cobaltstrike | 58cdb8e8bf5d224d58ae0a45b1b2754da11d5208d38aa4e4bfb0a408756b1550

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4290ad2a8dd4993c88b7199cc093469c
SHA1

47559ea5c19b0858c30204b84f23a1724cdb3976
SHA256

58cdb8e8bf5d224d58ae0a45b1b2754da11d5208d38aa4e4bfb0a408756b1550
SHA512

726c53158a6dae0a8c952727908b4c4f0e339fdfcbf8851ade92280fda992af629c0463f6e2ee37e9ef59c1ecf8a6ced78bc8119db50758ff5ded5c0f3b10f21
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUb:T+856utgpPF8u/7b

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\psorImS.exe	cobalt_reflective_dll
C:\Windows\System\ZptdykX.exe	cobalt_reflective_dll
C:\Windows\System\KtZvXGp.exe	cobalt_reflective_dll
C:\Windows\System\IUhPzxP.exe	cobalt_reflective_dll
C:\Windows\System\bJXgTLP.exe	cobalt_reflective_dll
C:\Windows\System\rCwJHtD.exe	cobalt_reflective_dll
C:\Windows\System\uhqUJLd.exe	cobalt_reflective_dll
C:\Windows\System\ENPcXxO.exe	cobalt_reflective_dll
C:\Windows\System\VxYRcwH.exe	cobalt_reflective_dll
C:\Windows\System\nLqznrE.exe	cobalt_reflective_dll
C:\Windows\System\ttvhKuI.exe	cobalt_reflective_dll
C:\Windows\System\Masdmax.exe	cobalt_reflective_dll
C:\Windows\System\WOstIoe.exe	cobalt_reflective_dll
C:\Windows\System\CeWXCVk.exe	cobalt_reflective_dll
C:\Windows\System\ZabdGUz.exe	cobalt_reflective_dll
C:\Windows\System\SNdUjFk.exe	cobalt_reflective_dll
C:\Windows\System\GkXVyuF.exe	cobalt_reflective_dll
C:\Windows\System\ESgEFTx.exe	cobalt_reflective_dll
C:\Windows\System\LqxBJqw.exe	cobalt_reflective_dll
C:\Windows\System\VDknEPH.exe	cobalt_reflective_dll
C:\Windows\System\fyPnnFg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\psorImS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZptdykX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KtZvXGp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IUhPzxP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bJXgTLP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rCwJHtD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\uhqUJLd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ENPcXxO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VxYRcwH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nLqznrE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ttvhKuI.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\Masdmax.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WOstIoe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\CeWXCVk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZabdGUz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\SNdUjFk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GkXVyuF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ESgEFTx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LqxBJqw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VDknEPH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fyPnnFg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/648-0-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	UPX
C:\Windows\System\psorImS.exe	UPX
behavioral2/memory/568-8-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	UPX
C:\Windows\System\ZptdykX.exe	UPX
behavioral2/memory/3272-14-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	UPX
C:\Windows\System\KtZvXGp.exe	UPX
behavioral2/memory/1096-20-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	UPX
C:\Windows\System\IUhPzxP.exe	UPX
behavioral2/memory/4940-25-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	UPX
C:\Windows\System\bJXgTLP.exe	UPX
behavioral2/memory/3952-32-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	UPX
C:\Windows\System\rCwJHtD.exe	UPX
behavioral2/memory/2932-36-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	UPX
C:\Windows\System\uhqUJLd.exe	UPX
behavioral2/memory/1676-42-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	UPX
C:\Windows\System\ENPcXxO.exe	UPX
behavioral2/memory/4864-50-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	UPX
C:\Windows\System\VxYRcwH.exe	UPX
behavioral2/memory/2168-54-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	UPX
C:\Windows\System\nLqznrE.exe	UPX
behavioral2/memory/648-61-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	UPX
C:\Windows\System\ttvhKuI.exe	UPX
behavioral2/memory/4632-68-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	UPX
C:\Windows\System\Masdmax.exe	UPX
behavioral2/memory/568-72-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	UPX
behavioral2/memory/3588-74-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	UPX
behavioral2/memory/3272-75-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	UPX
behavioral2/memory/396-73-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	UPX
C:\Windows\System\WOstIoe.exe	UPX
behavioral2/memory/776-82-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	UPX
C:\Windows\System\CeWXCVk.exe	UPX
behavioral2/memory/4940-87-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	UPX
C:\Windows\System\ZabdGUz.exe	UPX
behavioral2/memory/2780-91-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	UPX
behavioral2/memory/2604-96-0x00007FF7002B0000-0x00007FF700604000-memory.dmp	UPX
C:\Windows\System\SNdUjFk.exe	UPX
behavioral2/memory/2932-102-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	UPX
behavioral2/memory/2608-103-0x00007FF663250000-0x00007FF6635A4000-memory.dmp	UPX
C:\Windows\System\GkXVyuF.exe	UPX
behavioral2/memory/1676-109-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	UPX
C:\Windows\System\ESgEFTx.exe	UPX
behavioral2/memory/2832-112-0x00007FF62C2D0000-0x00007FF62C624000-memory.dmp	UPX
behavioral2/memory/4860-116-0x00007FF70D5C0000-0x00007FF70D914000-memory.dmp	UPX
C:\Windows\System\LqxBJqw.exe	UPX
behavioral2/memory/2168-122-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	UPX
behavioral2/memory/3376-123-0x00007FF729070000-0x00007FF7293C4000-memory.dmp	UPX
C:\Windows\System\VDknEPH.exe	UPX
