cobaltstrike | 323140ae6707575622973ae79a6f015a2a38e63a4b9462a202fa6e2e2c0d3d19

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5f14ffe89964271cac4025e953339c48
SHA1

0c24d608074084987eb489d9af28bd44bb4418f4
SHA256

323140ae6707575622973ae79a6f015a2a38e63a4b9462a202fa6e2e2c0d3d19
SHA512

40cff4e014524cd14e61b896925a268c2a2ba0be32c48e38f4224b17d154c0fd49d13e6b8f6ba50ebb3f4a25d8ba6bf90549919dff255007439fc65b88747362
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUC:Q+856utgpPF8u/7C

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\xODeKqc.exe	cobalt_reflective_dll
C:\Windows\System\EFKwkKb.exe	cobalt_reflective_dll
C:\Windows\System\IeOUbKP.exe	cobalt_reflective_dll
C:\Windows\System\TkDZOZd.exe	cobalt_reflective_dll
C:\Windows\System\yCsrjTN.exe	cobalt_reflective_dll
C:\Windows\System\cXDLbzw.exe	cobalt_reflective_dll
C:\Windows\System\kHGHfMp.exe	cobalt_reflective_dll
C:\Windows\System\puIUEXc.exe	cobalt_reflective_dll
C:\Windows\System\drssTIh.exe	cobalt_reflective_dll
C:\Windows\System\lvVLRUu.exe	cobalt_reflective_dll
C:\Windows\System\KkfODNM.exe	cobalt_reflective_dll
C:\Windows\System\JNRrYBy.exe	cobalt_reflective_dll
C:\Windows\System\ymXkhac.exe	cobalt_reflective_dll
C:\Windows\System\toTjVTl.exe	cobalt_reflective_dll
C:\Windows\System\hVrVuBY.exe	cobalt_reflective_dll
C:\Windows\System\gpASUQV.exe	cobalt_reflective_dll
C:\Windows\System\yyInNVQ.exe	cobalt_reflective_dll
C:\Windows\System\xLaaWBY.exe	cobalt_reflective_dll
C:\Windows\System\yftzkEQ.exe	cobalt_reflective_dll
C:\Windows\System\mGthZbN.exe	cobalt_reflective_dll
C:\Windows\System\YfSKCqV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\xODeKqc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\EFKwkKb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IeOUbKP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TkDZOZd.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yCsrjTN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cXDLbzw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kHGHfMp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\puIUEXc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\drssTIh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lvVLRUu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KkfODNM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JNRrYBy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ymXkhac.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\toTjVTl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hVrVuBY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gpASUQV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yyInNVQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xLaaWBY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yftzkEQ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mGthZbN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YfSKCqV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	UPX
C:\Windows\System\xODeKqc.exe	UPX
behavioral2/memory/2132-8-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	UPX
C:\Windows\System\EFKwkKb.exe	UPX
behavioral2/memory/4460-16-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	UPX
C:\Windows\System\IeOUbKP.exe	UPX
C:\Windows\System\TkDZOZd.exe	UPX
behavioral2/memory/4448-26-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	UPX
C:\Windows\System\yCsrjTN.exe	UPX
C:\Windows\System\cXDLbzw.exe	UPX
C:\Windows\System\kHGHfMp.exe	UPX
C:\Windows\System\puIUEXc.exe	UPX
C:\Windows\System\drssTIh.exe	UPX
behavioral2/memory/3120-51-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	UPX
behavioral2/memory/4864-46-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	UPX
behavioral2/memory/4928-36-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	UPX
behavioral2/memory/2224-35-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	UPX
behavioral2/memory/3976-22-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	UPX
behavioral2/memory/5092-55-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	UPX
C:\Windows\System\lvVLRUu.exe	UPX
behavioral2/memory/4892-61-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	UPX
C:\Windows\System\KkfODNM.exe	UPX
behavioral2/memory/2540-71-0x00007FF783630000-0x00007FF783984000-memory.dmp	UPX
behavioral2/memory/4460-79-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	UPX
C:\Windows\System\JNRrYBy.exe	UPX
behavioral2/memory/3976-88-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	UPX
behavioral2/memory/2956-89-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp	UPX
behavioral2/memory/4692-87-0x00007FF776520000-0x00007FF776874000-memory.dmp	UPX
C:\Windows\System\ymXkhac.exe	UPX
C:\Windows\System\toTjVTl.exe	UPX
behavioral2/memory/1400-70-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	UPX
behavioral2/memory/4140-65-0x00007FF649830000-0x00007FF649B84000-memory.dmp	UPX
C:\Windows\System\hVrVuBY.exe	UPX
C:\Windows\System\gpASUQV.exe	UPX
behavioral2/memory/4636-99-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp	UPX
behavioral2/memory/2224-98-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	UPX
behavioral2/memory/4448-97-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	UPX
behavioral2/memory/4704-103-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp	UPX
C:\Windows\System\yyInNVQ.exe	UPX
behavioral2/memory/4928-107-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	UPX
behavioral2/memory/4908-108-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	UPX
C:\Windows\System\xLaaWBY.exe	UPX
behavioral2/memory/1068-116-0x00007FF719470000-0x00007FF7197C4000-memory.dmp	UPX
C:\Windows\System\yftzkEQ.exe	UPX
behavioral2/memory/3120-122-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	UPX
C:\Windows\System\mGthZbN.exe	UPX
behavioral2/memory/3712-125-0x00007FF722810000-0x00007FF722B64000-memory.dmp	UPX
C:\Windows\System\YfSKCqV.exe	UPX
behavioral2/memory/4140-132-0x00007FF649830000-0x00007FF649B84000-memory.dmp	UPX
