cobaltstrike | da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

f7f6f9f9302926b518975b7a884e32f2
SHA1

d69d7debc202be0769c2fbab3ea94a646a84a59a
SHA256

da4889eae0a9dcba87de468da19d5fc1ec5b16e673419eb8b9d43bed09f7e7ff
SHA512

de48dcab63d2eeced6d25042f7c843df66c7288f0eea6666e3f2a81666c51b002f0935c9e98a29201cb1d39b3045da20c22d3f4739f99c07d91ed255dcc06bfd
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUO:Q+856utgpPF8u/7O

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\hjBhuUS.exe	cobalt_reflective_dll
C:\Windows\System\JflNDSa.exe	cobalt_reflective_dll
C:\Windows\System\hQRPVxt.exe	cobalt_reflective_dll
C:\Windows\System\PdSwOSI.exe	cobalt_reflective_dll
C:\Windows\System\JHMjwyL.exe	cobalt_reflective_dll
C:\Windows\System\TbZRZhZ.exe	cobalt_reflective_dll
C:\Windows\System\EttbxQc.exe	cobalt_reflective_dll
C:\Windows\System\KvCoBTa.exe	cobalt_reflective_dll
C:\Windows\System\jozCCVH.exe	cobalt_reflective_dll
C:\Windows\System\BhUbFUI.exe	cobalt_reflective_dll
C:\Windows\System\SspVFkW.exe	cobalt_reflective_dll
C:\Windows\System\mQxDXGN.exe	cobalt_reflective_dll
C:\Windows\System\kLtvLKi.exe	cobalt_reflective_dll
C:\Windows\System\XCwAfFA.exe	cobalt_reflective_dll
C:\Windows\System\WnBaPfb.exe	cobalt_reflective_dll
C:\Windows\System\RdAONPc.exe	cobalt_reflective_dll
C:\Windows\System\skklCNK.exe	cobalt_reflective_dll
C:\Windows\System\nAblNls.exe	cobalt_reflective_dll
C:\Windows\System\XQMOKzw.exe	cobalt_reflective_dll
C:\Windows\System\IFGvxRz.exe	cobalt_reflective_dll
C:\Windows\System\vAHbPJv.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\hjBhuUS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JflNDSa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hQRPVxt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PdSwOSI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JHMjwyL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TbZRZhZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EttbxQc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KvCoBTa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jozCCVH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BhUbFUI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SspVFkW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mQxDXGN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kLtvLKi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XCwAfFA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WnBaPfb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RdAONPc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\skklCNK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nAblNls.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XQMOKzw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IFGvxRz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vAHbPJv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	UPX
C:\Windows\System\hjBhuUS.exe	UPX
C:\Windows\System\JflNDSa.exe	UPX
behavioral2/memory/4960-12-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	UPX
C:\Windows\System\hQRPVxt.exe	UPX
behavioral2/memory/4604-16-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	UPX
behavioral2/memory/2232-20-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	UPX
C:\Windows\System\PdSwOSI.exe	UPX
behavioral2/memory/1016-26-0x00007FF712E30000-0x00007FF713184000-memory.dmp	UPX
behavioral2/memory/1848-32-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	UPX
C:\Windows\System\JHMjwyL.exe	UPX
C:\Windows\System\TbZRZhZ.exe	UPX
behavioral2/memory/4956-37-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	UPX
C:\Windows\System\EttbxQc.exe	UPX
behavioral2/memory/5112-42-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	UPX
C:\Windows\System\KvCoBTa.exe	UPX
behavioral2/memory/3624-54-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	UPX
C:\Windows\System\jozCCVH.exe	UPX
C:\Windows\System\BhUbFUI.exe	UPX
behavioral2/memory/1808-61-0x00007FF637620000-0x00007FF637974000-memory.dmp	UPX
C:\Windows\System\SspVFkW.exe	UPX
behavioral2/memory/1932-71-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	UPX
behavioral2/memory/3288-73-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	UPX
C:\Windows\System\mQxDXGN.exe	UPX
behavioral2/memory/2204-72-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	UPX
C:\Windows\System\kLtvLKi.exe	UPX
C:\Windows\System\XCwAfFA.exe	UPX
C:\Windows\System\WnBaPfb.exe	UPX
C:\Windows\System\RdAONPc.exe	UPX
C:\Windows\System\skklCNK.exe	UPX
C:\Windows\System\nAblNls.exe	UPX
C:\Windows\System\XQMOKzw.exe	UPX
C:\Windows\System\IFGvxRz.exe	UPX
C:\Windows\System\vAHbPJv.exe	UPX
behavioral2/memory/4996-69-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	UPX
behavioral2/memory/4604-120-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	UPX
behavioral2/memory/4352-121-0x00007FF770000000-0x00007FF770354000-memory.dmp	UPX
behavioral2/memory/2176-122-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	UPX
behavioral2/memory/5032-123-0x00007FF600220000-0x00007FF600574000-memory.dmp	UPX
behavioral2/memory/4364-125-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp	UPX
behavioral2/memory/3280-126-0x00007FF7522C0000-0x00007FF752614000-memory.dmp	UPX
behavioral2/memory/1688-124-0x00007FF7745C0000-0x00007FF774914000-memory.dmp	UPX
behavioral2/memory/1212-127-0x00007FF752060000-0x00007FF7523B4000-memory.dmp	UPX
behavioral2/memory/2460-128-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp	UPX
behavioral2/memory/2992-129-0x00007FF6100C0000-0x00007FF610414000-memory.dmp	UPX
behavioral2/memory/2232-130-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	UPX
behavioral2/memory/1016-131-0x00007FF712E30000-0x00007FF713184000-memory.dmp	UPX
behavioral2/memory/4956-132-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	UPX
