cobaltstrike | 33083de1ea22cb1e4281e12f26b10247ee617c908b5dd6d94fda729868a61f48

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

c973360b21f20bc4259175331d3fcbea
SHA1

32e1c6578bd5540f0f312f2e4d97eaaef76e111e
SHA256

33083de1ea22cb1e4281e12f26b10247ee617c908b5dd6d94fda729868a61f48
SHA512

44631bca037e2b963385047975c7f03b8b7a97146328b3edefa53c8dc0d8a6bddea54ac4a0db1cd868781269c20d49c08f2a0f0509c7b73d72b4127da4338493
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUY:Q+856utgpPF8u/7Y

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vlbUWwn.exe	cobalt_reflective_dll
C:\Windows\System\itxXudF.exe	cobalt_reflective_dll
C:\Windows\System\QcgKNZi.exe	cobalt_reflective_dll
C:\Windows\System\UuJprVd.exe	cobalt_reflective_dll
C:\Windows\System\FJwKXGt.exe	cobalt_reflective_dll
C:\Windows\System\YomHlFE.exe	cobalt_reflective_dll
C:\Windows\System\nOEJGRj.exe	cobalt_reflective_dll
C:\Windows\System\IPxYOLE.exe	cobalt_reflective_dll
C:\Windows\System\UEjtbWA.exe	cobalt_reflective_dll
C:\Windows\System\RAAJdXi.exe	cobalt_reflective_dll
C:\Windows\System\tfzMSpc.exe	cobalt_reflective_dll
C:\Windows\System\UgJGjLX.exe	cobalt_reflective_dll
C:\Windows\System\ArNASEb.exe	cobalt_reflective_dll
C:\Windows\System\FKZkVkg.exe	cobalt_reflective_dll
C:\Windows\System\yZiybuc.exe	cobalt_reflective_dll
C:\Windows\System\BSReHzs.exe	cobalt_reflective_dll
C:\Windows\System\WmSJkuA.exe	cobalt_reflective_dll
C:\Windows\System\Atzmjpd.exe	cobalt_reflective_dll
C:\Windows\System\XEtewyR.exe	cobalt_reflective_dll
C:\Windows\System\xxDBLLH.exe	cobalt_reflective_dll
C:\Windows\System\pwMAxIb.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\vlbUWwn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\itxXudF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QcgKNZi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UuJprVd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FJwKXGt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YomHlFE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nOEJGRj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IPxYOLE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UEjtbWA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RAAJdXi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tfzMSpc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UgJGjLX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ArNASEb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FKZkVkg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yZiybuc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BSReHzs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WmSJkuA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Atzmjpd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XEtewyR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xxDBLLH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\pwMAxIb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1384-0-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	UPX
C:\Windows\System\vlbUWwn.exe	UPX
behavioral2/memory/4468-8-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	UPX
C:\Windows\System\itxXudF.exe	UPX
C:\Windows\System\QcgKNZi.exe	UPX
behavioral2/memory/4240-14-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	UPX
behavioral2/memory/2528-20-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	UPX
C:\Windows\System\UuJprVd.exe	UPX
behavioral2/memory/2436-26-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	UPX
C:\Windows\System\FJwKXGt.exe	UPX
behavioral2/memory/1028-31-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	UPX
C:\Windows\System\YomHlFE.exe	UPX
behavioral2/memory/1608-37-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	UPX
C:\Windows\System\nOEJGRj.exe	UPX
behavioral2/memory/4848-44-0x00007FF774340000-0x00007FF774694000-memory.dmp	UPX
C:\Windows\System\IPxYOLE.exe	UPX
behavioral2/memory/852-50-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	UPX
C:\Windows\System\UEjtbWA.exe	UPX
behavioral2/memory/1624-56-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	UPX
C:\Windows\System\RAAJdXi.exe	UPX
C:\Windows\System\tfzMSpc.exe	UPX
behavioral2/memory/1384-62-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	UPX
behavioral2/memory/3672-66-0x00007FF656610000-0x00007FF656964000-memory.dmp	UPX
behavioral2/memory/4468-67-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	UPX
C:\Windows\System\UgJGjLX.exe	UPX
behavioral2/memory/3260-69-0x00007FF632D30000-0x00007FF633084000-memory.dmp	UPX
C:\Windows\System\ArNASEb.exe	UPX
C:\Windows\System\FKZkVkg.exe	UPX
C:\Windows\System\yZiybuc.exe	UPX
C:\Windows\System\BSReHzs.exe	UPX
C:\Windows\System\WmSJkuA.exe	UPX
C:\Windows\System\Atzmjpd.exe	UPX
C:\Windows\System\XEtewyR.exe	UPX
C:\Windows\System\xxDBLLH.exe	UPX
C:\Windows\System\pwMAxIb.exe	UPX
behavioral2/memory/4240-120-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	UPX
behavioral2/memory/964-121-0x00007FF614110000-0x00007FF614464000-memory.dmp	UPX
behavioral2/memory/1652-123-0x00007FF716610000-0x00007FF716964000-memory.dmp	UPX
behavioral2/memory/2180-122-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp	UPX
behavioral2/memory/2452-125-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp	UPX
behavioral2/memory/3644-126-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp	UPX
behavioral2/memory/4104-127-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp	UPX
behavioral2/memory/768-124-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp	UPX
behavioral2/memory/568-128-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp	UPX
behavioral2/memory/4308-129-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp	UPX
behavioral2/memory/4316-130-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp	UPX
behavioral2/memory/2528-131-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	UPX
behavioral2/memory/2436-132-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	UPX
behavioral2/memory/1028-133-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	UPX
