cobaltstrike | 0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

4e0e0b027c36f5e0ca87d7bd177ca4bb
SHA1

3681dc25df8ffbb27f2fe4239f7f2d9c6072299f
SHA256

0f834825e381d257401550e01f5cbb614c613420b683b53c4fb9a4822c21a517
SHA512

97cd79a9ad4f4d1be151ad735924d599204c49b2da592c36d7820be57ccc72a134babd792cd951f707c374bda2bdbafbdab1e7d5d4f6e581c213a8abbf129a24
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU6:Q+856utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CbVUJFF.exe	cobalt_reflective_dll
C:\Windows\System\gKDfOeA.exe	cobalt_reflective_dll
C:\Windows\System\qPRKeXN.exe	cobalt_reflective_dll
C:\Windows\System\nQTJXNr.exe	cobalt_reflective_dll
C:\Windows\System\XRNAqVN.exe	cobalt_reflective_dll
C:\Windows\System\YhsPGCM.exe	cobalt_reflective_dll
C:\Windows\System\wUlDfIG.exe	cobalt_reflective_dll
C:\Windows\System\nrrkXkh.exe	cobalt_reflective_dll
C:\Windows\System\yRsIAWg.exe	cobalt_reflective_dll
C:\Windows\System\LcNPKpA.exe	cobalt_reflective_dll
C:\Windows\System\flwBQHG.exe	cobalt_reflective_dll
C:\Windows\System\ytFtPah.exe	cobalt_reflective_dll
C:\Windows\System\VEmGwCo.exe	cobalt_reflective_dll
C:\Windows\System\LPMxVcK.exe	cobalt_reflective_dll
C:\Windows\System\aBCIvEW.exe	cobalt_reflective_dll
C:\Windows\System\vqKNuYN.exe	cobalt_reflective_dll
C:\Windows\System\OdopPpV.exe	cobalt_reflective_dll
C:\Windows\System\iVeUbsU.exe	cobalt_reflective_dll
C:\Windows\System\RGxdzaD.exe	cobalt_reflective_dll
C:\Windows\System\vOzKpGE.exe	cobalt_reflective_dll
C:\Windows\System\VhzKRqY.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\CbVUJFF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\gKDfOeA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qPRKeXN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nQTJXNr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XRNAqVN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\YhsPGCM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\wUlDfIG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nrrkXkh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yRsIAWg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LcNPKpA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\flwBQHG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ytFtPah.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VEmGwCo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\LPMxVcK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aBCIvEW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vqKNuYN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OdopPpV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iVeUbsU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RGxdzaD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vOzKpGE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\VhzKRqY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	UPX
C:\Windows\System\CbVUJFF.exe	UPX
C:\Windows\System\gKDfOeA.exe	UPX
C:\Windows\System\qPRKeXN.exe	UPX
behavioral2/memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	UPX
C:\Windows\System\nQTJXNr.exe	UPX
behavioral2/memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	UPX
behavioral2/memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	UPX
behavioral2/memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	UPX
behavioral2/memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	UPX
C:\Windows\System\XRNAqVN.exe	UPX
C:\Windows\System\YhsPGCM.exe	UPX
behavioral2/memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	UPX
C:\Windows\System\wUlDfIG.exe	UPX
behavioral2/memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	UPX
behavioral2/memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp	UPX
C:\Windows\System\nrrkXkh.exe	UPX
C:\Windows\System\yRsIAWg.exe	UPX
behavioral2/memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp	UPX
C:\Windows\System\LcNPKpA.exe	UPX
C:\Windows\System\flwBQHG.exe	UPX
C:\Windows\System\ytFtPah.exe	UPX
behavioral2/memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	UPX
behavioral2/memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp	UPX
behavioral2/memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	UPX
C:\Windows\System\VEmGwCo.exe	UPX
behavioral2/memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp	UPX
C:\Windows\System\LPMxVcK.exe	UPX
C:\Windows\System\aBCIvEW.exe	UPX
C:\Windows\System\vqKNuYN.exe	UPX
behavioral2/memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	UPX
behavioral2/memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	UPX
behavioral2/memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	UPX
behavioral2/memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	UPX
behavioral2/memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp	UPX
C:\Windows\System\OdopPpV.exe	UPX
behavioral2/memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	UPX
behavioral2/memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	UPX
behavioral2/memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	UPX
behavioral2/memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	UPX
behavioral2/memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	UPX
behavioral2/memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	UPX
C:\Windows\System\iVeUbsU.exe	UPX
C:\Windows\System\RGxdzaD.exe	UPX
C:\Windows\System\vOzKpGE.exe	UPX
behavioral2/memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp	UPX
