cobaltstrike | 6a7bd644a8817e5c2e39d33f553f9177160a8ed0ba4bdd162448710bf9d133b7

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

95ab835d52f876f1f03f3944fc353e74
SHA1

472f8ec9b2e1318760d217a73539a6e6be831a8a
SHA256

6a7bd644a8817e5c2e39d33f553f9177160a8ed0ba4bdd162448710bf9d133b7
SHA512

3c3679d25707558f9f3a8d521c1a0883760f270617f00527e7d19130c025ac2f17ee81537813cb34f9d3437995a032477b7d28e70e110fc6721e3875a8e1bdb6
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUF:Q+856utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vglFdjZ.exe	cobalt_reflective_dll
C:\Windows\System\IlurEjo.exe	cobalt_reflective_dll
C:\Windows\System\hlRWMNy.exe	cobalt_reflective_dll
C:\Windows\System\NSApSca.exe	cobalt_reflective_dll
C:\Windows\System\MUEuIAW.exe	cobalt_reflective_dll
C:\Windows\System\nqQtJtN.exe	cobalt_reflective_dll
C:\Windows\System\bMlFVEw.exe	cobalt_reflective_dll
C:\Windows\System\lLmKSYV.exe	cobalt_reflective_dll
C:\Windows\System\kpthtVA.exe	cobalt_reflective_dll
C:\Windows\System\DocSFKL.exe	cobalt_reflective_dll
C:\Windows\System\ZCFPysE.exe	cobalt_reflective_dll
C:\Windows\System\QSCXTRX.exe	cobalt_reflective_dll
C:\Windows\System\NGdXaGq.exe	cobalt_reflective_dll
C:\Windows\System\dIljkPr.exe	cobalt_reflective_dll
C:\Windows\System\yTmunOh.exe	cobalt_reflective_dll
C:\Windows\System\exQYvJm.exe	cobalt_reflective_dll
C:\Windows\System\aGLtBFM.exe	cobalt_reflective_dll
C:\Windows\System\vRgJfkE.exe	cobalt_reflective_dll
C:\Windows\System\xbqHnph.exe	cobalt_reflective_dll
C:\Windows\System\DFcvBMg.exe	cobalt_reflective_dll
C:\Windows\System\ERCjhRg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\vglFdjZ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\IlurEjo.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hlRWMNy.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NSApSca.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MUEuIAW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nqQtJtN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bMlFVEw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\lLmKSYV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kpthtVA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DocSFKL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ZCFPysE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QSCXTRX.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NGdXaGq.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dIljkPr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\yTmunOh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\exQYvJm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\aGLtBFM.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vRgJfkE.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\xbqHnph.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\DFcvBMg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\ERCjhRg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	UPX
C:\Windows\System\vglFdjZ.exe	UPX
behavioral2/memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	UPX
C:\Windows\System\IlurEjo.exe	UPX
C:\Windows\System\hlRWMNy.exe	UPX
behavioral2/memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	UPX
behavioral2/memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	UPX
C:\Windows\System\NSApSca.exe	UPX
behavioral2/memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	UPX
C:\Windows\System\MUEuIAW.exe	UPX
behavioral2/memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	UPX
C:\Windows\System\nqQtJtN.exe	UPX
behavioral2/memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	UPX
C:\Windows\System\bMlFVEw.exe	UPX
behavioral2/memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	UPX
C:\Windows\System\lLmKSYV.exe	UPX
behavioral2/memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp	UPX
C:\Windows\System\kpthtVA.exe	UPX
C:\Windows\System\DocSFKL.exe	UPX
C:\Windows\System\ZCFPysE.exe	UPX
behavioral2/memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	UPX
behavioral2/memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	UPX
behavioral2/memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	UPX
behavioral2/memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	UPX
behavioral2/memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	UPX
C:\Windows\System\QSCXTRX.exe	UPX
behavioral2/memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	UPX
C:\Windows\System\NGdXaGq.exe	UPX
behavioral2/memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp	UPX
C:\Windows\System\dIljkPr.exe	UPX
C:\Windows\System\yTmunOh.exe	UPX
behavioral2/memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	UPX
C:\Windows\System\exQYvJm.exe	UPX
C:\Windows\System\aGLtBFM.exe	UPX
behavioral2/memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	UPX
behavioral2/memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp	UPX
behavioral2/memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	UPX
behavioral2/memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp	UPX
behavioral2/memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp	UPX
C:\Windows\System\vRgJfkE.exe	UPX
behavioral2/memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp	UPX
behavioral2/memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp	UPX
behavioral2/memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	UPX
C:\Windows\System\xbqHnph.exe	UPX
C:\Windows\System\DFcvBMg.exe	UPX
behavioral2/memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	UPX