behavioral2/memory/1608-134-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	UPX
behavioral2/memory/852-135-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	UPX
behavioral2/memory/4468-136-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	UPX
behavioral2/memory/4240-137-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	UPX
behavioral2/memory/2528-138-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	UPX
behavioral2/memory/2436-139-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	UPX
behavioral2/memory/1028-140-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	UPX
behavioral2/memory/1608-141-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	UPX
behavioral2/memory/4848-142-0x00007FF774340000-0x00007FF774694000-memory.dmp	UPX
behavioral2/memory/852-143-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	UPX
behavioral2/memory/1624-144-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	UPX
behavioral2/memory/3260-145-0x00007FF632D30000-0x00007FF633084000-memory.dmp	UPX
behavioral2/memory/3672-146-0x00007FF656610000-0x00007FF656964000-memory.dmp	UPX
behavioral2/memory/964-147-0x00007FF614110000-0x00007FF614464000-memory.dmp	UPX
behavioral2/memory/3260-148-0x00007FF632D30000-0x00007FF633084000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1384-0-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	xmrig
C:\Windows\System\vlbUWwn.exe	xmrig
behavioral2/memory/4468-8-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	xmrig
C:\Windows\System\itxXudF.exe	xmrig
C:\Windows\System\QcgKNZi.exe	xmrig
behavioral2/memory/4240-14-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	xmrig
behavioral2/memory/2528-20-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	xmrig
C:\Windows\System\UuJprVd.exe	xmrig
behavioral2/memory/2436-26-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	xmrig
C:\Windows\System\FJwKXGt.exe	xmrig
behavioral2/memory/1028-31-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	xmrig
C:\Windows\System\YomHlFE.exe	xmrig
behavioral2/memory/1608-37-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	xmrig
C:\Windows\System\nOEJGRj.exe	xmrig
behavioral2/memory/4848-44-0x00007FF774340000-0x00007FF774694000-memory.dmp	xmrig
C:\Windows\System\IPxYOLE.exe	xmrig
behavioral2/memory/852-50-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	xmrig
C:\Windows\System\UEjtbWA.exe	xmrig
behavioral2/memory/1624-56-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	xmrig
C:\Windows\System\RAAJdXi.exe	xmrig
C:\Windows\System\tfzMSpc.exe	xmrig
behavioral2/memory/1384-62-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	xmrig
behavioral2/memory/3672-66-0x00007FF656610000-0x00007FF656964000-memory.dmp	xmrig
behavioral2/memory/4468-67-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	xmrig
C:\Windows\System\UgJGjLX.exe	xmrig
behavioral2/memory/3260-69-0x00007FF632D30000-0x00007FF633084000-memory.dmp	xmrig
C:\Windows\System\ArNASEb.exe	xmrig
C:\Windows\System\FKZkVkg.exe	xmrig
C:\Windows\System\yZiybuc.exe	xmrig
C:\Windows\System\BSReHzs.exe	xmrig
C:\Windows\System\WmSJkuA.exe	xmrig
C:\Windows\System\Atzmjpd.exe	xmrig
C:\Windows\System\XEtewyR.exe	xmrig
C:\Windows\System\xxDBLLH.exe	xmrig
C:\Windows\System\pwMAxIb.exe	xmrig
behavioral2/memory/4240-120-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	xmrig
behavioral2/memory/964-121-0x00007FF614110000-0x00007FF614464000-memory.dmp	xmrig
behavioral2/memory/1652-123-0x00007FF716610000-0x00007FF716964000-memory.dmp	xmrig
behavioral2/memory/2180-122-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp	xmrig
behavioral2/memory/2452-125-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp	xmrig
behavioral2/memory/3644-126-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp	xmrig
behavioral2/memory/4104-127-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp	xmrig
behavioral2/memory/768-124-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp	xmrig
behavioral2/memory/568-128-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp	xmrig
behavioral2/memory/4308-129-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp	xmrig
behavioral2/memory/4316-130-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp	xmrig
behavioral2/memory/2528-131-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	xmrig
behavioral2/memory/2436-132-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	xmrig
behavioral2/memory/1028-133-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	xmrig
behavioral2/memory/1608-134-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	xmrig
behavioral2/memory/852-135-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	xmrig
behavioral2/memory/4468-136-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	xmrig
behavioral2/memory/4240-137-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	xmrig
behavioral2/memory/2528-138-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	xmrig
behavioral2/memory/2436-139-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	xmrig
behavioral2/memory/1028-140-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	xmrig
behavioral2/memory/1608-141-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	xmrig
behavioral2/memory/4848-142-0x00007FF774340000-0x00007FF774694000-memory.dmp	xmrig
behavioral2/memory/852-143-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	xmrig
behavioral2/memory/1624-144-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	xmrig
behavioral2/memory/3260-145-0x00007FF632D30000-0x00007FF633084000-memory.dmp	xmrig
behavioral2/memory/3672-146-0x00007FF656610000-0x00007FF656964000-memory.dmp	xmrig
behavioral2/memory/964-147-0x00007FF614110000-0x00007FF614464000-memory.dmp	xmrig
behavioral2/memory/3260-148-0x00007FF632D30000-0x00007FF633084000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vlbUWwn.exeitxXudF.exeQcgKNZi.exeUuJprVd.exeFJwKXGt.exeYomHlFE.exenOEJGRj.exeIPxYOLE.exeUEjtbWA.exeRAAJdXi.exetfzMSpc.exeUgJGjLX.exeArNASEb.exeFKZkVkg.exeyZiybuc.exeBSReHzs.exeWmSJkuA.exepwMAxIb.exeAtzmjpd.exeXEtewyR.exexxDBLLH.exe

