cobaltstrike | 119c1b7241fdba86a110afc28592ca2f7a1dfdcb1bc9c2b1418ed3550f862ca7

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1ba7dce749c70d4130881dd902ebd925
SHA1

2af95dbec622e3312c8d3da8f17939ec00349f6f
SHA256

119c1b7241fdba86a110afc28592ca2f7a1dfdcb1bc9c2b1418ed3550f862ca7
SHA512

7af91a363a8d20d6cbd2a473cb5c16bbe11edc9af30a1b7e4f96f3efc3c0316ae2ee341d9bcdc649c49bb2f5b65f4ba0b7126f55ea3b1414b74db92fa2a04228
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUD:T+856utgpPF8u/7D

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\HPdxQIq.exe	cobalt_reflective_dll
C:\Windows\System\YDYaTQC.exe	cobalt_reflective_dll
C:\Windows\System\iYgXUSO.exe	cobalt_reflective_dll
C:\Windows\System\WfivsIk.exe	cobalt_reflective_dll
C:\Windows\System\RWERhRu.exe	cobalt_reflective_dll
C:\Windows\System\AOLVHOb.exe	cobalt_reflective_dll
C:\Windows\System\JqJxLbs.exe	cobalt_reflective_dll
C:\Windows\System\XnDJBfi.exe	cobalt_reflective_dll
C:\Windows\System\eNHgrOb.exe	cobalt_reflective_dll
C:\Windows\System\iBenYJW.exe	cobalt_reflective_dll
C:\Windows\System\jTkPrkL.exe	cobalt_reflective_dll
C:\Windows\System\hborWOG.exe	cobalt_reflective_dll
C:\Windows\System\SYDWbat.exe	cobalt_reflective_dll
C:\Windows\System\HURXHqJ.exe	cobalt_reflective_dll
C:\Windows\System\guuGiBL.exe	cobalt_reflective_dll
C:\Windows\System\IFtwvIt.exe	cobalt_reflective_dll
C:\Windows\System\TEULEdi.exe	cobalt_reflective_dll
C:\Windows\System\cSPjuYN.exe	cobalt_reflective_dll
C:\Windows\System\UUreilQ.exe	cobalt_reflective_dll
C:\Windows\System\IDCdAwx.exe	cobalt_reflective_dll
C:\Windows\System\LRPLttJ.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\HPdxQIq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YDYaTQC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iYgXUSO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WfivsIk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RWERhRu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AOLVHOb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JqJxLbs.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XnDJBfi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eNHgrOb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iBenYJW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jTkPrkL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hborWOG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SYDWbat.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HURXHqJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\guuGiBL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IFtwvIt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TEULEdi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cSPjuYN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UUreilQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IDCdAwx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LRPLttJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1600-0-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	UPX
C:\Windows\System\HPdxQIq.exe	UPX
behavioral2/memory/3828-8-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	UPX
C:\Windows\System\YDYaTQC.exe	UPX
C:\Windows\System\iYgXUSO.exe	UPX
C:\Windows\System\WfivsIk.exe	UPX
C:\Windows\System\RWERhRu.exe	UPX
behavioral2/memory/2168-32-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	UPX
C:\Windows\System\AOLVHOb.exe	UPX
C:\Windows\System\JqJxLbs.exe	UPX
behavioral2/memory/2696-44-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	UPX
behavioral2/memory/3956-47-0x00007FF639310000-0x00007FF639664000-memory.dmp	UPX
C:\Windows\System\XnDJBfi.exe	UPX
behavioral2/memory/416-48-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	UPX
C:\Windows\System\eNHgrOb.exe	UPX
C:\Windows\System\iBenYJW.exe	UPX
C:\Windows\System\jTkPrkL.exe	UPX
behavioral2/memory/2992-71-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	UPX
behavioral2/memory/1976-68-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	UPX
behavioral2/memory/2532-67-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	UPX
behavioral2/memory/4832-66-0x00007FF608640000-0x00007FF608994000-memory.dmp	UPX
C:\Windows\System\hborWOG.exe	UPX
behavioral2/memory/3484-37-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	UPX
behavioral2/memory/1312-33-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	UPX
behavioral2/memory/4024-19-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	UPX
C:\Windows\System\SYDWbat.exe	UPX
behavioral2/memory/1148-80-0x00007FF68DF20000-0x00007FF68E274000-memory.dmp	UPX
C:\Windows\System\HURXHqJ.exe	UPX
behavioral2/memory/2224-84-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	UPX
C:\Windows\System\guuGiBL.exe	UPX
C:\Windows\System\IFtwvIt.exe	UPX
C:\Windows\System\TEULEdi.exe	UPX
behavioral2/memory/4840-101-0x00007FF68B5C0000-0x00007FF68B914000-memory.dmp	UPX
behavioral2/memory/1600-98-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	UPX
behavioral2/memory/2616-106-0x00007FF695920000-0x00007FF695C74000-memory.dmp	UPX
behavioral2/memory/3828-105-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	UPX
behavioral2/memory/4252-92-0x00007FF6A23A0000-0x00007FF6A26F4000-memory.dmp	UPX
C:\Windows\System\cSPjuYN.exe	UPX
C:\Windows\System\UUreilQ.exe	UPX
behavioral2/memory/1356-121-0x00007FF62AA10000-0x00007FF62AD64000-memory.dmp	UPX
behavioral2/memory/2696-120-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	UPX
C:\Windows\System\IDCdAwx.exe	UPX
behavioral2/memory/3584-111-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	UPX
C:\Windows\System\LRPLttJ.exe	UPX
behavioral2/memory/416-130-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	UPX
behavioral2/memory/4472-124-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	UPX
behavioral2/memory/5104-131-0x00007FF655170000-0x00007FF6554C4000-memory.dmp	UPX
behavioral2/memory/2992-133-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	UPX
