cobaltstrike | 64a0bc5302d9fd527639653b5fd39485e8330096f143acc61b9caa11123bf0ae

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

e2c23ffc1a7b19139badfc37a3922975
SHA1

a42b80ad6527da86c85b8342d3bf33f67b4cfa34
SHA256

64a0bc5302d9fd527639653b5fd39485e8330096f143acc61b9caa11123bf0ae
SHA512

bc456e3ef31b2dba53254a195628e4444069d4d229b40d9f4331f85e06e5853e24a867bb91032c9ddc9ae8adb5dd157abfd1d6523dbc31745ceef52440dfe524
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUk:Q+856utgpPF8u/7k

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\xtFkzNR.exe	cobalt_reflective_dll
C:\Windows\System\qUcyoXv.exe	cobalt_reflective_dll
C:\Windows\System\VRNjlPG.exe	cobalt_reflective_dll
C:\Windows\System\SWzlgKe.exe	cobalt_reflective_dll
C:\Windows\System\zNJZXuL.exe	cobalt_reflective_dll
C:\Windows\System\BiqfWFc.exe	cobalt_reflective_dll
C:\Windows\System\BBaGDUi.exe	cobalt_reflective_dll
C:\Windows\System\VDEzOjM.exe	cobalt_reflective_dll
C:\Windows\System\xHvSTLA.exe	cobalt_reflective_dll
C:\Windows\System\sGINYuw.exe	cobalt_reflective_dll
C:\Windows\System\SWaJbdf.exe	cobalt_reflective_dll
C:\Windows\System\TJADsDn.exe	cobalt_reflective_dll
C:\Windows\System\mSfVNUq.exe	cobalt_reflective_dll
C:\Windows\System\DKvEDLT.exe	cobalt_reflective_dll
C:\Windows\System\vVnWNjS.exe	cobalt_reflective_dll
C:\Windows\System\fXuGbTk.exe	cobalt_reflective_dll
C:\Windows\System\ajyOLTv.exe	cobalt_reflective_dll
C:\Windows\System\mPMyczO.exe	cobalt_reflective_dll
C:\Windows\System\rHciSIy.exe	cobalt_reflective_dll
C:\Windows\System\XowUmli.exe	cobalt_reflective_dll
C:\Windows\System\WusEmXY.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\xtFkzNR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qUcyoXv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VRNjlPG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SWzlgKe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zNJZXuL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BiqfWFc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BBaGDUi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VDEzOjM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xHvSTLA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\sGINYuw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SWaJbdf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TJADsDn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mSfVNUq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DKvEDLT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vVnWNjS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fXuGbTk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ajyOLTv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mPMyczO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rHciSIy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XowUmli.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WusEmXY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	UPX
C:\Windows\System\xtFkzNR.exe	UPX
C:\Windows\System\qUcyoXv.exe	UPX
behavioral2/memory/4236-12-0x00007FF615840000-0x00007FF615B94000-memory.dmp	UPX
C:\Windows\System\VRNjlPG.exe	UPX
behavioral2/memory/3768-11-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	UPX
C:\Windows\System\SWzlgKe.exe	UPX
behavioral2/memory/1028-22-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	UPX
C:\Windows\System\zNJZXuL.exe	UPX
C:\Windows\System\BiqfWFc.exe	UPX
C:\Windows\System\BBaGDUi.exe	UPX
C:\Windows\System\VDEzOjM.exe	UPX
C:\Windows\System\xHvSTLA.exe	UPX
C:\Windows\System\sGINYuw.exe	UPX
C:\Windows\System\SWaJbdf.exe	UPX
C:\Windows\System\TJADsDn.exe	UPX
C:\Windows\System\mSfVNUq.exe	UPX
C:\Windows\System\DKvEDLT.exe	UPX
C:\Windows\System\vVnWNjS.exe	UPX
C:\Windows\System\fXuGbTk.exe	UPX
C:\Windows\System\ajyOLTv.exe	UPX
C:\Windows\System\mPMyczO.exe	UPX
C:\Windows\System\rHciSIy.exe	UPX
C:\Windows\System\XowUmli.exe	UPX
C:\Windows\System\WusEmXY.exe	UPX
behavioral2/memory/2484-34-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	UPX
behavioral2/memory/2128-26-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	UPX
behavioral2/memory/1948-112-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	UPX
behavioral2/memory/5112-113-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	UPX
behavioral2/memory/3192-114-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	UPX
behavioral2/memory/3508-115-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	UPX
behavioral2/memory/1932-117-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	UPX
behavioral2/memory/3536-118-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	UPX
behavioral2/memory/3276-120-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	UPX
behavioral2/memory/2448-121-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	UPX
behavioral2/memory/4924-123-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	UPX
behavioral2/memory/1144-125-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	UPX
behavioral2/memory/4056-127-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp	UPX
behavioral2/memory/3784-126-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	UPX
behavioral2/memory/4228-124-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp	UPX
behavioral2/memory/1636-122-0x00007FF674440000-0x00007FF674794000-memory.dmp	UPX
behavioral2/memory/5080-119-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	UPX
behavioral2/memory/1904-116-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	UPX
behavioral2/memory/216-128-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	UPX
behavioral2/memory/4236-129-0x00007FF615840000-0x00007FF615B94000-memory.dmp	UPX
behavioral2/memory/3768-130-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	UPX
behavioral2/memory/4236-131-0x00007FF615840000-0x00007FF615B94000-memory.dmp	UPX
behavioral2/memory/1028-132-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	UPX
behavioral2/memory/2128-133-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	UPX