behavioral2/memory/2424-130-0x00007FF76A620000-0x00007FF76A974000-memory.dmp	UPX
C:\Windows\System\fyPnnFg.exe	UPX
behavioral2/memory/4004-134-0x00007FF72BB60000-0x00007FF72BEB4000-memory.dmp	UPX
behavioral2/memory/3588-135-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	UPX
behavioral2/memory/776-136-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	UPX
behavioral2/memory/2780-137-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	UPX
behavioral2/memory/568-138-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	UPX
behavioral2/memory/3272-139-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	UPX
behavioral2/memory/1096-140-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	UPX
behavioral2/memory/3952-141-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	UPX
behavioral2/memory/4940-142-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	UPX
behavioral2/memory/2932-143-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	UPX
behavioral2/memory/1676-144-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	UPX
behavioral2/memory/4864-145-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	UPX
behavioral2/memory/2168-146-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	UPX
behavioral2/memory/4632-147-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	UPX
behavioral2/memory/396-148-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/648-0-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	xmrig
C:\Windows\System\psorImS.exe	xmrig
behavioral2/memory/568-8-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	xmrig
C:\Windows\System\ZptdykX.exe	xmrig
behavioral2/memory/3272-14-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	xmrig
C:\Windows\System\KtZvXGp.exe	xmrig
behavioral2/memory/1096-20-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	xmrig
C:\Windows\System\IUhPzxP.exe	xmrig
behavioral2/memory/4940-25-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	xmrig
C:\Windows\System\bJXgTLP.exe	xmrig
behavioral2/memory/3952-32-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	xmrig
C:\Windows\System\rCwJHtD.exe	xmrig
behavioral2/memory/2932-36-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	xmrig
C:\Windows\System\uhqUJLd.exe	xmrig
behavioral2/memory/1676-42-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	xmrig
C:\Windows\System\ENPcXxO.exe	xmrig
behavioral2/memory/4864-50-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	xmrig
C:\Windows\System\VxYRcwH.exe	xmrig
behavioral2/memory/2168-54-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	xmrig
C:\Windows\System\nLqznrE.exe	xmrig
behavioral2/memory/648-61-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	xmrig
C:\Windows\System\ttvhKuI.exe	xmrig
behavioral2/memory/4632-68-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	xmrig
C:\Windows\System\Masdmax.exe	xmrig
behavioral2/memory/568-72-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	xmrig
behavioral2/memory/3588-74-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	xmrig
behavioral2/memory/3272-75-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	xmrig
behavioral2/memory/396-73-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	xmrig
C:\Windows\System\WOstIoe.exe	xmrig
behavioral2/memory/776-82-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	xmrig
C:\Windows\System\CeWXCVk.exe	xmrig
behavioral2/memory/4940-87-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	xmrig
C:\Windows\System\ZabdGUz.exe	xmrig
behavioral2/memory/2780-91-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	xmrig
behavioral2/memory/2604-96-0x00007FF7002B0000-0x00007FF700604000-memory.dmp	xmrig
C:\Windows\System\SNdUjFk.exe	xmrig
behavioral2/memory/2932-102-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	xmrig
behavioral2/memory/2608-103-0x00007FF663250000-0x00007FF6635A4000-memory.dmp	xmrig
C:\Windows\System\GkXVyuF.exe	xmrig
behavioral2/memory/1676-109-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	xmrig
C:\Windows\System\ESgEFTx.exe	xmrig
behavioral2/memory/2832-112-0x00007FF62C2D0000-0x00007FF62C624000-memory.dmp	xmrig
behavioral2/memory/4860-116-0x00007FF70D5C0000-0x00007FF70D914000-memory.dmp	xmrig
C:\Windows\System\LqxBJqw.exe	xmrig
behavioral2/memory/2168-122-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	xmrig
behavioral2/memory/3376-123-0x00007FF729070000-0x00007FF7293C4000-memory.dmp	xmrig
C:\Windows\System\VDknEPH.exe	xmrig
behavioral2/memory/2424-130-0x00007FF76A620000-0x00007FF76A974000-memory.dmp	xmrig
C:\Windows\System\fyPnnFg.exe	xmrig
behavioral2/memory/4004-134-0x00007FF72BB60000-0x00007FF72BEB4000-memory.dmp	xmrig
behavioral2/memory/3588-135-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	xmrig
behavioral2/memory/776-136-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	xmrig
behavioral2/memory/2780-137-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	xmrig
behavioral2/memory/568-138-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	xmrig
behavioral2/memory/3272-139-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	xmrig
behavioral2/memory/1096-140-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	xmrig
behavioral2/memory/3952-141-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	xmrig
behavioral2/memory/4940-142-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	xmrig
behavioral2/memory/2932-143-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	xmrig
behavioral2/memory/1676-144-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	xmrig
behavioral2/memory/4864-145-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	xmrig
behavioral2/memory/2168-146-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	xmrig
behavioral2/memory/4632-147-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	xmrig
behavioral2/memory/396-148-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

