cobaltstrike | eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

721d677ed33ab6f0fb5c8694611d8d25
SHA1

48fb283b383131cf4075ff47e30d3efce4ff7738
SHA256

eb9b61923469bcee5a18282bb4296973d5ace255a66b32ac5950e792b75b10ba
SHA512

2a1e5759f84571388920fdd8f9029c4e259bea1535a75751f91c4e350c6463bfd54e344d75b9dcf943f7641e5da9f59ab0c352c686bdd662c6307534f6acaea1
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUI:Q+856utgpPF8u/7I

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\wmMHdoN.exe	cobalt_reflective_dll
C:\Windows\System\zeaddxZ.exe	cobalt_reflective_dll
C:\Windows\System\WtgAZVn.exe	cobalt_reflective_dll
C:\Windows\System\rEPLjft.exe	cobalt_reflective_dll
C:\Windows\System\DzVvqZH.exe	cobalt_reflective_dll
C:\Windows\System\UfHLPhk.exe	cobalt_reflective_dll
C:\Windows\System\QhzFxWl.exe	cobalt_reflective_dll
C:\Windows\System\ICwSUkV.exe	cobalt_reflective_dll
C:\Windows\System\cFNbSDr.exe	cobalt_reflective_dll
C:\Windows\System\JiwwkWe.exe	cobalt_reflective_dll
C:\Windows\System\RoXsecU.exe	cobalt_reflective_dll
C:\Windows\System\DmEUiSw.exe	cobalt_reflective_dll
C:\Windows\System\ucINEzi.exe	cobalt_reflective_dll
C:\Windows\System\xSGMyEj.exe	cobalt_reflective_dll
C:\Windows\System\KHWvbTH.exe	cobalt_reflective_dll
C:\Windows\System\AOoqhIS.exe	cobalt_reflective_dll
C:\Windows\System\PgYJVpv.exe	cobalt_reflective_dll
C:\Windows\System\GdfWVgS.exe	cobalt_reflective_dll
C:\Windows\System\ljymuIh.exe	cobalt_reflective_dll
C:\Windows\System\XTcKlZB.exe	cobalt_reflective_dll
C:\Windows\System\ipHpcgc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\wmMHdoN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zeaddxZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\WtgAZVn.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rEPLjft.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DzVvqZH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UfHLPhk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QhzFxWl.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ICwSUkV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\cFNbSDr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\JiwwkWe.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\RoXsecU.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DmEUiSw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ucINEzi.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xSGMyEj.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KHWvbTH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AOoqhIS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\PgYJVpv.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\GdfWVgS.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ljymuIh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XTcKlZB.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ipHpcgc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5096-0-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	UPX
C:\Windows\System\wmMHdoN.exe	UPX
C:\Windows\System\zeaddxZ.exe	UPX
behavioral2/memory/1864-6-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	UPX
C:\Windows\System\WtgAZVn.exe	UPX
behavioral2/memory/5016-15-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	UPX
C:\Windows\System\rEPLjft.exe	UPX
C:\Windows\System\DzVvqZH.exe	UPX
C:\Windows\System\UfHLPhk.exe	UPX
C:\Windows\System\QhzFxWl.exe	UPX
C:\Windows\System\ICwSUkV.exe	UPX
behavioral2/memory/4528-48-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	UPX
C:\Windows\System\cFNbSDr.exe	UPX
C:\Windows\System\JiwwkWe.exe	UPX
C:\Windows\System\RoXsecU.exe	UPX
C:\Windows\System\DmEUiSw.exe	UPX
behavioral2/memory/1692-79-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	UPX
C:\Windows\System\ucINEzi.exe	UPX
behavioral2/memory/4508-85-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	UPX
behavioral2/memory/2516-84-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	UPX
behavioral2/memory/4156-81-0x00007FF771940000-0x00007FF771C94000-memory.dmp	UPX
behavioral2/memory/3244-80-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	UPX
behavioral2/memory/5096-78-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	UPX
C:\Windows\System\xSGMyEj.exe	UPX
behavioral2/memory/4044-52-0x00007FF685D10000-0x00007FF686064000-memory.dmp	UPX
behavioral2/memory/4812-47-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	UPX
behavioral2/memory/2868-38-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	UPX
behavioral2/memory/2484-35-0x00007FF695230000-0x00007FF695584000-memory.dmp	UPX
behavioral2/memory/2540-28-0x00007FF619900000-0x00007FF619C54000-memory.dmp	UPX
behavioral2/memory/2348-20-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	UPX
C:\Windows\System\KHWvbTH.exe	UPX
behavioral2/memory/1864-93-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	UPX
C:\Windows\System\AOoqhIS.exe	UPX
C:\Windows\System\PgYJVpv.exe	UPX
C:\Windows\System\GdfWVgS.exe	UPX
C:\Windows\System\ljymuIh.exe	UPX
C:\Windows\System\XTcKlZB.exe	UPX
behavioral2/memory/1704-113-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	UPX
behavioral2/memory/2484-112-0x00007FF695230000-0x00007FF695584000-memory.dmp	UPX
behavioral2/memory/4792-106-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	UPX
behavioral2/memory/3036-103-0x00007FF718270000-0x00007FF7185C4000-memory.dmp	UPX
behavioral2/memory/1136-99-0x00007FF6E5AE0000-0x00007FF6E5E34000-memory.dmp	UPX
behavioral2/memory/3044-125-0x00007FF7A2340000-0x00007FF7A2694000-memory.dmp	UPX
behavioral2/memory/3712-124-0x00007FF7FBCA0000-0x00007FF7FBFF4000-memory.dmp	UPX
C:\Windows\System\ipHpcgc.exe	UPX
behavioral2/memory/2868-130-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	UPX
behavioral2/memory/2824-131-0x00007FF7E2A60000-0x00007FF7E2DB4000-memory.dmp	UPX
behavioral2/memory/4528-132-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	UPX
