cobaltstrike | 75c896ea7a713ab5cca54c2315415e8018fe3ea54e55320f1b8e942869c8d4d8

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

0ec648bec2abb888a42c2d1060ec2afa
SHA1

08be56a92d46e567391d1c5c2a2d1945876a410d
SHA256

75c896ea7a713ab5cca54c2315415e8018fe3ea54e55320f1b8e942869c8d4d8
SHA512

b17876e9b2c2d1ea5490a23d87f900dabe9ffff0bf54048956df1ee78897b823f3fa8586abed4b2dedfa8d8ab2b492c9873dad8bc5fad05b61ce55a5bf1ddc67
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:Q+856utgpPF8u/7W

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\JsFhroN.exe	cobalt_reflective_dll
C:\Windows\System\VkpOxoZ.exe	cobalt_reflective_dll
C:\Windows\System\ULPUMoa.exe	cobalt_reflective_dll
C:\Windows\System\DdUEdKP.exe	cobalt_reflective_dll
C:\Windows\System\kpBTqNN.exe	cobalt_reflective_dll
C:\Windows\System\cncqkLS.exe	cobalt_reflective_dll
C:\Windows\System\jNkbEKq.exe	cobalt_reflective_dll
C:\Windows\System\riAHsoT.exe	cobalt_reflective_dll
C:\Windows\System\RIKODFC.exe	cobalt_reflective_dll
C:\Windows\System\YJLBbRl.exe	cobalt_reflective_dll
C:\Windows\System\HIWreXw.exe	cobalt_reflective_dll
C:\Windows\System\FpfkGKJ.exe	cobalt_reflective_dll
C:\Windows\System\iFWktvo.exe	cobalt_reflective_dll
C:\Windows\System\hjYBSWz.exe	cobalt_reflective_dll
C:\Windows\System\CgYyfvr.exe	cobalt_reflective_dll
C:\Windows\System\nfdgHFJ.exe	cobalt_reflective_dll
C:\Windows\System\HcDleYi.exe	cobalt_reflective_dll
C:\Windows\System\qvFwqSG.exe	cobalt_reflective_dll
C:\Windows\System\PDcbbig.exe	cobalt_reflective_dll
C:\Windows\System\XaIzgsJ.exe	cobalt_reflective_dll
C:\Windows\System\asHLLZp.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\JsFhroN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VkpOxoZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ULPUMoa.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DdUEdKP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kpBTqNN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cncqkLS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jNkbEKq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\riAHsoT.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RIKODFC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YJLBbRl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HIWreXw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FpfkGKJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iFWktvo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hjYBSWz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CgYyfvr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nfdgHFJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HcDleYi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qvFwqSG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PDcbbig.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XaIzgsJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\asHLLZp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4548-0-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	UPX
C:\Windows\System\JsFhroN.exe	UPX
C:\Windows\System\VkpOxoZ.exe	UPX
C:\Windows\System\ULPUMoa.exe	UPX
behavioral2/memory/1848-18-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	UPX
behavioral2/memory/924-13-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	UPX
behavioral2/memory/2772-11-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	UPX
C:\Windows\System\DdUEdKP.exe	UPX
behavioral2/memory/3744-24-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	UPX
C:\Windows\System\kpBTqNN.exe	UPX
behavioral2/memory/1068-31-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	UPX
C:\Windows\System\cncqkLS.exe	UPX
behavioral2/memory/3036-36-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	UPX
C:\Windows\System\jNkbEKq.exe	UPX
C:\Windows\System\riAHsoT.exe	UPX
behavioral2/memory/1636-44-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	UPX
behavioral2/memory/1028-50-0x00007FF6A7060000-0x00007FF6A73B4000-memory.dmp	UPX
C:\Windows\System\RIKODFC.exe	UPX
C:\Windows\System\YJLBbRl.exe	UPX
behavioral2/memory/1964-56-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	UPX
C:\Windows\System\HIWreXw.exe	UPX
behavioral2/memory/4548-63-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	UPX
behavioral2/memory/2772-68-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	UPX
behavioral2/memory/5040-71-0x00007FF6C2590000-0x00007FF6C28E4000-memory.dmp	UPX
C:\Windows\System\FpfkGKJ.exe	UPX
behavioral2/memory/3400-69-0x00007FF679DF0000-0x00007FF67A144000-memory.dmp	UPX
C:\Windows\System\iFWktvo.exe	UPX
C:\Windows\System\hjYBSWz.exe	UPX
behavioral2/memory/4980-89-0x00007FF603340000-0x00007FF603694000-memory.dmp	UPX
behavioral2/memory/3744-86-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	UPX
behavioral2/memory/928-83-0x00007FF726210000-0x00007FF726564000-memory.dmp	UPX
behavioral2/memory/1848-81-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	UPX
behavioral2/memory/2020-80-0x00007FF6F03C0000-0x00007FF6F0714000-memory.dmp	UPX
behavioral2/memory/924-76-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	UPX
behavioral2/memory/1068-96-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	UPX
C:\Windows\System\CgYyfvr.exe	UPX
behavioral2/memory/4380-105-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	UPX
C:\Windows\System\nfdgHFJ.exe	UPX
C:\Windows\System\HcDleYi.exe	UPX
C:\Windows\System\qvFwqSG.exe	UPX
behavioral2/memory/744-121-0x00007FF77ADD0000-0x00007FF77B124000-memory.dmp	UPX
behavioral2/memory/4812-128-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	UPX
C:\Windows\System\PDcbbig.exe	UPX
behavioral2/memory/4700-125-0x00007FF688F40000-0x00007FF689294000-memory.dmp	UPX
behavioral2/memory/1964-124-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	UPX
behavioral2/memory/4520-112-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	UPX