behavioral2/memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp	UPX
behavioral2/memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp	UPX
C:\Windows\System\VhzKRqY.exe	UPX
behavioral2/memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	UPX
behavioral2/memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp	UPX
behavioral2/memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	UPX
behavioral2/memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	UPX
behavioral2/memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp	UPX
behavioral2/memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	UPX
behavioral2/memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	UPX
behavioral2/memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp	UPX
behavioral2/memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	UPX
behavioral2/memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	UPX
behavioral2/memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	UPX
behavioral2/memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	UPX
behavioral2/memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	UPX
behavioral2/memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	UPX
behavioral2/memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	xmrig
C:\Windows\System\CbVUJFF.exe	xmrig
C:\Windows\System\gKDfOeA.exe	xmrig
C:\Windows\System\qPRKeXN.exe	xmrig
behavioral2/memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	xmrig
C:\Windows\System\nQTJXNr.exe	xmrig
behavioral2/memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	xmrig
behavioral2/memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	xmrig
behavioral2/memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	xmrig
behavioral2/memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	xmrig
C:\Windows\System\XRNAqVN.exe	xmrig
C:\Windows\System\YhsPGCM.exe	xmrig
behavioral2/memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	xmrig
C:\Windows\System\wUlDfIG.exe	xmrig
behavioral2/memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	xmrig
behavioral2/memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp	xmrig
C:\Windows\System\nrrkXkh.exe	xmrig
C:\Windows\System\yRsIAWg.exe	xmrig
behavioral2/memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp	xmrig
C:\Windows\System\LcNPKpA.exe	xmrig
C:\Windows\System\flwBQHG.exe	xmrig
C:\Windows\System\ytFtPah.exe	xmrig
behavioral2/memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	xmrig
behavioral2/memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp	xmrig
behavioral2/memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	xmrig
C:\Windows\System\VEmGwCo.exe	xmrig
behavioral2/memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp	xmrig
C:\Windows\System\LPMxVcK.exe	xmrig
C:\Windows\System\aBCIvEW.exe	xmrig
C:\Windows\System\vqKNuYN.exe	xmrig
behavioral2/memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	xmrig
behavioral2/memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	xmrig
behavioral2/memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	xmrig
behavioral2/memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	xmrig
behavioral2/memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp	xmrig
C:\Windows\System\OdopPpV.exe	xmrig
behavioral2/memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	xmrig
behavioral2/memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	xmrig
behavioral2/memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	xmrig
behavioral2/memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	xmrig
behavioral2/memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	xmrig
behavioral2/memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	xmrig
C:\Windows\System\iVeUbsU.exe	xmrig
C:\Windows\System\RGxdzaD.exe	xmrig
C:\Windows\System\vOzKpGE.exe	xmrig
behavioral2/memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp	xmrig
behavioral2/memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp	xmrig
behavioral2/memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp	xmrig
C:\Windows\System\VhzKRqY.exe	xmrig
behavioral2/memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	xmrig
behavioral2/memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp	xmrig
behavioral2/memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	xmrig
behavioral2/memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	xmrig
behavioral2/memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp	xmrig
behavioral2/memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	xmrig
behavioral2/memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	xmrig
behavioral2/memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp	xmrig
behavioral2/memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	xmrig
behavioral2/memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	xmrig
behavioral2/memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	xmrig
behavioral2/memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	xmrig
behavioral2/memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	xmrig
behavioral2/memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	xmrig
behavioral2/memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CbVUJFF.exeYhsPGCM.exegKDfOeA.exeXRNAqVN.exeqPRKeXN.exenQTJXNr.exewUlDfIG.exenrrkXkh.exeyRsIAWg.exeLcNPKpA.exeflwBQHG.exeytFtPah.exeVEmGwCo.exeOdopPpV.exeLPMxVcK.exeaBCIvEW.exevqKNuYN.exeiVeUbsU.exeRGxdzaD.exevOzKpGE.exeVhzKRqY.exe