behavioral2/memory/1472-128-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	UPX
behavioral2/memory/4440-135-0x00007FF725060000-0x00007FF7253B4000-memory.dmp	UPX
behavioral2/memory/1400-136-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	UPX
behavioral2/memory/4692-138-0x00007FF776520000-0x00007FF776874000-memory.dmp	UPX
behavioral2/memory/2540-137-0x00007FF783630000-0x00007FF783984000-memory.dmp	UPX
behavioral2/memory/4908-139-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	UPX
behavioral2/memory/1472-140-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	UPX
behavioral2/memory/2132-141-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	UPX
behavioral2/memory/4460-142-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	UPX
behavioral2/memory/3976-143-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	UPX
behavioral2/memory/4448-144-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	UPX
behavioral2/memory/2224-145-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	UPX
behavioral2/memory/4864-147-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	UPX
behavioral2/memory/4928-146-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	UPX
behavioral2/memory/5092-148-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	xmrig
C:\Windows\System\xODeKqc.exe	xmrig
behavioral2/memory/2132-8-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	xmrig
C:\Windows\System\EFKwkKb.exe	xmrig
behavioral2/memory/4460-16-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	xmrig
C:\Windows\System\IeOUbKP.exe	xmrig
C:\Windows\System\TkDZOZd.exe	xmrig
behavioral2/memory/4448-26-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	xmrig
C:\Windows\System\yCsrjTN.exe	xmrig
C:\Windows\System\cXDLbzw.exe	xmrig
C:\Windows\System\kHGHfMp.exe	xmrig
C:\Windows\System\puIUEXc.exe	xmrig
C:\Windows\System\drssTIh.exe	xmrig
behavioral2/memory/3120-51-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	xmrig
behavioral2/memory/4864-46-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	xmrig
behavioral2/memory/4928-36-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	xmrig
behavioral2/memory/2224-35-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	xmrig
behavioral2/memory/3976-22-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	xmrig
behavioral2/memory/5092-55-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	xmrig
C:\Windows\System\lvVLRUu.exe	xmrig
behavioral2/memory/4892-61-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	xmrig
C:\Windows\System\KkfODNM.exe	xmrig
behavioral2/memory/2540-71-0x00007FF783630000-0x00007FF783984000-memory.dmp	xmrig
behavioral2/memory/4460-79-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	xmrig
C:\Windows\System\JNRrYBy.exe	xmrig
behavioral2/memory/3976-88-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	xmrig
behavioral2/memory/2956-89-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp	xmrig
behavioral2/memory/4692-87-0x00007FF776520000-0x00007FF776874000-memory.dmp	xmrig
C:\Windows\System\ymXkhac.exe	xmrig
C:\Windows\System\toTjVTl.exe	xmrig
behavioral2/memory/1400-70-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	xmrig
behavioral2/memory/4140-65-0x00007FF649830000-0x00007FF649B84000-memory.dmp	xmrig
C:\Windows\System\hVrVuBY.exe	xmrig
C:\Windows\System\gpASUQV.exe	xmrig
behavioral2/memory/4636-99-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp	xmrig
behavioral2/memory/2224-98-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	xmrig
behavioral2/memory/4448-97-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	xmrig
behavioral2/memory/4704-103-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp	xmrig
C:\Windows\System\yyInNVQ.exe	xmrig
behavioral2/memory/4928-107-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	xmrig
behavioral2/memory/4908-108-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	xmrig
C:\Windows\System\xLaaWBY.exe	xmrig
behavioral2/memory/1068-116-0x00007FF719470000-0x00007FF7197C4000-memory.dmp	xmrig
C:\Windows\System\yftzkEQ.exe	xmrig
behavioral2/memory/3120-122-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	xmrig
C:\Windows\System\mGthZbN.exe	xmrig
behavioral2/memory/3712-125-0x00007FF722810000-0x00007FF722B64000-memory.dmp	xmrig
C:\Windows\System\YfSKCqV.exe	xmrig
behavioral2/memory/4140-132-0x00007FF649830000-0x00007FF649B84000-memory.dmp	xmrig
behavioral2/memory/1472-128-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	xmrig
behavioral2/memory/4440-135-0x00007FF725060000-0x00007FF7253B4000-memory.dmp	xmrig
behavioral2/memory/1400-136-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	xmrig
behavioral2/memory/4692-138-0x00007FF776520000-0x00007FF776874000-memory.dmp	xmrig
behavioral2/memory/2540-137-0x00007FF783630000-0x00007FF783984000-memory.dmp	xmrig
behavioral2/memory/4908-139-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	xmrig
behavioral2/memory/1472-140-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	xmrig
behavioral2/memory/2132-141-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	xmrig
behavioral2/memory/4460-142-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	xmrig
behavioral2/memory/3976-143-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	xmrig
behavioral2/memory/4448-144-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	xmrig
behavioral2/memory/2224-145-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	xmrig
behavioral2/memory/4864-147-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	xmrig
behavioral2/memory/4928-146-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	xmrig
behavioral2/memory/5092-148-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xODeKqc.exeEFKwkKb.exeIeOUbKP.exeTkDZOZd.exeyCsrjTN.execXDLbzw.exekHGHfMp.exepuIUEXc.exedrssTIh.exelvVLRUu.exeKkfODNM.exetoTjVTl.exeJNRrYBy.exeymXkhac.exehVrVuBY.exegpASUQV.exeyyInNVQ.exexLaaWBY.exeyftzkEQ.exemGthZbN.exeYfSKCqV.exe