behavioral2/memory/1976-132-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	UPX
behavioral2/memory/2224-134-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	UPX
behavioral2/memory/3584-135-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	UPX
behavioral2/memory/4472-136-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	UPX
behavioral2/memory/3828-137-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	UPX
behavioral2/memory/4024-138-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	UPX
behavioral2/memory/2168-139-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	UPX
behavioral2/memory/1312-141-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	UPX
behavioral2/memory/3484-140-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	UPX
behavioral2/memory/2696-142-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	UPX
behavioral2/memory/3956-143-0x00007FF639310000-0x00007FF639664000-memory.dmp	UPX
behavioral2/memory/4832-145-0x00007FF608640000-0x00007FF608994000-memory.dmp	UPX
behavioral2/memory/416-144-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	UPX
behavioral2/memory/1976-147-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	UPX
behavioral2/memory/2992-146-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	UPX
behavioral2/memory/2532-148-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1600-0-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	xmrig
C:\Windows\System\HPdxQIq.exe	xmrig
behavioral2/memory/3828-8-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	xmrig
C:\Windows\System\YDYaTQC.exe	xmrig
C:\Windows\System\iYgXUSO.exe	xmrig
C:\Windows\System\WfivsIk.exe	xmrig
C:\Windows\System\RWERhRu.exe	xmrig
behavioral2/memory/2168-32-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	xmrig
C:\Windows\System\AOLVHOb.exe	xmrig
C:\Windows\System\JqJxLbs.exe	xmrig
behavioral2/memory/2696-44-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	xmrig
behavioral2/memory/3956-47-0x00007FF639310000-0x00007FF639664000-memory.dmp	xmrig
C:\Windows\System\XnDJBfi.exe	xmrig
behavioral2/memory/416-48-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	xmrig
C:\Windows\System\eNHgrOb.exe	xmrig
C:\Windows\System\iBenYJW.exe	xmrig
C:\Windows\System\jTkPrkL.exe	xmrig
behavioral2/memory/2992-71-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	xmrig
behavioral2/memory/1976-68-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	xmrig
behavioral2/memory/2532-67-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	xmrig
behavioral2/memory/4832-66-0x00007FF608640000-0x00007FF608994000-memory.dmp	xmrig
C:\Windows\System\hborWOG.exe	xmrig
behavioral2/memory/3484-37-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	xmrig
behavioral2/memory/1312-33-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	xmrig
behavioral2/memory/4024-19-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	xmrig
C:\Windows\System\SYDWbat.exe	xmrig
behavioral2/memory/1148-80-0x00007FF68DF20000-0x00007FF68E274000-memory.dmp	xmrig
C:\Windows\System\HURXHqJ.exe	xmrig
behavioral2/memory/2224-84-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	xmrig
C:\Windows\System\guuGiBL.exe	xmrig
C:\Windows\System\IFtwvIt.exe	xmrig
C:\Windows\System\TEULEdi.exe	xmrig
behavioral2/memory/4840-101-0x00007FF68B5C0000-0x00007FF68B914000-memory.dmp	xmrig
behavioral2/memory/1600-98-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	xmrig
behavioral2/memory/2616-106-0x00007FF695920000-0x00007FF695C74000-memory.dmp	xmrig
behavioral2/memory/3828-105-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	xmrig
behavioral2/memory/4252-92-0x00007FF6A23A0000-0x00007FF6A26F4000-memory.dmp	xmrig
C:\Windows\System\cSPjuYN.exe	xmrig
C:\Windows\System\UUreilQ.exe	xmrig
behavioral2/memory/1356-121-0x00007FF62AA10000-0x00007FF62AD64000-memory.dmp	xmrig
behavioral2/memory/2696-120-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	xmrig
C:\Windows\System\IDCdAwx.exe	xmrig
behavioral2/memory/3584-111-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	xmrig
C:\Windows\System\LRPLttJ.exe	xmrig
behavioral2/memory/416-130-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	xmrig
behavioral2/memory/4472-124-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	xmrig
behavioral2/memory/5104-131-0x00007FF655170000-0x00007FF6554C4000-memory.dmp	xmrig
behavioral2/memory/2992-133-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	xmrig
behavioral2/memory/1976-132-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	xmrig
behavioral2/memory/2224-134-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	xmrig
behavioral2/memory/3584-135-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	xmrig
behavioral2/memory/4472-136-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	xmrig
behavioral2/memory/3828-137-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	xmrig
behavioral2/memory/4024-138-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	xmrig
behavioral2/memory/2168-139-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	xmrig
behavioral2/memory/1312-141-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	xmrig
behavioral2/memory/3484-140-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	xmrig
behavioral2/memory/2696-142-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	xmrig
behavioral2/memory/3956-143-0x00007FF639310000-0x00007FF639664000-memory.dmp	xmrig
behavioral2/memory/4832-145-0x00007FF608640000-0x00007FF608994000-memory.dmp	xmrig
behavioral2/memory/416-144-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	xmrig
behavioral2/memory/1976-147-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	xmrig
behavioral2/memory/2992-146-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	xmrig
behavioral2/memory/2532-148-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