pid	process
2828	CbVUJFF.exe
1940	YhsPGCM.exe
2620	gKDfOeA.exe
4152	XRNAqVN.exe
2356	qPRKeXN.exe
3456	nQTJXNr.exe
4508	wUlDfIG.exe
520	nrrkXkh.exe
4428	yRsIAWg.exe
3320	LcNPKpA.exe
3232	flwBQHG.exe
5032	ytFtPah.exe
5108	VEmGwCo.exe
4272	OdopPpV.exe
384	LPMxVcK.exe
1412	aBCIvEW.exe
1500	vqKNuYN.exe
3244	iVeUbsU.exe
4600	RGxdzaD.exe
3424	vOzKpGE.exe
2240	VhzKRqY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	upx
C:\Windows\System\CbVUJFF.exe	upx
C:\Windows\System\gKDfOeA.exe	upx
C:\Windows\System\qPRKeXN.exe	upx
behavioral2/memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	upx
C:\Windows\System\nQTJXNr.exe	upx
behavioral2/memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	upx
behavioral2/memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	upx
behavioral2/memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	upx
behavioral2/memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	upx
C:\Windows\System\XRNAqVN.exe	upx
C:\Windows\System\YhsPGCM.exe	upx
behavioral2/memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	upx
C:\Windows\System\wUlDfIG.exe	upx
behavioral2/memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	upx
behavioral2/memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp	upx
C:\Windows\System\nrrkXkh.exe	upx
C:\Windows\System\yRsIAWg.exe	upx
behavioral2/memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp	upx
C:\Windows\System\LcNPKpA.exe	upx
C:\Windows\System\flwBQHG.exe	upx
C:\Windows\System\ytFtPah.exe	upx
behavioral2/memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	upx
behavioral2/memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp	upx
behavioral2/memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	upx
C:\Windows\System\VEmGwCo.exe	upx
behavioral2/memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp	upx
C:\Windows\System\LPMxVcK.exe	upx
C:\Windows\System\aBCIvEW.exe	upx
C:\Windows\System\vqKNuYN.exe	upx
behavioral2/memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	upx
behavioral2/memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	upx
behavioral2/memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	upx
behavioral2/memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	upx
behavioral2/memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp	upx
C:\Windows\System\OdopPpV.exe	upx
behavioral2/memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	upx
behavioral2/memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	upx
behavioral2/memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	upx
behavioral2/memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	upx
behavioral2/memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	upx
behavioral2/memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp	upx
C:\Windows\System\iVeUbsU.exe	upx
C:\Windows\System\RGxdzaD.exe	upx
C:\Windows\System\vOzKpGE.exe	upx
behavioral2/memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp	upx
behavioral2/memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp	upx
behavioral2/memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp	upx
C:\Windows\System\VhzKRqY.exe	upx
behavioral2/memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp	upx
behavioral2/memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp	upx
behavioral2/memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp	upx
behavioral2/memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp	upx
behavioral2/memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp	upx
behavioral2/memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp	upx
behavioral2/memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp	upx
behavioral2/memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp	upx
behavioral2/memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp	upx
behavioral2/memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp	upx
behavioral2/memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp	upx
behavioral2/memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp	upx
behavioral2/memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp	upx
behavioral2/memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp	upx
behavioral2/memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\YhsPGCM.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQTJXNr.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wUlDfIG.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yRsIAWg.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LcNPKpA.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\flwBQHG.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qPRKeXN.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ytFtPah.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OdopPpV.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LPMxVcK.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aBCIvEW.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVeUbsU.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CbVUJFF.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XRNAqVN.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vqKNuYN.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RGxdzaD.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VhzKRqY.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gKDfOeA.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nrrkXkh.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEmGwCo.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vOzKpGE.exe	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3532 wrote to memory of 2828	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	CbVUJFF.exe
PID 3532 wrote to memory of 2828	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	CbVUJFF.exe
PID 3532 wrote to memory of 1940	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	YhsPGCM.exe
PID 3532 wrote to memory of 1940	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	YhsPGCM.exe
PID 3532 wrote to memory of 2620	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	gKDfOeA.exe
PID 3532 wrote to memory of 2620	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	gKDfOeA.exe
PID 3532 wrote to memory of 4152	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	XRNAqVN.exe
PID 3532 wrote to memory of 4152	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	XRNAqVN.exe
PID 3532 wrote to memory of 2356	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	qPRKeXN.exe
PID 3532 wrote to memory of 2356	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	qPRKeXN.exe
PID 3532 wrote to memory of 3456	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	nQTJXNr.exe
PID 3532 wrote to memory of 3456	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	nQTJXNr.exe
PID 3532 wrote to memory of 4508	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	wUlDfIG.exe
PID 3532 wrote to memory of 4508	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	wUlDfIG.exe
PID 3532 wrote to memory of 520	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	nrrkXkh.exe
PID 3532 wrote to memory of 520	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	nrrkXkh.exe
PID 3532 wrote to memory of 4428	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	yRsIAWg.exe
PID 3532 wrote to memory of 4428	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	yRsIAWg.exe
PID 3532 wrote to memory of 3320	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LcNPKpA.exe
PID 3532 wrote to memory of 3320	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LcNPKpA.exe
PID 3532 wrote to memory of 3232	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	flwBQHG.exe
PID 3532 wrote to memory of 3232	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	flwBQHG.exe
PID 3532 wrote to memory of 5032	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	ytFtPah.exe
PID 3532 wrote to memory of 5032	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	ytFtPah.exe
PID 3532 wrote to memory of 5108	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VEmGwCo.exe
PID 3532 wrote to memory of 5108	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VEmGwCo.exe
PID 3532 wrote to memory of 4272	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	OdopPpV.exe
PID 3532 wrote to memory of 4272	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	OdopPpV.exe
PID 3532 wrote to memory of 384	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LPMxVcK.exe
PID 3532 wrote to memory of 384	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	LPMxVcK.exe
PID 3532 wrote to memory of 1412	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	aBCIvEW.exe
PID 3532 wrote to memory of 1412	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	aBCIvEW.exe
PID 3532 wrote to memory of 1500	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	vqKNuYN.exe
PID 3532 wrote to memory of 1500	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	vqKNuYN.exe
PID 3532 wrote to memory of 3244	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	iVeUbsU.exe
PID 3532 wrote to memory of 3244	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	iVeUbsU.exe
PID 3532 wrote to memory of 4600	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	RGxdzaD.exe
PID 3532 wrote to memory of 4600	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	RGxdzaD.exe
PID 3532 wrote to memory of 3424	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	vOzKpGE.exe
PID 3532 wrote to memory of 3424	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	vOzKpGE.exe
PID 3532 wrote to memory of 2240	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VhzKRqY.exe
PID 3532 wrote to memory of 2240	3532	2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe	VhzKRqY.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_4e0e0b027c36f5e0ca87d7bd177ca4bb_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\System\CbVUJFF.exe
C:\Windows\System\CbVUJFF.exe
2⤵
- Executes dropped EXE
PID:2828