behavioral2/memory/3036-102-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	UPX
behavioral2/memory/2604-101-0x00007FF61C3C0000-0x00007FF61C714000-memory.dmp	UPX
C:\Windows\System\XaIzgsJ.exe	UPX
C:\Windows\System\asHLLZp.exe	UPX
behavioral2/memory/4628-135-0x00007FF69B990000-0x00007FF69BCE4000-memory.dmp	UPX
behavioral2/memory/928-136-0x00007FF726210000-0x00007FF726564000-memory.dmp	UPX
behavioral2/memory/4980-137-0x00007FF603340000-0x00007FF603694000-memory.dmp	UPX
behavioral2/memory/4380-138-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	UPX
behavioral2/memory/4520-139-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	UPX
behavioral2/memory/4700-140-0x00007FF688F40000-0x00007FF689294000-memory.dmp	UPX
behavioral2/memory/4812-141-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	UPX
behavioral2/memory/2772-142-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	UPX
behavioral2/memory/924-143-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	UPX
behavioral2/memory/1848-144-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	UPX
behavioral2/memory/3744-145-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	UPX
behavioral2/memory/1068-146-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	UPX
behavioral2/memory/3036-147-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	UPX
behavioral2/memory/1636-148-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4548-0-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	xmrig
C:\Windows\System\JsFhroN.exe	xmrig
C:\Windows\System\VkpOxoZ.exe	xmrig
C:\Windows\System\ULPUMoa.exe	xmrig
behavioral2/memory/1848-18-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	xmrig
behavioral2/memory/924-13-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	xmrig
behavioral2/memory/2772-11-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	xmrig
C:\Windows\System\DdUEdKP.exe	xmrig
behavioral2/memory/3744-24-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	xmrig
C:\Windows\System\kpBTqNN.exe	xmrig
behavioral2/memory/1068-31-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	xmrig
C:\Windows\System\cncqkLS.exe	xmrig
behavioral2/memory/3036-36-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	xmrig
C:\Windows\System\jNkbEKq.exe	xmrig
C:\Windows\System\riAHsoT.exe	xmrig
behavioral2/memory/1636-44-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	xmrig
behavioral2/memory/1028-50-0x00007FF6A7060000-0x00007FF6A73B4000-memory.dmp	xmrig
C:\Windows\System\RIKODFC.exe	xmrig
C:\Windows\System\YJLBbRl.exe	xmrig
behavioral2/memory/1964-56-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	xmrig
C:\Windows\System\HIWreXw.exe	xmrig
behavioral2/memory/4548-63-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	xmrig
behavioral2/memory/2772-68-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	xmrig
behavioral2/memory/5040-71-0x00007FF6C2590000-0x00007FF6C28E4000-memory.dmp	xmrig
C:\Windows\System\FpfkGKJ.exe	xmrig
behavioral2/memory/3400-69-0x00007FF679DF0000-0x00007FF67A144000-memory.dmp	xmrig
C:\Windows\System\iFWktvo.exe	xmrig
C:\Windows\System\hjYBSWz.exe	xmrig
behavioral2/memory/4980-89-0x00007FF603340000-0x00007FF603694000-memory.dmp	xmrig
behavioral2/memory/3744-86-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	xmrig
behavioral2/memory/928-83-0x00007FF726210000-0x00007FF726564000-memory.dmp	xmrig
behavioral2/memory/1848-81-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	xmrig
behavioral2/memory/2020-80-0x00007FF6F03C0000-0x00007FF6F0714000-memory.dmp	xmrig
behavioral2/memory/924-76-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	xmrig
behavioral2/memory/1068-96-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	xmrig
C:\Windows\System\CgYyfvr.exe	xmrig
behavioral2/memory/4380-105-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	xmrig
C:\Windows\System\nfdgHFJ.exe	xmrig
C:\Windows\System\HcDleYi.exe	xmrig
C:\Windows\System\qvFwqSG.exe	xmrig
behavioral2/memory/744-121-0x00007FF77ADD0000-0x00007FF77B124000-memory.dmp	xmrig
behavioral2/memory/4812-128-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	xmrig
C:\Windows\System\PDcbbig.exe	xmrig
behavioral2/memory/4700-125-0x00007FF688F40000-0x00007FF689294000-memory.dmp	xmrig
behavioral2/memory/1964-124-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	xmrig
behavioral2/memory/4520-112-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	xmrig
behavioral2/memory/3036-102-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	xmrig
behavioral2/memory/2604-101-0x00007FF61C3C0000-0x00007FF61C714000-memory.dmp	xmrig
C:\Windows\System\XaIzgsJ.exe	xmrig
C:\Windows\System\asHLLZp.exe	xmrig
behavioral2/memory/4628-135-0x00007FF69B990000-0x00007FF69BCE4000-memory.dmp	xmrig
behavioral2/memory/928-136-0x00007FF726210000-0x00007FF726564000-memory.dmp	xmrig
behavioral2/memory/4980-137-0x00007FF603340000-0x00007FF603694000-memory.dmp	xmrig
behavioral2/memory/4380-138-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	xmrig
behavioral2/memory/4520-139-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	xmrig
behavioral2/memory/4700-140-0x00007FF688F40000-0x00007FF689294000-memory.dmp	xmrig
behavioral2/memory/4812-141-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	xmrig
behavioral2/memory/2772-142-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	xmrig
behavioral2/memory/924-143-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	xmrig
behavioral2/memory/1848-144-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	xmrig
behavioral2/memory/3744-145-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	xmrig
behavioral2/memory/1068-146-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	xmrig
behavioral2/memory/3036-147-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	xmrig
behavioral2/memory/1636-148-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