psorImS.exeKtZvXGp.exeZptdykX.exeIUhPzxP.exebJXgTLP.exerCwJHtD.exeuhqUJLd.exeENPcXxO.exeVxYRcwH.exenLqznrE.exettvhKuI.exeMasdmax.exeWOstIoe.exeCeWXCVk.exeZabdGUz.exeSNdUjFk.exeGkXVyuF.exeESgEFTx.exeLqxBJqw.exeVDknEPH.exefyPnnFg.exe

pid	process
568	psorImS.exe
3272	KtZvXGp.exe
1096	ZptdykX.exe
4940	IUhPzxP.exe
3952	bJXgTLP.exe
2932	rCwJHtD.exe
1676	uhqUJLd.exe
4864	ENPcXxO.exe
2168	VxYRcwH.exe
4632	nLqznrE.exe
396	ttvhKuI.exe
3588	Masdmax.exe
776	WOstIoe.exe
2780	CeWXCVk.exe
2604	ZabdGUz.exe
2608	SNdUjFk.exe
2832	GkXVyuF.exe
4860	ESgEFTx.exe
3376	LqxBJqw.exe
2424	VDknEPH.exe
4004	fyPnnFg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/648-0-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	upx
C:\Windows\System\psorImS.exe	upx
behavioral2/memory/568-8-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	upx
C:\Windows\System\ZptdykX.exe	upx
behavioral2/memory/3272-14-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	upx
C:\Windows\System\KtZvXGp.exe	upx
behavioral2/memory/1096-20-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	upx
C:\Windows\System\IUhPzxP.exe	upx
behavioral2/memory/4940-25-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	upx
C:\Windows\System\bJXgTLP.exe	upx
behavioral2/memory/3952-32-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	upx
C:\Windows\System\rCwJHtD.exe	upx
behavioral2/memory/2932-36-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	upx
C:\Windows\System\uhqUJLd.exe	upx
behavioral2/memory/1676-42-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	upx
C:\Windows\System\ENPcXxO.exe	upx
behavioral2/memory/4864-50-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	upx
C:\Windows\System\VxYRcwH.exe	upx
behavioral2/memory/2168-54-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	upx
C:\Windows\System\nLqznrE.exe	upx
behavioral2/memory/648-61-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp	upx
C:\Windows\System\ttvhKuI.exe	upx
behavioral2/memory/4632-68-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	upx
C:\Windows\System\Masdmax.exe	upx
behavioral2/memory/568-72-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	upx
behavioral2/memory/3588-74-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	upx
behavioral2/memory/3272-75-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	upx
behavioral2/memory/396-73-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	upx
C:\Windows\System\WOstIoe.exe	upx
behavioral2/memory/776-82-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	upx
C:\Windows\System\CeWXCVk.exe	upx
behavioral2/memory/4940-87-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	upx
C:\Windows\System\ZabdGUz.exe	upx
behavioral2/memory/2780-91-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	upx
behavioral2/memory/2604-96-0x00007FF7002B0000-0x00007FF700604000-memory.dmp	upx
C:\Windows\System\SNdUjFk.exe	upx
behavioral2/memory/2932-102-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	upx
behavioral2/memory/2608-103-0x00007FF663250000-0x00007FF6635A4000-memory.dmp	upx
C:\Windows\System\GkXVyuF.exe	upx
behavioral2/memory/1676-109-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	upx
C:\Windows\System\ESgEFTx.exe	upx
behavioral2/memory/2832-112-0x00007FF62C2D0000-0x00007FF62C624000-memory.dmp	upx
behavioral2/memory/4860-116-0x00007FF70D5C0000-0x00007FF70D914000-memory.dmp	upx
C:\Windows\System\LqxBJqw.exe	upx
behavioral2/memory/2168-122-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	upx
behavioral2/memory/3376-123-0x00007FF729070000-0x00007FF7293C4000-memory.dmp	upx
C:\Windows\System\VDknEPH.exe	upx
behavioral2/memory/2424-130-0x00007FF76A620000-0x00007FF76A974000-memory.dmp	upx
C:\Windows\System\fyPnnFg.exe	upx
behavioral2/memory/4004-134-0x00007FF72BB60000-0x00007FF72BEB4000-memory.dmp	upx
behavioral2/memory/3588-135-0x00007FF799190000-0x00007FF7994E4000-memory.dmp	upx
behavioral2/memory/776-136-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp	upx
behavioral2/memory/2780-137-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp	upx
behavioral2/memory/568-138-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp	upx
behavioral2/memory/3272-139-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp	upx
behavioral2/memory/1096-140-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp	upx
behavioral2/memory/3952-141-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp	upx
behavioral2/memory/4940-142-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp	upx
behavioral2/memory/2932-143-0x00007FF607060000-0x00007FF6073B4000-memory.dmp	upx
behavioral2/memory/1676-144-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp	upx
behavioral2/memory/4864-145-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp	upx
behavioral2/memory/2168-146-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp	upx
behavioral2/memory/4632-147-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp	upx