behavioral2/memory/5112-133-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	UPX
behavioral2/memory/3288-134-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	UPX
behavioral2/memory/4960-135-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	UPX
behavioral2/memory/4604-136-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	UPX
behavioral2/memory/2232-137-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	UPX
behavioral2/memory/1016-138-0x00007FF712E30000-0x00007FF713184000-memory.dmp	UPX
behavioral2/memory/1848-139-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	UPX
behavioral2/memory/4956-140-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	UPX
behavioral2/memory/5112-141-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	UPX
behavioral2/memory/3624-142-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	UPX
behavioral2/memory/1808-143-0x00007FF637620000-0x00007FF637974000-memory.dmp	UPX
behavioral2/memory/1932-144-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	UPX
behavioral2/memory/2204-145-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	UPX
behavioral2/memory/3288-146-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	UPX
behavioral2/memory/4352-147-0x00007FF770000000-0x00007FF770354000-memory.dmp	UPX
behavioral2/memory/2176-148-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	xmrig
C:\Windows\System\hjBhuUS.exe	xmrig
C:\Windows\System\JflNDSa.exe	xmrig
behavioral2/memory/4960-12-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	xmrig
C:\Windows\System\hQRPVxt.exe	xmrig
behavioral2/memory/4604-16-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	xmrig
behavioral2/memory/2232-20-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	xmrig
C:\Windows\System\PdSwOSI.exe	xmrig
behavioral2/memory/1016-26-0x00007FF712E30000-0x00007FF713184000-memory.dmp	xmrig
behavioral2/memory/1848-32-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	xmrig
C:\Windows\System\JHMjwyL.exe	xmrig
C:\Windows\System\TbZRZhZ.exe	xmrig
behavioral2/memory/4956-37-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	xmrig
C:\Windows\System\EttbxQc.exe	xmrig
behavioral2/memory/5112-42-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	xmrig
C:\Windows\System\KvCoBTa.exe	xmrig
behavioral2/memory/3624-54-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	xmrig
C:\Windows\System\jozCCVH.exe	xmrig
C:\Windows\System\BhUbFUI.exe	xmrig
behavioral2/memory/1808-61-0x00007FF637620000-0x00007FF637974000-memory.dmp	xmrig
C:\Windows\System\SspVFkW.exe	xmrig
behavioral2/memory/1932-71-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	xmrig
behavioral2/memory/3288-73-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	xmrig
C:\Windows\System\mQxDXGN.exe	xmrig
behavioral2/memory/2204-72-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	xmrig
C:\Windows\System\kLtvLKi.exe	xmrig
C:\Windows\System\XCwAfFA.exe	xmrig
C:\Windows\System\WnBaPfb.exe	xmrig
C:\Windows\System\RdAONPc.exe	xmrig
C:\Windows\System\skklCNK.exe	xmrig
C:\Windows\System\nAblNls.exe	xmrig
C:\Windows\System\XQMOKzw.exe	xmrig
C:\Windows\System\IFGvxRz.exe	xmrig
C:\Windows\System\vAHbPJv.exe	xmrig
behavioral2/memory/4996-69-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	xmrig
behavioral2/memory/4604-120-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	xmrig
behavioral2/memory/4352-121-0x00007FF770000000-0x00007FF770354000-memory.dmp	xmrig
behavioral2/memory/2176-122-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	xmrig
behavioral2/memory/5032-123-0x00007FF600220000-0x00007FF600574000-memory.dmp	xmrig
behavioral2/memory/4364-125-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp	xmrig
behavioral2/memory/3280-126-0x00007FF7522C0000-0x00007FF752614000-memory.dmp	xmrig
behavioral2/memory/1688-124-0x00007FF7745C0000-0x00007FF774914000-memory.dmp	xmrig
behavioral2/memory/1212-127-0x00007FF752060000-0x00007FF7523B4000-memory.dmp	xmrig
behavioral2/memory/2460-128-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp	xmrig
behavioral2/memory/2992-129-0x00007FF6100C0000-0x00007FF610414000-memory.dmp	xmrig
behavioral2/memory/2232-130-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	xmrig
behavioral2/memory/1016-131-0x00007FF712E30000-0x00007FF713184000-memory.dmp	xmrig
behavioral2/memory/4956-132-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	xmrig
behavioral2/memory/5112-133-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	xmrig
behavioral2/memory/3288-134-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	xmrig
behavioral2/memory/4960-135-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	xmrig
behavioral2/memory/4604-136-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	xmrig
behavioral2/memory/2232-137-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	xmrig
behavioral2/memory/1016-138-0x00007FF712E30000-0x00007FF713184000-memory.dmp	xmrig
behavioral2/memory/1848-139-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	xmrig
behavioral2/memory/4956-140-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	xmrig
behavioral2/memory/5112-141-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	xmrig
behavioral2/memory/3624-142-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	xmrig
behavioral2/memory/1808-143-0x00007FF637620000-0x00007FF637974000-memory.dmp	xmrig
behavioral2/memory/1932-144-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	xmrig
behavioral2/memory/2204-145-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	xmrig
behavioral2/memory/3288-146-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	xmrig
behavioral2/memory/4352-147-0x00007FF770000000-0x00007FF770354000-memory.dmp	xmrig
behavioral2/memory/2176-148-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