pid	process
2132	xODeKqc.exe
4460	EFKwkKb.exe
3976	IeOUbKP.exe
4448	TkDZOZd.exe
2224	yCsrjTN.exe
4928	cXDLbzw.exe
4864	kHGHfMp.exe
3120	puIUEXc.exe
5092	drssTIh.exe
4140	lvVLRUu.exe
1400	KkfODNM.exe
2540	toTjVTl.exe
4692	JNRrYBy.exe
2956	ymXkhac.exe
4636	hVrVuBY.exe
4704	gpASUQV.exe
4908	yyInNVQ.exe
1068	xLaaWBY.exe
3712	yftzkEQ.exe
1472	mGthZbN.exe
4440	YfSKCqV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4892-0-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	upx
C:\Windows\System\xODeKqc.exe	upx
behavioral2/memory/2132-8-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	upx
C:\Windows\System\EFKwkKb.exe	upx
behavioral2/memory/4460-16-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	upx
C:\Windows\System\IeOUbKP.exe	upx
C:\Windows\System\TkDZOZd.exe	upx
behavioral2/memory/4448-26-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	upx
C:\Windows\System\yCsrjTN.exe	upx
C:\Windows\System\cXDLbzw.exe	upx
C:\Windows\System\kHGHfMp.exe	upx
C:\Windows\System\puIUEXc.exe	upx
C:\Windows\System\drssTIh.exe	upx
behavioral2/memory/3120-51-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	upx
behavioral2/memory/4864-46-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	upx
behavioral2/memory/4928-36-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	upx
behavioral2/memory/2224-35-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	upx
behavioral2/memory/3976-22-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	upx
behavioral2/memory/5092-55-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	upx
C:\Windows\System\lvVLRUu.exe	upx
behavioral2/memory/4892-61-0x00007FF67E020000-0x00007FF67E374000-memory.dmp	upx
C:\Windows\System\KkfODNM.exe	upx
behavioral2/memory/2540-71-0x00007FF783630000-0x00007FF783984000-memory.dmp	upx
behavioral2/memory/4460-79-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	upx
C:\Windows\System\JNRrYBy.exe	upx
behavioral2/memory/3976-88-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	upx
behavioral2/memory/2956-89-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp	upx
behavioral2/memory/4692-87-0x00007FF776520000-0x00007FF776874000-memory.dmp	upx
C:\Windows\System\ymXkhac.exe	upx
C:\Windows\System\toTjVTl.exe	upx
behavioral2/memory/1400-70-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	upx
behavioral2/memory/4140-65-0x00007FF649830000-0x00007FF649B84000-memory.dmp	upx
C:\Windows\System\hVrVuBY.exe	upx
C:\Windows\System\gpASUQV.exe	upx
behavioral2/memory/4636-99-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp	upx
behavioral2/memory/2224-98-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	upx
behavioral2/memory/4448-97-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	upx
behavioral2/memory/4704-103-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp	upx
C:\Windows\System\yyInNVQ.exe	upx
behavioral2/memory/4928-107-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	upx
behavioral2/memory/4908-108-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	upx
C:\Windows\System\xLaaWBY.exe	upx
behavioral2/memory/1068-116-0x00007FF719470000-0x00007FF7197C4000-memory.dmp	upx
C:\Windows\System\yftzkEQ.exe	upx
behavioral2/memory/3120-122-0x00007FF6330D0000-0x00007FF633424000-memory.dmp	upx
C:\Windows\System\mGthZbN.exe	upx
behavioral2/memory/3712-125-0x00007FF722810000-0x00007FF722B64000-memory.dmp	upx
C:\Windows\System\YfSKCqV.exe	upx
behavioral2/memory/4140-132-0x00007FF649830000-0x00007FF649B84000-memory.dmp	upx
behavioral2/memory/1472-128-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	upx
behavioral2/memory/4440-135-0x00007FF725060000-0x00007FF7253B4000-memory.dmp	upx
behavioral2/memory/1400-136-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp	upx
behavioral2/memory/4692-138-0x00007FF776520000-0x00007FF776874000-memory.dmp	upx
behavioral2/memory/2540-137-0x00007FF783630000-0x00007FF783984000-memory.dmp	upx
behavioral2/memory/4908-139-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp	upx
behavioral2/memory/1472-140-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp	upx
behavioral2/memory/2132-141-0x00007FF79F210000-0x00007FF79F564000-memory.dmp	upx
behavioral2/memory/4460-142-0x00007FF650B20000-0x00007FF650E74000-memory.dmp	upx
behavioral2/memory/3976-143-0x00007FF730FB0000-0x00007FF731304000-memory.dmp	upx
behavioral2/memory/4448-144-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp	upx
behavioral2/memory/2224-145-0x00007FF640EC0000-0x00007FF641214000-memory.dmp	upx
behavioral2/memory/4864-147-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp	upx
behavioral2/memory/4928-146-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp	upx