C:\Windows\System\YhsPGCM.exe
C:\Windows\System\YhsPGCM.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\System\gKDfOeA.exe
C:\Windows\System\gKDfOeA.exe
2⤵
- Executes dropped EXE
PID:2620

C:\Windows\System\XRNAqVN.exe
C:\Windows\System\XRNAqVN.exe
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\System\qPRKeXN.exe
C:\Windows\System\qPRKeXN.exe
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\System\nQTJXNr.exe
C:\Windows\System\nQTJXNr.exe
2⤵
- Executes dropped EXE
PID:3456

C:\Windows\System\wUlDfIG.exe
C:\Windows\System\wUlDfIG.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\nrrkXkh.exe
C:\Windows\System\nrrkXkh.exe
2⤵
- Executes dropped EXE
PID:520

C:\Windows\System\yRsIAWg.exe
C:\Windows\System\yRsIAWg.exe
2⤵
- Executes dropped EXE
PID:4428

C:\Windows\System\LcNPKpA.exe
C:\Windows\System\LcNPKpA.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Windows\System\flwBQHG.exe
C:\Windows\System\flwBQHG.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\System\ytFtPah.exe
C:\Windows\System\ytFtPah.exe
2⤵
- Executes dropped EXE
PID:5032

C:\Windows\System\VEmGwCo.exe
C:\Windows\System\VEmGwCo.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Windows\System\OdopPpV.exe
C:\Windows\System\OdopPpV.exe
2⤵
- Executes dropped EXE
PID:4272

C:\Windows\System\LPMxVcK.exe
C:\Windows\System\LPMxVcK.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System\aBCIvEW.exe
C:\Windows\System\aBCIvEW.exe
2⤵
- Executes dropped EXE
PID:1412