behavioral2/memory/2484-134-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	UPX
behavioral2/memory/1948-135-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	UPX
behavioral2/memory/3192-136-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	UPX
behavioral2/memory/5112-137-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	UPX
behavioral2/memory/3508-138-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	UPX
behavioral2/memory/1904-140-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	UPX
behavioral2/memory/3276-141-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	UPX
behavioral2/memory/5080-144-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	UPX
behavioral2/memory/1932-143-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	UPX
behavioral2/memory/3536-146-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	UPX
behavioral2/memory/4924-145-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	UPX
behavioral2/memory/1636-142-0x00007FF674440000-0x00007FF674794000-memory.dmp	UPX
behavioral2/memory/2448-139-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	UPX
behavioral2/memory/3784-148-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	UPX
behavioral2/memory/1144-149-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	xmrig
C:\Windows\System\xtFkzNR.exe	xmrig
C:\Windows\System\qUcyoXv.exe	xmrig
behavioral2/memory/4236-12-0x00007FF615840000-0x00007FF615B94000-memory.dmp	xmrig
C:\Windows\System\VRNjlPG.exe	xmrig
behavioral2/memory/3768-11-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	xmrig
C:\Windows\System\SWzlgKe.exe	xmrig
behavioral2/memory/1028-22-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	xmrig
C:\Windows\System\zNJZXuL.exe	xmrig
C:\Windows\System\BiqfWFc.exe	xmrig
C:\Windows\System\BBaGDUi.exe	xmrig
C:\Windows\System\VDEzOjM.exe	xmrig
C:\Windows\System\xHvSTLA.exe	xmrig
C:\Windows\System\sGINYuw.exe	xmrig
C:\Windows\System\SWaJbdf.exe	xmrig
C:\Windows\System\TJADsDn.exe	xmrig
C:\Windows\System\mSfVNUq.exe	xmrig
C:\Windows\System\DKvEDLT.exe	xmrig
C:\Windows\System\vVnWNjS.exe	xmrig
C:\Windows\System\fXuGbTk.exe	xmrig
C:\Windows\System\ajyOLTv.exe	xmrig
C:\Windows\System\mPMyczO.exe	xmrig
C:\Windows\System\rHciSIy.exe	xmrig
C:\Windows\System\XowUmli.exe	xmrig
C:\Windows\System\WusEmXY.exe	xmrig
behavioral2/memory/2484-34-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	xmrig
behavioral2/memory/2128-26-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	xmrig
behavioral2/memory/1948-112-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	xmrig
behavioral2/memory/5112-113-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	xmrig
behavioral2/memory/3192-114-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	xmrig
behavioral2/memory/3508-115-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	xmrig
behavioral2/memory/1932-117-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	xmrig
behavioral2/memory/3536-118-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	xmrig
behavioral2/memory/3276-120-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	xmrig
behavioral2/memory/2448-121-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	xmrig
behavioral2/memory/4924-123-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	xmrig
behavioral2/memory/1144-125-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	xmrig
behavioral2/memory/4056-127-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp	xmrig
behavioral2/memory/3784-126-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	xmrig
behavioral2/memory/4228-124-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp	xmrig
behavioral2/memory/1636-122-0x00007FF674440000-0x00007FF674794000-memory.dmp	xmrig
behavioral2/memory/5080-119-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	xmrig
behavioral2/memory/1904-116-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	xmrig
behavioral2/memory/216-128-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	xmrig
behavioral2/memory/4236-129-0x00007FF615840000-0x00007FF615B94000-memory.dmp	xmrig
behavioral2/memory/3768-130-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	xmrig
behavioral2/memory/4236-131-0x00007FF615840000-0x00007FF615B94000-memory.dmp	xmrig
behavioral2/memory/1028-132-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	xmrig
behavioral2/memory/2128-133-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	xmrig
behavioral2/memory/2484-134-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	xmrig
behavioral2/memory/1948-135-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	xmrig
behavioral2/memory/3192-136-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	xmrig
behavioral2/memory/5112-137-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	xmrig
behavioral2/memory/3508-138-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	xmrig
behavioral2/memory/1904-140-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	xmrig
behavioral2/memory/3276-141-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	xmrig
behavioral2/memory/5080-144-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	xmrig
behavioral2/memory/1932-143-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	xmrig
behavioral2/memory/3536-146-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	xmrig
behavioral2/memory/4924-145-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	xmrig
behavioral2/memory/1636-142-0x00007FF674440000-0x00007FF674794000-memory.dmp	xmrig
behavioral2/memory/2448-139-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	xmrig
behavioral2/memory/3784-148-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	xmrig
behavioral2/memory/1144-149-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xtFkzNR.exeVRNjlPG.exeqUcyoXv.exeSWzlgKe.exezNJZXuL.exeBiqfWFc.exeWusEmXY.exeBBaGDUi.exeVDEzOjM.exexHvSTLA.exeXowUmli.exesGINYuw.exerHciSIy.exemPMyczO.exeajyOLTv.exefXuGbTk.exevVnWNjS.exeDKvEDLT.exeSWaJbdf.exemSfVNUq.exeTJADsDn.exe