behavioral2/memory/5092-148-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\gpASUQV.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YfSKCqV.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yCsrjTN.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KkfODNM.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\drssTIh.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\toTjVTl.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JNRrYBy.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ymXkhac.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVrVuBY.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mGthZbN.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IeOUbKP.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\puIUEXc.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yftzkEQ.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EFKwkKb.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkDZOZd.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kHGHfMp.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvVLRUu.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yyInNVQ.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xLaaWBY.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xODeKqc.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cXDLbzw.exe	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4892 wrote to memory of 2132	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	xODeKqc.exe
PID 4892 wrote to memory of 2132	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	xODeKqc.exe
PID 4892 wrote to memory of 4460	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	EFKwkKb.exe
PID 4892 wrote to memory of 4460	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	EFKwkKb.exe
PID 4892 wrote to memory of 3976	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	IeOUbKP.exe
PID 4892 wrote to memory of 3976	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	IeOUbKP.exe
PID 4892 wrote to memory of 4448	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	TkDZOZd.exe
PID 4892 wrote to memory of 4448	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	TkDZOZd.exe
PID 4892 wrote to memory of 2224	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yCsrjTN.exe
PID 4892 wrote to memory of 2224	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yCsrjTN.exe
PID 4892 wrote to memory of 4928	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	cXDLbzw.exe
PID 4892 wrote to memory of 4928	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	cXDLbzw.exe
PID 4892 wrote to memory of 4864	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	kHGHfMp.exe
PID 4892 wrote to memory of 4864	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	kHGHfMp.exe
PID 4892 wrote to memory of 3120	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	puIUEXc.exe
PID 4892 wrote to memory of 3120	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	puIUEXc.exe
PID 4892 wrote to memory of 5092	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	drssTIh.exe
PID 4892 wrote to memory of 5092	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	drssTIh.exe
PID 4892 wrote to memory of 4140	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	lvVLRUu.exe
PID 4892 wrote to memory of 4140	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	lvVLRUu.exe
PID 4892 wrote to memory of 1400	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	KkfODNM.exe
PID 4892 wrote to memory of 1400	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	KkfODNM.exe
PID 4892 wrote to memory of 2540	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	toTjVTl.exe
PID 4892 wrote to memory of 2540	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	toTjVTl.exe
PID 4892 wrote to memory of 4692	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	JNRrYBy.exe
PID 4892 wrote to memory of 4692	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	JNRrYBy.exe
PID 4892 wrote to memory of 2956	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	ymXkhac.exe
PID 4892 wrote to memory of 2956	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	ymXkhac.exe
PID 4892 wrote to memory of 4636	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	hVrVuBY.exe
PID 4892 wrote to memory of 4636	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	hVrVuBY.exe
PID 4892 wrote to memory of 4704	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	gpASUQV.exe
PID 4892 wrote to memory of 4704	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	gpASUQV.exe
PID 4892 wrote to memory of 4908	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yyInNVQ.exe
PID 4892 wrote to memory of 4908	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yyInNVQ.exe
PID 4892 wrote to memory of 1068	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	xLaaWBY.exe
PID 4892 wrote to memory of 1068	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	xLaaWBY.exe
PID 4892 wrote to memory of 3712	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yftzkEQ.exe
PID 4892 wrote to memory of 3712	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	yftzkEQ.exe
PID 4892 wrote to memory of 1472	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	mGthZbN.exe
PID 4892 wrote to memory of 1472	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	mGthZbN.exe
PID 4892 wrote to memory of 4440	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	YfSKCqV.exe
PID 4892 wrote to memory of 4440	4892	2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe	YfSKCqV.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\System\xODeKqc.exe
C:\Windows\System\xODeKqc.exe
2⤵
- Executes dropped EXE
PID:2132