behavioral2/memory/396-148-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\rCwJHtD.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ttvhKuI.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOstIoe.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqxBJqw.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IUhPzxP.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bJXgTLP.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhqUJLd.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nLqznrE.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CeWXCVk.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZabdGUz.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkXVyuF.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ESgEFTx.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZptdykX.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VDknEPH.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VxYRcwH.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyPnnFg.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\psorImS.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENPcXxO.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Masdmax.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SNdUjFk.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KtZvXGp.exe	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 648 wrote to memory of 568	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	psorImS.exe
PID 648 wrote to memory of 568	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	psorImS.exe
PID 648 wrote to memory of 3272	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	KtZvXGp.exe
PID 648 wrote to memory of 3272	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	KtZvXGp.exe
PID 648 wrote to memory of 1096	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ZptdykX.exe
PID 648 wrote to memory of 1096	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ZptdykX.exe
PID 648 wrote to memory of 4940	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	IUhPzxP.exe
PID 648 wrote to memory of 4940	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	IUhPzxP.exe
PID 648 wrote to memory of 3952	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	bJXgTLP.exe
PID 648 wrote to memory of 3952	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	bJXgTLP.exe
PID 648 wrote to memory of 2932	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	rCwJHtD.exe
PID 648 wrote to memory of 2932	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	rCwJHtD.exe
PID 648 wrote to memory of 1676	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	uhqUJLd.exe
PID 648 wrote to memory of 1676	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	uhqUJLd.exe
PID 648 wrote to memory of 4864	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ENPcXxO.exe
PID 648 wrote to memory of 4864	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ENPcXxO.exe
PID 648 wrote to memory of 2168	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VxYRcwH.exe
PID 648 wrote to memory of 2168	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VxYRcwH.exe
PID 648 wrote to memory of 4632	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	nLqznrE.exe
PID 648 wrote to memory of 4632	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	nLqznrE.exe
PID 648 wrote to memory of 396	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ttvhKuI.exe
PID 648 wrote to memory of 396	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ttvhKuI.exe
PID 648 wrote to memory of 3588	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	Masdmax.exe
PID 648 wrote to memory of 3588	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	Masdmax.exe
PID 648 wrote to memory of 776	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	WOstIoe.exe
PID 648 wrote to memory of 776	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	WOstIoe.exe
PID 648 wrote to memory of 2780	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	CeWXCVk.exe
PID 648 wrote to memory of 2780	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	CeWXCVk.exe
PID 648 wrote to memory of 2604	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ZabdGUz.exe
PID 648 wrote to memory of 2604	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ZabdGUz.exe
PID 648 wrote to memory of 2608	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SNdUjFk.exe
PID 648 wrote to memory of 2608	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	SNdUjFk.exe
PID 648 wrote to memory of 2832	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	GkXVyuF.exe
PID 648 wrote to memory of 2832	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	GkXVyuF.exe
PID 648 wrote to memory of 4860	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ESgEFTx.exe
PID 648 wrote to memory of 4860	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	ESgEFTx.exe
PID 648 wrote to memory of 3376	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	LqxBJqw.exe
PID 648 wrote to memory of 3376	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	LqxBJqw.exe
PID 648 wrote to memory of 2424	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VDknEPH.exe
PID 648 wrote to memory of 2424	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	VDknEPH.exe
PID 648 wrote to memory of 4004	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	fyPnnFg.exe
PID 648 wrote to memory of 4004	648	2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe	fyPnnFg.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4290ad2a8dd4993c88b7199cc093469c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:648

C:\Windows\System\psorImS.exe
C:\Windows\System\psorImS.exe
2⤵
- Executes dropped EXE
PID:568

C:\Windows\System\KtZvXGp.exe
C:\Windows\System\KtZvXGp.exe
2⤵
- Executes dropped EXE
PID:3272