JsFhroN.exeULPUMoa.exeVkpOxoZ.exeDdUEdKP.exekpBTqNN.execncqkLS.exejNkbEKq.exeriAHsoT.exeRIKODFC.exeYJLBbRl.exeHIWreXw.exeFpfkGKJ.exehjYBSWz.exeiFWktvo.exeXaIzgsJ.exeCgYyfvr.exenfdgHFJ.exeHcDleYi.exePDcbbig.exeqvFwqSG.exeasHLLZp.exe

pid	process
2772	JsFhroN.exe
924	ULPUMoa.exe
1848	VkpOxoZ.exe
3744	DdUEdKP.exe
1068	kpBTqNN.exe
3036	cncqkLS.exe
1636	jNkbEKq.exe
1028	riAHsoT.exe
1964	RIKODFC.exe
3400	YJLBbRl.exe
5040	HIWreXw.exe
2020	FpfkGKJ.exe
928	hjYBSWz.exe
4980	iFWktvo.exe
2604	XaIzgsJ.exe
4380	CgYyfvr.exe
4520	nfdgHFJ.exe
744	HcDleYi.exe
4700	PDcbbig.exe
4812	qvFwqSG.exe
4628	asHLLZp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4548-0-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	upx
C:\Windows\System\JsFhroN.exe	upx
C:\Windows\System\VkpOxoZ.exe	upx
C:\Windows\System\ULPUMoa.exe	upx
behavioral2/memory/1848-18-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	upx
behavioral2/memory/924-13-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	upx
behavioral2/memory/2772-11-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	upx
C:\Windows\System\DdUEdKP.exe	upx
behavioral2/memory/3744-24-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	upx
C:\Windows\System\kpBTqNN.exe	upx
behavioral2/memory/1068-31-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	upx
C:\Windows\System\cncqkLS.exe	upx
behavioral2/memory/3036-36-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	upx
C:\Windows\System\jNkbEKq.exe	upx
C:\Windows\System\riAHsoT.exe	upx
behavioral2/memory/1636-44-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	upx
behavioral2/memory/1028-50-0x00007FF6A7060000-0x00007FF6A73B4000-memory.dmp	upx
C:\Windows\System\RIKODFC.exe	upx
C:\Windows\System\YJLBbRl.exe	upx
behavioral2/memory/1964-56-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	upx
C:\Windows\System\HIWreXw.exe	upx
behavioral2/memory/4548-63-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp	upx
behavioral2/memory/2772-68-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	upx
behavioral2/memory/5040-71-0x00007FF6C2590000-0x00007FF6C28E4000-memory.dmp	upx
C:\Windows\System\FpfkGKJ.exe	upx
behavioral2/memory/3400-69-0x00007FF679DF0000-0x00007FF67A144000-memory.dmp	upx
C:\Windows\System\iFWktvo.exe	upx
C:\Windows\System\hjYBSWz.exe	upx
behavioral2/memory/4980-89-0x00007FF603340000-0x00007FF603694000-memory.dmp	upx
behavioral2/memory/3744-86-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	upx
behavioral2/memory/928-83-0x00007FF726210000-0x00007FF726564000-memory.dmp	upx
behavioral2/memory/1848-81-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	upx
behavioral2/memory/2020-80-0x00007FF6F03C0000-0x00007FF6F0714000-memory.dmp	upx
behavioral2/memory/924-76-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	upx
behavioral2/memory/1068-96-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	upx
C:\Windows\System\CgYyfvr.exe	upx
behavioral2/memory/4380-105-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	upx
C:\Windows\System\nfdgHFJ.exe	upx
C:\Windows\System\HcDleYi.exe	upx
C:\Windows\System\qvFwqSG.exe	upx
behavioral2/memory/744-121-0x00007FF77ADD0000-0x00007FF77B124000-memory.dmp	upx
behavioral2/memory/4812-128-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	upx
C:\Windows\System\PDcbbig.exe	upx
behavioral2/memory/4700-125-0x00007FF688F40000-0x00007FF689294000-memory.dmp	upx
behavioral2/memory/1964-124-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp	upx
behavioral2/memory/4520-112-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	upx
behavioral2/memory/3036-102-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	upx
behavioral2/memory/2604-101-0x00007FF61C3C0000-0x00007FF61C714000-memory.dmp	upx
C:\Windows\System\XaIzgsJ.exe	upx
C:\Windows\System\asHLLZp.exe	upx
behavioral2/memory/4628-135-0x00007FF69B990000-0x00007FF69BCE4000-memory.dmp	upx
behavioral2/memory/928-136-0x00007FF726210000-0x00007FF726564000-memory.dmp	upx
behavioral2/memory/4980-137-0x00007FF603340000-0x00007FF603694000-memory.dmp	upx
behavioral2/memory/4380-138-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp	upx
behavioral2/memory/4520-139-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp	upx
behavioral2/memory/4700-140-0x00007FF688F40000-0x00007FF689294000-memory.dmp	upx
behavioral2/memory/4812-141-0x00007FF736990000-0x00007FF736CE4000-memory.dmp	upx
behavioral2/memory/2772-142-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp	upx
behavioral2/memory/924-143-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp	upx
behavioral2/memory/1848-144-0x00007FF649760000-0x00007FF649AB4000-memory.dmp	upx
behavioral2/memory/3744-145-0x00007FF690190000-0x00007FF6904E4000-memory.dmp	upx
behavioral2/memory/1068-146-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp	upx
behavioral2/memory/3036-147-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	upx