pid	process
3768	xtFkzNR.exe
4236	VRNjlPG.exe
1028	qUcyoXv.exe
2128	SWzlgKe.exe
2484	zNJZXuL.exe
1948	BiqfWFc.exe
5112	WusEmXY.exe
3192	BBaGDUi.exe
3508	VDEzOjM.exe
1904	xHvSTLA.exe
1932	XowUmli.exe
3536	sGINYuw.exe
5080	rHciSIy.exe
3276	mPMyczO.exe
2448	ajyOLTv.exe
1636	fXuGbTk.exe
4924	vVnWNjS.exe
4228	DKvEDLT.exe
1144	SWaJbdf.exe
3784	mSfVNUq.exe
4056	TJADsDn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/216-0-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	upx
C:\Windows\System\xtFkzNR.exe	upx
C:\Windows\System\qUcyoXv.exe	upx
behavioral2/memory/4236-12-0x00007FF615840000-0x00007FF615B94000-memory.dmp	upx
C:\Windows\System\VRNjlPG.exe	upx
behavioral2/memory/3768-11-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	upx
C:\Windows\System\SWzlgKe.exe	upx
behavioral2/memory/1028-22-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	upx
C:\Windows\System\zNJZXuL.exe	upx
C:\Windows\System\BiqfWFc.exe	upx
C:\Windows\System\BBaGDUi.exe	upx
C:\Windows\System\VDEzOjM.exe	upx
C:\Windows\System\xHvSTLA.exe	upx
C:\Windows\System\sGINYuw.exe	upx
C:\Windows\System\SWaJbdf.exe	upx
C:\Windows\System\TJADsDn.exe	upx
C:\Windows\System\mSfVNUq.exe	upx
C:\Windows\System\DKvEDLT.exe	upx
C:\Windows\System\vVnWNjS.exe	upx
C:\Windows\System\fXuGbTk.exe	upx
C:\Windows\System\ajyOLTv.exe	upx
C:\Windows\System\mPMyczO.exe	upx
C:\Windows\System\rHciSIy.exe	upx
C:\Windows\System\XowUmli.exe	upx
C:\Windows\System\WusEmXY.exe	upx
behavioral2/memory/2484-34-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	upx
behavioral2/memory/2128-26-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	upx
behavioral2/memory/1948-112-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	upx
behavioral2/memory/5112-113-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	upx
behavioral2/memory/3192-114-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	upx
behavioral2/memory/3508-115-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	upx
behavioral2/memory/1932-117-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	upx
behavioral2/memory/3536-118-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	upx
behavioral2/memory/3276-120-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	upx
behavioral2/memory/2448-121-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	upx
behavioral2/memory/4924-123-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	upx
behavioral2/memory/1144-125-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	upx
behavioral2/memory/4056-127-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp	upx
behavioral2/memory/3784-126-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	upx
behavioral2/memory/4228-124-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp	upx
behavioral2/memory/1636-122-0x00007FF674440000-0x00007FF674794000-memory.dmp	upx
behavioral2/memory/5080-119-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	upx
behavioral2/memory/1904-116-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	upx
behavioral2/memory/216-128-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp	upx
behavioral2/memory/4236-129-0x00007FF615840000-0x00007FF615B94000-memory.dmp	upx
behavioral2/memory/3768-130-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp	upx
behavioral2/memory/4236-131-0x00007FF615840000-0x00007FF615B94000-memory.dmp	upx
behavioral2/memory/1028-132-0x00007FF69E110000-0x00007FF69E464000-memory.dmp	upx
behavioral2/memory/2128-133-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp	upx
behavioral2/memory/2484-134-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp	upx
behavioral2/memory/1948-135-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp	upx
behavioral2/memory/3192-136-0x00007FF702EC0000-0x00007FF703214000-memory.dmp	upx
behavioral2/memory/5112-137-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp	upx
behavioral2/memory/3508-138-0x00007FF65A600000-0x00007FF65A954000-memory.dmp	upx
behavioral2/memory/1904-140-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp	upx
behavioral2/memory/3276-141-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp	upx
behavioral2/memory/5080-144-0x00007FF610360000-0x00007FF6106B4000-memory.dmp	upx
behavioral2/memory/1932-143-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp	upx
behavioral2/memory/3536-146-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp	upx
behavioral2/memory/4924-145-0x00007FF664FB0000-0x00007FF665304000-memory.dmp	upx
behavioral2/memory/1636-142-0x00007FF674440000-0x00007FF674794000-memory.dmp	upx
behavioral2/memory/2448-139-0x00007FF739980000-0x00007FF739CD4000-memory.dmp	upx
behavioral2/memory/3784-148-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp	upx