pid	process
4468	vlbUWwn.exe
4240	itxXudF.exe
2528	QcgKNZi.exe
2436	UuJprVd.exe
1028	FJwKXGt.exe
1608	YomHlFE.exe
4848	nOEJGRj.exe
852	IPxYOLE.exe
1624	UEjtbWA.exe
3672	RAAJdXi.exe
3260	tfzMSpc.exe
964	UgJGjLX.exe
2180	ArNASEb.exe
1652	FKZkVkg.exe
768	yZiybuc.exe
2452	BSReHzs.exe
3644	WmSJkuA.exe
4104	pwMAxIb.exe
568	Atzmjpd.exe
4308	XEtewyR.exe
4316	xxDBLLH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1384-0-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	upx
C:\Windows\System\vlbUWwn.exe	upx
behavioral2/memory/4468-8-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	upx
C:\Windows\System\itxXudF.exe	upx
C:\Windows\System\QcgKNZi.exe	upx
behavioral2/memory/4240-14-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	upx
behavioral2/memory/2528-20-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	upx
C:\Windows\System\UuJprVd.exe	upx
behavioral2/memory/2436-26-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	upx
C:\Windows\System\FJwKXGt.exe	upx
behavioral2/memory/1028-31-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	upx
C:\Windows\System\YomHlFE.exe	upx
behavioral2/memory/1608-37-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	upx
C:\Windows\System\nOEJGRj.exe	upx
behavioral2/memory/4848-44-0x00007FF774340000-0x00007FF774694000-memory.dmp	upx
C:\Windows\System\IPxYOLE.exe	upx
behavioral2/memory/852-50-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	upx
C:\Windows\System\UEjtbWA.exe	upx
behavioral2/memory/1624-56-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	upx
C:\Windows\System\RAAJdXi.exe	upx
C:\Windows\System\tfzMSpc.exe	upx
behavioral2/memory/1384-62-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp	upx
behavioral2/memory/3672-66-0x00007FF656610000-0x00007FF656964000-memory.dmp	upx
behavioral2/memory/4468-67-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	upx
C:\Windows\System\UgJGjLX.exe	upx
behavioral2/memory/3260-69-0x00007FF632D30000-0x00007FF633084000-memory.dmp	upx
C:\Windows\System\ArNASEb.exe	upx
C:\Windows\System\FKZkVkg.exe	upx
C:\Windows\System\yZiybuc.exe	upx
C:\Windows\System\BSReHzs.exe	upx
C:\Windows\System\WmSJkuA.exe	upx
C:\Windows\System\Atzmjpd.exe	upx
C:\Windows\System\XEtewyR.exe	upx
C:\Windows\System\xxDBLLH.exe	upx
C:\Windows\System\pwMAxIb.exe	upx
behavioral2/memory/4240-120-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	upx
behavioral2/memory/964-121-0x00007FF614110000-0x00007FF614464000-memory.dmp	upx
behavioral2/memory/1652-123-0x00007FF716610000-0x00007FF716964000-memory.dmp	upx
behavioral2/memory/2180-122-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp	upx
behavioral2/memory/2452-125-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp	upx
behavioral2/memory/3644-126-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp	upx
behavioral2/memory/4104-127-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp	upx
behavioral2/memory/768-124-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp	upx
behavioral2/memory/568-128-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp	upx
behavioral2/memory/4308-129-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp	upx
behavioral2/memory/4316-130-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp	upx
behavioral2/memory/2528-131-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	upx
behavioral2/memory/2436-132-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	upx
behavioral2/memory/1028-133-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	upx
behavioral2/memory/1608-134-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	upx
behavioral2/memory/852-135-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	upx
behavioral2/memory/4468-136-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp	upx
behavioral2/memory/4240-137-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp	upx
behavioral2/memory/2528-138-0x00007FF7424B0000-0x00007FF742804000-memory.dmp	upx
behavioral2/memory/2436-139-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp	upx
behavioral2/memory/1028-140-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp	upx
behavioral2/memory/1608-141-0x00007FF7451C0000-0x00007FF745514000-memory.dmp	upx
behavioral2/memory/4848-142-0x00007FF774340000-0x00007FF774694000-memory.dmp	upx
behavioral2/memory/852-143-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp	upx
behavioral2/memory/1624-144-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp	upx
behavioral2/memory/3260-145-0x00007FF632D30000-0x00007FF633084000-memory.dmp	upx
behavioral2/memory/3672-146-0x00007FF656610000-0x00007FF656964000-memory.dmp	upx
behavioral2/memory/964-147-0x00007FF614110000-0x00007FF614464000-memory.dmp	upx