hjBhuUS.exeJflNDSa.exehQRPVxt.exePdSwOSI.exeJHMjwyL.exeTbZRZhZ.exeEttbxQc.exeKvCoBTa.exeBhUbFUI.exejozCCVH.exeSspVFkW.exemQxDXGN.exevAHbPJv.exeIFGvxRz.exekLtvLKi.exeXQMOKzw.exenAblNls.exeXCwAfFA.exeskklCNK.exeRdAONPc.exeWnBaPfb.exe

pid	process
4960	hjBhuUS.exe
4604	JflNDSa.exe
2232	hQRPVxt.exe
1016	PdSwOSI.exe
1848	JHMjwyL.exe
4956	TbZRZhZ.exe
5112	EttbxQc.exe
3624	KvCoBTa.exe
1808	BhUbFUI.exe
1932	jozCCVH.exe
2204	SspVFkW.exe
3288	mQxDXGN.exe
4352	vAHbPJv.exe
2176	IFGvxRz.exe
5032	kLtvLKi.exe
1688	XQMOKzw.exe
4364	nAblNls.exe
3280	XCwAfFA.exe
1212	skklCNK.exe
2460	RdAONPc.exe
2992	WnBaPfb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4996-0-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	upx
C:\Windows\System\hjBhuUS.exe	upx
C:\Windows\System\JflNDSa.exe	upx
behavioral2/memory/4960-12-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	upx
C:\Windows\System\hQRPVxt.exe	upx
behavioral2/memory/4604-16-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	upx
behavioral2/memory/2232-20-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	upx
C:\Windows\System\PdSwOSI.exe	upx
behavioral2/memory/1016-26-0x00007FF712E30000-0x00007FF713184000-memory.dmp	upx
behavioral2/memory/1848-32-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	upx
C:\Windows\System\JHMjwyL.exe	upx
C:\Windows\System\TbZRZhZ.exe	upx
behavioral2/memory/4956-37-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	upx
C:\Windows\System\EttbxQc.exe	upx
behavioral2/memory/5112-42-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	upx
C:\Windows\System\KvCoBTa.exe	upx
behavioral2/memory/3624-54-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	upx
C:\Windows\System\jozCCVH.exe	upx
C:\Windows\System\BhUbFUI.exe	upx
behavioral2/memory/1808-61-0x00007FF637620000-0x00007FF637974000-memory.dmp	upx
C:\Windows\System\SspVFkW.exe	upx
behavioral2/memory/1932-71-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	upx
behavioral2/memory/3288-73-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	upx
C:\Windows\System\mQxDXGN.exe	upx
behavioral2/memory/2204-72-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	upx
C:\Windows\System\kLtvLKi.exe	upx
C:\Windows\System\XCwAfFA.exe	upx
C:\Windows\System\WnBaPfb.exe	upx
C:\Windows\System\RdAONPc.exe	upx
C:\Windows\System\skklCNK.exe	upx
C:\Windows\System\nAblNls.exe	upx
C:\Windows\System\XQMOKzw.exe	upx
C:\Windows\System\IFGvxRz.exe	upx
C:\Windows\System\vAHbPJv.exe	upx
behavioral2/memory/4996-69-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp	upx
behavioral2/memory/4604-120-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	upx
behavioral2/memory/4352-121-0x00007FF770000000-0x00007FF770354000-memory.dmp	upx
behavioral2/memory/2176-122-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	upx
behavioral2/memory/5032-123-0x00007FF600220000-0x00007FF600574000-memory.dmp	upx
behavioral2/memory/4364-125-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp	upx
behavioral2/memory/3280-126-0x00007FF7522C0000-0x00007FF752614000-memory.dmp	upx
behavioral2/memory/1688-124-0x00007FF7745C0000-0x00007FF774914000-memory.dmp	upx
behavioral2/memory/1212-127-0x00007FF752060000-0x00007FF7523B4000-memory.dmp	upx
behavioral2/memory/2460-128-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp	upx
behavioral2/memory/2992-129-0x00007FF6100C0000-0x00007FF610414000-memory.dmp	upx
behavioral2/memory/2232-130-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	upx
behavioral2/memory/1016-131-0x00007FF712E30000-0x00007FF713184000-memory.dmp	upx
behavioral2/memory/4956-132-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	upx
behavioral2/memory/5112-133-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	upx
behavioral2/memory/3288-134-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	upx
behavioral2/memory/4960-135-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp	upx
behavioral2/memory/4604-136-0x00007FF7621C0000-0x00007FF762514000-memory.dmp	upx
behavioral2/memory/2232-137-0x00007FF792490000-0x00007FF7927E4000-memory.dmp	upx
behavioral2/memory/1016-138-0x00007FF712E30000-0x00007FF713184000-memory.dmp	upx
behavioral2/memory/1848-139-0x00007FF776A30000-0x00007FF776D84000-memory.dmp	upx
behavioral2/memory/4956-140-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp	upx
behavioral2/memory/5112-141-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp	upx
behavioral2/memory/3624-142-0x00007FF698680000-0x00007FF6989D4000-memory.dmp	upx
behavioral2/memory/1808-143-0x00007FF637620000-0x00007FF637974000-memory.dmp	upx
behavioral2/memory/1932-144-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp	upx
behavioral2/memory/2204-145-0x00007FF7873B0000-0x00007FF787704000-memory.dmp	upx
behavioral2/memory/3288-146-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp	upx
behavioral2/memory/4352-147-0x00007FF770000000-0x00007FF770354000-memory.dmp	upx