C:\Windows\System\ERCjhRg.exe	UPX
behavioral2/memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp	UPX
behavioral2/memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	UPX
behavioral2/memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	UPX
behavioral2/memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	UPX
behavioral2/memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	UPX
behavioral2/memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	UPX
behavioral2/memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	UPX
behavioral2/memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	UPX
behavioral2/memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	UPX
behavioral2/memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	UPX
behavioral2/memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	UPX
behavioral2/memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	UPX
behavioral2/memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp	UPX
behavioral2/memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	UPX
behavioral2/memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	UPX
behavioral2/memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	UPX
behavioral2/memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	xmrig
C:\Windows\System\vglFdjZ.exe	xmrig
behavioral2/memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	xmrig
C:\Windows\System\IlurEjo.exe	xmrig
C:\Windows\System\hlRWMNy.exe	xmrig
behavioral2/memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	xmrig
behavioral2/memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	xmrig
C:\Windows\System\NSApSca.exe	xmrig
behavioral2/memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	xmrig
C:\Windows\System\MUEuIAW.exe	xmrig
behavioral2/memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	xmrig
C:\Windows\System\nqQtJtN.exe	xmrig
behavioral2/memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	xmrig
C:\Windows\System\bMlFVEw.exe	xmrig
behavioral2/memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	xmrig
C:\Windows\System\lLmKSYV.exe	xmrig
behavioral2/memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp	xmrig
C:\Windows\System\kpthtVA.exe	xmrig
C:\Windows\System\DocSFKL.exe	xmrig
C:\Windows\System\ZCFPysE.exe	xmrig
behavioral2/memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	xmrig
behavioral2/memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	xmrig
behavioral2/memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	xmrig
behavioral2/memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	xmrig
behavioral2/memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	xmrig
C:\Windows\System\QSCXTRX.exe	xmrig
behavioral2/memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	xmrig
C:\Windows\System\NGdXaGq.exe	xmrig
behavioral2/memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp	xmrig
C:\Windows\System\dIljkPr.exe	xmrig
C:\Windows\System\yTmunOh.exe	xmrig
behavioral2/memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	xmrig
C:\Windows\System\exQYvJm.exe	xmrig
C:\Windows\System\aGLtBFM.exe	xmrig
behavioral2/memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	xmrig
behavioral2/memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp	xmrig
behavioral2/memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	xmrig
behavioral2/memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp	xmrig
behavioral2/memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp	xmrig
C:\Windows\System\vRgJfkE.exe	xmrig
behavioral2/memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp	xmrig
behavioral2/memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp	xmrig
behavioral2/memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	xmrig
C:\Windows\System\xbqHnph.exe	xmrig
C:\Windows\System\DFcvBMg.exe	xmrig
behavioral2/memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	xmrig
C:\Windows\System\ERCjhRg.exe	xmrig
behavioral2/memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp	xmrig
behavioral2/memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	xmrig
behavioral2/memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	xmrig
behavioral2/memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	xmrig
behavioral2/memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	xmrig
behavioral2/memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	xmrig
behavioral2/memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	xmrig
behavioral2/memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	xmrig
behavioral2/memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	xmrig
behavioral2/memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	xmrig
behavioral2/memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	xmrig
behavioral2/memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	xmrig
behavioral2/memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp	xmrig
behavioral2/memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	xmrig
behavioral2/memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	xmrig
behavioral2/memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	xmrig
behavioral2/memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vglFdjZ.exeIlurEjo.exehlRWMNy.exeNSApSca.exeMUEuIAW.exenqQtJtN.exebMlFVEw.exelLmKSYV.exekpthtVA.exeDocSFKL.exeZCFPysE.exeQSCXTRX.exeNGdXaGq.exedIljkPr.exeyTmunOh.exeaGLtBFM.exeexQYvJm.exeDFcvBMg.exexbqHnph.exevRgJfkE.exeERCjhRg.exe