HPdxQIq.exeYDYaTQC.exeiYgXUSO.exeWfivsIk.exeRWERhRu.exeJqJxLbs.exeAOLVHOb.exeXnDJBfi.exehborWOG.exeeNHgrOb.exejTkPrkL.exeiBenYJW.exeSYDWbat.exeHURXHqJ.exeguuGiBL.exeIFtwvIt.exeTEULEdi.exeIDCdAwx.execSPjuYN.exeUUreilQ.exeLRPLttJ.exe

pid	process
3828	HPdxQIq.exe
4024	YDYaTQC.exe
2168	iYgXUSO.exe
3484	WfivsIk.exe
1312	RWERhRu.exe
3956	JqJxLbs.exe
2696	AOLVHOb.exe
416	XnDJBfi.exe
4832	hborWOG.exe
2532	eNHgrOb.exe
1976	jTkPrkL.exe
2992	iBenYJW.exe
1148	SYDWbat.exe
2224	HURXHqJ.exe
4252	guuGiBL.exe
4840	IFtwvIt.exe
2616	TEULEdi.exe
3584	IDCdAwx.exe
1356	cSPjuYN.exe
4472	UUreilQ.exe
5104	LRPLttJ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1600-0-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	upx
C:\Windows\System\HPdxQIq.exe	upx
behavioral2/memory/3828-8-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	upx
C:\Windows\System\YDYaTQC.exe	upx
C:\Windows\System\iYgXUSO.exe	upx
C:\Windows\System\WfivsIk.exe	upx
C:\Windows\System\RWERhRu.exe	upx
behavioral2/memory/2168-32-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	upx
C:\Windows\System\AOLVHOb.exe	upx
C:\Windows\System\JqJxLbs.exe	upx
behavioral2/memory/2696-44-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	upx
behavioral2/memory/3956-47-0x00007FF639310000-0x00007FF639664000-memory.dmp	upx
C:\Windows\System\XnDJBfi.exe	upx
behavioral2/memory/416-48-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	upx
C:\Windows\System\eNHgrOb.exe	upx
C:\Windows\System\iBenYJW.exe	upx
C:\Windows\System\jTkPrkL.exe	upx
behavioral2/memory/2992-71-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	upx
behavioral2/memory/1976-68-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	upx
behavioral2/memory/2532-67-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	upx
behavioral2/memory/4832-66-0x00007FF608640000-0x00007FF608994000-memory.dmp	upx
C:\Windows\System\hborWOG.exe	upx
behavioral2/memory/3484-37-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	upx
behavioral2/memory/1312-33-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	upx
behavioral2/memory/4024-19-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	upx
C:\Windows\System\SYDWbat.exe	upx
behavioral2/memory/1148-80-0x00007FF68DF20000-0x00007FF68E274000-memory.dmp	upx
C:\Windows\System\HURXHqJ.exe	upx
behavioral2/memory/2224-84-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	upx
C:\Windows\System\guuGiBL.exe	upx
C:\Windows\System\IFtwvIt.exe	upx
C:\Windows\System\TEULEdi.exe	upx
behavioral2/memory/4840-101-0x00007FF68B5C0000-0x00007FF68B914000-memory.dmp	upx
behavioral2/memory/1600-98-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp	upx
behavioral2/memory/2616-106-0x00007FF695920000-0x00007FF695C74000-memory.dmp	upx
behavioral2/memory/3828-105-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	upx
behavioral2/memory/4252-92-0x00007FF6A23A0000-0x00007FF6A26F4000-memory.dmp	upx
C:\Windows\System\cSPjuYN.exe	upx
C:\Windows\System\UUreilQ.exe	upx
behavioral2/memory/1356-121-0x00007FF62AA10000-0x00007FF62AD64000-memory.dmp	upx
behavioral2/memory/2696-120-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	upx
C:\Windows\System\IDCdAwx.exe	upx
behavioral2/memory/3584-111-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	upx
C:\Windows\System\LRPLttJ.exe	upx
behavioral2/memory/416-130-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	upx
behavioral2/memory/4472-124-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	upx
behavioral2/memory/5104-131-0x00007FF655170000-0x00007FF6554C4000-memory.dmp	upx
behavioral2/memory/2992-133-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	upx
behavioral2/memory/1976-132-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	upx
behavioral2/memory/2224-134-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp	upx
behavioral2/memory/3584-135-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp	upx
behavioral2/memory/4472-136-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp	upx
behavioral2/memory/3828-137-0x00007FF680A00000-0x00007FF680D54000-memory.dmp	upx
behavioral2/memory/4024-138-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp	upx
behavioral2/memory/2168-139-0x00007FF7514B0000-0x00007FF751804000-memory.dmp	upx
behavioral2/memory/1312-141-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp	upx
behavioral2/memory/3484-140-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp	upx
behavioral2/memory/2696-142-0x00007FF653260000-0x00007FF6535B4000-memory.dmp	upx
behavioral2/memory/3956-143-0x00007FF639310000-0x00007FF639664000-memory.dmp	upx
behavioral2/memory/4832-145-0x00007FF608640000-0x00007FF608994000-memory.dmp	upx
behavioral2/memory/416-144-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp	upx
behavioral2/memory/1976-147-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp	upx
behavioral2/memory/2992-146-0x00007FF77F230000-0x00007FF77F584000-memory.dmp	upx