behavioral2/memory/3260-148-0x00007FF632D30000-0x00007FF633084000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\UuJprVd.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArNASEb.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FKZkVkg.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WmSJkuA.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pwMAxIb.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QcgKNZi.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nOEJGRj.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UEjtbWA.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xxDBLLH.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itxXudF.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPxYOLE.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tfzMSpc.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgJGjLX.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yZiybuc.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BSReHzs.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XEtewyR.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vlbUWwn.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJwKXGt.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YomHlFE.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RAAJdXi.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Atzmjpd.exe	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1384 wrote to memory of 4468	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	vlbUWwn.exe
PID 1384 wrote to memory of 4468	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	vlbUWwn.exe
PID 1384 wrote to memory of 4240	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	itxXudF.exe
PID 1384 wrote to memory of 4240	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	itxXudF.exe
PID 1384 wrote to memory of 2528	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	QcgKNZi.exe
PID 1384 wrote to memory of 2528	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	QcgKNZi.exe
PID 1384 wrote to memory of 2436	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UuJprVd.exe
PID 1384 wrote to memory of 2436	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UuJprVd.exe
PID 1384 wrote to memory of 1028	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	FJwKXGt.exe
PID 1384 wrote to memory of 1028	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	FJwKXGt.exe
PID 1384 wrote to memory of 1608	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	YomHlFE.exe
PID 1384 wrote to memory of 1608	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	YomHlFE.exe
PID 1384 wrote to memory of 4848	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	nOEJGRj.exe
PID 1384 wrote to memory of 4848	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	nOEJGRj.exe
PID 1384 wrote to memory of 852	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	IPxYOLE.exe
PID 1384 wrote to memory of 852	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	IPxYOLE.exe
PID 1384 wrote to memory of 1624	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UEjtbWA.exe
PID 1384 wrote to memory of 1624	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UEjtbWA.exe
PID 1384 wrote to memory of 3672	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	RAAJdXi.exe
PID 1384 wrote to memory of 3672	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	RAAJdXi.exe
PID 1384 wrote to memory of 3260	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	tfzMSpc.exe
PID 1384 wrote to memory of 3260	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	tfzMSpc.exe
PID 1384 wrote to memory of 964	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UgJGjLX.exe
PID 1384 wrote to memory of 964	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	UgJGjLX.exe
PID 1384 wrote to memory of 2180	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	ArNASEb.exe
PID 1384 wrote to memory of 2180	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	ArNASEb.exe
PID 1384 wrote to memory of 1652	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	FKZkVkg.exe
PID 1384 wrote to memory of 1652	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	FKZkVkg.exe
PID 1384 wrote to memory of 768	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	yZiybuc.exe
PID 1384 wrote to memory of 768	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	yZiybuc.exe
PID 1384 wrote to memory of 2452	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	BSReHzs.exe
PID 1384 wrote to memory of 2452	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	BSReHzs.exe
PID 1384 wrote to memory of 3644	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	WmSJkuA.exe
PID 1384 wrote to memory of 3644	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	WmSJkuA.exe
PID 1384 wrote to memory of 4104	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	pwMAxIb.exe
PID 1384 wrote to memory of 4104	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	pwMAxIb.exe
PID 1384 wrote to memory of 568	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	Atzmjpd.exe
PID 1384 wrote to memory of 568	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	Atzmjpd.exe
PID 1384 wrote to memory of 4308	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	XEtewyR.exe
PID 1384 wrote to memory of 4308	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	XEtewyR.exe
PID 1384 wrote to memory of 4316	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	xxDBLLH.exe
PID 1384 wrote to memory of 4316	1384	2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe	xxDBLLH.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_c973360b21f20bc4259175331d3fcbea_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\System\vlbUWwn.exe
C:\Windows\System\vlbUWwn.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System\itxXudF.exe
C:\Windows\System\itxXudF.exe
2⤵
- Executes dropped EXE
PID:4240

