f6da0074e9a1265dda0ea2c

Download Submit
C:\Windows\System\FeMHIoi.exe
Filesize
5.9MB

MD5
f5484c3a7bd2ae22b9e5d859210728b6

SHA1
387a0322eea70fa0e23a16dbf1608c4b67620fa9

SHA256
e3f01d7e96fa093980fac500cccc64e7cc7e77ebbcd0a669cfc55863a4dfbc2a

SHA512
00e9ccd5646f00d74af4abc8874ddd780e83c6154e5a1a53454ee7a053084b314778d33cad0b09a069d90249d1e2d18354868427f53a447419e855466f9778d9

Download Submit
C:\Windows\System\GKoLgYD.exe
Filesize
5.9MB

MD5
3178488a76bda55d79b77779eb83e5a0

SHA1
b78d9dbaa0e2ae14e0c795ff8feab25c388d64f8

SHA256
118aab608a94c94021231854b5dcb94d3f08c67ac03874e1a8c22644073b4ae2

SHA512
b9dcee34374eeea9263837cdfd1e760c938e5df59b94acc4796610354a7aa0c9393f06302d52674d956f20f3c7afe78ab2c1a181a7789b36e19adb9fcbbf3c8f

Download Submit
C:\Windows\System\IEGesfe.exe
Filesize
5.9MB

MD5
2a19ce0ba53738dd22827c44a29ec903

SHA1
641c934cdcebf8bdc0200860ea46fc4a14004e1a

SHA256
dd7988f92a90603f7a94b57fcdcf10613fc5deb7ab3116931cbc47651a46e073

SHA512
0a815499c57bb3ecb45f7888f4c845079dc560c0e46ec083d55fe104587c356258d2d573d1293ee56b9633ee90d952bd183a351d5bb9f23469c57bc1fd7ff62a

Download Submit
C:\Windows\System\KCBRItS.exe
Filesize
5.9MB

MD5
b2d1fca371a287532ac5359bf28e07ba

SHA1
774233e9bb34818f9fe880b3cd6af8ddfb85e756

SHA256
d12d4a0b87f9b1fe4f2bf98312d89fb8d78b3708bffe95e9cdcf61637d4aa00b

SHA512
53fb30060516700e74282796004a824451a6ef106f297a4b474869294596126a390a6af07bebbca4c03ebb6cee808ef92b0ed7ba739188d2d36149c41ed4e83a

Download Submit
C:\Windows\System\OcJwozm.exe
Filesize
5.9MB

MD5
37e8cd6a78dee02a24c2b641787161d8

SHA1
3c4690aae048230df4a77bdfd299f4465ec92a8e

SHA256
8e1ff747eb7cc2559f54fa2c8caaa507fdd921b83dbb12dec31d37975325a0f4

SHA512
be7bfd31aefce5cfed8eadbf25f8b87d25c9222550d15143eeda369c39ad1dbd33d2532e28275427ad15b246191e032c71c61ddbeff6b6f8a5a70be0f9a92b53

Download Submit
C:\Windows\System\Pdefkxy.exe
Filesize
5.9MB

MD5
751a680da80bfaaccd15580d3937ba7f

SHA1
53a8fbd8b478c42700a4e1d282ddb749ce8e7051

SHA256
fde523d6f01f713af4030035bad5d1b27c06c1590302edec4381812924fb4aa5

SHA512
32b9aec1877a7db6cdfa674c6e6ddb9307e7caca45f0a796647610de6f6b7b764556fba77870bacd4b8dcafea2651ebcf06c144106bd727dc16fb82ed03d4139

Download Submit
C:\Windows\System\SRhnJaE.exe
Filesize
5.9MB

MD5
7dce52cd17a2b661d24bd3a4dcc8a0aa

SHA1
fe1d9611db4cb97f1877c0d8a9163602a6168676

SHA256
a1ea41ce246fe0c5acdde97a4863743d6764af93277eb111c1ce24e5fd695dda

SHA512
a657368a4b165aa3ccd7cce45b3ae61206ff9991333e471fa9e6b26718af68423238c6800e6208957ca665c810f9e7f65c6607d553147828b5f86280d023630f

Download Submit
C:\Windows\System\WvAlYoJ.exe
Filesize
5.9MB

MD5
253a26298444952b43ab9878f8c541c0

SHA1
2c27cb172f863d5edf1279af9cfe7933fc8e4ded

SHA256
095f317c3f47e88429b4446a90ef27385dc406c3bbd38099b0a16fa518191c06

SHA512
fe2ef4ff07adb6bb83d5c388ae8eb398f6a5d53f2821bc938f43375f6c20e8c6aa179f3cbafa785dc53f66e83a1eb4181f5ccbbe1c3fa138d7d5906fe165e0fe

Download Submit
C:\Windows\System\bUtgNgh.exe
Filesize
5.9MB

MD5
219598b59571ad85d2eae26a700d098e

SHA1
8c8552c5fed2d9af5da03bc1f4a62af9c4ad2bdb

SHA256
0ef23139ba335f35f2b921e10d236e30ad7dd2b5eb0c7f8b38da1d3703f5b025

SHA512
3488b9676d9d81d109daef5da01e914354d696475e0f0946c34e8b614b934650c22c534b70b932a77c2c48f2ab148f66689b9d52569aa7e534aad4f2f28bf48d