C:\Windows\System\vqKNuYN.exe
C:\Windows\System\vqKNuYN.exe
2⤵
- Executes dropped EXE
PID:1500

C:\Windows\System\iVeUbsU.exe
C:\Windows\System\iVeUbsU.exe
2⤵
- Executes dropped EXE
PID:3244

C:\Windows\System\RGxdzaD.exe
C:\Windows\System\RGxdzaD.exe
2⤵
- Executes dropped EXE
PID:4600

C:\Windows\System\vOzKpGE.exe
C:\Windows\System\vOzKpGE.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\System\VhzKRqY.exe
C:\Windows\System\VhzKRqY.exe
2⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
1⤵
PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CbVUJFF.exe
Filesize
5.9MB

MD5
fbb89110113d3948e22040fccba4d151

SHA1
b56c57e7bd45dd9abb0e977de3e8d383fa2f36aa

SHA256
67d9c168d7dbbc5519305b88bb29193cb018401fb7ce18796fe1f34f372be2b5

SHA512
36a823ca68aa886be9992b3b6337e293d6534e0e31907ae5adad464a571f124319ab01672b68e6e041f780b1a961c666af6796e7379c8c5744f937c9b85a6348

Download Submit
C:\Windows\System\LPMxVcK.exe
Filesize
5.9MB

MD5
9ea28d843536186f2386e5f4f98ffcef

SHA1
308560df89997fba30a70adeb092e3fc52b2ef5d

SHA256
cd82665c197ec0b6ea63b4404f75bcac4982c831af511e313967a900a17f98cd

SHA512
2be601ad0b184977cae244205a2707e118e32c1c39dba6162c58cc082fc46fff389d5c91de4b15ead414b8b5f0e7029115ccdbd0482e6a40f5766957e99deada

Download Submit
C:\Windows\System\LcNPKpA.exe
Filesize
5.9MB

MD5
c4407826f5a77ad3a29d7c70db2b6158

SHA1
b1514c5237df7f0c3a923d394961ade337585190

SHA256
4f485a2dac3b027658a045ca9ca776451119649753ecc6f08cd02bccd3e02e4e

SHA512
2b225fc90a5a12ec5e64c9e3addae28a1f40cac72e35675231b3a670e7485ca391867369de7fa27bcaa656b82214ea777603390b96aab78783397e2515ad925e

Download Submit
C:\Windows\System\OdopPpV.exe
Filesize
5.9MB

MD5
a5c0d7149d51d53ddca0539fdba89e7b

SHA1
f06fb8fe8ad710e0b396a74bc8ae511c88c1c58f

SHA256
0db3cd1e032f6551f9a0df67ca1146f0c6963faa659292c57c94db273b6d3bfd

SHA512
48168508b9631856b8442ca6143cbe2ce55809f5b9517c23b929a7bf32d47131b38299e8ce1d5ef476df268cd620cdca3beb56d77fde6e5c0b2a49a7da178cee

Download Submit
C:\Windows\System\RGxdzaD.exe
Filesize
5.9MB

MD5
9f7a613b017cde67913864f97f7a58d1

SHA1
fc4f68d67ead4dfc2230e3ecb722ca1cb2c50796

SHA256
2061606e47900234770be7ec507557fb476048bef0df1734d8bf6726adcb7c8b

SHA512
e646dbe929ef2083ee4d22c926d6cea6a1362a072ea2acb9d676e2b5090398f908abeda7a8b737c221c4835ccdaa57ccc7c5d9a8e454da8a4b7c24a71eb6e3e9

Download Submit
C:\Windows\System\VEmGwCo.exe
Filesize
5.9MB

MD5
5bda4db9c904d9517ec3bbab5eabed65

SHA1
466b2f4e035d1a92bab2d4f6d842a2180d88effc

SHA256
b66fc34571f43266130192f03bebf1648addde82aafeb970aa06ec164f72e7ee

SHA512
c72a5c237fc8072aae751e51baede40efc566e9604d7aa8307fed6e35ffde6de5164ace41aab227e1a07550cdfc3dadb7491adaa29a83c62d38a7d8359add045

Download Submit
C:\Windows\System\VhzKRqY.exe
Filesize
5.9MB

MD5
458802432ddb0c5cfd243cb3f8e12aa1

SHA1
3b1b54a95bd6066132fae75fd5ea1e37af307fd2

SHA256
3bbf794b431e56ff778439c0c04f8093e1404c7a2bade3bc61a5eff85dac3e59

SHA512
8582eb6c24a8b34bf68627ec610b348594fa9b5867f988047b035cc167d10f09bd516fbe5b5d46983dfbb169938940822cf98116e7a1141b8992e62dc19565bb