pid	process
2624	vglFdjZ.exe
1100	IlurEjo.exe
2064	hlRWMNy.exe
740	NSApSca.exe
4132	MUEuIAW.exe
1120	nqQtJtN.exe
1296	bMlFVEw.exe
4792	lLmKSYV.exe
4612	kpthtVA.exe
4392	DocSFKL.exe
932	ZCFPysE.exe
3004	QSCXTRX.exe
4908	NGdXaGq.exe
4000	dIljkPr.exe
4732	yTmunOh.exe
2480	aGLtBFM.exe
2760	exQYvJm.exe
2580	DFcvBMg.exe
4692	xbqHnph.exe
4552	vRgJfkE.exe
3076	ERCjhRg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	upx
C:\Windows\System\vglFdjZ.exe	upx
behavioral2/memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	upx
C:\Windows\System\IlurEjo.exe	upx
C:\Windows\System\hlRWMNy.exe	upx
behavioral2/memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	upx
behavioral2/memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	upx
C:\Windows\System\NSApSca.exe	upx
behavioral2/memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	upx
C:\Windows\System\MUEuIAW.exe	upx
behavioral2/memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	upx
C:\Windows\System\nqQtJtN.exe	upx
behavioral2/memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	upx
C:\Windows\System\bMlFVEw.exe	upx
behavioral2/memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	upx
C:\Windows\System\lLmKSYV.exe	upx
behavioral2/memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp	upx
C:\Windows\System\kpthtVA.exe	upx
C:\Windows\System\DocSFKL.exe	upx
C:\Windows\System\ZCFPysE.exe	upx
behavioral2/memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	upx
behavioral2/memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	upx
behavioral2/memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp	upx
behavioral2/memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	upx
behavioral2/memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	upx
C:\Windows\System\QSCXTRX.exe	upx
behavioral2/memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	upx
C:\Windows\System\NGdXaGq.exe	upx
behavioral2/memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp	upx
C:\Windows\System\dIljkPr.exe	upx
C:\Windows\System\yTmunOh.exe	upx
behavioral2/memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	upx
C:\Windows\System\exQYvJm.exe	upx
C:\Windows\System\aGLtBFM.exe	upx
behavioral2/memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	upx
behavioral2/memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp	upx
behavioral2/memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	upx
behavioral2/memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp	upx
behavioral2/memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp	upx
C:\Windows\System\vRgJfkE.exe	upx
behavioral2/memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp	upx
behavioral2/memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp	upx
behavioral2/memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	upx
C:\Windows\System\xbqHnph.exe	upx
C:\Windows\System\DFcvBMg.exe	upx
behavioral2/memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	upx
C:\Windows\System\ERCjhRg.exe	upx
behavioral2/memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp	upx
behavioral2/memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	upx
behavioral2/memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp	upx
behavioral2/memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp	upx
behavioral2/memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp	upx
behavioral2/memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp	upx
behavioral2/memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp	upx
behavioral2/memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp	upx
behavioral2/memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp	upx
behavioral2/memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp	upx
behavioral2/memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp	upx
behavioral2/memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp	upx
behavioral2/memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp	upx
behavioral2/memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp	upx
behavioral2/memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp	upx
behavioral2/memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp	upx
behavioral2/memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\DFcvBMg.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xbqHnph.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bMlFVEw.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lLmKSYV.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DocSFKL.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yTmunOh.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGLtBFM.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUEuIAW.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nqQtJtN.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QSCXTRX.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\exQYvJm.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vRgJfkE.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ERCjhRg.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vglFdjZ.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCFPysE.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NGdXaGq.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kpthtVA.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dIljkPr.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IlurEjo.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hlRWMNy.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NSApSca.exe	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3192 wrote to memory of 2624	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	vglFdjZ.exe