behavioral2/memory/2176-148-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\hjBhuUS.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PdSwOSI.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BhUbFUI.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SspVFkW.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAblNls.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnBaPfb.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mQxDXGN.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kLtvLKi.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdAONPc.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JflNDSa.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQRPVxt.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbZRZhZ.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EttbxQc.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KvCoBTa.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jozCCVH.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IFGvxRz.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XQMOKzw.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\skklCNK.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHMjwyL.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAHbPJv.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCwAfFA.exe	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4996 wrote to memory of 4960	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hjBhuUS.exe
PID 4996 wrote to memory of 4960	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hjBhuUS.exe
PID 4996 wrote to memory of 4604	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	JflNDSa.exe
PID 4996 wrote to memory of 4604	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	JflNDSa.exe
PID 4996 wrote to memory of 2232	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hQRPVxt.exe
PID 4996 wrote to memory of 2232	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	hQRPVxt.exe
PID 4996 wrote to memory of 1016	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	PdSwOSI.exe
PID 4996 wrote to memory of 1016	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	PdSwOSI.exe
PID 4996 wrote to memory of 1848	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	JHMjwyL.exe
PID 4996 wrote to memory of 1848	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	JHMjwyL.exe
PID 4996 wrote to memory of 4956	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	TbZRZhZ.exe
PID 4996 wrote to memory of 4956	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	TbZRZhZ.exe
PID 4996 wrote to memory of 5112	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	EttbxQc.exe
PID 4996 wrote to memory of 5112	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	EttbxQc.exe
PID 4996 wrote to memory of 3624	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	KvCoBTa.exe
PID 4996 wrote to memory of 3624	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	KvCoBTa.exe
PID 4996 wrote to memory of 1808	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	BhUbFUI.exe
PID 4996 wrote to memory of 1808	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	BhUbFUI.exe
PID 4996 wrote to memory of 1932	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	jozCCVH.exe
PID 4996 wrote to memory of 1932	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	jozCCVH.exe
PID 4996 wrote to memory of 2204	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	SspVFkW.exe
PID 4996 wrote to memory of 2204	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	SspVFkW.exe
PID 4996 wrote to memory of 3288	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	mQxDXGN.exe
PID 4996 wrote to memory of 3288	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	mQxDXGN.exe
PID 4996 wrote to memory of 4352	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	vAHbPJv.exe
PID 4996 wrote to memory of 4352	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	vAHbPJv.exe
PID 4996 wrote to memory of 2176	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	IFGvxRz.exe
PID 4996 wrote to memory of 2176	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	IFGvxRz.exe
PID 4996 wrote to memory of 5032	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	kLtvLKi.exe
PID 4996 wrote to memory of 5032	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	kLtvLKi.exe
PID 4996 wrote to memory of 1688	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XQMOKzw.exe
PID 4996 wrote to memory of 1688	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XQMOKzw.exe
PID 4996 wrote to memory of 4364	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	nAblNls.exe
PID 4996 wrote to memory of 4364	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	nAblNls.exe
PID 4996 wrote to memory of 3280	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XCwAfFA.exe
PID 4996 wrote to memory of 3280	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	XCwAfFA.exe
PID 4996 wrote to memory of 1212	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	skklCNK.exe
PID 4996 wrote to memory of 1212	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	skklCNK.exe
PID 4996 wrote to memory of 2460	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	RdAONPc.exe
PID 4996 wrote to memory of 2460	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	RdAONPc.exe
PID 4996 wrote to memory of 2992	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	WnBaPfb.exe
PID 4996 wrote to memory of 2992	4996	2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe	WnBaPfb.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_f7f6f9f9302926b518975b7a884e32f2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\System\hjBhuUS.exe
C:\Windows\System\hjBhuUS.exe
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\System\JflNDSa.exe
C:\Windows\System\JflNDSa.exe
2⤵
- Executes dropped EXE
PID:4604