Download Submit
C:\Windows\System\XRNAqVN.exe
Filesize
5.9MB

MD5
1ba1f65468efbd722ce49fce5016976a

SHA1
2aef6d700995b1ea43c695a5be1910c3ba19314b

SHA256
5b56a4888960ca42bf3f6ba098949bed68a89df7c535cf71699a1532df6bba6e

SHA512
627044642724711a7685b20919ea970b69c4eadbf5f6d1f226c6ee6be37ffc554ed43525c02f066b514de2c55aee2cf5c30e5b9e45e6f23c64a8b094a8c6fe3f

Download Submit
C:\Windows\System\YhsPGCM.exe
Filesize
5.9MB

MD5
2da91d9aa18fa52d85525dc1f83033ae

SHA1
9bf518d7e83a54a4fb52a632d4d28fb6c9a79e79

SHA256
f938b5dcaa9fa349734bfc79b8a4600c5217d60789417aa5256ea971a0496375

SHA512
d2b2d3601f358237cd40b3dffb471ef18d6886e27a13ab43d19fab1c0bc097632d6bb2b8f87a7f2809f413250c2cc61a85391e3d208827c3e060b211b7be8f06

Download Submit
C:\Windows\System\aBCIvEW.exe
Filesize
5.9MB

MD5
6126d9399a249c9294b1933da19d537b

SHA1
b88c7e67c0f8e6cc874f6705450fa379481121d0

SHA256
fe70cc8b636857ba3f300d42836f3679000e7153a3e653999b9004330d3540e5

SHA512
a8dc171ff47d0bcfa3585fdd82d5df22e2370f16e176170fd76b3321a155e6122a02d88eafb8cf7fc144505b64ae285b9c6de79021891956520914da7c82ceda

Download Submit
C:\Windows\System\flwBQHG.exe
Filesize
5.9MB

MD5
7eca1c3dac4d6e6909a442bdd89ec0f7

SHA1
0878c0fc1bd2a17378824ea7cea1ab45b7c28b64

SHA256
c25863793c5ef19e552bcf3c806d6fcb0ba4afe78a1099ffa3600b8cb4f03670

SHA512
b31ecd0802c7c04b5a34c17f238eaad633270bc44c8b07f88c3bcc72bad44072a54e9dee7f28fc6d21ec4a92520cd86db5e7e0c576bca9bffb857705e4e758e3

Download Submit
C:\Windows\System\gKDfOeA.exe
Filesize
5.9MB

MD5
01509851b723a3b9f428ff0601cb2611

SHA1
c7fb69366d3db5673fea9e05c0010a25808b708a

SHA256
3cde1c348ea54cad604fa5eb619d4fb5ad6d1caa8e627b33f12ae7fd5610861a

SHA512
32c6ecd04efdbaa71ecc23a9086bd9f46d68fca628392a4cfee714b8b5d1bf32ec9bbf02526c36b8ea24b40883506c0092cace8569b3ab4cea0da0340e4e9f85

Download Submit
C:\Windows\System\iVeUbsU.exe
Filesize
5.9MB

MD5
45be6ac93bc2de6bd51a7daa43caf4ee

SHA1
9487699896b9e67d5fc7c491ea83528af41c0cc7

SHA256
ac5fe50247359e163ca290c51f6dbd25d534554dd0a30ed8d5ad83fe2fffc0c9

SHA512
515d22edf3ac7e0f8914fefcd1b69432032c7601a4862ded07a6875a7086052418560c46fa54e48def30e3a47a1d645d38447a1d615face13b471b712f1e3251

Download Submit
C:\Windows\System\nQTJXNr.exe
Filesize
5.9MB

MD5
2897f39ce4744a32dfb4d0e681720463

SHA1
1a71cc60876fea859c59c7570bc01f0a7ed5dbd6

SHA256
fbc0082a6117e962caac95352e0653d21c3e8f00e333247495edb2a64e553de3

SHA512
8da5107c7419069ab566656c1451e74927cbf457b1a976d850cad08ab34c65f100b92a9fc292a0e68f17487310138c5455ff09ee886bb378ad3d3d2425774f43