C:\Windows\System\ZptdykX.exe
C:\Windows\System\ZptdykX.exe
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\System\IUhPzxP.exe
C:\Windows\System\IUhPzxP.exe
2⤵
- Executes dropped EXE
PID:4940

C:\Windows\System\bJXgTLP.exe
C:\Windows\System\bJXgTLP.exe
2⤵
- Executes dropped EXE
PID:3952

C:\Windows\System\rCwJHtD.exe
C:\Windows\System\rCwJHtD.exe
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System\uhqUJLd.exe
C:\Windows\System\uhqUJLd.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\System\ENPcXxO.exe
C:\Windows\System\ENPcXxO.exe
2⤵
- Executes dropped EXE
PID:4864

C:\Windows\System\VxYRcwH.exe
C:\Windows\System\VxYRcwH.exe
2⤵
- Executes dropped EXE
PID:2168

C:\Windows\System\nLqznrE.exe
C:\Windows\System\nLqznrE.exe
2⤵
- Executes dropped EXE
PID:4632

C:\Windows\System\ttvhKuI.exe
C:\Windows\System\ttvhKuI.exe
2⤵
- Executes dropped EXE
PID:396

C:\Windows\System\Masdmax.exe
C:\Windows\System\Masdmax.exe
2⤵
- Executes dropped EXE
PID:3588

C:\Windows\System\WOstIoe.exe
C:\Windows\System\WOstIoe.exe
2⤵
- Executes dropped EXE
PID:776

C:\Windows\System\CeWXCVk.exe
C:\Windows\System\CeWXCVk.exe
2⤵
- Executes dropped EXE
PID:2780

C:\Windows\System\ZabdGUz.exe
C:\Windows\System\ZabdGUz.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\SNdUjFk.exe
C:\Windows\System\SNdUjFk.exe
2⤵
- Executes dropped EXE
PID:2608

C:\Windows\System\GkXVyuF.exe
C:\Windows\System\GkXVyuF.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\ESgEFTx.exe
C:\Windows\System\ESgEFTx.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Windows\System\LqxBJqw.exe
C:\Windows\System\LqxBJqw.exe
2⤵
- Executes dropped EXE
PID:3376

C:\Windows\System\VDknEPH.exe
C:\Windows\System\VDknEPH.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\System\fyPnnFg.exe
C:\Windows\System\fyPnnFg.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CeWXCVk.exe
Filesize
5.9MB

MD5
c6cab020e75194746ce147f5ba842f5c

SHA1
184c563def96747a439a35cddd52222b039dd98f

SHA256
88ac5a7be93192a6a42c72c695cde349288f861087ce8599aa3b3eb0937ef18f

SHA512
85f9deb7adfc15103a9d9d0d19b758b54044b04ab8afee5e5ef24bb5e43b859f3ef839b3c0d5cd5c7134e8f5796e4489e7defdb657ef2d5084f90377663d8d77

Download Submit
C:\Windows\System\ENPcXxO.exe
Filesize
5.9MB

MD5
596145b8a596bc9c751f006631bea299

SHA1
8024a6e94ce9c7fb4dfe9ca09ffbc7e948d7bbde

SHA256
f093b5db3fb70ea04758e69807dd5bf75eacf7a1a269d4fbb1fb7582f9f1409a

SHA512
8945154dce5cd0146705ed4d4cdb415710c631bc98012fdcbe0fb248142d0ba049776e2aa7ffd5b8f52e0ccc7ef71880ec9e5ea5eacd8d35214d2c7730e4e413

Download Submit
C:\Windows\System\ESgEFTx.exe
Filesize
5.9MB

MD5
520fbe7b5e2ab7342028e56632c7ecc7

SHA1
94010f58624e6bd37a99d51c2cb796f73841fe01

SHA256
0e4806679706545633edde9f40287f60e069ab87f64e4a533fbee0b5829d5cfe

SHA512
6fab4e8dd02dee211fd45e785c8e52b5a1d09590a2308d883dd1223cc58e5f38ef44a392469017173823164f1f997169e231987b99c6a72fa307fc215d6c01b1

Download Submit
C:\Windows\System\GkXVyuF.exe
Filesize
5.9MB

MD5
4112e13c2a32a036fbc4f135268e3990

SHA1
12105746a63b28adfcbbdc05352be19b85f8c835

SHA256
8fecdfc57fa7903e885068051ed3a6ee022d111248c3a9823eddad8fd4c5e177

SHA512
8243a071d39fdb93422f0a1ff0b6908e6f83cebbb28c2de41abf6a2b0dea39e1a8e7b474f033683444362944cefd8c4b839f1b47983498bda86611ef199d95af