behavioral2/memory/1636-148-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\RIKODFC.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDcbbig.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ULPUMoa.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VkpOxoZ.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DdUEdKP.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kpBTqNN.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hjYBSWz.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XaIzgsJ.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsFhroN.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\riAHsoT.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YJLBbRl.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FpfkGKJ.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HcDleYi.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvFwqSG.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cncqkLS.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNkbEKq.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HIWreXw.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iFWktvo.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CgYyfvr.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nfdgHFJ.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\asHLLZp.exe	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4548 wrote to memory of 2772	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	JsFhroN.exe
PID 4548 wrote to memory of 2772	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	JsFhroN.exe
PID 4548 wrote to memory of 924	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	ULPUMoa.exe
PID 4548 wrote to memory of 924	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	ULPUMoa.exe
PID 4548 wrote to memory of 1848	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	VkpOxoZ.exe
PID 4548 wrote to memory of 1848	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	VkpOxoZ.exe
PID 4548 wrote to memory of 3744	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	DdUEdKP.exe
PID 4548 wrote to memory of 3744	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	DdUEdKP.exe
PID 4548 wrote to memory of 1068	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	kpBTqNN.exe
PID 4548 wrote to memory of 1068	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	kpBTqNN.exe
PID 4548 wrote to memory of 3036	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	cncqkLS.exe
PID 4548 wrote to memory of 3036	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	cncqkLS.exe
PID 4548 wrote to memory of 1636	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	jNkbEKq.exe
PID 4548 wrote to memory of 1636	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	jNkbEKq.exe
PID 4548 wrote to memory of 1028	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	riAHsoT.exe
PID 4548 wrote to memory of 1028	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	riAHsoT.exe
PID 4548 wrote to memory of 1964	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	RIKODFC.exe
PID 4548 wrote to memory of 1964	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	RIKODFC.exe
PID 4548 wrote to memory of 3400	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	YJLBbRl.exe
PID 4548 wrote to memory of 3400	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	YJLBbRl.exe
PID 4548 wrote to memory of 5040	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	HIWreXw.exe
PID 4548 wrote to memory of 5040	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	HIWreXw.exe
PID 4548 wrote to memory of 2020	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	FpfkGKJ.exe
PID 4548 wrote to memory of 2020	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	FpfkGKJ.exe
PID 4548 wrote to memory of 928	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	hjYBSWz.exe
PID 4548 wrote to memory of 928	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	hjYBSWz.exe
PID 4548 wrote to memory of 4980	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	iFWktvo.exe
PID 4548 wrote to memory of 4980	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	iFWktvo.exe
PID 4548 wrote to memory of 2604	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	XaIzgsJ.exe
PID 4548 wrote to memory of 2604	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	XaIzgsJ.exe
PID 4548 wrote to memory of 4380	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	CgYyfvr.exe
PID 4548 wrote to memory of 4380	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	CgYyfvr.exe
PID 4548 wrote to memory of 4520	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	nfdgHFJ.exe
PID 4548 wrote to memory of 4520	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	nfdgHFJ.exe
PID 4548 wrote to memory of 744	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	HcDleYi.exe
PID 4548 wrote to memory of 744	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	HcDleYi.exe
PID 4548 wrote to memory of 4700	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	PDcbbig.exe
PID 4548 wrote to memory of 4700	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	PDcbbig.exe
PID 4548 wrote to memory of 4812	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	qvFwqSG.exe
PID 4548 wrote to memory of 4812	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	qvFwqSG.exe
PID 4548 wrote to memory of 4628	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	asHLLZp.exe
PID 4548 wrote to memory of 4628	4548	2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe	asHLLZp.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_0ec648bec2abb888a42c2d1060ec2afa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\System\JsFhroN.exe
C:\Windows\System\JsFhroN.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\ULPUMoa.exe
C:\Windows\System\ULPUMoa.exe
2⤵
- Executes dropped EXE
PID:924