C:\Windows\System\QcgKNZi.exe
C:\Windows\System\QcgKNZi.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\UuJprVd.exe
C:\Windows\System\UuJprVd.exe
2⤵
- Executes dropped EXE
PID:2436

C:\Windows\System\FJwKXGt.exe
C:\Windows\System\FJwKXGt.exe
2⤵
- Executes dropped EXE
PID:1028

C:\Windows\System\YomHlFE.exe
C:\Windows\System\YomHlFE.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System\nOEJGRj.exe
C:\Windows\System\nOEJGRj.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\IPxYOLE.exe
C:\Windows\System\IPxYOLE.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\UEjtbWA.exe
C:\Windows\System\UEjtbWA.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\RAAJdXi.exe
C:\Windows\System\RAAJdXi.exe
2⤵
- Executes dropped EXE
PID:3672

C:\Windows\System\tfzMSpc.exe
C:\Windows\System\tfzMSpc.exe
2⤵
- Executes dropped EXE
PID:3260

C:\Windows\System\UgJGjLX.exe
C:\Windows\System\UgJGjLX.exe
2⤵
- Executes dropped EXE
PID:964

C:\Windows\System\ArNASEb.exe
C:\Windows\System\ArNASEb.exe
2⤵
- Executes dropped EXE
PID:2180

C:\Windows\System\FKZkVkg.exe
C:\Windows\System\FKZkVkg.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Windows\System\yZiybuc.exe
C:\Windows\System\yZiybuc.exe
2⤵
- Executes dropped EXE
PID:768

C:\Windows\System\BSReHzs.exe
C:\Windows\System\BSReHzs.exe
2⤵
- Executes dropped EXE
PID:2452

C:\Windows\System\WmSJkuA.exe
C:\Windows\System\WmSJkuA.exe
2⤵
- Executes dropped EXE
PID:3644

C:\Windows\System\pwMAxIb.exe
C:\Windows\System\pwMAxIb.exe
2⤵
- Executes dropped EXE
PID:4104

C:\Windows\System\Atzmjpd.exe
C:\Windows\System\Atzmjpd.exe
2⤵
- Executes dropped EXE
PID:568

C:\Windows\System\XEtewyR.exe
C:\Windows\System\XEtewyR.exe
2⤵
- Executes dropped EXE
PID:4308

C:\Windows\System\xxDBLLH.exe
C:\Windows\System\xxDBLLH.exe
2⤵
- Executes dropped EXE
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3144 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:3948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ArNASEb.exe
Filesize
5.9MB

MD5
92b04a09f8220386a5ef25f141c7cb0d

SHA1
7778e943a7a32c16243c78d0d3ddf83f5a5f8b02

SHA256
40a73ad5b9547a770aa27af4c33abed38a17cb528b2b73936bbcee1a0dff04b4

SHA512
cb19a5fd1b06bf4fe825174f01127ab20058718a4be1aabb9507407798cdcb49acfe2600db90f2e65a54e9b1c6f527705774317c97c062c425eb554ddc278d07

Download Submit
C:\Windows\System\Atzmjpd.exe
Filesize
5.9MB

MD5
f3b416fcf9c3c6b13c3167075977e569

SHA1
9af1cea96c282d8e3ade12dc7b6347fdd9b10802

SHA256
efd1621b137d388ccf3fe0504eb1fc12f2b76f569e66e7fde9df608a1c89703e

SHA512
fef6ad856c8dc12fcad799922d74bb8ef9e24385ddc11e94d3250f41aa466fb754050414b27b016c75dc96e9dfda2d21c249ba7cbc519e7595b9e2467ac9db51

Download Submit
C:\Windows\System\BSReHzs.exe
Filesize
5.9MB

MD5
d843f167128b75c75c6ad59186ef2646

SHA1
99fd7df70fd8373abedcd2ee337999c6073013e6

SHA256
8fd1d3b871a794bc0842ca68f15d706475316002c16f701ffa3d114fbd7af7f8

SHA512
9dcb17dba074b08f12e640e3434089b8881a867473fef44a9d98ca56679d9dba0b4b6d14fbc308a6b1ebca0496f7bbcea29e6f19a5e46d0ba216ec18533a8909

Download Submit
C:\Windows\System\FJwKXGt.exe
Filesize
5.9MB

MD5
33bd30692a48d23312ebdf6b60df9d55

SHA1
70241125c63e08a1d7ad13b7d432d3092855f79a

SHA256
11698780497e640bfd7f3cd2f5e6a9b6d19ea7210d6e8024e3350df0f0b1f829

SHA512
833a92cef96c35dd20dd6365cdf4b26a2789230460db0cfdf39aad88a7b0c90dd0e2b933472588526af4f9c83b7d2c5469d76722224b9fa4eb1d71e405202448