behavioral2/memory/4044-133-0x00007FF685D10000-0x00007FF686064000-memory.dmp	UPX
behavioral2/memory/2516-134-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	UPX
behavioral2/memory/4508-135-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	UPX
behavioral2/memory/4792-136-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	UPX
behavioral2/memory/1704-137-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	UPX
behavioral2/memory/1864-138-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	UPX
behavioral2/memory/5016-139-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	UPX
behavioral2/memory/2348-140-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	UPX
behavioral2/memory/2540-141-0x00007FF619900000-0x00007FF619C54000-memory.dmp	UPX
behavioral2/memory/2484-142-0x00007FF695230000-0x00007FF695584000-memory.dmp	UPX
behavioral2/memory/2868-143-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	UPX
behavioral2/memory/4812-144-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	UPX
behavioral2/memory/4044-145-0x00007FF685D10000-0x00007FF686064000-memory.dmp	UPX
behavioral2/memory/4528-146-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	UPX
behavioral2/memory/1692-147-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	UPX
behavioral2/memory/3244-148-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5096-0-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	xmrig
C:\Windows\System\wmMHdoN.exe	xmrig
C:\Windows\System\zeaddxZ.exe	xmrig
behavioral2/memory/1864-6-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	xmrig
C:\Windows\System\WtgAZVn.exe	xmrig
behavioral2/memory/5016-15-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	xmrig
C:\Windows\System\rEPLjft.exe	xmrig
C:\Windows\System\DzVvqZH.exe	xmrig
C:\Windows\System\UfHLPhk.exe	xmrig
C:\Windows\System\QhzFxWl.exe	xmrig
C:\Windows\System\ICwSUkV.exe	xmrig
behavioral2/memory/4528-48-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	xmrig
C:\Windows\System\cFNbSDr.exe	xmrig
C:\Windows\System\JiwwkWe.exe	xmrig
C:\Windows\System\RoXsecU.exe	xmrig
C:\Windows\System\DmEUiSw.exe	xmrig
behavioral2/memory/1692-79-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	xmrig
C:\Windows\System\ucINEzi.exe	xmrig
behavioral2/memory/4508-85-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	xmrig
behavioral2/memory/2516-84-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	xmrig
behavioral2/memory/4156-81-0x00007FF771940000-0x00007FF771C94000-memory.dmp	xmrig
behavioral2/memory/3244-80-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	xmrig
behavioral2/memory/5096-78-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	xmrig
C:\Windows\System\xSGMyEj.exe	xmrig
behavioral2/memory/4044-52-0x00007FF685D10000-0x00007FF686064000-memory.dmp	xmrig
behavioral2/memory/4812-47-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	xmrig
behavioral2/memory/2868-38-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	xmrig
behavioral2/memory/2484-35-0x00007FF695230000-0x00007FF695584000-memory.dmp	xmrig
behavioral2/memory/2540-28-0x00007FF619900000-0x00007FF619C54000-memory.dmp	xmrig
behavioral2/memory/2348-20-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	xmrig
C:\Windows\System\KHWvbTH.exe	xmrig
behavioral2/memory/1864-93-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	xmrig
C:\Windows\System\AOoqhIS.exe	xmrig
C:\Windows\System\PgYJVpv.exe	xmrig
C:\Windows\System\GdfWVgS.exe	xmrig
C:\Windows\System\ljymuIh.exe	xmrig
C:\Windows\System\XTcKlZB.exe	xmrig
behavioral2/memory/1704-113-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	xmrig
behavioral2/memory/2484-112-0x00007FF695230000-0x00007FF695584000-memory.dmp	xmrig
behavioral2/memory/4792-106-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	xmrig
behavioral2/memory/3036-103-0x00007FF718270000-0x00007FF7185C4000-memory.dmp	xmrig
behavioral2/memory/1136-99-0x00007FF6E5AE0000-0x00007FF6E5E34000-memory.dmp	xmrig
behavioral2/memory/3044-125-0x00007FF7A2340000-0x00007FF7A2694000-memory.dmp	xmrig
behavioral2/memory/3712-124-0x00007FF7FBCA0000-0x00007FF7FBFF4000-memory.dmp	xmrig
C:\Windows\System\ipHpcgc.exe	xmrig
behavioral2/memory/2868-130-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	xmrig
behavioral2/memory/2824-131-0x00007FF7E2A60000-0x00007FF7E2DB4000-memory.dmp	xmrig
behavioral2/memory/4528-132-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	xmrig
behavioral2/memory/4044-133-0x00007FF685D10000-0x00007FF686064000-memory.dmp	xmrig
behavioral2/memory/2516-134-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	xmrig
behavioral2/memory/4508-135-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	xmrig
behavioral2/memory/4792-136-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	xmrig
behavioral2/memory/1704-137-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	xmrig
behavioral2/memory/1864-138-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	xmrig
behavioral2/memory/5016-139-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	xmrig
behavioral2/memory/2348-140-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	xmrig
behavioral2/memory/2540-141-0x00007FF619900000-0x00007FF619C54000-memory.dmp	xmrig
behavioral2/memory/2484-142-0x00007FF695230000-0x00007FF695584000-memory.dmp	xmrig
behavioral2/memory/2868-143-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	xmrig
behavioral2/memory/4812-144-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	xmrig
behavioral2/memory/4044-145-0x00007FF685D10000-0x00007FF686064000-memory.dmp	xmrig
behavioral2/memory/4528-146-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	xmrig
behavioral2/memory/1692-147-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	xmrig
behavioral2/memory/3244-148-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