behavioral2/memory/1144-149-0x00007FF746760000-0x00007FF746AB4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\SWaJbdf.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWzlgKe.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zNJZXuL.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BiqfWFc.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XowUmli.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vVnWNjS.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DKvEDLT.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXuGbTk.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qUcyoXv.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WusEmXY.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BBaGDUi.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VDEzOjM.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHvSTLA.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mPMyczO.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VRNjlPG.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHciSIy.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ajyOLTv.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TJADsDn.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xtFkzNR.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGINYuw.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mSfVNUq.exe	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 216 wrote to memory of 3768	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	xtFkzNR.exe
PID 216 wrote to memory of 3768	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	xtFkzNR.exe
PID 216 wrote to memory of 4236	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	VRNjlPG.exe
PID 216 wrote to memory of 4236	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	VRNjlPG.exe
PID 216 wrote to memory of 1028	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	qUcyoXv.exe
PID 216 wrote to memory of 1028	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	qUcyoXv.exe
PID 216 wrote to memory of 2128	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	SWzlgKe.exe
PID 216 wrote to memory of 2128	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	SWzlgKe.exe
PID 216 wrote to memory of 2484	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	zNJZXuL.exe
PID 216 wrote to memory of 2484	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	zNJZXuL.exe
PID 216 wrote to memory of 1948	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	BiqfWFc.exe
PID 216 wrote to memory of 1948	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	BiqfWFc.exe
PID 216 wrote to memory of 5112	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	WusEmXY.exe
PID 216 wrote to memory of 5112	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	WusEmXY.exe
PID 216 wrote to memory of 3192	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	BBaGDUi.exe
PID 216 wrote to memory of 3192	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	BBaGDUi.exe
PID 216 wrote to memory of 3508	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	VDEzOjM.exe
PID 216 wrote to memory of 3508	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	VDEzOjM.exe
PID 216 wrote to memory of 1904	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	xHvSTLA.exe
PID 216 wrote to memory of 1904	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	xHvSTLA.exe
PID 216 wrote to memory of 1932	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	XowUmli.exe
PID 216 wrote to memory of 1932	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	XowUmli.exe
PID 216 wrote to memory of 3536	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	sGINYuw.exe
PID 216 wrote to memory of 3536	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	sGINYuw.exe
PID 216 wrote to memory of 5080	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	rHciSIy.exe
PID 216 wrote to memory of 5080	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	rHciSIy.exe
PID 216 wrote to memory of 3276	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	mPMyczO.exe
PID 216 wrote to memory of 3276	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	mPMyczO.exe
PID 216 wrote to memory of 2448	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	ajyOLTv.exe
PID 216 wrote to memory of 2448	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	ajyOLTv.exe
PID 216 wrote to memory of 1636	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	fXuGbTk.exe
PID 216 wrote to memory of 1636	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	fXuGbTk.exe
PID 216 wrote to memory of 4924	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	vVnWNjS.exe
PID 216 wrote to memory of 4924	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	vVnWNjS.exe
PID 216 wrote to memory of 4228	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	DKvEDLT.exe
PID 216 wrote to memory of 4228	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	DKvEDLT.exe
PID 216 wrote to memory of 1144	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	SWaJbdf.exe
PID 216 wrote to memory of 1144	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	SWaJbdf.exe
PID 216 wrote to memory of 3784	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	mSfVNUq.exe
PID 216 wrote to memory of 3784	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	mSfVNUq.exe
PID 216 wrote to memory of 4056	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	TJADsDn.exe
PID 216 wrote to memory of 4056	216	2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe	TJADsDn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_e2c23ffc1a7b19139badfc37a3922975_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\System\xtFkzNR.exe
C:\Windows\System\xtFkzNR.exe
2⤵
- Executes dropped EXE
PID:3768