behavioral2/memory/2532-148-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\hborWOG.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\guuGiBL.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cSPjuYN.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HURXHqJ.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IFtwvIt.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUreilQ.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AOLVHOb.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNHgrOb.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SYDWbat.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XnDJBfi.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jTkPrkL.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iBenYJW.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TEULEdi.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HPdxQIq.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YDYaTQC.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqJxLbs.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDCdAwx.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LRPLttJ.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iYgXUSO.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WfivsIk.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWERhRu.exe	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1600 wrote to memory of 3828	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	HPdxQIq.exe
PID 1600 wrote to memory of 3828	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	HPdxQIq.exe
PID 1600 wrote to memory of 4024	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	YDYaTQC.exe
PID 1600 wrote to memory of 4024	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	YDYaTQC.exe
PID 1600 wrote to memory of 2168	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	iYgXUSO.exe
PID 1600 wrote to memory of 2168	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	iYgXUSO.exe
PID 1600 wrote to memory of 3484	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	WfivsIk.exe
PID 1600 wrote to memory of 3484	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	WfivsIk.exe
PID 1600 wrote to memory of 1312	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	RWERhRu.exe
PID 1600 wrote to memory of 1312	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	RWERhRu.exe
PID 1600 wrote to memory of 3956	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	JqJxLbs.exe
PID 1600 wrote to memory of 3956	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	JqJxLbs.exe
PID 1600 wrote to memory of 2696	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	AOLVHOb.exe
PID 1600 wrote to memory of 2696	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	AOLVHOb.exe
PID 1600 wrote to memory of 416	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	XnDJBfi.exe
PID 1600 wrote to memory of 416	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	XnDJBfi.exe
PID 1600 wrote to memory of 4832	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	hborWOG.exe
PID 1600 wrote to memory of 4832	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	hborWOG.exe
PID 1600 wrote to memory of 2532	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	eNHgrOb.exe
PID 1600 wrote to memory of 2532	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	eNHgrOb.exe
PID 1600 wrote to memory of 1976	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	jTkPrkL.exe
PID 1600 wrote to memory of 1976	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	jTkPrkL.exe
PID 1600 wrote to memory of 2992	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	iBenYJW.exe
PID 1600 wrote to memory of 2992	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	iBenYJW.exe
PID 1600 wrote to memory of 1148	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	SYDWbat.exe
PID 1600 wrote to memory of 1148	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	SYDWbat.exe
PID 1600 wrote to memory of 2224	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	HURXHqJ.exe
PID 1600 wrote to memory of 2224	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	HURXHqJ.exe
PID 1600 wrote to memory of 4252	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	guuGiBL.exe
PID 1600 wrote to memory of 4252	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	guuGiBL.exe
PID 1600 wrote to memory of 4840	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	IFtwvIt.exe
PID 1600 wrote to memory of 4840	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	IFtwvIt.exe
PID 1600 wrote to memory of 2616	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	TEULEdi.exe
PID 1600 wrote to memory of 2616	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	TEULEdi.exe
PID 1600 wrote to memory of 3584	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	IDCdAwx.exe
PID 1600 wrote to memory of 3584	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	IDCdAwx.exe
PID 1600 wrote to memory of 1356	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	cSPjuYN.exe
PID 1600 wrote to memory of 1356	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	cSPjuYN.exe
PID 1600 wrote to memory of 4472	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	UUreilQ.exe
PID 1600 wrote to memory of 4472	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	UUreilQ.exe
PID 1600 wrote to memory of 5104	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	LRPLttJ.exe
PID 1600 wrote to memory of 5104	1600	2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe	LRPLttJ.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_1ba7dce749c70d4130881dd902ebd925_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\System\HPdxQIq.exe
C:\Windows\System\HPdxQIq.exe
2⤵
- Executes dropped EXE
PID:3828