C:\Windows\System\hQRPVxt.exe
C:\Windows\System\hQRPVxt.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\PdSwOSI.exe
C:\Windows\System\PdSwOSI.exe
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\System\JHMjwyL.exe
C:\Windows\System\JHMjwyL.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\System\TbZRZhZ.exe
C:\Windows\System\TbZRZhZ.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\System\EttbxQc.exe
C:\Windows\System\EttbxQc.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\KvCoBTa.exe
C:\Windows\System\KvCoBTa.exe
2⤵
- Executes dropped EXE
PID:3624

C:\Windows\System\BhUbFUI.exe
C:\Windows\System\BhUbFUI.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\jozCCVH.exe
C:\Windows\System\jozCCVH.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\SspVFkW.exe
C:\Windows\System\SspVFkW.exe
2⤵
- Executes dropped EXE
PID:2204

C:\Windows\System\mQxDXGN.exe
C:\Windows\System\mQxDXGN.exe
2⤵
- Executes dropped EXE
PID:3288

C:\Windows\System\vAHbPJv.exe
C:\Windows\System\vAHbPJv.exe
2⤵
- Executes dropped EXE
PID:4352

C:\Windows\System\IFGvxRz.exe
C:\Windows\System\IFGvxRz.exe
2⤵
- Executes dropped EXE
PID:2176

C:\Windows\System\kLtvLKi.exe
C:\Windows\System\kLtvLKi.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System\XQMOKzw.exe
C:\Windows\System\XQMOKzw.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\nAblNls.exe
C:\Windows\System\nAblNls.exe
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\System\XCwAfFA.exe
C:\Windows\System\XCwAfFA.exe
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\System\skklCNK.exe
C:\Windows\System\skklCNK.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\RdAONPc.exe
C:\Windows\System\RdAONPc.exe
2⤵
- Executes dropped EXE
PID:2460

C:\Windows\System\WnBaPfb.exe
C:\Windows\System\WnBaPfb.exe
2⤵
- Executes dropped EXE
PID:2992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BhUbFUI.exe
Filesize
5.9MB

MD5
ed5a91e831d4ca73d9203ea488048040

SHA1
e84adebd821b55a538766d01b6390b3e4e7d2f57

SHA256
0fb8ed2b1afaa2602bd4d5f627b072d98d77fd47bb20bf884a580fd4b11b64d0

SHA512
fe4eaa883dfaa09eb0159e150d82a527e42cce43ae619b11a63f6945ef009f5a4f6e80d15d1ce7477213d488fbb28ba36d19161512851a2596366e790be7dc61

Download Submit
C:\Windows\System\EttbxQc.exe
Filesize
5.9MB

MD5
4f448d1ede7326200a8a61281ceb1512

SHA1
27bae6af7aaeaf1ad2ea4beb9e1d405e15fd8de9

SHA256
09a33e4f686bb5c4f553a4c762a1f798538da73b9507b2f31b786b34d50b04e1

SHA512
0e73d7cd12b44e8da086b33382dded8cf0acbf25e84ab8f2b8de4ccac00d27cc1f9bdd226821a57870420dfc9fcc13d5d1d377f99062c774ffe3d127e3a65817

Download Submit
C:\Windows\System\IFGvxRz.exe
Filesize
5.9MB

MD5
e528d1f30571a20d46b677184c20bff0

SHA1
524658b2e1eada8718c96087414312716cf5157f

SHA256
a4ac0429d6e9a32c1a59c00eb348174a7bd08cd10fc59ca13184dd94ca5c29e5

SHA512
1fc2199aa8e3c4bfe0da8e9e587f3232e0120055d123dad4f2e807a3bcb3fe95a0e89a059e6e3076eff450b3a7936c61499764a0fa19e67c35da500a1ff916e2

Download Submit
C:\Windows\System\JHMjwyL.exe
Filesize
5.9MB

MD5
4f5afa2e63e5229ebe6e444c778adc52

SHA1
be00627fda00035e06e0e44684ad210a53cba479

SHA256
c33641e6e2ac3e04af82248c5925eeb99b6845d3e7d42498fb7fde911db6f599

SHA512
89ec21651320a3dd61ffc0ed860a16e1e02ca5e5ea866af6f0a1419834b2be69fcad8c4182465eabe8177c69f015c7d60591a61d35d88e6406434d9bb7ce3a20