C:\Windows\System\VkpOxoZ.exe
C:\Windows\System\VkpOxoZ.exe
2⤵
- Executes dropped EXE
PID:1848

C:\Windows\System\DdUEdKP.exe
C:\Windows\System\DdUEdKP.exe
2⤵
- Executes dropped EXE
PID:3744

C:\Windows\System\kpBTqNN.exe
C:\Windows\System\kpBTqNN.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\System\cncqkLS.exe
C:\Windows\System\cncqkLS.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\jNkbEKq.exe
C:\Windows\System\jNkbEKq.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\riAHsoT.exe
C:\Windows\System\riAHsoT.exe
2⤵
- Executes dropped EXE
PID:1028

C:\Windows\System\RIKODFC.exe
C:\Windows\System\RIKODFC.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\YJLBbRl.exe
C:\Windows\System\YJLBbRl.exe
2⤵
- Executes dropped EXE
PID:3400

C:\Windows\System\HIWreXw.exe
C:\Windows\System\HIWreXw.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\FpfkGKJ.exe
C:\Windows\System\FpfkGKJ.exe
2⤵
- Executes dropped EXE
PID:2020

C:\Windows\System\hjYBSWz.exe
C:\Windows\System\hjYBSWz.exe
2⤵
- Executes dropped EXE
PID:928

C:\Windows\System\iFWktvo.exe
C:\Windows\System\iFWktvo.exe
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\System\XaIzgsJ.exe
C:\Windows\System\XaIzgsJ.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\CgYyfvr.exe
C:\Windows\System\CgYyfvr.exe
2⤵
- Executes dropped EXE
PID:4380

C:\Windows\System\nfdgHFJ.exe
C:\Windows\System\nfdgHFJ.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\HcDleYi.exe
C:\Windows\System\HcDleYi.exe
2⤵
- Executes dropped EXE
PID:744

C:\Windows\System\PDcbbig.exe
C:\Windows\System\PDcbbig.exe
2⤵
- Executes dropped EXE
PID:4700

C:\Windows\System\qvFwqSG.exe
C:\Windows\System\qvFwqSG.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\System\asHLLZp.exe
C:\Windows\System\asHLLZp.exe
2⤵
- Executes dropped EXE
PID:4628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CgYyfvr.exe
Filesize
5.9MB

MD5
979d189628024291858539476faf77e1

SHA1
0ab14bfca33885e88c3f2b5e653d4803feb09fe4

SHA256
bf0fe69f6691f4de9bca561d0f481d11e2b29fc5f17acf3f60972bd0c5951808

SHA512
861965f5a83c707f829e1686e3e86889680fb21d45e96572ae3a6dfa767f5df629dba5467fd3765b43f6668b1960c7dc10fd2d9eea21778fde47b4c237036130

Download Submit
C:\Windows\System\DdUEdKP.exe
Filesize
5.9MB

MD5
2b0c98d2b54094b9ef878342bcf5d1d1

SHA1
76b6f01345b47bbb855009d9ef2339185c1fbcdf

SHA256
9f479c97df2c66bd254b14dd74a1b01ac7511b9abbbb5322ffd64d6f915ce5f6

SHA512
ca44952abd98769da11a35cf0556ec7410ef6dc4c1c84c9d88b0242fa128e03d9ee23a23c41db6676ea85e4d5d958e82abf466bb7e4e11bba0c8b0a0aa60e6a3

Download Submit
C:\Windows\System\FpfkGKJ.exe
Filesize
5.9MB

MD5
08f204df640bb46d8f6bb9424e846aea

SHA1
beeb3f59ec56a157db09265b0aa53d9683873deb

SHA256
e2bfe749418f84c5b7f90a78f2853d3170e3490dcd955d47cd79bdd394c962e7

SHA512
0e5babf75d1341f4700855cbe12c34076ee42fd282dc86b121e2e7256cccb84d4b7fd58987525b8e1b32bd939071a8a2f02199618f7e179f4cce5fd2895bb194

Download Submit
C:\Windows\System\HIWreXw.exe
Filesize
5.9MB

MD5
19587aebfb7850985278a023eec7d4ec

SHA1
b8c53b0eb1581ac18f31aaa3587a9f89a74fabeb

SHA256
2e253040b85c0c5a8066ac6c0f5914959eacac6900018c55516bea31e3561e3e

SHA512
df4ee08c33cb6b956d487e348f2efbd228b8375f990a30931b8ae01b0740ee5f25cf8c333a497d91774caeef5762b77df8da7b5a8e24e0c24b5d766a97ead418