PID 3192 wrote to memory of 2624	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	vglFdjZ.exe
PID 3192 wrote to memory of 1100	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	IlurEjo.exe
PID 3192 wrote to memory of 1100	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	IlurEjo.exe
PID 3192 wrote to memory of 2064	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	hlRWMNy.exe
PID 3192 wrote to memory of 2064	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	hlRWMNy.exe
PID 3192 wrote to memory of 740	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	NSApSca.exe
PID 3192 wrote to memory of 740	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	NSApSca.exe
PID 3192 wrote to memory of 4132	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	MUEuIAW.exe
PID 3192 wrote to memory of 4132	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	MUEuIAW.exe
PID 3192 wrote to memory of 1120	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	nqQtJtN.exe
PID 3192 wrote to memory of 1120	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	nqQtJtN.exe
PID 3192 wrote to memory of 1296	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	bMlFVEw.exe
PID 3192 wrote to memory of 1296	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	bMlFVEw.exe
PID 3192 wrote to memory of 4792	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	lLmKSYV.exe
PID 3192 wrote to memory of 4792	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	lLmKSYV.exe
PID 3192 wrote to memory of 4612	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	kpthtVA.exe
PID 3192 wrote to memory of 4612	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	kpthtVA.exe
PID 3192 wrote to memory of 4392	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	DocSFKL.exe
PID 3192 wrote to memory of 4392	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	DocSFKL.exe
PID 3192 wrote to memory of 932	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	ZCFPysE.exe
PID 3192 wrote to memory of 932	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	ZCFPysE.exe
PID 3192 wrote to memory of 3004	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	QSCXTRX.exe
PID 3192 wrote to memory of 3004	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	QSCXTRX.exe
PID 3192 wrote to memory of 4908	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	NGdXaGq.exe
PID 3192 wrote to memory of 4908	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	NGdXaGq.exe
PID 3192 wrote to memory of 4000	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	dIljkPr.exe
PID 3192 wrote to memory of 4000	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	dIljkPr.exe
PID 3192 wrote to memory of 4732	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	yTmunOh.exe
PID 3192 wrote to memory of 4732	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	yTmunOh.exe
PID 3192 wrote to memory of 2480	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	aGLtBFM.exe
PID 3192 wrote to memory of 2480	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	aGLtBFM.exe
PID 3192 wrote to memory of 2760	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	exQYvJm.exe
PID 3192 wrote to memory of 2760	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	exQYvJm.exe
PID 3192 wrote to memory of 2580	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	DFcvBMg.exe
PID 3192 wrote to memory of 2580	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	DFcvBMg.exe
PID 3192 wrote to memory of 4692	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	xbqHnph.exe
PID 3192 wrote to memory of 4692	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	xbqHnph.exe
PID 3192 wrote to memory of 4552	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	vRgJfkE.exe
PID 3192 wrote to memory of 4552	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	vRgJfkE.exe
PID 3192 wrote to memory of 3076	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	ERCjhRg.exe
PID 3192 wrote to memory of 3076	3192	2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe	ERCjhRg.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_95ab835d52f876f1f03f3944fc353e74_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\System\vglFdjZ.exe
C:\Windows\System\vglFdjZ.exe
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\System\IlurEjo.exe
C:\Windows\System\IlurEjo.exe
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\System\hlRWMNy.exe
C:\Windows\System\hlRWMNy.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System\NSApSca.exe
C:\Windows\System\NSApSca.exe
2⤵
- Executes dropped EXE
PID:740