wmMHdoN.exeWtgAZVn.exezeaddxZ.exerEPLjft.exeUfHLPhk.exeDzVvqZH.exeICwSUkV.exeQhzFxWl.execFNbSDr.exexSGMyEj.exeJiwwkWe.exeRoXsecU.exeucINEzi.exeDmEUiSw.exeKHWvbTH.exeAOoqhIS.exePgYJVpv.exeGdfWVgS.exeXTcKlZB.exeljymuIh.exeipHpcgc.exe

pid	process
1864	wmMHdoN.exe
5016	WtgAZVn.exe
2348	zeaddxZ.exe
2540	rEPLjft.exe
2484	UfHLPhk.exe
2868	DzVvqZH.exe
4812	ICwSUkV.exe
4528	QhzFxWl.exe
4044	cFNbSDr.exe
1692	xSGMyEj.exe
3244	JiwwkWe.exe
4156	RoXsecU.exe
2516	ucINEzi.exe
4508	DmEUiSw.exe
1136	KHWvbTH.exe
3036	AOoqhIS.exe
4792	PgYJVpv.exe
1704	GdfWVgS.exe
3712	XTcKlZB.exe
3044	ljymuIh.exe
2824	ipHpcgc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5096-0-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	upx
C:\Windows\System\wmMHdoN.exe	upx
C:\Windows\System\zeaddxZ.exe	upx
behavioral2/memory/1864-6-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	upx
C:\Windows\System\WtgAZVn.exe	upx
behavioral2/memory/5016-15-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	upx
C:\Windows\System\rEPLjft.exe	upx
C:\Windows\System\DzVvqZH.exe	upx
C:\Windows\System\UfHLPhk.exe	upx
C:\Windows\System\QhzFxWl.exe	upx
C:\Windows\System\ICwSUkV.exe	upx
behavioral2/memory/4528-48-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	upx
C:\Windows\System\cFNbSDr.exe	upx
C:\Windows\System\JiwwkWe.exe	upx
C:\Windows\System\RoXsecU.exe	upx
C:\Windows\System\DmEUiSw.exe	upx
behavioral2/memory/1692-79-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	upx
C:\Windows\System\ucINEzi.exe	upx
behavioral2/memory/4508-85-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	upx
behavioral2/memory/2516-84-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	upx
behavioral2/memory/4156-81-0x00007FF771940000-0x00007FF771C94000-memory.dmp	upx
behavioral2/memory/3244-80-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	upx
behavioral2/memory/5096-78-0x00007FF75A010000-0x00007FF75A364000-memory.dmp	upx
C:\Windows\System\xSGMyEj.exe	upx
behavioral2/memory/4044-52-0x00007FF685D10000-0x00007FF686064000-memory.dmp	upx
behavioral2/memory/4812-47-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	upx
behavioral2/memory/2868-38-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	upx
behavioral2/memory/2484-35-0x00007FF695230000-0x00007FF695584000-memory.dmp	upx
behavioral2/memory/2540-28-0x00007FF619900000-0x00007FF619C54000-memory.dmp	upx
behavioral2/memory/2348-20-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	upx
C:\Windows\System\KHWvbTH.exe	upx
behavioral2/memory/1864-93-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	upx
C:\Windows\System\AOoqhIS.exe	upx
C:\Windows\System\PgYJVpv.exe	upx
C:\Windows\System\GdfWVgS.exe	upx
C:\Windows\System\ljymuIh.exe	upx
C:\Windows\System\XTcKlZB.exe	upx
behavioral2/memory/1704-113-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	upx
behavioral2/memory/2484-112-0x00007FF695230000-0x00007FF695584000-memory.dmp	upx
behavioral2/memory/4792-106-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	upx
behavioral2/memory/3036-103-0x00007FF718270000-0x00007FF7185C4000-memory.dmp	upx
behavioral2/memory/1136-99-0x00007FF6E5AE0000-0x00007FF6E5E34000-memory.dmp	upx
behavioral2/memory/3044-125-0x00007FF7A2340000-0x00007FF7A2694000-memory.dmp	upx
behavioral2/memory/3712-124-0x00007FF7FBCA0000-0x00007FF7FBFF4000-memory.dmp	upx
C:\Windows\System\ipHpcgc.exe	upx
behavioral2/memory/2868-130-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	upx
behavioral2/memory/2824-131-0x00007FF7E2A60000-0x00007FF7E2DB4000-memory.dmp	upx
behavioral2/memory/4528-132-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	upx
behavioral2/memory/4044-133-0x00007FF685D10000-0x00007FF686064000-memory.dmp	upx
behavioral2/memory/2516-134-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp	upx
behavioral2/memory/4508-135-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp	upx
behavioral2/memory/4792-136-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp	upx
behavioral2/memory/1704-137-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp	upx
behavioral2/memory/1864-138-0x00007FF786370000-0x00007FF7866C4000-memory.dmp	upx
behavioral2/memory/5016-139-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp	upx
behavioral2/memory/2348-140-0x00007FF777EC0000-0x00007FF778214000-memory.dmp	upx
behavioral2/memory/2540-141-0x00007FF619900000-0x00007FF619C54000-memory.dmp	upx
behavioral2/memory/2484-142-0x00007FF695230000-0x00007FF695584000-memory.dmp	upx
behavioral2/memory/2868-143-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp	upx
behavioral2/memory/4812-144-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp	upx
behavioral2/memory/4044-145-0x00007FF685D10000-0x00007FF686064000-memory.dmp	upx
behavioral2/memory/4528-146-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp	upx
behavioral2/memory/1692-147-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp	upx