C:\Windows\System\EFKwkKb.exe
C:\Windows\System\EFKwkKb.exe
2⤵
- Executes dropped EXE
PID:4460

C:\Windows\System\IeOUbKP.exe
C:\Windows\System\IeOUbKP.exe
2⤵
- Executes dropped EXE
PID:3976

C:\Windows\System\TkDZOZd.exe
C:\Windows\System\TkDZOZd.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Windows\System\yCsrjTN.exe
C:\Windows\System\yCsrjTN.exe
2⤵
- Executes dropped EXE
PID:2224

C:\Windows\System\cXDLbzw.exe
C:\Windows\System\cXDLbzw.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System\kHGHfMp.exe
C:\Windows\System\kHGHfMp.exe
2⤵
- Executes dropped EXE
PID:4864

C:\Windows\System\puIUEXc.exe
C:\Windows\System\puIUEXc.exe
2⤵
- Executes dropped EXE
PID:3120

C:\Windows\System\drssTIh.exe
C:\Windows\System\drssTIh.exe
2⤵
- Executes dropped EXE
PID:5092

C:\Windows\System\lvVLRUu.exe
C:\Windows\System\lvVLRUu.exe
2⤵
- Executes dropped EXE
PID:4140

C:\Windows\System\KkfODNM.exe
C:\Windows\System\KkfODNM.exe
2⤵
- Executes dropped EXE
PID:1400

C:\Windows\System\toTjVTl.exe
C:\Windows\System\toTjVTl.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\JNRrYBy.exe
C:\Windows\System\JNRrYBy.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System\ymXkhac.exe
C:\Windows\System\ymXkhac.exe
2⤵
- Executes dropped EXE
PID:2956

C:\Windows\System\hVrVuBY.exe
C:\Windows\System\hVrVuBY.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\gpASUQV.exe
C:\Windows\System\gpASUQV.exe
2⤵
- Executes dropped EXE
PID:4704

C:\Windows\System\yyInNVQ.exe
C:\Windows\System\yyInNVQ.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\xLaaWBY.exe
C:\Windows\System\xLaaWBY.exe
2⤵
- Executes dropped EXE
PID:1068

C:\Windows\System\yftzkEQ.exe
C:\Windows\System\yftzkEQ.exe
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\System\mGthZbN.exe
C:\Windows\System\mGthZbN.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\System\YfSKCqV.exe
C:\Windows\System\YfSKCqV.exe
2⤵
- Executes dropped EXE
PID:4440

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EFKwkKb.exe
Filesize
5.9MB

MD5
3e9008a0ff2884bbb01a1723ae3709f7

SHA1
5345165cb8bf49b207e14bfa25831d1ac7469841

SHA256
23905344eeb78b13a3df0e4561199c98dd80894b90a7b1117bf015804e0c68a0

SHA512
b4c73844aaed83c0995dc7e42c835424bc782c7baf18ec920cd4dd75e4aa668761c03961373b3baeaf733287c4eca19b959fa41617408da117e8d72add167072

Download Submit
C:\Windows\System\IeOUbKP.exe
Filesize
5.9MB

MD5
4ee78a6695fe36daea9706c89f8869c7

SHA1
97fda1dc28d2c21265a1284fad975d05b66a6abe

SHA256
d4fabcce57660730cc9ddc55d81e160af1bd7956fc5dc72a5a52c7ac37f325a9

SHA512
354845704701a713b474d3875e2763b488cb1d2cbedd535921f0bb9c8d17579a621c349fb3869badf3a9f5d33348ca464745a94d7430f340a27e9d43155d13d6

Download Submit
C:\Windows\System\JNRrYBy.exe
Filesize
5.9MB

MD5
a4c926a2f62fc8f028ae1cb49dae2b8d

SHA1
e390a6c4ea4f9dc92778b95e2334c64a39fede27

SHA256
89690248061234c7ffe61242e3c37c76db892869a3a9c4703af86f72df9205b2

SHA512
ce665830b4a27711ebf5532bb68df46840c00b02b90fc0621c760d63eb03651869c8695d6a0f26ad1b1ca72e170fa60dd8327740720817b8ea5ba35f24838ca1

Download Submit
C:\Windows\System\KkfODNM.exe
Filesize
5.9MB

MD5
a0df513031115e5b65bbb5e3d4c4b3a6

SHA1
96c74fa9ebd5a0ef019bdf28f91feca3ad28b947

SHA256
71927b56a14fd7a7accb662e678b5ac98064b99fdf8bd93f9935b5e6b19adf16

SHA512
84503aae070143e9548079481fcff420609ceed99943e4a62ef7d45fed712cbc9429941aff96723b032e72479cc620bb669fe6d7f5c13719f982ac1268f606f8

Download Submit
C:\Windows\System\TkDZOZd.exe
Filesize
5.9MB

MD5
4b255fd14f72ef4fb79d798757f0c562

SHA1
9bbfbbbb903447c1abdf799465d2226e97e35b69

SHA256
11ed67da9c756ae92abf2cd916d8fbc3343a2787c0967bd90fbcf6d265b7a318

SHA512
223d5b8103889defd40e7e03993ab21f1a6ed03c0099d13e99c2d0a5889202a47f6056d2e67bfdbe33d0aa06b2694ced5cf88805ba1c44a3ecd9dc42257d089e