C:\Windows\System\VRNjlPG.exe
C:\Windows\System\VRNjlPG.exe
2⤵
- Executes dropped EXE
PID:4236

C:\Windows\System\qUcyoXv.exe
C:\Windows\System\qUcyoXv.exe
2⤵
- Executes dropped EXE
PID:1028

C:\Windows\System\SWzlgKe.exe
C:\Windows\System\SWzlgKe.exe
2⤵
- Executes dropped EXE
PID:2128

C:\Windows\System\zNJZXuL.exe
C:\Windows\System\zNJZXuL.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\BiqfWFc.exe
C:\Windows\System\BiqfWFc.exe
2⤵
- Executes dropped EXE
PID:1948

C:\Windows\System\WusEmXY.exe
C:\Windows\System\WusEmXY.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\BBaGDUi.exe
C:\Windows\System\BBaGDUi.exe
2⤵
- Executes dropped EXE
PID:3192

C:\Windows\System\VDEzOjM.exe
C:\Windows\System\VDEzOjM.exe
2⤵
- Executes dropped EXE
PID:3508

C:\Windows\System\xHvSTLA.exe
C:\Windows\System\xHvSTLA.exe
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\System\XowUmli.exe
C:\Windows\System\XowUmli.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\sGINYuw.exe
C:\Windows\System\sGINYuw.exe
2⤵
- Executes dropped EXE
PID:3536

C:\Windows\System\rHciSIy.exe
C:\Windows\System\rHciSIy.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Windows\System\mPMyczO.exe
C:\Windows\System\mPMyczO.exe
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System\ajyOLTv.exe
C:\Windows\System\ajyOLTv.exe
2⤵
- Executes dropped EXE
PID:2448

C:\Windows\System\fXuGbTk.exe
C:\Windows\System\fXuGbTk.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\vVnWNjS.exe
C:\Windows\System\vVnWNjS.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Windows\System\DKvEDLT.exe
C:\Windows\System\DKvEDLT.exe
2⤵
- Executes dropped EXE
PID:4228

C:\Windows\System\SWaJbdf.exe
C:\Windows\System\SWaJbdf.exe
2⤵
- Executes dropped EXE
PID:1144

C:\Windows\System\mSfVNUq.exe
C:\Windows\System\mSfVNUq.exe
2⤵
- Executes dropped EXE
PID:3784

C:\Windows\System\TJADsDn.exe
C:\Windows\System\TJADsDn.exe
2⤵
- Executes dropped EXE
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4616 /prefetch:8
1⤵
PID:4764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BBaGDUi.exe
Filesize
5.9MB

MD5
a1d7fec84b75dd98a1b3559fc50bcfe5

SHA1
7dbe6a786e2ee10d935701e3b37475c7760afa8b

SHA256
a856307e47d20e95969d83d5935774bb1ece5049aec4a96b6c2bb979f82f13a6

SHA512
65343703ea1601eddd83480acc9ab709d66f44ea2a6f05250775755bd3b9e1cf6864f86bb9c2581061df5f9480643bb601f36dd3806e03854dc2ef8dbed0859f

Download Submit
C:\Windows\System\BiqfWFc.exe
Filesize
5.9MB

MD5
c9f92b8721c140211cd64907919e2dbe

SHA1
835834d854796392c01c6b7265f7014b15fc7202

SHA256
72ace101eb22b4acdfb3b0181d29594d156696e849e579cfac5111e2b46ab528

SHA512
4b671896eb716b0f9d6be40d266e938a508d3c05a1bb2ad6c8aace989706f57e3cb94377275021f998a3b0ef30b60f819eb3459794806c11b0896f3b536fe35b

Download Submit
C:\Windows\System\DKvEDLT.exe
Filesize
5.9MB

MD5
e16bf9e6fa3e94d01a8c1b0b524a0773

SHA1
04361b99dfd130dc305f243ae2231e1d548f5823

SHA256
553d446ab77a11926af9f7a7135085e8b1fbb1d3d6ee755500238913c9d354fc

SHA512
9aff2c3519cdfba011019a37d66e590ee9255f600050e8b121398cd1e7ad96da236e1d01fc9177d9941b88b0c534fe6ad75c907f3c9cddba9904e2fcbe0f4549

Download Submit
C:\Windows\System\SWaJbdf.exe
Filesize
5.9MB

MD5
14d3fcbb2eb54cebe2f6a4763b1df1b4

SHA1
595b130b2569f1b77df749f9bff312e1a34e272b

SHA256
68c2e72f5b556e20f5c95a08162cef96894d6557a61ade170c3fb26d0cbeafd0

SHA512
7ff9b327ac4e7302f47c3001417a6f0bb37d3e63adea7c7a001b2044d14af5af0791300592c3e03f45253e93de992b31b9e8f2cac74df3ac11932a73aeccb5c7