behavioral2/memory/3244-148-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\DmEUiSw.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KHWvbTH.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ljymuIh.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wmMHdoN.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zeaddxZ.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UfHLPhk.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiwwkWe.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PgYJVpv.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ICwSUkV.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QhzFxWl.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cFNbSDr.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RoXsecU.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DzVvqZH.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xSGMyEj.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ucINEzi.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ipHpcgc.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTcKlZB.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtgAZVn.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rEPLjft.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AOoqhIS.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GdfWVgS.exe	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 5096 wrote to memory of 1864	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	wmMHdoN.exe
PID 5096 wrote to memory of 1864	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	wmMHdoN.exe
PID 5096 wrote to memory of 5016	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	WtgAZVn.exe
PID 5096 wrote to memory of 5016	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	WtgAZVn.exe
PID 5096 wrote to memory of 2348	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	zeaddxZ.exe
PID 5096 wrote to memory of 2348	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	zeaddxZ.exe
PID 5096 wrote to memory of 2540	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	rEPLjft.exe
PID 5096 wrote to memory of 2540	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	rEPLjft.exe
PID 5096 wrote to memory of 2484	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	UfHLPhk.exe
PID 5096 wrote to memory of 2484	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	UfHLPhk.exe
PID 5096 wrote to memory of 2868	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	DzVvqZH.exe
PID 5096 wrote to memory of 2868	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	DzVvqZH.exe
PID 5096 wrote to memory of 4812	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ICwSUkV.exe
PID 5096 wrote to memory of 4812	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ICwSUkV.exe
PID 5096 wrote to memory of 4528	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	QhzFxWl.exe
PID 5096 wrote to memory of 4528	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	QhzFxWl.exe
PID 5096 wrote to memory of 4044	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	cFNbSDr.exe
PID 5096 wrote to memory of 4044	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	cFNbSDr.exe
PID 5096 wrote to memory of 1692	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	xSGMyEj.exe
PID 5096 wrote to memory of 1692	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	xSGMyEj.exe
PID 5096 wrote to memory of 3244	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	JiwwkWe.exe
PID 5096 wrote to memory of 3244	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	JiwwkWe.exe
PID 5096 wrote to memory of 4156	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RoXsecU.exe
PID 5096 wrote to memory of 4156	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	RoXsecU.exe
PID 5096 wrote to memory of 2516	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ucINEzi.exe
PID 5096 wrote to memory of 2516	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ucINEzi.exe
PID 5096 wrote to memory of 4508	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	DmEUiSw.exe
PID 5096 wrote to memory of 4508	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	DmEUiSw.exe
PID 5096 wrote to memory of 1136	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	KHWvbTH.exe
PID 5096 wrote to memory of 1136	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	KHWvbTH.exe
PID 5096 wrote to memory of 3036	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	AOoqhIS.exe
PID 5096 wrote to memory of 3036	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	AOoqhIS.exe
PID 5096 wrote to memory of 4792	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	PgYJVpv.exe
PID 5096 wrote to memory of 4792	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	PgYJVpv.exe
PID 5096 wrote to memory of 1704	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GdfWVgS.exe
PID 5096 wrote to memory of 1704	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	GdfWVgS.exe
PID 5096 wrote to memory of 3712	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	XTcKlZB.exe
PID 5096 wrote to memory of 3712	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	XTcKlZB.exe
PID 5096 wrote to memory of 3044	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ljymuIh.exe
PID 5096 wrote to memory of 3044	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ljymuIh.exe
PID 5096 wrote to memory of 2824	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ipHpcgc.exe
PID 5096 wrote to memory of 2824	5096	2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe	ipHpcgc.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_721d677ed33ab6f0fb5c8694611d8d25_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096