Download Submit
C:\Windows\System\YfSKCqV.exe
Filesize
5.9MB

MD5
f315f29150df7b4691e0cf1698a6a94c

SHA1
d1fda091232bb440c96558f75495920b65226dc6

SHA256
829f4963ec6202ffe75fbc8c8fbc33ad22473641bd0f33f6a854dffb2ca6cbe1

SHA512
c24565076d4b7325e03223e29e5e446f6bea250e4a35ffa4ba7583c21158b282ea0b847c8192b71b661e06a8605ce547260afdd25b67d98bd3b834be33efa3ae

Download Submit
C:\Windows\System\cXDLbzw.exe
Filesize
5.9MB

MD5
3fdbbf62e41032def035df81a1600c7b

SHA1
31f844937ccab7bc61007bce2f687d7c2eefe136

SHA256
6a32796d04d256e548df31b302147f9463425fb04a82ca898103fc4d51c050cb

SHA512
65cac7e44392e33db3a4432530d85e47c74bf7269c920fc2250ae8662fc23e109bc93e2b3adec5c6a8083531f9cd1157d98d650e2c20a9eb32b7f76fa0b7c232

Download Submit
C:\Windows\System\drssTIh.exe
Filesize
5.9MB

MD5
485675bc7f964c11c58ae5b1bafd75a5

SHA1
7325effd29e766d35a56d697358d8ba20b714bd3

SHA256
f9276d70f86062c936e4ed83a0c3e8be62adb79724d537edc61d56094e70cf12

SHA512
dfcad59fd7a4bda357f1544ae574393a7c1fbf71006f8b3e0b08826d3bf51ee27910676cc48bf83e163207ec6fc8ebe4254ccdf6593db66614aaf191ca696bc3

Download Submit
C:\Windows\System\gpASUQV.exe
Filesize
5.9MB

MD5
5e025be679ced319892c6d09c1ff5915

SHA1
a6c3021164cbd2f0e2d5b08afb1e3ba787bcc00f

SHA256
9eaf622b84e3c4f82e702f491ecd51553018965ece05f2a14d137a81506e2681

SHA512
c2f2f3a370f42ec1b7e8aed8f5df92a0aa17ba3009ea4ec450c69c9f71eee0a8c58dcb0dc18e18e0215b7afcb5359ddad4b90e26898ffc7cd843b5e82619cf8c

Download Submit
C:\Windows\System\hVrVuBY.exe
Filesize
5.9MB

MD5
ac7d5f725b89566d556b3027bc81cfc7

SHA1
a680ce0653f6ce150258640b2689123f31fc373a

SHA256
9b55c27ca255073b6042703f417ea7fa22d809cbf1799f669feac9dd72424c5f

SHA512
4fc2a648a965b484575140ffd5315dc5877aab5dbe8fb8ea02083f81a55979b0fb3cdb4572ad7337bed20b3c6ce63e990d8eab69e9feb009ece9e57e0531dc9e

Download Submit
C:\Windows\System\kHGHfMp.exe
Filesize
5.9MB

MD5
ffbf67a490846bbb346bf0210c941c5e

SHA1
47e7340ffe3af76d5ae61dbf9ca121d314e8b9a8

SHA256
ea1a4b3e851b848e6ddc4be51cb73979d765627bf284f8281dcf235554340d95

SHA512
f232a1ba84f6b38b19f8e172afa679efe8b49d4c58c8c94473a5e530b2f8780e3a0005145dd6ba3b3dd06028b0c6a3e4a5d2e0b7b720f49721227c1415d7e12e

Download Submit
C:\Windows\System\lvVLRUu.exe
Filesize
5.9MB

MD5
f1c77d4e02e44a6c428c1138cc02503c

SHA1
5c35b8d288ad14447b55030d5feff11acde94041

SHA256
1802b5a2af7e2ba16f94a387af04156b74001b9ceffb15b34d649a18ce1aaf3c

SHA512
75c99b57880b679164fb9e7fd4b80ad19faa263e1008396196f83a48f8205f3ceb0748c7c495b91455d604694f95ff511771d9d2831d5ca2c0c1754c64e4f895

Download Submit
C:\Windows\System\mGthZbN.exe
Filesize
5.9MB

MD5
71b0b8e2e730a916080d9f6c50822db3

SHA1
142cf7dcf83d4705e39a0ba522011aa560520fb9

SHA256
f147d07c7f4d48d292a95bd9ce117ec05c4a966e213dbb8699686877f394cab7

SHA512
3a255f3ad8695e22b9ee0b345c61492812c7110427a28dcf92c6a356994272a01cbf6811d7561a74ad79ea82b93a7e074bcb601e3bbd90f7f677bb36706f19ba