Download Submit
C:\Windows\System\JflNDSa.exe
Filesize
5.9MB

MD5
fc0731bacd46d0e8bc661e831351d216

SHA1
5145b4081569b47e5671b66ec8eed8287d854db5

SHA256
f9bb3070a17a12e5ed8704a271d4f1e483d63d7497f7c5691868a3a632e881db

SHA512
5b72762f19d17ab34ce585c5f1c267c85424c38689577d9d2e7e590c95aee8ad60d476a08aab45d303229908019da284f18ce6f106bff8fa4406d6c269a998d5

Download Submit
C:\Windows\System\KvCoBTa.exe
Filesize
5.9MB

MD5
5b0bf6c29baffa615af7cec51e54bb51

SHA1
6041e4e3fe6822d5331e791fea396d10b616c829

SHA256
ecbee0ea2faff48627ef9f98984e589c2ad4cdd0c98730e8fcda55e95656b99d

SHA512
c651675521050aaf3b4c9d52288c901013687f9956e23f141cdc47ab4553f35d74a497b16cb9388775596ee4a054767003d84ea3553a0dc106a8c513e9d8f375

Download Submit
C:\Windows\System\PdSwOSI.exe
Filesize
5.9MB

MD5
b8a015f853dace3516a8c8594c73dcb3

SHA1
e8f122417e926224cf9d5a0df22fbca9e5678abd

SHA256
92b0a33131493d396b89f8928665508d2b75da283b8592aa77411c1a488bb55a

SHA512
b19dc0e07a795494a6fb450f6165df646dcd342f2a6513476de8d891dc15ecdd45cc966ea3deaa7fca63259b480b4404e15e84aad41ec7314f01c7e5ba3d3e12

Download Submit
C:\Windows\System\RdAONPc.exe
Filesize
5.9MB

MD5
bf5e845af69f73c8e5e198f9b754abd9

SHA1
3b026d8f8c9e42bd4fbfaedf7f556edbb7abebbc

SHA256
0b4dcc470c4d0d889c2f80decd0b994c4f581561c1074a3df635253ff774f560

SHA512
0a3528fb47132be99ec0188c7312034112e821d180281346c5bb08e90e0af98404d3bb3e126adfee52378d4aa186692b24c40b52790aa0096398cf209977331f

Download Submit
C:\Windows\System\SspVFkW.exe
Filesize
5.9MB

MD5
6a789ba83776da946192018d590e0622

SHA1
7dedad4b4255bdaca3a25f0f1801680debc3b493

SHA256
af4d34b1f0c78dc836649d0ec46c3057766df3ff28e1d93fdf98d3497970ae4a

SHA512
bfca4fbb38290e77f830181b8e76e7a9ac9b39bcf17267cecc26dcede3d21941c9411363368c2b8715aaecefad62eb664cec13a2e91cceb9ce6e138e5d17cb52

Download Submit
C:\Windows\System\TbZRZhZ.exe
Filesize
5.9MB

MD5
1369ccf623579e93bcfe099685b671b6

SHA1
0c9f2ba698bbe43731523709adf46a734c2ec884

SHA256
8821b8599cd356334f78cbc992c860af26614659ffc62b7c70f82f083c268028

SHA512
bd332ef0297fe6b057c3b146aa6bfc1db546ee35285b3d029bad7f41eb0aefc06ab3356f0454170d6fdb8567bb2eea3ae989b3bbdcdb03096554696d96859b78

Download Submit
C:\Windows\System\WnBaPfb.exe
Filesize
5.9MB

MD5
14fbe87ae3cd6db04f9d7e567956390f

SHA1
eaec2e2e9970c5c063645f1c6c315f868ffa3a38

SHA256
6f7125721f83842f3f54a6ae5b674132019b5b713418e781bda32af274fa2275

SHA512
c49cd79bb8a5ea1a787ff25e2d725e0d8ea9804b16cb44348ab67a05f72ae0fd919e17d44322c145a5f8cf7b466d7bc4f04c928bbe476f0477bde8ae8854114e

Download Submit
C:\Windows\System\XCwAfFA.exe
Filesize
5.9MB

MD5
d8af99b747d96d482c278bad603780e4

SHA1
dd1dc57500ac4f7cb93061f5b1f93a035b0f5037

SHA256
e36695df6935eb3dcae8cb183eb10ef56d1161e56ecdca600cae88d254294c88

SHA512
b69c9647942139fcd493b1284cca3b11e1e644f707b48110ec36d49b4f5fda596d8d286ece20c0d3e4a9a9f1e3a6d5ca14fac2ff91e59eb75c52a1bfb0f791ab