C:\Windows\System\wmMHdoN.exe
C:\Windows\System\wmMHdoN.exe
2⤵
- Executes dropped EXE
PID:1864

C:\Windows\System\WtgAZVn.exe
C:\Windows\System\WtgAZVn.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\zeaddxZ.exe
C:\Windows\System\zeaddxZ.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Windows\System\rEPLjft.exe
C:\Windows\System\rEPLjft.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\UfHLPhk.exe
C:\Windows\System\UfHLPhk.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Windows\System\DzVvqZH.exe
C:\Windows\System\DzVvqZH.exe
2⤵
- Executes dropped EXE
PID:2868

C:\Windows\System\ICwSUkV.exe
C:\Windows\System\ICwSUkV.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\System\QhzFxWl.exe
C:\Windows\System\QhzFxWl.exe
2⤵
- Executes dropped EXE
PID:4528

C:\Windows\System\cFNbSDr.exe
C:\Windows\System\cFNbSDr.exe
2⤵
- Executes dropped EXE
PID:4044

C:\Windows\System\xSGMyEj.exe
C:\Windows\System\xSGMyEj.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\JiwwkWe.exe
C:\Windows\System\JiwwkWe.exe
2⤵
- Executes dropped EXE
PID:3244

C:\Windows\System\RoXsecU.exe
C:\Windows\System\RoXsecU.exe
2⤵
- Executes dropped EXE
PID:4156

C:\Windows\System\ucINEzi.exe
C:\Windows\System\ucINEzi.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\DmEUiSw.exe
C:\Windows\System\DmEUiSw.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\KHWvbTH.exe
C:\Windows\System\KHWvbTH.exe
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\System\AOoqhIS.exe
C:\Windows\System\AOoqhIS.exe
2⤵
- Executes dropped EXE
PID:3036

C:\Windows\System\PgYJVpv.exe
C:\Windows\System\PgYJVpv.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\System\GdfWVgS.exe
C:\Windows\System\GdfWVgS.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Windows\System\XTcKlZB.exe
C:\Windows\System\XTcKlZB.exe
2⤵
- Executes dropped EXE
PID:3712

C:\Windows\System\ljymuIh.exe
C:\Windows\System\ljymuIh.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\ipHpcgc.exe
C:\Windows\System\ipHpcgc.exe
2⤵
- Executes dropped EXE
PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOoqhIS.exe
Filesize
5.9MB

MD5
bba52c4a2e95ddd3692cacc32c92fe89

SHA1
949b126cf2455c33cc4cbf01c04a50c80d0a8143

SHA256
f4f7ee0e529417f810804c7cd21c8ffe20fd6255253c767b1f40b1024cd7b4ea

SHA512
7d9610a0965746ffa1f652c7f21c63dd570f77d8d8c5af1a3c7ae8c956447db7522750c5eb22925c9cba6f6dc642d2112247f2f01340a930e0b31f155cb33105

Download Submit
C:\Windows\System\DmEUiSw.exe
Filesize
5.9MB

MD5
700497c7cd22f531b7c1628586cde270

SHA1
598c622bf829eda719f69cd1a4dcedcd070fcb94

SHA256
3560bc12a732091da2bc65fb80e27d75312ce3ad93d0cdc9e4a81adcb46bee7a

SHA512
0da551766a322669546cc7a2b4f72176ce433267939bc9814353fc8375fe1d0e0651cd10802e4589230279b91ec9d962cc07f1cbcc6f8095adc1e191b5f4abb4

Download Submit
C:\Windows\System\DzVvqZH.exe
Filesize
5.9MB

MD5
8f6f806c091e80ab4cf39e3c6745fa74

SHA1
4a9ad969fa9afa98dbf0a16b99eaeccfbf88e6be

SHA256
ddbc7b1714c3bcda0d9dbbfd1bd12bdee655699c9d3806db00bfc8cf3bf36aee

SHA512
56cdaf739814510b7587644435690b2f64e159b9144ea980bf052375328bf97c3cfe6827e33b102fd1b71180ebcaef31ce5ab18b0bb9d892bf443ea25dea9f10

Download Submit
C:\Windows\System\GdfWVgS.exe
Filesize
5.9MB

MD5
ec72e9f8d46439393d1f2e7c5f756792

SHA1
0eeab93a93f437ef1fc67f3ac7cfdd5fa0430459

SHA256
dd54c4c64438b1696de7be02641fd6d8fd438460a4de11d82c143ba784804837

SHA512
4f59172fa12a0c4d50d538a8c39ac216c5a45446810291e96e05354a375c2802a183d9eeb703aa25145d9927167af5e4cb5dd829cc678ebe6c0609f2fb0ea0b3