Download Submit
C:\Windows\System\nrrkXkh.exe
Filesize
5.9MB

MD5
e051c1ebb387c9d186f143647064225f

SHA1
bad912b8ccb3f01531df8b08c6654f47c9593eaa

SHA256
3da403ce26e92b5387af34199d8b4656eed78f1b61951a26ba95afec7e46b5c5

SHA512
13563494572715fac85db22472998727200d1070cfb9f372425e07108309c8d496fac4e741a62e13fc5a99829d726ed6413b128ea1570e8a01d42240fd382c29

Download Submit
C:\Windows\System\qPRKeXN.exe
Filesize
5.9MB

MD5
6db8d1822f4ea1b4e9101d752a2377d6

SHA1
0f948d035c6a324b3044aa055712b81df6725388

SHA256
9376a63fd371020e72880268b0957445abfc76e8c52efcb007f113498bbbc391

SHA512
677054098e1a3064f9d1dc4efacf3c67f03f6c89c783dacf6062204e23967582bc783dbd4135a2eb152fa291bf70ccea5bf4d112589befba72d439ae93ec9fed

Download Submit
C:\Windows\System\vOzKpGE.exe
Filesize
5.9MB

MD5
8c84479efe22dab6b2b9f1e31bc28f8e

SHA1
4b56bcfc8ad606b10b1cbbb82289d22159d2dac5

SHA256
5f2e2a6427913f754b684dfb90b933cae8c3d884cf58f4e8734e9fb9b0b61501

SHA512
3d178025f534366c7ecc5fb04c591db927adf792b79c398a35d47b172231468e17ff666a93546b090011e598bd42d72baaf92524f01836d70d9eb2765eb3ac41

Download Submit
C:\Windows\System\vqKNuYN.exe
Filesize
5.9MB

MD5
21660b3d07c33a77550a7e015f89d52e

SHA1
6c6d243e11cabc6b0514fdf7d8ede2665d93791d

SHA256
a113a329771b065de4509f77cf82ee135a04d88801b8ccbaf6ffdd5b71588331

SHA512
402035f6ce9508cd2b17b0ed00d10d869db7e63087dd442168a65e26c52c3c3d813e13b6b2fb90af93c9dfddf1f40dc0f78c7ab2e6d99d74b1b58f8ceaa7d8ad

Download Submit
C:\Windows\System\wUlDfIG.exe
Filesize
5.9MB

MD5
d936a10029209be27a239bd1e6d43459

SHA1
67cf43ad3f0022a26479da33691e26838480b964

SHA256
ef646e755ab2be6583356baf3303e7f698df211bb8aa7f8d5a3ab4611fd6560d

SHA512
78aab960537450f67016cc6326d233429739415002b016fd8b44def099da6a5e692f7f7d8c6ae18e4b3d7f1c505ba01023ddc3c5b561e18aff4862ec8591942e

Download Submit
C:\Windows\System\yRsIAWg.exe
Filesize
5.9MB

MD5
e34370fdbfa4e924f29640cfb793aa8f

SHA1
2499af9bfe2c34e37bb4e8dd211de4e13edc2894

SHA256
5542ff2c9fa0292151fa0c6b3381bd8df6d2640502102eaf44d19143d8ae6d2f

SHA512
a54a3f32d80ab91623eed130ebb036510132aca48b24ebd2fc8ce4a5795694fde5478f3f117d33169b03217cf256325bdc88064556cc9cc8bdda652f9c313539

Download Submit
C:\Windows\System\ytFtPah.exe
Filesize
5.9MB

MD5
9c8383ad30c763a685382f0db5ea324c

SHA1
ba5517d2003a387d888175ed6f6256e37ca6d5a4

SHA256
c966a589e9f449c6b8ce6a2337c973ae4b22efeffddd065f7031edb9dcb1363b

SHA512
cfeb3445e4ef687eb214dddb0a7c5967e85b94fefc204d2fa7c1b8952aca5533a50a7cb2de28cac928f7686b421c579400728b2b25e889e7952df536ea8c9b0f