Download Submit
C:\Windows\System\gZkqEUk.exe
Filesize
5.9MB

MD5
3820243ca0c4dd58b300d2e9c118944b

SHA1
12b6bcc314247a413cd5c6d479f14b1eb02d1af2

SHA256
945e7a3da0d69f06f7dba438da9a4820f36d8ce16297936b4834ea1c142e4489

SHA512
bbf0ee909c0bf941e2c4b8f4df4c9b15605c78c6f556f90fac4630fdec89f5fc2b8075173af43946b8c439319d8edfc8464de3e08f31001171715074625cbfbc

Download Submit
C:\Windows\System\haRHsaH.exe
Filesize
5.9MB

MD5
41a9e45873791d2706baf20325a57833

SHA1
76bd016cbaada8c67639423ff325276cf409fb36

SHA256
99f94a063205c6042f77447ebed90a167898f6dd47459b23841bdfeef9832aa3

SHA512
09ee5af6de2df02a58534861b7fe59a38a92e5b451d682d90b62e253c1619d349a2f227c277a1e8f0867c5294fc3fdb45a804bc5b628e4885752d66f3251d66e

Download Submit
C:\Windows\System\kHNzAeX.exe
Filesize
5.9MB

MD5
108f6fc4417fd998f9febf744b1184af

SHA1
f42e7562c795bff10d2d31830ff0436eb3dc3a08

SHA256
e7dcc090c47f948632e3875773fa299497acca10524c043973d9f5286d7b6580

SHA512
de70ff40c429def4cc9c10c22cf4a9f23b8bc775ca6bc2fe7233f69fd6e15748eca79afa379b288d1fa9a74df3f191018cf4e68140ac186a29940e2e1b6ea38f

Download Submit
C:\Windows\System\kNxfakh.exe
Filesize
5.9MB

MD5
9d8db93574d546a9b6517f8206f8c5d0

SHA1
3183afdf801cd7f1a234a9e0c90ad35d8cb60f9a

SHA256
54d4941e2fd996481f263c4024fbc0e243c3d6fbef85e148929c012ab5ab9eb1

SHA512
06d11bb8550fac0cf62d49039079215f772b5bdeff3599198d24ce270ff466c62132cc6a5b8b91331f3e347647498fea90d8bac79c634663c8a6d0cf18f0ce76

Download Submit
C:\Windows\System\mXDhMDz.exe
Filesize
5.9MB

MD5
cbb0db6f8d7a126ba8ca1eb6a90ac767

SHA1
596df1f7b77027c205a2aa3c4b3406550b67cd55

SHA256
def6aa256b07be1f36f9d238dd642c3db9384006751d0ee51f073b72add29d7b

SHA512
db0f5b838d2edeb716e8872ffce5f53f412c3d5d16aed3cc1697455db2410872479c0299bd53a94c6d50e7483e76960ce3e1930ae4eb9a01bcbe15279de5361a

Download Submit
C:\Windows\System\ocxPJaq.exe
Filesize
5.9MB

MD5
26be51fdc474cb18f6cc9b4977af8f8c

SHA1
ce46c273e7d54ffc9ec09d990056c8538f6ef612

SHA256
dcdb4d982ad2501ee94eda15626fc53d14dfd0f5be829978b3ffe56ba0f528b9

SHA512
75c247fcad226a7e500beb481b22d93e15d43c2eaddde8ad5c2c70173380af216650b0d0e6ec233944713ea32a2f53813068a7a463e13f71faeda10e5eaa834f

Download Submit
C:\Windows\System\qoVgFNr.exe
Filesize
5.9MB

MD5
de5373eec9d13605217fd2de94229711

SHA1
cb996148af8401dec01d301253810bc27d213e6c

SHA256
a2427bc91389da5d07c358099d26ecb9fd0873bcdab1445d07d42c2f2b7579a6

SHA512
209ecfc3b0a5b9c6afc05930c0ad7b4a0331d11beb9cb23dd0f4bf74a94aaaf7019a3d70b637f89d5a00c70d6213a937545c2dec8e236888f62768467de8f6d1

Download Submit
C:\Windows\System\ybDixph.exe
Filesize
5.9MB

MD5
2fcdaaddd670f36dfdeb85359364fb7c

SHA1
ff76309c52835cb73859c92036afef6db3ba3dd0

SHA256
92709d4411c142b1d8e3b63e9f6a7bfdd5c2e36134d6e4f1c40695dd41e008ac

SHA512
035a9179969e927cbc80d00ec4f7e45061d14d2bf6e01b43ba9779237f1fc4e7a03820372551c90556e9cca1f7219657856b955ac851931d982c9b13f8ea1915