Download Submit
C:\Windows\System\ICwSUkV.exe
Filesize
5.9MB

MD5
630cf0097c375a64529ac2efe001e718

SHA1
635362db1313f9e7a589ec9141e11a51c9f205bd

SHA256
44adf266367d4ff095ca26616453c960e8956947c5c8132c1963565f3301a30c

SHA512
4879b2fe544cba9b616f2ad1213efc35b6d64dfa201c83753d6e5048bce7048184dea985038d683c32eff28d0f5fe3b41b82b5d0ffd435f1a82023330b19e642

Download Submit
C:\Windows\System\JiwwkWe.exe
Filesize
5.9MB

MD5
8b2f6fd6496f202f3a9cb4af77ff639e

SHA1
72adb60a66feaf82810c3ece349aaaaf54780290

SHA256
3621ef25d3d7f44fd5f5feeddc8b8247dd09ec8dbea8f0df4e21e96cdce2d2ed

SHA512
8850c6916ee7916f27c2f40cc606bb5539a88ea28a22409822a1097cd4c7dc6fa6327e3eac797652f90323eb1e7d2814f7225dfc447ade5016eaa77fe3914b0a

Download Submit
C:\Windows\System\KHWvbTH.exe
Filesize
5.9MB

MD5
2bddfd3b017a14ec5421fc523f8706a6

SHA1
366caf529b7a58c063c088839532efa290d80337

SHA256
572cb8e490951b1b0699c4c1e3d8065e06693a6358829f9bc74b3439343d60f0

SHA512
0f8225e1f18604ef747931fbd7ca3ade5a333f8955915a0eda38560b12b00a395d31efe9c79afbfb8a9d4bff5ebeda1600fb4aeea4953bbfe87fe2d610f0f1db

Download Submit
C:\Windows\System\PgYJVpv.exe
Filesize
5.9MB

MD5
b4dae17f1695910549f304260139bb49

SHA1
2a826b0ed4928170a68637157e18b399bd5bd39e

SHA256
fb7b63805725328cf8d431f57e40ebcb8abbb3bd3d399f34c968940f9bef1d16

SHA512
84877e6cfdde606d0511c80fc3ef4e2cf6a7d1e3f50a91db4471ef825bb8e2f61d15777b139332f2425ca3353655ddc541e38d5bee2c495f00acf8a3c25d2c4f

Download Submit
C:\Windows\System\QhzFxWl.exe
Filesize
5.9MB

MD5
cfc2848239fa1bedbbfe4354aafcc578

SHA1
ca3498f17c20628d40d80b4ce6b6673a39a24a43

SHA256
5b626289fc1fe357bc05473d1425b230cb82a5ba2b3fa2fe86bd070ccef7142a

SHA512
8d372db15b6ab61ee4ee238b6f955f23d69d908b1715a332941907fe1c2dc2b9338d26a8a33e91fc4aeeb7981c308e2d5657d31c3cf545a9c5a0ca36b698b50b

Download Submit
C:\Windows\System\RoXsecU.exe
Filesize
5.9MB

MD5
9e82101b3b96e0827969d93e634d6495

SHA1
f474da87662ac0e166a35fefbafee94d23cf7083

SHA256
cf9409f50496ecbaa00ae4a0b4334bd1d4668917d4d13e7471f9f48abbf79c3b

SHA512
87d591aa75d6bc4284b091d7ac7038583b75a5c8a9d830415ab1b6d275290015826deba533db188052c963b34914d5d7d2fbcbc6808806c7275f3ccdae8a59f1

Download Submit
C:\Windows\System\UfHLPhk.exe
Filesize
5.9MB

MD5
840049ddda257c115a0cb3a18cfdefc2

SHA1
4ae38221f9273851fa59a8e221e7b32946711e99

SHA256
25a0141a813f1789b4de1cf66552659922e2714dda7bd6e7ac8b6ad4dd00c28b

SHA512
624a535d2da11e4bcd6356d534a7a1944b57c0ceaf21a11362f4b87138b1c10ee258e93b81e0b8c38c768dff5025f98f15e57d0166148656b28b9ad777737d38

Download Submit
C:\Windows\System\WtgAZVn.exe
Filesize
5.9MB

MD5
24a25458fb0736849566d2ae6995b444

SHA1
b7700534b744d2846fcc278d6a5ac52672533739

SHA256
e95d1e28c525f951193534d2675ac0e7dd833b2c509b07621e3d5e5eac7f8674

SHA512
d10d366fb2d645006916978c4025a1519802f01d6d3a06f8a83e732fe329002c6f24f538923b457d299c0ff874611e23be9840ad6a0a289e618e91c3176c144d