Download Submit
C:\Windows\System\HcDleYi.exe
Filesize
5.9MB

MD5
a45ba9c609ad41188f400349de25294b

SHA1
0aa96a1d0ad77e00eeb6c9caca6e7712e07d497c

SHA256
1377eeb6adfff6bde6d3a08e409d1063228117e1f1e990186ef06f5fa54b22b2

SHA512
f26c25f30f552dc9e85986c1e9563626e0331aeb882d8a31a6f54b56d2c23584aed7f9011f052b35812d517bb2401f43d64c9c2ae600933256ec4559631b72bd

Download Submit
C:\Windows\System\JsFhroN.exe
Filesize
5.9MB

MD5
57302e717ba9d245990155d1cac19a91

SHA1
b60284e7cc947799a0da96360d0118251d24c0ec

SHA256
88c68602319599da66c68f3c6e38cb5851e1470dc2f2d7e664adcab0c3cb6d0e

SHA512
d41dbac725b695991514ab67f82167c75b217896f73eaba6d308bea34a8911b602e0416825d6af1e68661ac93e99911f61cc222e5071c5e8e8658097b8e96753

Download Submit
C:\Windows\System\PDcbbig.exe
Filesize
5.9MB

MD5
692bd4a49994f21d7859d587e4cc5b6e

SHA1
07b9c79870f7fd6eafdc091c8c73870b5a24ae43

SHA256
07c22d6e6825a23765609e5c09f1e61730043c708a36a50234ebb96f245047f4

SHA512
71bb9c43661d47e643fea43aee133422d9df60896736aa8e32b02f8d17b33b75478bd84634191f9dfecd9dfc2c78be893d26789d00ff3e51d8d181f4afa3d6dc

Download Submit
C:\Windows\System\RIKODFC.exe
Filesize
5.9MB

MD5
19e4de4381dfd01f701a49ff2fe186c8

SHA1
4952696cb67111c733c72433e3a44a5988c5c5c5

SHA256
f2e880917b95ae08cd45cba19819d35d45d86772b5b8e3f8e5f19eb84c2aca06

SHA512
1e833eee37a8290c546cce3b817c9e428ab6f1adc527c3407aef887f93f1abe641fe3dca22d96bc93800383e308669c99dc103f2ee2530e279ec77315870e6ba

Download Submit
C:\Windows\System\ULPUMoa.exe
Filesize
5.9MB

MD5
6369eb8374e569929b205c269f2e7fda

SHA1
8b0dfd358c41031da8220f6d48543685d4d656a5

SHA256
64c14b5cd0e89ba4c96f77d08f2737ece6c79fdc869f9902d8b8ae50af4c9e50

SHA512
4943e10d86a325126231f9fc5e120cf9fd585f5d09f7bd4a13fa16d8f7856ce09ec58479571fc4a7b46c51117bcc9cb896666fbeef569c0809c4299817c2bffd

Download Submit
C:\Windows\System\VkpOxoZ.exe
Filesize
5.9MB

MD5
e485a11533d9ece0ef61b4b2557ca3b1

SHA1
ea1d9788fc0c88d8bc19d1abc49dc9eca2b312c8

SHA256
ca6372dd5629332b49f9d2c37920e2ce1fa0b538c258b962567bb789e0dc330b

SHA512
eccceee7328ac7aaf981cc8d7e3bc89fe2aa757eca1a2419e41f24c0a7482c078c89b9e248abea6265e508e58d20466bee2324dd186cc4fb56be5b5e428500d9

Download Submit
C:\Windows\System\XaIzgsJ.exe
Filesize
5.9MB

MD5
a93b6e2a1c2118f8899dd62694bdb4ac

SHA1
797239a3814cd8335746cda8e4ba8d51c1c788c0

SHA256
8dffd3aa8484e4d58e3969179caf90c7f51867ed5357fb63ed4b0016d8d0764f

SHA512
598d16b88410061d6316d8fea7a1a96432c7a5cffc34e2aad75009802834227d3c02baab6b82c2df5a70ca05e547beca1a451acde2778bfc3d2589767a8d0f1f

Download Submit
C:\Windows\System\YJLBbRl.exe
Filesize
5.9MB

MD5
f7dca067fe10385dd48e1791c67cf972

SHA1
42e3fafe79a1d61b303f3a16a22c98ec77bc33c1

SHA256
94623721b999688303deed6f8402bb9ca0039ec938d6fc658dacf39a942a97b4

SHA512
b5fb467cc23babbeec1a8eb6cb2bedac8a26eb5194a392c479e6c5ae501cf7efa46e459849ee1354273d6dc1e8e75c853f84fa5b817a1cd04f1b842fd9b8a194

Download Submit
C:\Windows\System\asHLLZp.exe
Filesize
5.9MB

MD5
81e2bd711180220cdc2942bf0ca3d844

SHA1
d6d3001d5c74c7349327a2ee8b42221ee9098c60

SHA256
e2bc06f83395b3705a897716de2acfdc0c224e39bb23e858c5720931c196545a

SHA512
89f182abffa819c224023095109f9b47b87bc566999f06651d74f77796000cecbbedb137df3d3d738cc25f9ebcebb1699f045aa6ba68362f92e278e655b10247