C:\Windows\System\YDYaTQC.exe
C:\Windows\System\YDYaTQC.exe
2⤵
- Executes dropped EXE
PID:4024

C:\Windows\System\iYgXUSO.exe
C:\Windows\System\iYgXUSO.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\WfivsIk.exe
C:\Windows\System\WfivsIk.exe
2⤵
- Executes dropped EXE
PID:3484

C:\Windows\System\RWERhRu.exe
C:\Windows\System\RWERhRu.exe
2⤵
- Executes dropped EXE
PID:1312

C:\Windows\System\JqJxLbs.exe
C:\Windows\System\JqJxLbs.exe
2⤵
- Executes dropped EXE
PID:3956

C:\Windows\System\AOLVHOb.exe
C:\Windows\System\AOLVHOb.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\XnDJBfi.exe
C:\Windows\System\XnDJBfi.exe
2⤵
- Executes dropped EXE
PID:416

C:\Windows\System\hborWOG.exe
C:\Windows\System\hborWOG.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Windows\System\eNHgrOb.exe
C:\Windows\System\eNHgrOb.exe
2⤵
- Executes dropped EXE
PID:2532

C:\Windows\System\jTkPrkL.exe
C:\Windows\System\jTkPrkL.exe
2⤵
- Executes dropped EXE
PID:1976

C:\Windows\System\iBenYJW.exe
C:\Windows\System\iBenYJW.exe
2⤵
- Executes dropped EXE
PID:2992

C:\Windows\System\SYDWbat.exe
C:\Windows\System\SYDWbat.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\System\HURXHqJ.exe
C:\Windows\System\HURXHqJ.exe
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\System\guuGiBL.exe
C:\Windows\System\guuGiBL.exe
2⤵
- Executes dropped EXE
PID:4252

C:\Windows\System\IFtwvIt.exe
C:\Windows\System\IFtwvIt.exe
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\System\TEULEdi.exe
C:\Windows\System\TEULEdi.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\IDCdAwx.exe
C:\Windows\System\IDCdAwx.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System\cSPjuYN.exe
C:\Windows\System\cSPjuYN.exe
2⤵
- Executes dropped EXE
PID:1356

C:\Windows\System\UUreilQ.exe
C:\Windows\System\UUreilQ.exe
2⤵
- Executes dropped EXE
PID:4472

C:\Windows\System\LRPLttJ.exe
C:\Windows\System\LRPLttJ.exe
2⤵
- Executes dropped EXE
PID:5104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOLVHOb.exe
Filesize
5.9MB

MD5
6db07fa3e9ab559617e2fa5478f63628

SHA1
a30004095e5e36dfb3b9bf53f0fa73da4e734ea7

SHA256
e908889701341da90011d59dc7a334043bb2c4bac8b2fdf91ee8ffe977e218ca

SHA512
3b49d5ecbbafab2d1f57f036e29b24bb097b5fd8767d6ce1c314cb055eeb86a110e4b9a533b6ba5261b1668fbd984f4df90041e137d7c89df87ff4a0c9c0b1a6

Download Submit
C:\Windows\System\HPdxQIq.exe
Filesize
5.9MB

MD5
45e89ebe30d4c173e5c701c7178f1d3f

SHA1
63ac85f7c97bd45229ab97a344d1dc44b78c8a2a

SHA256
2141d02a05dab9acef9400f4c1854f8f29748412dd04805399a224ac1344bb80

SHA512
8cb4056bb5f4df4601c182658101e92d86b55ef5aef155081c507012a2683e629e00360d4db7762a5bf09faa88e31f3d595d186b5f674df873a965000164e5a4

Download Submit
C:\Windows\System\HURXHqJ.exe
Filesize
5.9MB

MD5
3f7e3030a45ce98f823526a78cc39f6e

SHA1
1ec9bd7b79cc33385e155a3aca1325682e0ac843

SHA256
20bb1f3358c29f2f018a06905957319c96942ccada2e54ddc2092d1021be4553

SHA512
f93ecef1395e2ead6ec0ab65eb1246d6b8a366b7f53d23d6cac4a67c94e550103f2c6450c62bb2a55510b418db6e3d6a0f217b133074459322448a2d9be6f76c

Download Submit
C:\Windows\System\IDCdAwx.exe
Filesize
5.9MB

MD5
7ae21bc359e0d21442aa57ffa8856cfa

SHA1
212c82e5bd32ee3a96621da60744db10a2e1eea9

SHA256
81056ec53ef3f3689e0294ae0152b502a02360beeb78b6e276fbc318227ffb68

SHA512
88045ee810276ba69001b10778fa78888b984b4b62a7ad35f5e26e3e27cfe9d2dee06f0ff139df9749776bff371546460a95ddf9f02fd9003395815983f3a7fe

Download Submit
C:\Windows\System\IFtwvIt.exe
Filesize
5.9MB

MD5
0cf6135982f0ee081c283e08ec6682f6

SHA1
faa699fd2aa9b2125f261551d5fc933f1af056f8

SHA256
2e6577f6930c5849d69002c6f4e4963b6b141e772c1ebc501267588536971869

SHA512
0ba5cbb3f2cefda91537b75b9a09b8d3933a2449d3cda7fbf353e3dcd616b7c5d6e0d47cf7cda62dbc6f12ad44bc0041cb3326ad09c57ee2ca868fb99c6230f6