Download Submit
C:\Windows\System\puIUEXc.exe
Filesize
5.9MB

MD5
58777fdeccd47c65423be14f9b0a862b

SHA1
90cf0a1749c8c275b3382ce9d8febaeb74a79844

SHA256
71004afa9658e4cf7dc35f20dc6d4424782726d91f73cc1921335ad7e8e14b3d

SHA512
a149256271fa9fc1a11e9f84618b27c77f75f8f91be229769998f2a69832d1f2fb0a53f01c7e1023b3ec9152c1a5be20e7871bc2787b5f472a034007d64b15f2

Download Submit
C:\Windows\System\toTjVTl.exe
Filesize
5.9MB

MD5
dce677021b08cccc9a905c9f019c6c2a

SHA1
ff66c11057c746393401e6f3b4cb4887c1222218

SHA256
22417e5aa389886a800c53197b3f5731303dd346a04b877fcc2ce2da2c524cc9

SHA512
cf005c302a02815e7e6f1b2b2433b554282dc28e509f7b261607311163f8f3139a21aca34048b562281f5bb531c2eefa58f88b1c8cabd30af4e090b9da0adb21

Download Submit
C:\Windows\System\xLaaWBY.exe
Filesize
5.9MB

MD5
ed65866d57f09be73a6200b45a31c879

SHA1
32e325ee654aec1410fb39ebd5f570035414b910

SHA256
96f8319b07a56e84d7e19f859c6e91e7bd54a1f6f479b26c073f8e540915fdd5

SHA512
ecc5d3084158ba44f07e3c15aa150425631775bc6cfeaaa8160ecae3cd4d21ef72097933235c1ee4151eb31c257eab63857cc33b57decf91d31ba1b32b3c9206

Download Submit
C:\Windows\System\xODeKqc.exe
Filesize
5.9MB

MD5
7637e66be31f60c09da33e0b097cc579

SHA1
9af8b33797441f2b9ead2eac24703860780ea896

SHA256
bd7bfb1fed76394e17266b15f2d7ad7fc4abfeaaad5c50baa5f9a9e6445bb7eb

SHA512
5ec411caebc4298736d3b9fa34e9e0ae3c19eee23a160b061c708e50cc0e8b66df6b1bcdd27b32c8dfa9e8f5d80e0e007034c6a34ef544104b4b4adfb145a082

Download Submit
C:\Windows\System\yCsrjTN.exe
Filesize
5.9MB

MD5
ffe1ffdf7f98a4339f952fa96156eab8

SHA1
bc993a0902d59a0ccda34c8d74a26dbab3eabbf8

SHA256
fbb5dd5224efa151e024f3e0a457792f50e874f0dda89c869fc837922f46bdd7

SHA512
549bce60e609e298eb7115edc813542bbe10ebc1926ff8d0f955c48d0778be18c8f8cc505f3ba6ef63d66d3cea9c2f45a7a95af5602725e41b5bfed4dd174551

Download Submit
C:\Windows\System\yftzkEQ.exe
Filesize
5.9MB

MD5
791710167ff561bdafca41f78641b7a6

SHA1
5cfa8275241d78dcff2ba9c1fd94cc7f16be6cdb

SHA256
10bfe28296d3208ab74b4ef369ac5caca7bc1aef10d3cf3c9db0ce864a65d883

SHA512
81c8360897ba54cf73164b5fe0409535512f6013713dd9e24f864beabf6d5a01dab03934d02c6f0817450bf4108ba59767bfbefc4ad5bb70e71d74fb20c8216f

Download Submit
C:\Windows\System\ymXkhac.exe
Filesize
5.9MB

MD5
7c5ab1df3abd77a5e1ba1dbc5a9eaf7f

SHA1
fdc11dfe50fde9332d7716961800c78e35b8ea16

SHA256
c0f9876f8282affa241d6ed9420cda03a81a63f535a8e12b5f95e8ad0da75b36

SHA512
37d956b2929cefe074df6f868bcc35c8850116bfb887168a1dd854c60db15953da0002c5fe3ef1480dcf3836170560d6dc0342f5d7232c08bb95fc3ae6eaa4c2

Download Submit
C:\Windows\System\yyInNVQ.exe
Filesize
5.9MB

MD5
edb441dffee7093bd0f45152bae16228

SHA1
cb8df7f0ee9cd2af26f00f9d5fed939957515782

SHA256
88c05f7d4cda6b44435de110f7035373c76955f4cd78e2589e51c84e227dec09

SHA512
0062e791c30039c84762a59537f5510e2bc4e3f49301e9068e300b27f88df70f0750dd8f1f22ce7ab0ac410bf31695bf521f4ec11553a9a72a01909d0bff6d75

Download Submit
memory/1068-116-0x00007FF719470000-0x00007FF7197C4000-memory.dmp

Filesize
3.3MB

Download
memory/1068-158-0x00007FF719470000-0x00007FF7197C4000-memory.dmp

Filesize
3.3MB

Download
memory/1400-151-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1400-70-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1400-136-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1472-128-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp

Filesize
3.3MB

Download
memory/1472-140-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp

Filesize
3.3MB

Download
memory/1472-160-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp

Filesize
3.3MB

Download
memory/2132-8-0x00007FF79F210000-0x00007FF79F564000-memory.dmp

Filesize
3.3MB

Download
memory/2132-141-0x00007FF79F210000-0x00007FF79F564000-memory.dmp

Filesize
3.3MB

Download
memory/2224-35-0x00007FF640EC0000-0x00007FF641214000-memory.dmp

Filesize
3.3MB

Download
memory/2224-98-0x00007FF640EC0000-0x00007FF641214000-memory.dmp

Filesize
3.3MB

Download
memory/2224-145-0x00007FF640EC0000-0x00007FF641214000-memory.dmp

Filesize
3.3MB

Download
memory/2540-71-0x00007FF783630000-0x00007FF783984000-memory.dmp

Filesize
3.3MB

Download
memory/2540-137-0x00007FF783630000-0x00007FF783984000-memory.dmp

Filesize
3.3MB

Download
memory/2540-152-0x00007FF783630000-0x00007FF783984000-memory.dmp

Filesize
3.3MB

Download
memory/2956-89-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp

Filesize
3.3MB

Download
memory/2956-154-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp

Filesize
3.3MB

Download
memory/3120-149-0x00007FF6330D0000-0x00007FF633424000-memory.dmp

Filesize
3.3MB

Download
memory/3120-122-0x00007FF6330D0000-0x00007FF633424000-memory.dmp

Filesize
3.3MB

Download
memory/3120-51-0x00007FF6330D0000-0x00007FF633424000-memory.dmp

Filesize
3.3MB

Download
memory/3712-159-0x00007FF722810000-0x00007FF722B64000-memory.dmp

Filesize
3.3MB

Download
memory/3712-125-0x00007FF722810000-0x00007FF722B64000-memory.dmp

Filesize
3.3MB

Download
memory/3976-22-0x00007FF730FB0000-0x00007FF731304000-memory.dmp

Filesize
3.3MB

Download
memory/3976-143-0x00007FF730FB0000-0x00007FF731304000-memory.dmp

Filesize
3.3MB

Download
memory/3976-88-0x00007FF730FB0000-0x00007FF731304000-memory.dmp

Filesize
3.3MB

Download
memory/4140-65-0x00007FF649830000-0x00007FF649B84000-memory.dmp

Filesize
3.3MB

Download
memory/4140-132-0x00007FF649830000-0x00007FF649B84000-memory.dmp

Filesize
3.3MB

Download
memory/4140-150-0x00007FF649830000-0x00007FF649B84000-memory.dmp

Filesize
3.3MB

Download
memory/4440-161-0x00007FF725060000-0x00007FF7253B4000-memory.dmp

Filesize
3.3MB

Download
memory/4440-135-0x00007FF725060000-0x00007FF7253B4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-97-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp

Filesize
3.3MB

Download
memory/4448-26-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp

Filesize
3.3MB

Download
memory/4448-144-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp

Filesize
3.3MB

Download
memory/4460-79-0x00007FF650B20000-0x00007FF650E74000-memory.dmp

Filesize
3.3MB

Download
memory/4460-142-0x00007FF650B20000-0x00007FF650E74000-memory.dmp

Filesize
3.3MB

Download
memory/4460-16-0x00007FF650B20000-0x00007FF650E74000-memory.dmp

Filesize
3.3MB

Download
memory/4636-155-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp

Filesize
3.3MB

Download
memory/4636-99-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-153-0x00007FF776520000-0x00007FF776874000-memory.dmp

Filesize
3.3MB

Download
memory/4692-138-0x00007FF776520000-0x00007FF776874000-memory.dmp

Filesize
3.3MB

Download
memory/4692-87-0x00007FF776520000-0x00007FF776874000-memory.dmp

Filesize
3.3MB

Download
memory/4704-103-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp

Filesize
3.3MB

Download
memory/4704-156-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp

Filesize
3.3MB

Download
memory/4864-46-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp

Filesize
3.3MB

Download
memory/4864-147-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp

Filesize
3.3MB

Download
memory/4892-1-0x0000015047740000-0x0000015047750000-memory.dmp

Filesize
64KB

Download
memory/4892-61-0x00007FF67E020000-0x00007FF67E374000-memory.dmp

Filesize
3.3MB

Download
memory/4892-0-0x00007FF67E020000-0x00007FF67E374000-memory.dmp

Filesize
3.3MB

Download
memory/4908-157-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp

Filesize
3.3MB

Download
memory/4908-108-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp

Filesize
3.3MB

Download
memory/4908-139-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp

Filesize
3.3MB

Download
memory/4928-36-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp

Filesize
3.3MB

Download
memory/4928-146-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp

Filesize
3.3MB

Download
memory/4928-107-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp

Filesize
3.3MB

Download
memory/5092-55-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp

Filesize
3.3MB

Download
memory/5092-148-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp

Filesize
3.3MB

Download