Download Submit
C:\Windows\System\cncqkLS.exe
Filesize
5.9MB

MD5
018d0aab0541871833f3f5de6a086470

SHA1
d0415f4f7a14dbd152aa8f9b6905e0ab4c26a81b

SHA256
118c8d99abde4888786d2d6989a95826b27a02b7512c452fa489da39b548a493

SHA512
ec02dffee721cd59b1f51f8f0aec6fd5b5eb270e22da9c5b551a846e91610d3d7db6c91246c0b72f3f0de7c615d928dd1687622ea0993ea78b2854e67d28657c

Download Submit
C:\Windows\System\hjYBSWz.exe
Filesize
5.9MB

MD5
af08a591ab80b48d42c29743942ec7ee

SHA1
63a8c736b1968b8b24ce60e5503a17fb4608cf06

SHA256
f99ae8b953e518ade092751ab58c9f1b0e4edd3ac2294daa34033d9b3fa49ed4

SHA512
3c7662e739a5db1397b6af5884991a18f14f510f130567761b477dfbb4135252e714a1a6721686e34b5b230e45c08ca85afe652d7057a2d0f7706c7c4a4a3270

Download Submit
C:\Windows\System\iFWktvo.exe
Filesize
5.9MB

MD5
faeb5bd0458faec9730722c3902d30a4

SHA1
90f75a9614427967917e8f0944f27e9d4bcf62c6

SHA256
996247066cc5bf8f532374a69d6900ec6bf9a8bd8a23fefc8ec3d41d7b69c759

SHA512
a07cbd203da52201c9ea0a63e75f4386326a669d6de79a71fbb967a2aad6e483034ba3f7e17a9a39c7102906e619538f899f8cfd2b91268e16d71514291d3f53

Download Submit
C:\Windows\System\jNkbEKq.exe
Filesize
5.9MB

MD5
98bd568498e36ea3870034ab5c4e6786

SHA1
7dc7e0f791893adbf7bc4dfa5b9dae60fc3626fb

SHA256
121cdcacf978974dc5ad55ef1c41b459d1cf9ff0b6f665152574a8f683707b74

SHA512
04873630b378b833c794f97d09db42a41d9a555fb1fffee316625678cfc5a4fa2615170381e91a0abc4349bfaf76c517d4e741bf6569f207b8fd61da5fefcfd4

Download Submit
C:\Windows\System\kpBTqNN.exe
Filesize
5.9MB

MD5
4b7ceee2c5845debcbbaa1b703b2684b

SHA1
ea676f9d3f71a2224cebde31a440367aab28eae4

SHA256
06507330107414adfded0cf8a4c0f24ea39f7eb523b7a403c35bec1516a9e473

SHA512
6a69b200fcba91622b5895958edbe8ce8b89550e89cea14a109034119a8db2434513cd6fd9f1d593f9bc457092f7f92c03e5899af374fcb43cb75d96b3de3e34

Download Submit
C:\Windows\System\nfdgHFJ.exe
Filesize
5.9MB

MD5
5940f806f9005d9d4b4e9881c902f3bd

SHA1
b20a1978e916219ed0f990f29953be4ddc50c4e6

SHA256
75c3b98ec9e59f77b8d9510979b8321ed455a6087d5086521720563980853fdc

SHA512
98157c3ec9e3ce3cff440cb4bcf333614fed45a18240a053b3f781add260691d80ab34be2198d0c9f4c0d3a2d8093f41146abec5c4ae26a70d9c7fec4fa3e470

Download Submit
C:\Windows\System\qvFwqSG.exe
Filesize
5.9MB

MD5
f21762e045a28a8ea252385ba468d168

SHA1
2aae4ae6243ce06aa613c607ef9766bd2b712e1a

SHA256
edc9c5d55e6c68d59a73ff8a79b9abe1bc1d35607242afbc16144e38c9524a2b

SHA512
23db0dc42cbed2827ad1b16d49a059e63e3f34502692459fcb0115d8e880466ebcc7bb926a1c4e6004e17681609fd2ef6e5c6789e295fe260b1ca3424e366fb8

Download Submit
C:\Windows\System\riAHsoT.exe
Filesize
5.9MB

MD5
59247b564c4a7f2bce2b5d8db5463fc0

SHA1
686d6051faa90dd3607ea03b16060fa081e436cc

SHA256
b17bdb6d1002dfc21d313c819180f65678e52fcf41baee601ac7269f8a725d01

SHA512
5a715db3a5ec9885a156432d3857c481717bf53b242a0f03f512b8244afc6588ae779dfdac94bca2f07e1ada051136fa01fc7b3eed71c92ae81ca3cd3d4e1212