Download Submit
C:\Windows\System\IUhPzxP.exe
Filesize
5.9MB

MD5
f92852385a32f959e8793c7f9f7c97a4

SHA1
a94e0c60a51af35e821de1a4039c80c190b3f466

SHA256
8e4bca3a6d45f57b412f645c30afb62cb3fefc4f1d18f5012453349f8f7cdc4c

SHA512
343d084aab223e5bd8ca578e7e01c4708cdb51f2dcedce7a66501aec7edaf446d4651fdadb827c84a8fa04f9c42a809820dd66a49d26932bed5a22f178cfaeab

Download Submit
C:\Windows\System\KtZvXGp.exe
Filesize
5.9MB

MD5
5a229f50e178ee114bf4096b5f9c1942

SHA1
622cf297606f48f18c86acac36a7a3083c5dd54f

SHA256
7fb457ace0a4c01d9e6cca2e6448b43673fc0dcdc11aa56102cff97f7dbdb1a5

SHA512
57653fd63a5e3c39597455ebe3e8d6f5035acd848b200502bcbdf8ff732f61d19944aa67d47bd26654dd5887f393e3e74c5a532b552e4d32a46aee9a2dd7b915

Download Submit
C:\Windows\System\LqxBJqw.exe
Filesize
5.9MB

MD5
7fb5c3711022a28d2607e1b1e0687860

SHA1
6ec2169d91497a262d5b615bfd24b3d8831fac0f

SHA256
ac34ef04fac612373fcbc4b0d42b42ec6e424ea5dadb827a855af71a701d2150

SHA512
8a556c5c70ac1b30ba1445e98bd90e88f7ff626513ff034815a9be17400c1ef6963909bc3f155a5c71dd3980df57ba8c9f48f204eea20e10c4148ad0017ec57c

Download Submit
C:\Windows\System\Masdmax.exe
Filesize
5.9MB

MD5
565072acab0a9f1d9994aa31f9b49af2

SHA1
1a08151e74b3a0ac4a52dfce959e74d92ef2c048

SHA256
135067b78db24dae1371805ed6cd14c8c08ce8c4f153d2e3d1aea22cca68ba30

SHA512
5a227303eccb4e3711fadba0d76b8766c3dbd4c121c3506051043f043c588170a5043ca0caf8170be773702f9012f4be70803cffafaaa09f2b6aebace6cadae4

Download Submit
C:\Windows\System\SNdUjFk.exe
Filesize
5.9MB

MD5
d86b9784e15438ea1ea5f7f7ff82fa41

SHA1
532e04dde9cf2aebaec1c4898920e6f29326ee56

SHA256
c02840174c999cb9bfe9083db17cc42546d2fda32cf3973964bdd8ab45e4c660

SHA512
4b2fc4a4bd3185d21547b7f711d233bf1f0d072aca9f4da4deb3d06ea20937c1344a537b76b2838715a7f31cbb664a771f79d904e29febf724e89cb79dcceb70

Download Submit
C:\Windows\System\VDknEPH.exe
Filesize
5.9MB

MD5
d2ccefbef0036d119116bb9c55b9eb31

SHA1
b61fbb69b24418f93f6d38faaccd33e6d3b8a506

SHA256
29697cec78546f9da383931429cd1c25a9fd71338aa18d073bdeabc90ad6a632

SHA512
61ae9087acc4afac1f987fa3b348531d48a822c18709b01e9f13669f0d7c6dc7b9c07102e39bfecef09ce05866a9b0f54811a0ae7bf04b88ab1ab1ea07ba61e6

Download Submit
C:\Windows\System\VxYRcwH.exe
Filesize
5.9MB

MD5
3a4c53409c2fadd505aa10ed902d1b0e

SHA1
e2fcba4357ac6217f6cae9d7b9501ba8cb1d6986

SHA256
5dac4fc3b3e1c73ae9f72f1a122f72380de80ac3baffd611f1ae556ff7868127

SHA512
070f2255246559f5bb9f7cdc6b7a00cbdbfe82f5ea27ed9ed29cdecd6dede2b3ba227fc597f1a39eba167794d52011300c15377b9dc4cd5e5e68c33ce680af3c

Download Submit
C:\Windows\System\WOstIoe.exe
Filesize
5.9MB

MD5
aab06ebd50da7f3c4f2a293b6ba26c3a

SHA1
22f58401d64c7b39873db05b577cf112d7a47959

SHA256
12844773191936b630d97c61d432bb510ba473169051d46ee1fe32965dda1fe4

SHA512
088484c4254aa56ee29d13f389f6cc74fba8596d2e26e2fca37ecb425f46dad2b45cd2347ac979d1c0210c4d0a74d4a9c873530277eda26d5c5d18e5465a126c

Download Submit
C:\Windows\System\ZabdGUz.exe
Filesize
5.9MB

MD5
127244bd2a461693970eaf980fecb1c1

SHA1
fbe0ac2c5382523550067711d6b07ef7c195fd9c

SHA256
5b3d8eddc866d7ef95bf7e8ba78a8802581aa4084e149c530568e782c55a6727

SHA512
5485661189d64b289075c017ebe84dc4d877eeed6635c88b597e94bf6529d742e0f7e63054ee421dbc72b4dddcdef81afed181ecd1137d44172c5254dbd0d023