Download Submit
C:\Windows\System\SWzlgKe.exe
Filesize
5.9MB

MD5
f0cf8a88023d673fa86620d623445ac7

SHA1
c3a23e54a3da3fa194f8f87ae98f260e5a172857

SHA256
9138a47660bea74185a13b24d5e97072432f8b7ce1262e2913bb4af584f1fe78

SHA512
698d355ff1fe08c0f2ca21456110bf12d8305c5e4b55b1fcafb7e53d2df1bbd1f18c7fe1f6df4acde134a970025028d5bf91d5ca5c80cb2350725b826e91a865

Download Submit
C:\Windows\System\TJADsDn.exe
Filesize
5.9MB

MD5
34c6e7594e987e79c615500afa2fc653

SHA1
511611c46b077b9ddd789635a945853c5e9fd914

SHA256
b230bc4b738cd28699585efa652e3fa473d37666e6a20faf5d6f319f8748956d

SHA512
242fb9a6224463921acb60cb7dd70a10261ae6a058532deac37d2ba6e2996f85cd09a883263eef1a1b19c5872768223356c5383ab622c480af71411a6efa6b24

Download Submit
C:\Windows\System\VDEzOjM.exe
Filesize
5.9MB

MD5
0d66d2ceccfed69d73a9bba2468bdcca

SHA1
2a3e7a2887426dbd58166fa89942649373019b17

SHA256
5284f9595114b3a478939b57c75af03a44c99746e17420bf43e743beae30f20e

SHA512
5b407b2cee10bd7b8f9410f3cef0616fe43b362ec367868a560628a33486faaca3ca79d636f4824139d495bb0a73767c3042892066824eacb4ec8f5886c7e1a2

Download Submit
C:\Windows\System\VRNjlPG.exe
Filesize
5.9MB

MD5
579d16f3ec819cbf0aa20cfab7e8eba8

SHA1
95acc3c692e9b0f5cae7b9dbcbf88526691a9611

SHA256
e10e2c9268eceda9840070078d2e31be4f61f252247805f3e49c938cf3f0bf9b

SHA512
de7d539c4266aa8d44015be4310db6e4eb1a38011e0a18e88c614893acd656c19da2088accc5df17ea471319d0e63bf751bd270ac3116409e72179f854a488cb

Download Submit
C:\Windows\System\WusEmXY.exe
Filesize
5.9MB

MD5
5d8004e1905e5beb8473f024ca976f72

SHA1
a9e99f63b258e013a0a61e517bc057a2e3780a83

SHA256
c352cdbc019bf0c9a60b7c9ba369252349e54c9c454f70c922f2ce5760c18fec

SHA512
44e8200d890ea178d6fde6d69c1b048930ee08786fd2c0e2d215601108c893e2bed18d4fee3964a2bf11ea7711180fa6296766f1af41321a5e7637d121ff8ba9

Download Submit
C:\Windows\System\XowUmli.exe
Filesize
5.9MB

MD5
0f6c48b71a59ceb5e38891fbb7c0639e

SHA1
2b8889769db207ee39f2c5eae5b55189a9158aa6

SHA256
13e749ffe0a8c7750bcf7df324062f562752cbf27c1f9bc2c837668eaee609ad

SHA512
7d6cdce2ef86610cc80071287ca83e68f49b0c5b95956d161cc422333dcbb76c961f00d366f55119e5d259064a7083e36c34fdefdcb3e0fa6e260992df30c0a0

Download Submit
C:\Windows\System\ajyOLTv.exe
Filesize
5.9MB

MD5
831aa6a12dda49102520e21dc7127b3f

SHA1
5782f5efe41c3c8399ba8c4457c65a7cba962281

SHA256
de21a4a3a502312e116d6985755d24535bcdc30d077b5fc7a269b683b6a3e6a5

SHA512
f9c18f7ad9356d04b6d53a5c14c1a195769ebfca95ae8c138b3c91d248b038e5043b03d8ac992d86eda458b29bc6ed3fff7bb23620c207c38f2653384397e1fe

Download Submit
C:\Windows\System\fXuGbTk.exe
Filesize
5.9MB

MD5
187fdc7409d00294822a1c95532a927f

SHA1
ca41d54118b3e5a06c00ddadecb86c189f3b817d

SHA256
3aed9eed1ba9da74a74880904b0a7f41a1b092f158d022796ad10d5cfa40c7b6

SHA512
bc5ac9e4f443837a55d8d37023dbc4344eaf77e79325f494fdc675a7fa81cb769205d7e3bee9b071e550c3bdad86e6c2c79f4d3e27ab5231e2d37dbab2fabe1f