C:\Windows\System\MUEuIAW.exe
C:\Windows\System\MUEuIAW.exe
2⤵
- Executes dropped EXE
PID:4132

C:\Windows\System\nqQtJtN.exe
C:\Windows\System\nqQtJtN.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\bMlFVEw.exe
C:\Windows\System\bMlFVEw.exe
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\System\lLmKSYV.exe
C:\Windows\System\lLmKSYV.exe
2⤵
- Executes dropped EXE
PID:4792

C:\Windows\System\kpthtVA.exe
C:\Windows\System\kpthtVA.exe
2⤵
- Executes dropped EXE
PID:4612

C:\Windows\System\DocSFKL.exe
C:\Windows\System\DocSFKL.exe
2⤵
- Executes dropped EXE
PID:4392

C:\Windows\System\ZCFPysE.exe
C:\Windows\System\ZCFPysE.exe
2⤵
- Executes dropped EXE
PID:932

C:\Windows\System\QSCXTRX.exe
C:\Windows\System\QSCXTRX.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\NGdXaGq.exe
C:\Windows\System\NGdXaGq.exe
2⤵
- Executes dropped EXE
PID:4908

C:\Windows\System\dIljkPr.exe
C:\Windows\System\dIljkPr.exe
2⤵
- Executes dropped EXE
PID:4000

C:\Windows\System\yTmunOh.exe
C:\Windows\System\yTmunOh.exe
2⤵
- Executes dropped EXE
PID:4732

C:\Windows\System\aGLtBFM.exe
C:\Windows\System\aGLtBFM.exe
2⤵
- Executes dropped EXE
PID:2480

C:\Windows\System\exQYvJm.exe
C:\Windows\System\exQYvJm.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\DFcvBMg.exe
C:\Windows\System\DFcvBMg.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\xbqHnph.exe
C:\Windows\System\xbqHnph.exe
2⤵
- Executes dropped EXE
PID:4692

C:\Windows\System\vRgJfkE.exe
C:\Windows\System\vRgJfkE.exe
2⤵
- Executes dropped EXE
PID:4552

C:\Windows\System\ERCjhRg.exe
C:\Windows\System\ERCjhRg.exe
2⤵
- Executes dropped EXE
PID:3076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DFcvBMg.exe
Filesize
5.9MB

MD5
02e202269766c96f79f736dc3da5452a

SHA1
d0bc2987a05ca64a2e213df07787fbde832d2996

SHA256
d927a45d11f871ab085a27a4ad795d2a86dc53d759b47fdb0a062551acbf28a0

SHA512
67136a9f4172194f30939ee64780656f277a7482f33c0b85d3c162135c66bca737195921b3a0adc9ff57f40161ffa71273a34a629b39d9bfdf9ffdfbb504b006

Download Submit
C:\Windows\System\DocSFKL.exe
Filesize
5.9MB

MD5
2da870afda917d4b060a3b236004eef8

SHA1
37e228840290a12c1d4f818d223f292bbb427d75

SHA256
9809f4c4984e5168df79addfc7cf6b5a1b6b9a37c46067df9b8c22392e28764e

SHA512
44432fab2d2ec62a4c69c003d8f10f8b6c01e01dc7695808846f3d0bc068fee6dfcbbd3d7cffa1c6ba28d303ef7d05004f9f3b485b2fb2e6605bbd3f5a5f5195

Download Submit
C:\Windows\System\ERCjhRg.exe
Filesize
5.9MB

MD5
59d6648895844aca613841196db29ecf

SHA1
e67eb40aabf4a736a845890e08eb141e2d67d89c

SHA256
95c848836758073a174d4ac07cc4ca30f136c52d1ffe926d776c72281672ef01

SHA512
40f5fbdb5363ade58c060267aca81a92fb0c27ecf6ccdb36d4fdc506fce55ba7f22ed702f1df8bd1f38fafdb8b8d8c57d9824c3558f59e1ab89bef77d69282d5

Download Submit
C:\Windows\System\IlurEjo.exe
Filesize
5.9MB

MD5
7d86801ee399be68b2cb0cd55fadf6c0

SHA1
fa9cb2bab9070c637dad70b774915b0479dccab0

SHA256
6a33115996e77447c867a5cb6c24473b5ef0618e195e16ea0ce6be7d957dcc93

SHA512
5588d75a84b08b2595e961c8184197e46ff589bdd1156cbf1e73527166bdbf29fafc45cd4b9ae4d56783677737008697580a8ebae01e2c7a463d025b75696840

Download Submit
C:\Windows\System\MUEuIAW.exe
Filesize
5.9MB

MD5
681a63f7e61af6a487b06f2a9a736c0a

SHA1
89fd416aed6fe28b6bc93861609a89cc494746a0

SHA256
da77e550c824f92986488e0c5e373705deb5d603dab05e6a969336c8efef807d

SHA512
cdd23bcf3123d5de657a1e8034e951ce93b3787fc7ba024b2c9ea6cc4a3b8aa0453e2ab5cab78697ce9bec0a0d7e74c0fb028824f9bf88b532b74259c6cdeab7