Download Submit
C:\Windows\System\ZptdykX.exe
Filesize
5.9MB

MD5
29f0730d39a3cc2a353a80bd1d14766a

SHA1
0d6c9c3c0cfe378ca45a2cd5396682f6224e92cf

SHA256
a565a56f6961513fcf5a1d792f69033b50c091edd0514f5814eb8d3c59229698

SHA512
3031622d00e5a4e315bca1bc688b1577fd5c9d073d75173459101d068024112979edc27daa6acb86823676a4bbe02baebd438afd8141cc6653216b9ae254df1f

Download Submit
C:\Windows\System\bJXgTLP.exe
Filesize
5.9MB

MD5
2db478357d7fa3e97500b78fead3b5d9

SHA1
135cc430d20797a594701549dbba26babd7fa736

SHA256
b0ebdc0a47e3f1d33156c696c85f3140c292a6e32bfa2c89998e3ded8887d33c

SHA512
1a82d38ae9395bc4c730562a81b11bbe31d309645f151e807c628422e366cf5ec98bef5623c9fb47cd6441477b74cd21e22f2d53a149dc1f1e42bd46bf5a6ade

Download Submit
C:\Windows\System\fyPnnFg.exe
Filesize
5.9MB

MD5
9aa5bae206c13bc500851166ce396be5

SHA1
4d07d9cc0592c4125b58c742b286dcabdb037826

SHA256
c8b8826d9763508fe07eee21ac78a23da4fd9a3d12d06a3a316995daf6126c40

SHA512
c665cf1ab4891c8a71605e0b64bbdb635d994288323b7a220132abca8ca5381c5bf75a0cb8ffa0499f9b4bc5cf5159a8d96ff752f30a5638a4d5274ec2911d5f

Download Submit
C:\Windows\System\nLqznrE.exe
Filesize
5.9MB

MD5
76cd9a10014043517d43f05d344199e0

SHA1
db5f6c5340a2c34f38b4f3ed2645c2329767690f

SHA256
b999feaba119ee16f9888695e4d6a6d1f5f01a4c48e460af5bcc4491e9d59a4a

SHA512
3901c9ceabfb2baf122984f369b7ada61a0d42bddcc9b2fada4852f6cdeaf07af5ca3c9ca5008895fdd2bb0340e91ac8a0951a8c05e54d18998a3b84c39887e4

Download Submit
C:\Windows\System\psorImS.exe
Filesize
5.9MB

MD5
44a8b076a18c8c913c5335b72cf1a9e2

SHA1
c23fa37c9529b40ab2f6afd3e3b1951e57a774a2

SHA256
731a1b418162be04b674d355b23916489f33568e338b3eae0b313ebc2043c8ad

SHA512
fb6e9429066fe7c4f372bb5295e148a7a92994d7b6ecb000a71ee7cfa0699430222bb5347a82f1296d9a9704f96a3d6835487fb2305989364f579bd3d3ce0e71

Download Submit
C:\Windows\System\rCwJHtD.exe
Filesize
5.9MB

MD5
ddf53008d6cc973be0ed97769763bd93

SHA1
c8e92246f427ade3d34999c6b7ba2613efece4d7

SHA256
31438e66ff442b33a1f16f7ca8a77a6bc4b0d6b21006a7aea1101faeafe53bbb

SHA512
3b5438d170aed9750f60ab88a420c2698639a4b934b6cb968a33062883d3cdedc448d5d174c3c9ad9c840b1c3b697a3752fa933fb446d29d25b59a3f9ab8dd9f

Download Submit
C:\Windows\System\ttvhKuI.exe
Filesize
5.9MB

MD5
927bfcdce681ef2448bd0e777bbe626a

SHA1
83762973ec65a8a60a74c7a728fc74b43c8f5615

SHA256
0f13af6fe62c26872135399bf2a94077e4122f9b478b335b5813d646c2258d2a

SHA512
a025806971f697ea50a71859aa81ac8c1dafdc3eb969d5f18eaddb3d0280e416085042a031e1aedf6cc7c1582507324f6aa991f96f92eddfa76a3c32126a214e

Download Submit
C:\Windows\System\uhqUJLd.exe
Filesize
5.9MB

MD5
00dc6a3880a0f14fac1f4961c2f6559e

SHA1
31d8348dfdbc626f263c984c4bb45f05a8a3efb3

SHA256
fbf85af57c68bf7d836621fdb06e0d410d193e301cbf35b112d11c6b29a85cc2

SHA512
4d8724edd14ce6dd2356c196034c134f54b9c6bb45633b050ccdd6ddd7980273a81fc20bd8c7450af45078dd87c7783b0b7d4a5b06b31ac086d052d0d5a1725f

Download Submit
memory/396-148-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp

Filesize
3.3MB

Download
memory/396-73-0x00007FF799D60000-0x00007FF79A0B4000-memory.dmp

Filesize
3.3MB

Download
memory/568-138-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp

Filesize
3.3MB

Download
memory/568-8-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp

Filesize
3.3MB

Download
memory/568-72-0x00007FF7159A0000-0x00007FF715CF4000-memory.dmp

Filesize
3.3MB

Download
memory/648-0-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp

Filesize
3.3MB

Download
memory/648-1-0x0000027ABC4B0000-0x0000027ABC4C0000-memory.dmp

Filesize
64KB

Download
memory/648-61-0x00007FF77CF60000-0x00007FF77D2B4000-memory.dmp

Filesize
3.3MB

Download
memory/776-150-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp

Filesize
3.3MB

Download
memory/776-136-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp

Filesize
3.3MB

Download
memory/776-82-0x00007FF65E3E0000-0x00007FF65E734000-memory.dmp

Filesize
3.3MB

Download
memory/1096-20-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1096-140-0x00007FF64D050000-0x00007FF64D3A4000-memory.dmp

Filesize
3.3MB

Download
memory/1676-144-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp

Filesize
3.3MB

Download
memory/1676-42-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp

Filesize
3.3MB

Download
memory/1676-109-0x00007FF62A2C0000-0x00007FF62A614000-memory.dmp

Filesize
3.3MB

Download
memory/2168-54-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp

Filesize
3.3MB

Download
memory/2168-122-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp

Filesize
3.3MB

Download
memory/2168-146-0x00007FF7BDBF0000-0x00007FF7BDF44000-memory.dmp

Filesize
3.3MB

Download
memory/2424-130-0x00007FF76A620000-0x00007FF76A974000-memory.dmp

Filesize
3.3MB

Download
memory/2424-157-0x00007FF76A620000-0x00007FF76A974000-memory.dmp

Filesize
3.3MB

Download
memory/2604-96-0x00007FF7002B0000-0x00007FF700604000-memory.dmp

Filesize
3.3MB

Download
memory/2604-151-0x00007FF7002B0000-0x00007FF700604000-memory.dmp

Filesize
3.3MB

Download
memory/2608-103-0x00007FF663250000-0x00007FF6635A4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-153-0x00007FF663250000-0x00007FF6635A4000-memory.dmp

Filesize
3.3MB

Download
memory/2780-137-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2780-91-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2780-152-0x00007FF73C7A0000-0x00007FF73CAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2832-112-0x00007FF62C2D0000-0x00007FF62C624000-memory.dmp

Filesize
3.3MB

Download
memory/2832-154-0x00007FF62C2D0000-0x00007FF62C624000-memory.dmp

Filesize
3.3MB

Download
memory/2932-143-0x00007FF607060000-0x00007FF6073B4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-36-0x00007FF607060000-0x00007FF6073B4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-102-0x00007FF607060000-0x00007FF6073B4000-memory.dmp

Filesize
3.3MB

Download
memory/3272-139-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3272-14-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3272-75-0x00007FF76F060000-0x00007FF76F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/3376-156-0x00007FF729070000-0x00007FF7293C4000-memory.dmp

Filesize
3.3MB

Download
memory/3376-123-0x00007FF729070000-0x00007FF7293C4000-memory.dmp

Filesize
3.3MB

Download
memory/3588-135-0x00007FF799190000-0x00007FF7994E4000-memory.dmp

Filesize
3.3MB

Download
memory/3588-74-0x00007FF799190000-0x00007FF7994E4000-memory.dmp

Filesize
3.3MB

Download
memory/3588-149-0x00007FF799190000-0x00007FF7994E4000-memory.dmp

Filesize
3.3MB

Download
memory/3952-141-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp

Filesize
3.3MB

Download
memory/3952-32-0x00007FF7C1B10000-0x00007FF7C1E64000-memory.dmp

Filesize
3.3MB

Download
memory/4004-134-0x00007FF72BB60000-0x00007FF72BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4004-158-0x00007FF72BB60000-0x00007FF72BEB4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-147-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp

Filesize
3.3MB

Download
memory/4632-68-0x00007FF6866A0000-0x00007FF6869F4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-116-0x00007FF70D5C0000-0x00007FF70D914000-memory.dmp

Filesize
3.3MB

Download
memory/4860-155-0x00007FF70D5C0000-0x00007FF70D914000-memory.dmp

Filesize
3.3MB

Download
memory/4864-145-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-50-0x00007FF77CB50000-0x00007FF77CEA4000-memory.dmp

Filesize
3.3MB

Download
memory/4940-25-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp

Filesize
3.3MB

Download
memory/4940-87-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp

Filesize
3.3MB

Download
memory/4940-142-0x00007FF7BE040000-0x00007FF7BE394000-memory.dmp

Filesize
3.3MB

Download