Download Submit
C:\Windows\System\mPMyczO.exe
Filesize
5.9MB

MD5
afaaab4ea98cf47bbe8867d451de6f38

SHA1
31e515e7804350e03966ced5c2852428323cd171

SHA256
95f489b053a113db931f063d62400144a6da97b5946362423023667c8d2441e3

SHA512
a7dc69ff18cf53243308f5c4c2cadc58888cc25b8cef1c57476313c04a462d103542a00315659c43e7ada4d66ca3829f90f0e3b6f21ace1e6aa5de884761e39e

Download Submit
C:\Windows\System\mSfVNUq.exe
Filesize
5.9MB

MD5
679988957f8b229d9564879e03c63c72

SHA1
4f04790f98a23db2fd3a29d5d846f52452bf90ce

SHA256
a9da683414d40ef3d14e9e7826351ce4c8a6c318bf98e69dcf0f4bee32cc165e

SHA512
b7ba31bf2be7fc9b64f6a209db3c0b91e0543ab6677aed90a7d46cfece841db9374413568d14d189b51f8c9bd65f5b1041ecdc11d1d2b35afb7dfbfc96643591

Download Submit
C:\Windows\System\qUcyoXv.exe
Filesize
5.9MB

MD5
dcb2faae45f31423457139999ec8e8a5

SHA1
5cf9568f386d8c00268942775b02429b75a6e9d7

SHA256
380863397e645347153178c7861ed803e972d09a548366c07857c23cc5e15d1a

SHA512
4b2bbecf8f51350d84caad7bdeabe8e5e1e140ba3bb60a3e0f00bd3e1067cbd3f89e51ff3af6b052c3b87564025310fce6b8bfd9cec081b2ec847a3435f4db36

Download Submit
C:\Windows\System\rHciSIy.exe
Filesize
5.9MB

MD5
8f977dfa47654bb6c5310f0428ff179c

SHA1
85c27827fde2b6cd8b5a1ae33711791ece584762

SHA256
0f1539a218fe2de461bf291b8da04ea951d97c669e0c81ad58b75883a68cfb6c

SHA512
a7234abd143a392d3ec7a9d95c669ca43f2d79c6c3a37661dd7f02bb18cdf169cdbeeccfd576150132035948272c129abe4b9ec250b3c7b71a03a10245807b71

Download Submit
C:\Windows\System\sGINYuw.exe
Filesize
5.9MB

MD5
c63d4a65e705954162e71cc96ab531ce

SHA1
44d7c7c22c6868f045409fc81fdd80519d306620

SHA256
d7e93d1e440b9b22368a0603490a14514acbe76e09172859478eb9e0ed265f85

SHA512
ab3302b824be3477c338557b47eaa9a785758f21954fbec8f24d12a7d3e857454748ac0a4768d176b9a58a3b891d30998468bd7168f8fd71adc8b31c09f4a828

Download Submit
C:\Windows\System\vVnWNjS.exe
Filesize
5.9MB

MD5
22f29600420ba6749b55d599f2c6958e

SHA1
e1c1134d096c1b283f8563bce3fb062cc525334f

SHA256
82e347af83b0a9f7d29e273dc601ef97ff311d149a807647f60ca4bd985c4703

SHA512
a55a307e11007be5d9ad94dbbbe577e7f9c6fdb76acd19760995ab448a403fd4a3e855f48ab89cfa37db59e85d4523a42f1512dff364257dcea0aca7418c0df0

Download Submit
C:\Windows\System\xHvSTLA.exe
Filesize
5.9MB

MD5
fd1776f1b3b0da7a206560861ae6b64b

SHA1
84df1f72cb512b65230af809d7ebf08f66ce3c0b

SHA256
9e7d9d0b8375c7840dd9f9fcb47a95b83190d548a0e306e41fb2b2724ba35907

SHA512
cb1d7ead01117daba02318d983a38333e61113dc78c805828b447290f849032ba0cafac4ebc91a90c7c3aaf3359ef9c711145d65811f381c9d236d19674eefb6

Download Submit
C:\Windows\System\xtFkzNR.exe
Filesize
5.9MB

MD5
98e6eee31e8467c2f09041b0e19bf324

SHA1
bfb915e387bab5a592153fb8ce8d220a9db21b52

SHA256
f024483f130592f9a167b7cdc3afb955c0643b6edfe381b4d1d389da740a6802

SHA512
1160abe96ca05880283472da43e9d3ca5db025cc43b7b5b43f4cd7cc1de7cf2288fb357fabbe3210e909f6b38f0505e2f93d2b10a56cca0ba39de1da876903e8

Download Submit
C:\Windows\System\zNJZXuL.exe
Filesize
5.9MB

MD5
14b50c270ea08de158f9d0cfb047b23b

SHA1
3e74845e2f27cc400c863b29dfa02eb053c3480f

SHA256
bfd17a01c42af357673f211cbf3de724bd276e29b7f2dceb6aedcfe0bffee5f0

SHA512
0eaa8b1cec9d483eebfd9a40d0df663a8e4550f086045a9e833ab66985ceac05a2f871d98bd68de8331a866ee0303204b9d3099197e22c0a695998677bc0d6f6