Download Submit
C:\Windows\System\FKZkVkg.exe
Filesize
5.9MB

MD5
734cc8a706bd20f1da3f177a7f5625f6

SHA1
8f46ca99d632f507b2f5d6ef27999efab8e72cec

SHA256
caf6ffb0a7ab0de227f226934ff031b8d7cbdda2e6415d573318eb2813a643c6

SHA512
6261cb29f70bacdb66ef94fad71a270308520fcfe2004df99c0d68b043477ef7ff22fb7da8e150446039bcf905f2e317a369f790481243d65678854bf4e3008f

Download Submit
C:\Windows\System\IPxYOLE.exe
Filesize
5.9MB

MD5
680dea1651a23363d38c48cda24a2fde

SHA1
3e1abf42e5921d6cae243e6660215ad036bd97a0

SHA256
f0b31cb94323afc4d495cd2ffd34370b43477ea51e6765078e9ba2c27be80d1f

SHA512
c904d8ab3c03ad1c6710a70b09de1ca7ac8228221249b54f55eb9de638a63b46c9b2b816618cba921042b6147b37f6e8cc8a46158c6fd280fbce7c74519ddf9d

Download Submit
C:\Windows\System\QcgKNZi.exe
Filesize
5.9MB

MD5
7a75a644e37c142f8634211ed5b09814

SHA1
ba6768fa294fb8935ecd0f7feccaef5d9ae70797

SHA256
453210e4e080318ba5da2a48d23ce3770148ea91fef3476b529351a731d66ea2

SHA512
b904b6156d9c99e3993ef20efc4d30ce772569d3b21d273acbae50c9a51ad79913f504beb74d8b2114242a641c6b429713538c0e3faaaf85728bb2a7e5dbf7c2

Download Submit
C:\Windows\System\RAAJdXi.exe
Filesize
5.9MB

MD5
5c5a0696a3658285e4b93b04d11e0708

SHA1
28cf49a292f4d80cbf8cc564091fa6f903344057

SHA256
b72de73a583dfab0ab0b78b26a3de9e176825c06de8728e72d34acea8e0b6a10

SHA512
0529bf165a5195beed76a2458bea265544d0218436d45618eb2e1a32abaf2b56d5a05c2edf1a60f7c9de045cc70ed94951b9a01f9280ca2166046489f3b4638c

Download Submit
C:\Windows\System\UEjtbWA.exe
Filesize
5.9MB

MD5
e7119e4f2ae9c41dd8150ecd4895c5ec

SHA1
be15aa7aa4d540008115d093e9239ec485242926

SHA256
f654ce67f1bbd924df9db32fbfe54e6dccd77f8dd47e1c266097f2ec26005671

SHA512
1c3927c29440516bb256d27eddba59dfaf8d364e340d04b1c376bbd062a4742863f9ee546ce97fcd84dc7d15ef8ab42c16777b9979a7e13ab2f6be2d3b61d394

Download Submit
C:\Windows\System\UgJGjLX.exe
Filesize
5.9MB

MD5
40daff8711b3f5c949166b6cd74384d5

SHA1
e331a4d3c1b60f6cb72ff9d070f79a93ff83ebf1

SHA256
d3b63e9a3030b275980c8aaa8f33042d2dd9beffa8a973c587035f044c9b7f8b

SHA512
1a2e82ee37328e3d755b99041731914fe608552ec8ca052dbf9f3d7cb3119c698d8ad42384eeae1005e119e8a634d332aa201a11f6731939f9ddf89d19e27684

Download Submit
C:\Windows\System\UuJprVd.exe
Filesize
5.9MB

MD5
4ca236b218a8ae36baf4d670dae5d2a7

SHA1
3d54d2f4d93ca96e9bb7b863bf39d291fb67f494

SHA256
76e9261ca9929d5793920ce3d9144af90bc16178cc649f75491108f8c583c5fb

SHA512
e0c2cf3bba43e0a475d6ed31bc0d096edfdab3f98ff7eb83d3495b721dfe6dc20ca6827800d57b317a1078eedb5e50cca7a0a5654824378928852deb93b52e74

Download Submit
C:\Windows\System\WmSJkuA.exe
Filesize
5.9MB

MD5
7530f496ddec799ce20172610d6feb41

SHA1
36696164c4a8089f7975fcded86572504427b9e4

SHA256
6bd8986f8ba031a51bda7959b9e3925f7ef94f0571b41eb09e5dba5bcb48819b

SHA512
67c4cfcb5adccfba6b652734ad8f9ac8e8a696965b8e2cbe85c3753d25676e5998ffe93c4bedc1443acb8aa2cc4fdd5353a73afa2a03c69915fc9e0eee47a952

Download Submit
C:\Windows\System\XEtewyR.exe
Filesize
5.9MB

MD5
44dc7ecf8fb351493f252d7229b990c3

SHA1
f3fe2037dfc1d96d675c4228b61c4d960412bb6c

SHA256
280dc842de05ddf661302bc6a39962cd6fffe61991bcbc5e0221d95a558033e4

SHA512
6efa6e166a2b68b5cc1e268badae71eceaa9ef5f726d821cddb3681210da46619d394a6eb0c3898fe6c02f3a8a64162370fd9d04328e5968f3d4862aae7e84cf