Download Submit
C:\Windows\System\XTcKlZB.exe
Filesize
5.9MB

MD5
af34913a98855b33b34b9ed294e37561

SHA1
a1ef94b13074dbf68420870d8938110d9f4e50bb

SHA256
8397cbb2527f1f249371282fa19cc694f5317eaf02535dd60bfb17b30304d80b

SHA512
c5555bc987cb12cf2f9b198451ddc9a7b21d111c544a6dcef592d3ac15a493e458c7d5ec23a8f09f3e1b870ceb4543f079b688c9cb94c82808a50678d281c8ae

Download Submit
C:\Windows\System\cFNbSDr.exe
Filesize
5.9MB

MD5
bbb5452142202a68e396fbaaf3a34bc6

SHA1
625127fa911443aa31dfa444861f58878b73750a

SHA256
df3bb4bc31ee417e1b1c688f330932ac267f177482d323daad37785fbe437dfa

SHA512
128d965924c36668bbab7d5de39e91eab21334aef9b0d64df213516889b2aff6e7207b8f622b874806cada0c22c5bb57e809b53fde63214b7d7e7f0e073b130c

Download Submit
C:\Windows\System\ipHpcgc.exe
Filesize
5.9MB

MD5
43c4edf90636880a2000a773318503c6

SHA1
28b25db242b8133c72853afde9df14d30213cfc8

SHA256
1a171f7213c0e189a7d808d910b52c199b87503490fd5b01d7a93f48dfa1ae44

SHA512
7dec552ecf9a37d23c6880b0cfd9c622261bdb2d388d6d18ac891ed3215897108dfb4c6cda1f506c96793036a5a2a1e9fabd5c167ba842b7c1ba134f904c314d

Download Submit
C:\Windows\System\ljymuIh.exe
Filesize
5.9MB

MD5
3e82ebca1b09607f5283641ba6185868

SHA1
87937b089ff29149ff94818ee3ff19043937d2a5

SHA256
2c07483e64f78ae96769d025cbf3fdc41c327fe9de447c208fbb581bddd6042c

SHA512
26fe6019fea1d1622c02ace414f91b8712889fd0c315f22cf8ce668c11a44eb324b52fb40fe83c445749fc212dce8d27755551d2286bd1e86b754647a423c096

Download Submit
C:\Windows\System\rEPLjft.exe
Filesize
5.9MB

MD5
d6243a5a31c8a0461f9a30d71dace669

SHA1
c633310f914680bf1365a56c2a4d161d329ad949

SHA256
84bf0c04ca96bce7eb54f7d4be04989bddce70bd06f9bf460d575d1c1658ee2d

SHA512
d08f891f3056c33a38837a49a500de6754f2729397d4a288fa177c18d28e5d05b1ec28a77a9b60a33c0dcc12c6f0fc199af9ecdf063e9d67c208b35b3d3e75e4

Download Submit
C:\Windows\System\ucINEzi.exe
Filesize
5.9MB

MD5
a89c79ea05140756daa6611bff4f4f00

SHA1
4241d3b80d838ee0eb7a0370cf31ec850f4e3850

SHA256
15b617b3d23fa877f38f3c31a4620f0fc6c1e6c8b21900f784fff2a9195f43f1

SHA512
a5d43fc6ce11bd6d745188651c667cbc3aa360cb2c5db7cc327e3a6848c9e1f6ebdcc4cee07a6aa214a821c0c0d531d781b275085a5f6a1daa333eaa16a7f35f

Download Submit
C:\Windows\System\wmMHdoN.exe
Filesize
5.9MB

MD5
1c1aca97941f91233568451f1c5f447a

SHA1
07ee6a841f211c125d1c2024eb0fd1c166c05c71

SHA256
00e1bb7b41e8b77687f293fce3c362d22827a9643ef62960ea2436fec00597c6

SHA512
8708e40806b192f178c85f199cea5304a08c18a542ba1cee371edb04e76b86f59eb9bfa0936d16603641ac29d49f7f9415a1fb598d550d2767c61e446e471d08

Download Submit
C:\Windows\System\xSGMyEj.exe
Filesize
5.9MB

MD5
6e4a47a83aa5c66304d34ec8b402adcb

SHA1
8264f6b5b75731327a72a7464eb9e551201fb31b

SHA256
fa20338a762e312c3805b4b1e9d09bf3e047f7b6590f4124d1387c0261abf345

SHA512
8ce570d8a22fb28584efa7de1734c931e27de1a1f04bc4705b87d19612f22c3df42853a05d61ada7c9d9591d3f830d61bef524ef67bb4a70b00186b3ba317648

Download Submit
C:\Windows\System\zeaddxZ.exe
Filesize
5.9MB

MD5
e3368dd6ae1c1065fad9f322771328fa

SHA1
ae6a82f13bf826a168a4bc5eac964e0d45860364

SHA256
2c19f215ffcc8689e2df8444e49df99601be2a9be83bf51b89c0cb0729c37282

SHA512
59b125515e4b61ee46b6c994e69bc45d49c952065abc3418293fb6d11b80067f9ab44a0219af4d4acc8ab1c4249224390ee354548e1b39f4e51b616a71f63521