Download Submit
memory/216-0-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp

Filesize
3.3MB

Download
memory/216-128-0x00007FF643E90000-0x00007FF6441E4000-memory.dmp

Filesize
3.3MB

Download
memory/216-1-0x00000147F4D60000-0x00000147F4D70000-memory.dmp

Filesize
64KB

Download
memory/1028-22-0x00007FF69E110000-0x00007FF69E464000-memory.dmp

Filesize
3.3MB

Download
memory/1028-132-0x00007FF69E110000-0x00007FF69E464000-memory.dmp

Filesize
3.3MB

Download
memory/1144-149-0x00007FF746760000-0x00007FF746AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1144-125-0x00007FF746760000-0x00007FF746AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-142-0x00007FF674440000-0x00007FF674794000-memory.dmp

Filesize
3.3MB

Download
memory/1636-122-0x00007FF674440000-0x00007FF674794000-memory.dmp

Filesize
3.3MB

Download
memory/1904-140-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp

Filesize
3.3MB

Download
memory/1904-116-0x00007FF6DE3E0000-0x00007FF6DE734000-memory.dmp

Filesize
3.3MB

Download
memory/1932-143-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp

Filesize
3.3MB

Download
memory/1932-117-0x00007FF773BC0000-0x00007FF773F14000-memory.dmp

Filesize
3.3MB

Download
memory/1948-112-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp

Filesize
3.3MB

Download
memory/1948-135-0x00007FF6EEEE0000-0x00007FF6EF234000-memory.dmp

Filesize
3.3MB

Download
memory/2128-133-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2128-26-0x00007FF62EB70000-0x00007FF62EEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-139-0x00007FF739980000-0x00007FF739CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2448-121-0x00007FF739980000-0x00007FF739CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-34-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2484-134-0x00007FF76DC80000-0x00007FF76DFD4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-136-0x00007FF702EC0000-0x00007FF703214000-memory.dmp

Filesize
3.3MB

Download
memory/3192-114-0x00007FF702EC0000-0x00007FF703214000-memory.dmp

Filesize
3.3MB

Download
memory/3276-141-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp

Filesize
3.3MB

Download
memory/3276-120-0x00007FF7E2BC0000-0x00007FF7E2F14000-memory.dmp

Filesize
3.3MB

Download
memory/3508-115-0x00007FF65A600000-0x00007FF65A954000-memory.dmp

Filesize
3.3MB

Download
memory/3508-138-0x00007FF65A600000-0x00007FF65A954000-memory.dmp

Filesize
3.3MB

Download
memory/3536-118-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp

Filesize
3.3MB

Download
memory/3536-146-0x00007FF6E2840000-0x00007FF6E2B94000-memory.dmp

Filesize
3.3MB

Download
memory/3768-130-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp

Filesize
3.3MB

Download
memory/3768-11-0x00007FF66D170000-0x00007FF66D4C4000-memory.dmp

Filesize
3.3MB

Download
memory/3784-126-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp

Filesize
3.3MB

Download
memory/3784-148-0x00007FF6E8CF0000-0x00007FF6E9044000-memory.dmp

Filesize
3.3MB

Download
memory/4056-147-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp

Filesize
3.3MB

Download
memory/4056-127-0x00007FF74EE30000-0x00007FF74F184000-memory.dmp

Filesize
3.3MB

Download
memory/4228-150-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp

Filesize
3.3MB

Download
memory/4228-124-0x00007FF738D60000-0x00007FF7390B4000-memory.dmp

Filesize
3.3MB

Download
memory/4236-129-0x00007FF615840000-0x00007FF615B94000-memory.dmp

Filesize
3.3MB

Download
memory/4236-131-0x00007FF615840000-0x00007FF615B94000-memory.dmp

Filesize
3.3MB

Download
memory/4236-12-0x00007FF615840000-0x00007FF615B94000-memory.dmp

Filesize
3.3MB

Download
memory/4924-145-0x00007FF664FB0000-0x00007FF665304000-memory.dmp

Filesize
3.3MB

Download
memory/4924-123-0x00007FF664FB0000-0x00007FF665304000-memory.dmp

Filesize
3.3MB

Download
memory/5080-144-0x00007FF610360000-0x00007FF6106B4000-memory.dmp

Filesize
3.3MB

Download
memory/5080-119-0x00007FF610360000-0x00007FF6106B4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-137-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp

Filesize
3.3MB

Download
memory/5112-113-0x00007FF7A7940000-0x00007FF7A7C94000-memory.dmp

Filesize
3.3MB

Download