Download Submit
memory/744-159-0x00007FF77ADD0000-0x00007FF77B124000-memory.dmp

Filesize
3.3MB

Download
memory/744-121-0x00007FF77ADD0000-0x00007FF77B124000-memory.dmp

Filesize
3.3MB

Download
memory/924-13-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp

Filesize
3.3MB

Download
memory/924-76-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp

Filesize
3.3MB

Download
memory/924-143-0x00007FF6A7740000-0x00007FF6A7A94000-memory.dmp

Filesize
3.3MB

Download
memory/928-154-0x00007FF726210000-0x00007FF726564000-memory.dmp

Filesize
3.3MB

Download
memory/928-83-0x00007FF726210000-0x00007FF726564000-memory.dmp

Filesize
3.3MB

Download
memory/928-136-0x00007FF726210000-0x00007FF726564000-memory.dmp

Filesize
3.3MB

Download
memory/1028-149-0x00007FF6A7060000-0x00007FF6A73B4000-memory.dmp

Filesize
3.3MB

Download
memory/1028-50-0x00007FF6A7060000-0x00007FF6A73B4000-memory.dmp

Filesize
3.3MB

Download
memory/1068-31-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp

Filesize
3.3MB

Download
memory/1068-146-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp

Filesize
3.3MB

Download
memory/1068-96-0x00007FF680BE0000-0x00007FF680F34000-memory.dmp

Filesize
3.3MB

Download
memory/1636-148-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp

Filesize
3.3MB

Download
memory/1636-44-0x00007FF712F50000-0x00007FF7132A4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-81-0x00007FF649760000-0x00007FF649AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-144-0x00007FF649760000-0x00007FF649AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-18-0x00007FF649760000-0x00007FF649AB4000-memory.dmp

Filesize
3.3MB

Download
memory/1964-56-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp

Filesize
3.3MB

Download
memory/1964-150-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp

Filesize
3.3MB

Download
memory/1964-124-0x00007FF6B59C0000-0x00007FF6B5D14000-memory.dmp

Filesize
3.3MB

Download
memory/2020-80-0x00007FF6F03C0000-0x00007FF6F0714000-memory.dmp

Filesize
3.3MB

Download
memory/2020-153-0x00007FF6F03C0000-0x00007FF6F0714000-memory.dmp

Filesize
3.3MB

Download
memory/2604-155-0x00007FF61C3C0000-0x00007FF61C714000-memory.dmp

Filesize
3.3MB

Download
memory/2604-101-0x00007FF61C3C0000-0x00007FF61C714000-memory.dmp

Filesize
3.3MB

Download
memory/2772-11-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp

Filesize
3.3MB

Download
memory/2772-68-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp

Filesize
3.3MB

Download
memory/2772-142-0x00007FF7FC1D0000-0x00007FF7FC524000-memory.dmp

Filesize
3.3MB

Download
memory/3036-102-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-147-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-36-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/3400-151-0x00007FF679DF0000-0x00007FF67A144000-memory.dmp

Filesize
3.3MB

Download
memory/3400-69-0x00007FF679DF0000-0x00007FF67A144000-memory.dmp

Filesize
3.3MB

Download
memory/3744-86-0x00007FF690190000-0x00007FF6904E4000-memory.dmp

Filesize
3.3MB

Download
memory/3744-145-0x00007FF690190000-0x00007FF6904E4000-memory.dmp

Filesize
3.3MB

Download
memory/3744-24-0x00007FF690190000-0x00007FF6904E4000-memory.dmp

Filesize
3.3MB

Download
memory/4380-157-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp

Filesize
3.3MB

Download
memory/4380-138-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp

Filesize
3.3MB

Download
memory/4380-105-0x00007FF7D1F30000-0x00007FF7D2284000-memory.dmp

Filesize
3.3MB

Download
memory/4520-158-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-139-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4520-112-0x00007FF7FD790000-0x00007FF7FDAE4000-memory.dmp

Filesize
3.3MB

Download
memory/4548-1-0x00000188171D0000-0x00000188171E0000-memory.dmp

Filesize
64KB

Download
memory/4548-63-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp

Filesize
3.3MB

Download
memory/4548-0-0x00007FF66FD50000-0x00007FF6700A4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-135-0x00007FF69B990000-0x00007FF69BCE4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-162-0x00007FF69B990000-0x00007FF69BCE4000-memory.dmp

Filesize
3.3MB

Download
memory/4700-140-0x00007FF688F40000-0x00007FF689294000-memory.dmp

Filesize
3.3MB

Download
memory/4700-125-0x00007FF688F40000-0x00007FF689294000-memory.dmp

Filesize
3.3MB

Download
memory/4700-160-0x00007FF688F40000-0x00007FF689294000-memory.dmp

Filesize
3.3MB

Download
memory/4812-141-0x00007FF736990000-0x00007FF736CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-161-0x00007FF736990000-0x00007FF736CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-128-0x00007FF736990000-0x00007FF736CE4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-156-0x00007FF603340000-0x00007FF603694000-memory.dmp

Filesize
3.3MB

Download
memory/4980-137-0x00007FF603340000-0x00007FF603694000-memory.dmp

Filesize
3.3MB

Download
memory/4980-89-0x00007FF603340000-0x00007FF603694000-memory.dmp

Filesize
3.3MB

Download
memory/5040-152-0x00007FF6C2590000-0x00007FF6C28E4000-memory.dmp

Filesize
3.3MB

Download
memory/5040-71-0x00007FF6C2590000-0x00007FF6C28E4000-memory.dmp

Filesize
3.3MB

Download