Download Submit
memory/384-138-0x00007FF661E20000-0x00007FF662174000-memory.dmp

Filesize
3.3MB

Download
memory/384-99-0x00007FF661E20000-0x00007FF662174000-memory.dmp

Filesize
3.3MB

Download
memory/384-156-0x00007FF661E20000-0x00007FF662174000-memory.dmp

Filesize
3.3MB

Download
memory/520-149-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp

Filesize
3.3MB

Download
memory/520-50-0x00007FF7EC5C0000-0x00007FF7EC914000-memory.dmp

Filesize
3.3MB

Download
memory/1412-157-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

Filesize
3.3MB

Download
memory/1412-107-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

Filesize
3.3MB

Download
memory/1412-139-0x00007FF7BD7B0000-0x00007FF7BDB04000-memory.dmp

Filesize
3.3MB

Download
memory/1500-140-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

Filesize
3.3MB

Download
memory/1500-109-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

Filesize
3.3MB

Download
memory/1500-158-0x00007FF69DAB0000-0x00007FF69DE04000-memory.dmp

Filesize
3.3MB

Download
memory/1940-86-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

Filesize
3.3MB

Download
memory/1940-22-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

Filesize
3.3MB

Download
memory/1940-143-0x00007FF70ABE0000-0x00007FF70AF34000-memory.dmp

Filesize
3.3MB

Download
memory/2240-135-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2240-162-0x00007FF6AD390000-0x00007FF6AD6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-34-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-94-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2356-147-0x00007FF72B6A0000-0x00007FF72B9F4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-103-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

Filesize
3.3MB

Download
memory/2620-28-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

Filesize
3.3MB

Download
memory/2620-145-0x00007FF78F400000-0x00007FF78F754000-memory.dmp

Filesize
3.3MB

Download
memory/2828-142-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

Filesize
3.3MB

Download
memory/2828-81-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

Filesize
3.3MB

Download
memory/2828-11-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp

Filesize
3.3MB

Download
memory/3232-151-0x00007FF625760000-0x00007FF625AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3232-69-0x00007FF625760000-0x00007FF625AB4000-memory.dmp

Filesize
3.3MB

Download
memory/3244-159-0x00007FF775210000-0x00007FF775564000-memory.dmp

Filesize
3.3MB

Download
memory/3244-117-0x00007FF775210000-0x00007FF775564000-memory.dmp

Filesize
3.3MB

Download
memory/3320-62-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

Filesize
3.3MB

Download
memory/3320-134-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

Filesize
3.3MB

Download
memory/3320-152-0x00007FF7F4090000-0x00007FF7F43E4000-memory.dmp

Filesize
3.3MB

Download
memory/3424-161-0x00007FF791830000-0x00007FF791B84000-memory.dmp

Filesize
3.3MB

Download
memory/3424-141-0x00007FF791830000-0x00007FF791B84000-memory.dmp

Filesize
3.3MB

Download
memory/3424-128-0x00007FF791830000-0x00007FF791B84000-memory.dmp

Filesize
3.3MB

Download
memory/3456-35-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3456-108-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3456-146-0x00007FF683980000-0x00007FF683CD4000-memory.dmp

Filesize
3.3MB

Download
memory/3532-0-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp

Filesize
3.3MB

Download
memory/3532-80-0x00007FF6A9C40000-0x00007FF6A9F94000-memory.dmp

Filesize
3.3MB

Download
memory/3532-1-0x000001EBE9CF0000-0x000001EBE9D00000-memory.dmp

Filesize
64KB

Download
memory/4152-144-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

Filesize
3.3MB

Download
memory/4152-27-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

Filesize
3.3MB

Download
memory/4152-89-0x00007FF7D3010000-0x00007FF7D3364000-memory.dmp

Filesize
3.3MB

Download
memory/4272-93-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-155-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4272-137-0x00007FF737B90000-0x00007FF737EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-56-0x00007FF744EE0000-0x00007FF745234000-memory.dmp

Filesize
3.3MB

Download
memory/4428-150-0x00007FF744EE0000-0x00007FF745234000-memory.dmp

Filesize
3.3MB

Download
memory/4508-44-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp

Filesize
3.3MB

Download
memory/4508-148-0x00007FF7DAFF0000-0x00007FF7DB344000-memory.dmp

Filesize
3.3MB

Download
memory/4600-160-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp

Filesize
3.3MB

Download
memory/4600-124-0x00007FF747E50000-0x00007FF7481A4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-153-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-72-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

Filesize
3.3MB

Download
memory/5032-136-0x00007FF7B70A0000-0x00007FF7B73F4000-memory.dmp

Filesize
3.3MB

Download
memory/5108-154-0x00007FF691DB0000-0x00007FF692104000-memory.dmp

Filesize
3.3MB

Download
memory/5108-85-0x00007FF691DB0000-0x00007FF692104000-memory.dmp

Filesize
3.3MB

Download