Download Submit
C:\Windows\System\XQMOKzw.exe
Filesize
5.9MB

MD5
24705da84a98ece1c106eb37edd9bf93

SHA1
2c6083df431f1a60cca7d28efda3f1a7dd0e5299

SHA256
46e1f57022238cc8826f3d1668e686e28be86620d754e6157182654dfeb4efd5

SHA512
7e7d5f8e8360715b27a966c2cf868a0b0e076a8cf12544b355b3f026d221ba1b14cce6e4858cdf6a2c7ce602434c5aa2bb920cfc2067ae178142d6bec563423a

Download Submit
C:\Windows\System\hQRPVxt.exe
Filesize
5.9MB

MD5
1d47947ea2b34a937593ef1c3b295066

SHA1
85ad06b384abff4a2c55ccddc534bd2f30eea2fc

SHA256
c2ae01d698e73f5ff8bdb9240208ac36350623cdc20b9bc9803b93f41e059f89

SHA512
8a67a8b9254da68086ed001d9491e2b95396fe0b43742d9410697ecc77f95680979e5b0916e2c972fe7cf659b25ba86e713f79d516594d8e4f6085210f0cfd28

Download Submit
C:\Windows\System\hjBhuUS.exe
Filesize
5.9MB

MD5
eab4a688d410c594e2fe104027ba211e

SHA1
33c02d7027e84fe2cb6d5248dea1f3eba12f995a

SHA256
fe0ec507268f7b8d7e66e90684649c53ca541c6a839c425b7a611c8f7bc0c8e4

SHA512
94321a205c23b0866b6269aa0eb73f77c5999e538740d51e80c4a4349d19233a55801e9a1ba1ea4289a414f96cc6feb0ab9378a31aa3d8f1309b731d2ca48b9d

Download Submit
C:\Windows\System\jozCCVH.exe
Filesize
5.9MB

MD5
6b48de963a1ad27e876a2ff06c2dc95e

SHA1
1f9144645de5a609fc6d7ffeb091c8df52500c7b

SHA256
eba71a18ec0718996b9fff89001ab7fe17e0c9acd73448455514fae1266cae30

SHA512
21b8d0bb3161af82179e9dbac04d21d22ded25381d577272aade2523121a1343579eed128430b22c9cfba3d684fd1baec40daa45820efdadcf239b6e39076d60

Download Submit
C:\Windows\System\kLtvLKi.exe
Filesize
5.9MB

MD5
41c72768be9c40eb4e5ced0440d9c18a

SHA1
2685542d28cdd67f731260cc085d56ecfa2f6395

SHA256
90e9ca0e4dfea887ffca13bc06579b7a7004a058ff68f30b0894f36dd8b4c9a4

SHA512
5f20862e8df87a0a09b828de778fe6c7085b4e988ce5f4de3b6607051c18a1fa33d0eaa5eecc76edb2e49a971053c020bcf81575195721b187101caa0be5cf88

Download Submit
C:\Windows\System\mQxDXGN.exe
Filesize
5.9MB

MD5
316855076f1f3022a5305702a0521854

SHA1
8f173f1f6fc5a125c3c4aea826076c69f9e2d73b

SHA256
6550b34d3ca33914da840752047a46bc8761ddf798050fa54f44d137e5c1d1f9

SHA512
67d32c8cbbf94ea3b895d68682779d51f21b2295f4e48a86f2065b14eefc9f885b2fc0d4c63eca92e4a4588506515377305848295d84307e866c26efef853e91

Download Submit
C:\Windows\System\nAblNls.exe
Filesize
5.9MB

MD5
aec7c4990d9578e86e0603796d0e7c8c

SHA1
c1d9ec7d248c28ecbbea013e1b8bbf79e9f5661a

SHA256
1bcd45369f814075b132247059722a27ec2ab63aa62abd84e818dc19941c5f2b

SHA512
78e4b1b69756b31ceba3264aa4111d31210f010196547e167973c7291c4b01b0af1f52572cd64dad600f1f7482161b61e01a304e4f01083c20ca230e3d007818

Download Submit
C:\Windows\System\skklCNK.exe
Filesize
5.9MB

MD5
f2b396ce7ebc4f54cffd68ee3c7da492

SHA1
2578d66d01141c748ce2cbe079086d309bf48ac9

SHA256
6fb1ef0c03235b21e865057709229d28d58a575f72fba779745a2ff57614e65e

SHA512
5847ac086873f120a6c74cfadf45a35d36dae55c143a46347e31f8105d676652b302712731e1b28e2408c56e0a02253123b1e59a5fc610cd6bcfd6ff2f37adb0

Download Submit
C:\Windows\System\vAHbPJv.exe
Filesize
5.9MB

MD5
82ef9229b2af660ed6ef4c3f852c1eb5

SHA1
fff060377239add2190190a1ded972b630e91c45

SHA256
1f4d3818072206840254986010ba33ddbfd65baab7046b4d6851f614cd6edf6f

SHA512
50bfc13b3219918bbf0bfdf5c78b0f79902556068826a985e185314ea18167467f5a92f350c1146a072b4b4f41016b300d6279a3cb20c018d971fafc0389e6b1