Download Submit
C:\Windows\System\JqJxLbs.exe
Filesize
5.9MB

MD5
fb8f347dba8f423e5029c17a8ee76a26

SHA1
094557b5f85c5bff5d73687e233d1a2bf3a9b213

SHA256
5ac218dc28129c2f345b7f26558bfd12273a33221dbc5c62208567885ffec147

SHA512
aea42f7a3364f97bcdba332840a9a567ea14f97c3caf6be7ed2deb6a8ed8bfba536b21c111b763b824cc1c7c0068068301c6782c4a92b953b53020f69e1928af

Download Submit
C:\Windows\System\LRPLttJ.exe
Filesize
5.9MB

MD5
22c6119a707dc68d5d2dbe4f270ed0ad

SHA1
608223d4a5f683b1b97ecdf3bc7acb63113c90f1

SHA256
dab2c8db80cafb94cdda43f0812e2919d0f7e9b496aa285ca2de7ea742fd61d0

SHA512
0a739a7b9363200213e97bf70134c4ffc7aa280fea0aff81224c420ce9830b957a072cb66b7a5b18300bf8d0ed73030ca87cb8f278f4f7c045b42004635d5823

Download Submit
C:\Windows\System\RWERhRu.exe
Filesize
5.9MB

MD5
baa4073ccb294cc420364bed01d207bc

SHA1
3c1ceddd2051458c406f588099cfc5ddc8aa9da4

SHA256
2f333e8bd0d569700f1c316420a3fb51bb8759646ee473f3304c53630efca89a

SHA512
761dedc9fc0fcf7bb198ebe6cbd9a3048f68fcdab3d7d38ac83ebe43db04a27942317706be1fd80a2c96b56d3a443045e887f19a1bd91dcf0670a34bcce89c6e

Download Submit
C:\Windows\System\SYDWbat.exe
Filesize
5.9MB

MD5
8f4f2e1c99b20c85fdbc5bbc50549c21

SHA1
d64a13375f985f1f7236851c21d318c94b8b81f9

SHA256
ecf462132961e85a0d7cdf7198b2f3c999a49aa34214064293e2573183586be1

SHA512
973186a4131f26d3fb7e33e2f21f9d79733d5cc78c0d758c4ce7ee4a47f253780b24714e460bf4f4824c9f8efbdcfd6ee84a10dd4a1c195dee01aac4bd3c8a4d

Download Submit
C:\Windows\System\TEULEdi.exe
Filesize
5.9MB

MD5
a04c0940d08854895c73e4dc77190f7c

SHA1
b15a5cbbbf94f7aa31fedae1b048f105ec239a97

SHA256
7389cb326c1b6ae5f4ef0943a1af56315027ed0fed842de90e083163565b4751

SHA512
f52a41b16ba254718cbdce26f12cbb7d92da3faad23daf9cb8c034632ac8df246f61db27c4b2d98056048a3ab13c46b00d840f4929cc89429b2437eb1708f341

Download Submit
C:\Windows\System\UUreilQ.exe
Filesize
5.9MB

MD5
57312f2e41e81a7c754cecae2722c3c0

SHA1
5f028475e56aefb229ec9d819e7d71df3992d1d8

SHA256
4a35b0fb4ea4bfa4847cb1f100d64cbee40fa6dde84bb776b7e19319161a793a

SHA512
492e1d34d2e91f0093e71e7ce42d48ebf1284aab147354c6784eefe713240e331d09eff5205c687dc9de30572be98bd9eaf2ba6891b78ce1ab84a413acf9b6ba

Download Submit
C:\Windows\System\WfivsIk.exe
Filesize
5.9MB

MD5
472e34fe94f25e4a2a6d09dd4dff9505

SHA1
fbdb44ed919182f7330ac79b413e27a8bf23e4c3

SHA256
bec7299189e4c8517882069de5684303c96a3daee4b9f47d34d415f09e6d6150

SHA512
daaf9fca38c7e49d678204e4a8fbaf499fb8a7d15be2b50aa16d5df9526bc9d280335014a27f4ce53d91a57473ecdbf1e6d6f2bde0eefdd27b0b8629466620f2

Download Submit
C:\Windows\System\XnDJBfi.exe
Filesize
5.9MB

MD5
972bf7ae4ea1811350fc0375f25af417

SHA1
db848bfa0c01c8ed4b11c599bcfa6975fd5a1236

SHA256
ae2b813d3ecc9639d520f9fa0ce5ab33a659a27703c496dac34c90da46838f62

SHA512
e45e39f35837da9db3c78d642974ef5564601a48edb41e4159c2941e418aec251c14d317b5cec3ba9bed939e71eb2de06cae44b6c0f076ff5620b01a9904c514