Download Submit
C:\Windows\System\YomHlFE.exe
Filesize
5.9MB

MD5
1adc22901023cd2142f4cc4c3ee6a6ec

SHA1
4ff220cc94d77c52b61ac47659f418f37facdb69

SHA256
f33f07bdeec4580ea3ee315a970ebeaa33a44a8efd6e484eaf6c916a31b0193c

SHA512
8fa5fbff1a9941fe7003c03151688c9e735f2203209db5569b18920a3a7dae2b9d1d6284e21a384beb2b0c570d479b491fc1810f1bf6d845f164ec8deff85986

Download Submit
C:\Windows\System\itxXudF.exe
Filesize
5.9MB

MD5
04806cc7366036d77dddd5f962f0afe2

SHA1
115cce05e7d18092e264dc81c6066bb84cd59442

SHA256
476f7e97d4add6e84b474cf53e92fc0d0dd4642c6e5b8e5f95b8077e8db0a061

SHA512
76fe49e159100bd40690b09233de47d1146e9bc07c8be9815721a2a7721099674f35af4f2766398b8e06e7feff9ae42496afb10b09351fa1f66e2fa9de61caa9

Download Submit
C:\Windows\System\nOEJGRj.exe
Filesize
5.9MB

MD5
63fac8af8a927c129d70c1d710e7ce14

SHA1
15881a272ea75f90a8d8df076477f1c0acbc8d45

SHA256
464bb9fa7cd6893a7440fa7c77e368a621f84b3c7535b04d9077eb37856ead9b

SHA512
a84c15bb455c023c1bdbddeef026d2a20a0de74eb32b249b564e6bb669fb1d8ec030ef4a9a92db19d04bb98033d20d111dd06c2f98bb6adfb22d0803dbeb043c

Download Submit
C:\Windows\System\pwMAxIb.exe
Filesize
5.9MB

MD5
1f49df919b41f010d0ff60a08b92e75e

SHA1
c4670b0520a09ca81e71c0c69fde467deaef594e

SHA256
3667babab86bb34abb4ca8beae0dea0faa100f1fa88f94694fceca4e32ffca02

SHA512
c50f371992f5bb0820d99c36781309c3e44d0cf2f3da91814209ae5f940100e82407f6639f2e010649f82f5f1439a46d0c88c295709fa58e7130cee50726e64b

Download Submit
C:\Windows\System\tfzMSpc.exe
Filesize
5.9MB

MD5
4b2646389edcc1cf380c8de3450e9096

SHA1
29dceb8928ef7f18bed006d01bf24e77e711b842

SHA256
8e2b284d454eff34f63069c91740f805ae1ff6a45b68583acb8db11cb3cdb162

SHA512
8ee9c90fe0215c3107a628b705034a2ee2cf6c8475f308609361df11f7b08dfb3b57ab1cbf354dcbe40aa34adab87dd42bdd0edbf15f5c11528d6d66c48c3729

Download Submit
C:\Windows\System\vlbUWwn.exe
Filesize
5.9MB

MD5
9832865bc4f3dd6b1e8e4b8f96615fa2

SHA1
74e5dca343b7ff62ef775b96a5f00fa44a04334f

SHA256
940ac78bc6fe3acfda920a6641d21ded77848ebabffff10fdd751ca2f634a162

SHA512
047a29b1d25545e9b8b35f91f0a153a291cf476397c0342a051126c8138a8b3915f33395e070d34b4d23d3cef1761a93ac3fc48c4644bd66f91c81b6129e1d94

Download Submit
C:\Windows\System\xxDBLLH.exe
Filesize
5.9MB

MD5
b5f720cc59045e623fcab756369b2de0

SHA1
11fd070431c921f5b6a990572cc1a2d0b8ec8dd1

SHA256
7e175602670a36e44a33822e8fc2b3eae88d53f9fe79b86d34775d5ba5d346d6

SHA512
133920c9def89bb448fb26f9fdd4ee9ecb151edb97406fda9df8f7e9c73af5bb35d03e8061d56cbcd0b8a9636246b4e3b8a70b48eecd709815bbd655c9965bd6

Download Submit
C:\Windows\System\yZiybuc.exe
Filesize
5.9MB

MD5
ab89ad3d5416d4625f891eb9924a6813

SHA1
db465a559742b9484ed09255047947c0b4b28d09

SHA256
e80b9375896c392f5a0fddbbd5e6b45179a2a7b6b9f7a9e3a70c5ae977b55a6d

SHA512
80f8e00be5b80abb3c34da6cddbcdf0e9bf4d31791cc72f2618b9e068065b20a1f80dc1e644898c9b70339026759f5b16f1937b5c6d2b541e72a89afee1d683a

Download Submit
memory/568-128-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp

Filesize
3.3MB

Download
memory/568-153-0x00007FF7A4A70000-0x00007FF7A4DC4000-memory.dmp

Filesize
3.3MB

Download
memory/768-124-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp

Filesize
3.3MB

Download
memory/768-151-0x00007FF78F1B0000-0x00007FF78F504000-memory.dmp

Filesize
3.3MB

Download
memory/852-50-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp

Filesize
3.3MB

Download
memory/852-135-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp

Filesize
3.3MB

Download
memory/852-143-0x00007FF7C4F40000-0x00007FF7C5294000-memory.dmp

Filesize
3.3MB

Download
memory/964-121-0x00007FF614110000-0x00007FF614464000-memory.dmp

Filesize
3.3MB

Download
memory/964-147-0x00007FF614110000-0x00007FF614464000-memory.dmp

Filesize
3.3MB

Download
memory/1028-140-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp

Filesize
3.3MB

Download
memory/1028-133-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp

Filesize
3.3MB

Download
memory/1028-31-0x00007FF6F1CC0000-0x00007FF6F2014000-memory.dmp

Filesize
3.3MB

Download
memory/1384-1-0x000001A67E730000-0x000001A67E740000-memory.dmp

Filesize
64KB

Download
memory/1384-62-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1384-0-0x00007FF6D1B70000-0x00007FF6D1EC4000-memory.dmp

Filesize
3.3MB

Download
memory/1608-37-0x00007FF7451C0000-0x00007FF745514000-memory.dmp

Filesize
3.3MB

Download
memory/1608-134-0x00007FF7451C0000-0x00007FF745514000-memory.dmp

Filesize
3.3MB

Download
memory/1608-141-0x00007FF7451C0000-0x00007FF745514000-memory.dmp

Filesize
3.3MB

Download
memory/1624-56-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-144-0x00007FF6E2B90000-0x00007FF6E2EE4000-memory.dmp

Filesize
3.3MB

Download
memory/1652-150-0x00007FF716610000-0x00007FF716964000-memory.dmp

Filesize
3.3MB

Download
memory/1652-123-0x00007FF716610000-0x00007FF716964000-memory.dmp

Filesize
3.3MB

Download
memory/2180-122-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-149-0x00007FF68C290000-0x00007FF68C5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2436-26-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp

Filesize
3.3MB

Download
memory/2436-139-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp

Filesize
3.3MB

Download
memory/2436-132-0x00007FF7FEB20000-0x00007FF7FEE74000-memory.dmp

Filesize
3.3MB

Download
memory/2452-125-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp

Filesize
3.3MB

Download
memory/2452-152-0x00007FF7D0FE0000-0x00007FF7D1334000-memory.dmp

Filesize
3.3MB

Download
memory/2528-20-0x00007FF7424B0000-0x00007FF742804000-memory.dmp

Filesize
3.3MB

Download
memory/2528-138-0x00007FF7424B0000-0x00007FF742804000-memory.dmp

Filesize
3.3MB

Download
memory/2528-131-0x00007FF7424B0000-0x00007FF742804000-memory.dmp

Filesize
3.3MB

Download
memory/3260-69-0x00007FF632D30000-0x00007FF633084000-memory.dmp

Filesize
3.3MB

Download
memory/3260-148-0x00007FF632D30000-0x00007FF633084000-memory.dmp

Filesize
3.3MB

Download
memory/3260-145-0x00007FF632D30000-0x00007FF633084000-memory.dmp

Filesize
3.3MB

Download
memory/3644-126-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp

Filesize
3.3MB

Download
memory/3644-155-0x00007FF7A9B30000-0x00007FF7A9E84000-memory.dmp

Filesize
3.3MB

Download
memory/3672-146-0x00007FF656610000-0x00007FF656964000-memory.dmp

Filesize
3.3MB

Download
memory/3672-66-0x00007FF656610000-0x00007FF656964000-memory.dmp

Filesize
3.3MB

Download
memory/4104-154-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp

Filesize
3.3MB

Download
memory/4104-127-0x00007FF60ABB0000-0x00007FF60AF04000-memory.dmp

Filesize
3.3MB

Download
memory/4240-14-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-137-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4240-120-0x00007FF7BF280000-0x00007FF7BF5D4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-129-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp

Filesize
3.3MB

Download
memory/4308-157-0x00007FF76E1E0000-0x00007FF76E534000-memory.dmp

Filesize
3.3MB

Download
memory/4316-130-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp

Filesize
3.3MB

Download
memory/4316-156-0x00007FF6D9220000-0x00007FF6D9574000-memory.dmp

Filesize
3.3MB

Download
memory/4468-8-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp

Filesize
3.3MB

Download
memory/4468-67-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp

Filesize
3.3MB

Download
memory/4468-136-0x00007FF76C0F0000-0x00007FF76C444000-memory.dmp

Filesize
3.3MB

Download
memory/4848-44-0x00007FF774340000-0x00007FF774694000-memory.dmp

Filesize
3.3MB

Download
memory/4848-142-0x00007FF774340000-0x00007FF774694000-memory.dmp

Filesize
3.3MB

Download