Download Submit
memory/1136-99-0x00007FF6E5AE0000-0x00007FF6E5E34000-memory.dmp

Filesize
3.3MB

Download
memory/1136-152-0x00007FF6E5AE0000-0x00007FF6E5E34000-memory.dmp

Filesize
3.3MB

Download
memory/1692-79-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp

Filesize
3.3MB

Download
memory/1692-147-0x00007FF69D1D0000-0x00007FF69D524000-memory.dmp

Filesize
3.3MB

Download
memory/1704-155-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-137-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-113-0x00007FF6AEA70000-0x00007FF6AEDC4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-6-0x00007FF786370000-0x00007FF7866C4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-138-0x00007FF786370000-0x00007FF7866C4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-93-0x00007FF786370000-0x00007FF7866C4000-memory.dmp

Filesize
3.3MB

Download
memory/2348-20-0x00007FF777EC0000-0x00007FF778214000-memory.dmp

Filesize
3.3MB

Download
memory/2348-140-0x00007FF777EC0000-0x00007FF778214000-memory.dmp

Filesize
3.3MB

Download
memory/2484-35-0x00007FF695230000-0x00007FF695584000-memory.dmp

Filesize
3.3MB

Download
memory/2484-142-0x00007FF695230000-0x00007FF695584000-memory.dmp

Filesize
3.3MB

Download
memory/2484-112-0x00007FF695230000-0x00007FF695584000-memory.dmp

Filesize
3.3MB

Download
memory/2516-84-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp

Filesize
3.3MB

Download
memory/2516-134-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp

Filesize
3.3MB

Download
memory/2516-149-0x00007FF7F2310000-0x00007FF7F2664000-memory.dmp

Filesize
3.3MB

Download
memory/2540-141-0x00007FF619900000-0x00007FF619C54000-memory.dmp

Filesize
3.3MB

Download
memory/2540-28-0x00007FF619900000-0x00007FF619C54000-memory.dmp

Filesize
3.3MB

Download
memory/2824-131-0x00007FF7E2A60000-0x00007FF7E2DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2824-158-0x00007FF7E2A60000-0x00007FF7E2DB4000-memory.dmp

Filesize
3.3MB

Download
memory/2868-130-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp

Filesize
3.3MB

Download
memory/2868-143-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp

Filesize
3.3MB

Download
memory/2868-38-0x00007FF6E5400000-0x00007FF6E5754000-memory.dmp

Filesize
3.3MB

Download
memory/3036-103-0x00007FF718270000-0x00007FF7185C4000-memory.dmp

Filesize
3.3MB

Download
memory/3036-153-0x00007FF718270000-0x00007FF7185C4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-125-0x00007FF7A2340000-0x00007FF7A2694000-memory.dmp

Filesize
3.3MB

Download
memory/3044-157-0x00007FF7A2340000-0x00007FF7A2694000-memory.dmp

Filesize
3.3MB

Download
memory/3244-148-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp

Filesize
3.3MB

Download
memory/3244-80-0x00007FF79C7B0000-0x00007FF79CB04000-memory.dmp

Filesize
3.3MB

Download
memory/3712-156-0x00007FF7FBCA0000-0x00007FF7FBFF4000-memory.dmp

Filesize
3.3MB

Download
memory/3712-124-0x00007FF7FBCA0000-0x00007FF7FBFF4000-memory.dmp

Filesize
3.3MB

Download
memory/4044-145-0x00007FF685D10000-0x00007FF686064000-memory.dmp

Filesize
3.3MB

Download
memory/4044-52-0x00007FF685D10000-0x00007FF686064000-memory.dmp

Filesize
3.3MB

Download
memory/4044-133-0x00007FF685D10000-0x00007FF686064000-memory.dmp

Filesize
3.3MB

Download
memory/4156-81-0x00007FF771940000-0x00007FF771C94000-memory.dmp

Filesize
3.3MB

Download
memory/4156-150-0x00007FF771940000-0x00007FF771C94000-memory.dmp

Filesize
3.3MB

Download
memory/4508-135-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-85-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-151-0x00007FF616B60000-0x00007FF616EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4528-48-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp

Filesize
3.3MB

Download
memory/4528-132-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp

Filesize
3.3MB

Download
memory/4528-146-0x00007FF6CA6B0000-0x00007FF6CAA04000-memory.dmp

Filesize
3.3MB

Download
memory/4792-154-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp

Filesize
3.3MB

Download
memory/4792-106-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp

Filesize
3.3MB

Download
memory/4792-136-0x00007FF6C1D70000-0x00007FF6C20C4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-144-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp

Filesize
3.3MB

Download
memory/4812-47-0x00007FF7EBC90000-0x00007FF7EBFE4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-15-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-139-0x00007FF6A7480000-0x00007FF6A77D4000-memory.dmp

Filesize
3.3MB

Download
memory/5096-1-0x000001ED243E0000-0x000001ED243F0000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x00007FF75A010000-0x00007FF75A364000-memory.dmp

Filesize
3.3MB

Download
memory/5096-78-0x00007FF75A010000-0x00007FF75A364000-memory.dmp

Filesize
3.3MB

Download