Download Submit
memory/1016-26-0x00007FF712E30000-0x00007FF713184000-memory.dmp

Filesize
3.3MB

Download
memory/1016-138-0x00007FF712E30000-0x00007FF713184000-memory.dmp

Filesize
3.3MB

Download
memory/1016-131-0x00007FF712E30000-0x00007FF713184000-memory.dmp

Filesize
3.3MB

Download
memory/1212-153-0x00007FF752060000-0x00007FF7523B4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-127-0x00007FF752060000-0x00007FF7523B4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-150-0x00007FF7745C0000-0x00007FF774914000-memory.dmp

Filesize
3.3MB

Download
memory/1688-124-0x00007FF7745C0000-0x00007FF774914000-memory.dmp

Filesize
3.3MB

Download
memory/1808-61-0x00007FF637620000-0x00007FF637974000-memory.dmp

Filesize
3.3MB

Download
memory/1808-143-0x00007FF637620000-0x00007FF637974000-memory.dmp

Filesize
3.3MB

Download
memory/1848-139-0x00007FF776A30000-0x00007FF776D84000-memory.dmp

Filesize
3.3MB

Download
memory/1848-32-0x00007FF776A30000-0x00007FF776D84000-memory.dmp

Filesize
3.3MB

Download
memory/1932-71-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp

Filesize
3.3MB

Download
memory/1932-144-0x00007FF7C8DD0000-0x00007FF7C9124000-memory.dmp

Filesize
3.3MB

Download
memory/2176-122-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp

Filesize
3.3MB

Download
memory/2176-148-0x00007FF7E3C00000-0x00007FF7E3F54000-memory.dmp

Filesize
3.3MB

Download
memory/2204-72-0x00007FF7873B0000-0x00007FF787704000-memory.dmp

Filesize
3.3MB

Download
memory/2204-145-0x00007FF7873B0000-0x00007FF787704000-memory.dmp

Filesize
3.3MB

Download
memory/2232-137-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-20-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

Filesize
3.3MB

Download
memory/2232-130-0x00007FF792490000-0x00007FF7927E4000-memory.dmp

Filesize
3.3MB

Download
memory/2460-155-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp

Filesize
3.3MB

Download
memory/2460-128-0x00007FF6A3460000-0x00007FF6A37B4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-129-0x00007FF6100C0000-0x00007FF610414000-memory.dmp

Filesize
3.3MB

Download
memory/2992-154-0x00007FF6100C0000-0x00007FF610414000-memory.dmp

Filesize
3.3MB

Download
memory/3280-126-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

Filesize
3.3MB

Download
memory/3280-152-0x00007FF7522C0000-0x00007FF752614000-memory.dmp

Filesize
3.3MB

Download
memory/3288-73-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

Filesize
3.3MB

Download
memory/3288-134-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

Filesize
3.3MB

Download
memory/3288-146-0x00007FF6B16D0000-0x00007FF6B1A24000-memory.dmp

Filesize
3.3MB

Download
memory/3624-142-0x00007FF698680000-0x00007FF6989D4000-memory.dmp

Filesize
3.3MB

Download
memory/3624-54-0x00007FF698680000-0x00007FF6989D4000-memory.dmp

Filesize
3.3MB

Download
memory/4352-147-0x00007FF770000000-0x00007FF770354000-memory.dmp

Filesize
3.3MB

Download
memory/4352-121-0x00007FF770000000-0x00007FF770354000-memory.dmp

Filesize
3.3MB

Download
memory/4364-151-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4364-125-0x00007FF71BDA0000-0x00007FF71C0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4604-136-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

Filesize
3.3MB

Download
memory/4604-16-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

Filesize
3.3MB

Download
memory/4604-120-0x00007FF7621C0000-0x00007FF762514000-memory.dmp

Filesize
3.3MB

Download
memory/4956-37-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/4956-140-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/4956-132-0x00007FF7D76D0000-0x00007FF7D7A24000-memory.dmp

Filesize
3.3MB

Download
memory/4960-12-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

Filesize
3.3MB

Download
memory/4960-135-0x00007FF600D60000-0x00007FF6010B4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-69-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-0-0x00007FF7D4850000-0x00007FF7D4BA4000-memory.dmp

Filesize
3.3MB

Download
memory/4996-1-0x0000027998840000-0x0000027998850000-memory.dmp

Filesize
64KB

Download
memory/5032-123-0x00007FF600220000-0x00007FF600574000-memory.dmp

Filesize
3.3MB

Download
memory/5032-149-0x00007FF600220000-0x00007FF600574000-memory.dmp

Filesize
3.3MB

Download
memory/5112-141-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

Filesize
3.3MB

Download
memory/5112-133-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

Filesize
3.3MB

Download
memory/5112-42-0x00007FF64FFF0000-0x00007FF650344000-memory.dmp

Filesize
3.3MB

Download