Download Submit
C:\Windows\System\ynbNDLe.exe
Filesize
5.9MB

MD5
84b6cc9f4c634c6a959a75da61fd654d

SHA1
7b3fca6fc95c2f0dc3f9f55a9e498089de509875

SHA256
33a1109c3d0dd87c9b07fd75bd652ffdd7b23163b8c133f51c8b5a5cdf3dac15

SHA512
f1cf4bff48442acff69addbb96aa79b3d467ecbb6567dff5c5d8abc9f2852607aaea9660ed6d336852d1647176412442ec6b0580f59da6293f16fc5629b0f4a3

Download Submit
memory/960-141-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

Filesize
3.3MB

Download
memory/960-30-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

Filesize
3.3MB

Download
memory/960-95-0x00007FF6FDDC0000-0x00007FF6FE114000-memory.dmp

Filesize
3.3MB

Download
memory/996-143-0x00007FF63C120000-0x00007FF63C474000-memory.dmp

Filesize
3.3MB

Download
memory/996-46-0x00007FF63C120000-0x00007FF63C474000-memory.dmp

Filesize
3.3MB

Download
memory/1552-26-0x00007FF608E30000-0x00007FF609184000-memory.dmp

Filesize
3.3MB

Download
memory/1552-140-0x00007FF608E30000-0x00007FF609184000-memory.dmp

Filesize
3.3MB

Download
memory/1600-145-0x00007FF697230000-0x00007FF697584000-memory.dmp

Filesize
3.3MB

Download
memory/1600-65-0x00007FF697230000-0x00007FF697584000-memory.dmp

Filesize
3.3MB

Download
memory/1868-116-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

Filesize
3.3MB

Download
memory/1868-156-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

Filesize
3.3MB

Download
memory/1868-136-0x00007FF6A7BF0000-0x00007FF6A7F44000-memory.dmp

Filesize
3.3MB

Download
memory/2028-69-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-132-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2028-148-0x00007FF70A4A0000-0x00007FF70A7F4000-memory.dmp

Filesize
3.3MB

Download
memory/2032-74-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

Filesize
3.3MB

Download
memory/2032-147-0x00007FF67E340000-0x00007FF67E694000-memory.dmp

Filesize
3.3MB

Download
memory/2432-91-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

Filesize
3.3MB

Download
memory/2432-150-0x00007FF657850000-0x00007FF657BA4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-52-0x00007FF688320000-0x00007FF688674000-memory.dmp

Filesize
3.3MB

Download
memory/2872-144-0x00007FF688320000-0x00007FF688674000-memory.dmp

Filesize
3.3MB

Download
memory/2952-14-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

Filesize
3.3MB

Download
memory/2952-73-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

Filesize
3.3MB

Download
memory/2952-138-0x00007FF6949B0000-0x00007FF694D04000-memory.dmp

Filesize
3.3MB

Download
memory/3004-142-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-40-0x00007FF7C49A0000-0x00007FF7C4CF4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-84-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

Filesize
3.3MB

Download
memory/3100-133-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

Filesize
3.3MB

Download
memory/3100-149-0x00007FF7C9020000-0x00007FF7C9374000-memory.dmp

Filesize
3.3MB

Download
memory/3336-19-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

Filesize
3.3MB

Download
memory/3336-81-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

Filesize
3.3MB

Download
memory/3336-139-0x00007FF724480000-0x00007FF7247D4000-memory.dmp

Filesize
3.3MB

Download
memory/3388-114-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

Filesize
3.3MB

Download
memory/3388-135-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

Filesize
3.3MB

Download
memory/3388-154-0x00007FF7C5800000-0x00007FF7C5B54000-memory.dmp

Filesize
3.3MB

Download
memory/3648-0-0x00007FF797E40000-0x00007FF798194000-memory.dmp

Filesize
3.3MB

Download
memory/3648-1-0x0000021FA6520000-0x0000021FA6530000-memory.dmp

Filesize
64KB

Download
memory/3648-64-0x00007FF797E40000-0x00007FF798194000-memory.dmp

Filesize
3.3MB

Download
memory/4200-104-0x00007FF743860000-0x00007FF743BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4200-152-0x00007FF743860000-0x00007FF743BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-155-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp

Filesize
3.3MB

Download
memory/4324-126-0x00007FF7BDF70000-0x00007FF7BE2C4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-61-0x00007FF660270000-0x00007FF6605C4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-146-0x00007FF660270000-0x00007FF6605C4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-98-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp

Filesize
3.3MB

Download
memory/4640-151-0x00007FF7C4F30000-0x00007FF7C5284000-memory.dmp

Filesize
3.3MB

Download
memory/4652-157-0x00007FF751CF0000-0x00007FF752044000-memory.dmp

Filesize
3.3MB

Download
memory/4652-131-0x00007FF751CF0000-0x00007FF752044000-memory.dmp

Filesize
3.3MB

Download
memory/4772-8-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp

Filesize
3.3MB

Download
memory/4772-137-0x00007FF6A7F50000-0x00007FF6A82A4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-153-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-110-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

Filesize
3.3MB

Download
memory/5008-134-0x00007FF6C0450000-0x00007FF6C07A4000-memory.dmp

Filesize
3.3MB

Download