Download Submit
C:\Windows\System\YDYaTQC.exe
Filesize
5.9MB

MD5
b2cf4c089cf2ea97da064a62b3ebb362

SHA1
c407d2aff73988e5eecea7c9e32b3f0c797199c7

SHA256
0acd3b8aa4b6a319266f51aa8ea512f6a834bff5b04d4221680e50062c6f6154

SHA512
5337d374a29b32bc894d88a1c4867f08ead8e7d731d3cec1d57a1fa10d340ef41844b0e0b2c3d84312d6850514b2d31d704528891fd99bb75f3a9e46e49580f7

Download Submit
C:\Windows\System\cSPjuYN.exe
Filesize
5.9MB

MD5
59054eee0a95b8e0730b7b4d69b89860

SHA1
baaf0d2957aa2bae76b959d941ea0c0ffd376fcf

SHA256
4b8f45fe1d6fe330d55cec4b5b976ebcbb624b7e25865c61fc0005778198eaab

SHA512
92a001b02bed8a27dae97eabba71b9cda93cf2e4f6bf37dc917f094dd1cae9e4d18dc290ad1bdf6f175f27727e86a02a94a299b8ed781190714d87b471d4c260

Download Submit
C:\Windows\System\eNHgrOb.exe
Filesize
5.9MB

MD5
b9baeaf32b50026709d0cc1879c13077

SHA1
0611e0101b22fd949ec99b6d500fbc01e105675c

SHA256
e06af2245fc91aecb6ca9bd020b7dc8c79553eb0eadfbe682e9edc5a121bb902

SHA512
f8d730025b002c6fea92e379bc44be992308dfdb97a7bbeaf06bc35a83977413e5df4e8bd12b04478f3f82c73940e4cf346434c0424875a286979f173c9bcab5

Download Submit
C:\Windows\System\guuGiBL.exe
Filesize
5.9MB

MD5
875a9a60934456e7db70fe39579bf332

SHA1
085b7169db7ddcba1325fbe1e8d0751df621865b

SHA256
c70b52ec57a380f610de141963dccf92c9e15ed877575b664cac7c4c39bc57b5

SHA512
e043577094723e479576990f57d80aef9ec429ba9a796bf29edc0dfe0fa1ab21559aa4df5e8ec4a6d79cf9a87b96a1132450a0f18afd66bdf9ec8920876c27c3

Download Submit
C:\Windows\System\hborWOG.exe
Filesize
5.9MB

MD5
a5489c829896ef23da561e40e0cf685a

SHA1
cd9fb85504b2e41df2f3e8fe2cc8ac4f41aa1438

SHA256
0784ad65a21a292c60b0e66e12e1d983bcda2fd5b3e148364adf567967f81daf

SHA512
9120cf13621b8b4f202a9d40aa036a91ffe0c26c3aa4f3aeb15aba6df0c5a79a58a7851f3ee917e769dd11beb74e61f4365d0934c146ebb4dfb41ae2ac2ce42d

Download Submit
C:\Windows\System\iBenYJW.exe
Filesize
5.9MB

MD5
0a7b70d6bde015a9e446f91d529f95c5

SHA1
a04b934b7c2ba6302205d6db2092d8e7f5545ef9

SHA256
ae534581f41b32d70da6327b67b48a80c97c86056ca9130638cdbb09b08d2d5a

SHA512
e878a5e7cf60395f4cfc2f8b7ab254980d6cf9cb835549e338c55aed20923d17900e77dbc8600c604ced7189db988059abf572535d0ad671f0f60b711485be69

Download Submit
C:\Windows\System\iYgXUSO.exe
Filesize
5.9MB

MD5
2e4e6251b86a0e561e6560acbf2fedac

SHA1
dc6742aa39b0275a222f8b914037e3ab0bd95834

SHA256
bcee55036dd6174edf22093be405d4d16a0e6f7d80521967de4b6bbe4e8ef30e

SHA512
b8eb259a13e778f5eee50653e5d072e4c9e8a173684932d78d3d814373cdcbef6b94038da8b1ff2362f854166a986871b1f232770a4bc3d44b1d4e9227056f65

Download Submit
C:\Windows\System\jTkPrkL.exe
Filesize
5.9MB

MD5
f2b4315405e9f956d9d5c2880381355a

SHA1
c4555b86552a794c7c1570dc36d7b4cbcdaaf910

SHA256
18441ea5d398a2cb645fdcc56aa8d40fd197524014d8cfab5d5d5e73897ef963

SHA512
df3e35351343d5c0daad9f0a3e0966b944e0c3f647f6c50a74a24124461b83df98d84d4a0a3ed7a27dc93cf9b4abcd36872b5f2357baffc066307af8a8880c6f

Download Submit
memory/416-48-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp

Filesize
3.3MB

Download
memory/416-130-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp

Filesize
3.3MB

Download
memory/416-144-0x00007FF75B7B0000-0x00007FF75BB04000-memory.dmp

Filesize
3.3MB

Download
memory/1148-80-0x00007FF68DF20000-0x00007FF68E274000-memory.dmp

Filesize
3.3MB

Download
memory/1148-149-0x00007FF68DF20000-0x00007FF68E274000-memory.dmp

Filesize
3.3MB

Download
memory/1312-33-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp

Filesize
3.3MB

Download
memory/1312-141-0x00007FF769CC0000-0x00007FF76A014000-memory.dmp

Filesize
3.3MB

Download
memory/1356-121-0x00007FF62AA10000-0x00007FF62AD64000-memory.dmp

Filesize
3.3MB

Download
memory/1356-154-0x00007FF62AA10000-0x00007FF62AD64000-memory.dmp

Filesize
3.3MB

Download
memory/1600-1-0x000001FADC580000-0x000001FADC590000-memory.dmp

Filesize
64KB

Download
memory/1600-0-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1600-98-0x00007FF61B4A0000-0x00007FF61B7F4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-68-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-147-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-132-0x00007FF6D8EA0000-0x00007FF6D91F4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-32-0x00007FF7514B0000-0x00007FF751804000-memory.dmp

Filesize
3.3MB

Download
memory/2168-139-0x00007FF7514B0000-0x00007FF751804000-memory.dmp

Filesize
3.3MB

Download
memory/2224-84-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp

Filesize
3.3MB

Download
memory/2224-134-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp

Filesize
3.3MB

Download
memory/2224-150-0x00007FF703AF0000-0x00007FF703E44000-memory.dmp

Filesize
3.3MB

Download
memory/2532-67-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp

Filesize
3.3MB

Download
memory/2532-148-0x00007FF6017D0000-0x00007FF601B24000-memory.dmp

Filesize
3.3MB

Download
memory/2616-153-0x00007FF695920000-0x00007FF695C74000-memory.dmp

Filesize
3.3MB

Download
memory/2616-106-0x00007FF695920000-0x00007FF695C74000-memory.dmp

Filesize
3.3MB

Download
memory/2696-120-0x00007FF653260000-0x00007FF6535B4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-44-0x00007FF653260000-0x00007FF6535B4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-142-0x00007FF653260000-0x00007FF6535B4000-memory.dmp

Filesize
3.3MB

Download
memory/2992-146-0x00007FF77F230000-0x00007FF77F584000-memory.dmp

Filesize
3.3MB

Download
memory/2992-133-0x00007FF77F230000-0x00007FF77F584000-memory.dmp

Filesize
3.3MB

Download
memory/2992-71-0x00007FF77F230000-0x00007FF77F584000-memory.dmp

Filesize
3.3MB

Download
memory/3484-37-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3484-140-0x00007FF7B2A70000-0x00007FF7B2DC4000-memory.dmp

Filesize
3.3MB

Download
memory/3584-155-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp

Filesize
3.3MB

Download
memory/3584-111-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp

Filesize
3.3MB

Download
memory/3584-135-0x00007FF6436B0000-0x00007FF643A04000-memory.dmp

Filesize
3.3MB

Download
memory/3828-105-0x00007FF680A00000-0x00007FF680D54000-memory.dmp

Filesize
3.3MB

Download
memory/3828-137-0x00007FF680A00000-0x00007FF680D54000-memory.dmp

Filesize
3.3MB

Download
memory/3828-8-0x00007FF680A00000-0x00007FF680D54000-memory.dmp

Filesize
3.3MB

Download
memory/3956-143-0x00007FF639310000-0x00007FF639664000-memory.dmp

Filesize
3.3MB

Download
memory/3956-47-0x00007FF639310000-0x00007FF639664000-memory.dmp

Filesize
3.3MB

Download
memory/4024-138-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp

Filesize
3.3MB

Download
memory/4024-19-0x00007FF730BB0000-0x00007FF730F04000-memory.dmp

Filesize
3.3MB

Download
memory/4252-92-0x00007FF6A23A0000-0x00007FF6A26F4000-memory.dmp

Filesize
3.3MB

Download
memory/4252-151-0x00007FF6A23A0000-0x00007FF6A26F4000-memory.dmp

Filesize
3.3MB

Download
memory/4472-156-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp

Filesize
3.3MB

Download
memory/4472-136-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp

Filesize
3.3MB

Download
memory/4472-124-0x00007FF7B9800000-0x00007FF7B9B54000-memory.dmp

Filesize
3.3MB

Download
memory/4832-66-0x00007FF608640000-0x00007FF608994000-memory.dmp

Filesize
3.3MB

Download
memory/4832-145-0x00007FF608640000-0x00007FF608994000-memory.dmp

Filesize
3.3MB

Download
memory/4840-152-0x00007FF68B5C0000-0x00007FF68B914000-memory.dmp

Filesize
3.3MB

Download
memory/4840-101-0x00007FF68B5C0000-0x00007FF68B914000-memory.dmp

Filesize
3.3MB

Download
memory/5104-131-0x00007FF655170000-0x00007FF6554C4000-memory.dmp

Filesize
3.3MB

Download
memory/5104-157-0x00007FF655170000-0x00007FF6554C4000-memory.dmp

Filesize
3.3MB

Download