Download Submit
C:\Windows\System\NGdXaGq.exe
Filesize
5.9MB

MD5
1c61d9714227e679000a2cbaf01851ad

SHA1
8226a4fbc2f376b8cc9d19534f4bdcf853f34a47

SHA256
21a079720aa6ea5637cd7eb7a10d7e240b66b95f2c40104c2140a90b760048fc

SHA512
0ac9a08240e62bcd883eac297978a25007adacd2163e795126911d226389a1e7d9a73645333a74cdf4631cb4cd38316dc777b2d6693c8a59ffb6b7a20a800c27

Download Submit
C:\Windows\System\NSApSca.exe
Filesize
5.9MB

MD5
fd63ab95680836a9be621002f5d59bf5

SHA1
2f7ccab6e95ca614ff7ef5279fff2dcb0c7eeaa7

SHA256
6bfefd38ba68c740e3eaa8f9b4d095d4442bcb30112b33e0b5e512ee73f62d43

SHA512
a1e21ff3876cbf54fd8399eed8dcfd67f7f0e85ea64a8616f8712e2af44e5d1b93ba92adafcde3d48c53406d8afa81276fae378894a0cd48fb4b02a728f9fdec

Download Submit
C:\Windows\System\QSCXTRX.exe
Filesize
5.9MB

MD5
cc903842430f829876b32b44e1e59218

SHA1
c17e5f4bdeee670c80d4c2188dcc7a2e7388008c

SHA256
5d1e520af5287f6f34d8683e04cb3f52a48ba83eced37694915cf9a1df7fd483

SHA512
4b2c5835df3f99a54fa5ade20fe89e8d5d40fd7f23ad2c847e109a90b139f4197238e4f5f4a70d9779461117ff170281a8284f13c2fdd8ccb080c847fdf35bcd

Download Submit
C:\Windows\System\ZCFPysE.exe
Filesize
5.9MB

MD5
65e86e4cc8556623f05fabfc44f6171c

SHA1
215385a0fe45c92450236639226c2fc18a7b2d0b

SHA256
d228274f4f9f3c98274dd6e8874a2e2be65502044c109f606f6c9d2d9132420e

SHA512
aed2223a5091950d1f059cc7295bc33d71fe917ccc5a377d5a5765bb234a423e252703680517ec83185d13a372c3cce9d3bb46f941ca77633a7d91528ac726d0

Download Submit
C:\Windows\System\aGLtBFM.exe
Filesize
5.9MB

MD5
dfef88503838bcf6037eb83f1152e252

SHA1
3113da8e7dac04aba66393722d65462011dffcb8

SHA256
d376ae861cf6f8c311991c04eb0f5a03a50e60ca46fe860dfcd3bb2b9d40e7d7

SHA512
a7c0222caef152b07b351e18aa5065aeaf197892746ffa5d2169c0c7c330a220f3eeb2a96e51f16c5cb72789dc3d392305b4ca656a815aea198b50ee69fcc846

Download Submit
C:\Windows\System\bMlFVEw.exe
Filesize
5.9MB

MD5
4b83783e4ace8b9ade23580208fe3411

SHA1
2018a9ca4e76f25b670ed873af9055adc7a0a3d6

SHA256
a36da6db86fff88c32c5cf1e5ef7b38a8a1d06f871dc3b8cd7a83e22477aae2a

SHA512
d0f2d3a172aae16cc0a2276b484c782054cae10c64efa64088f9d722474c753d4cdbbaa843302b86c9868b9d0c49703c8d4c6eb288a7e2065eae269d8a9e9063

Download Submit
C:\Windows\System\dIljkPr.exe
Filesize
5.9MB

MD5
6ee1b380abcbc59cab24fc750c00acab

SHA1
82af126cfb9fb5dd47a808cc0ddaec900b446363

SHA256
28bcf1cfed1d3911b9e259b6fba6d699eec8288f3fda3153d24fd95c8bc51107

SHA512
5601a6c675b24a330ff77b613137dad4338bdf8ca07395929d59aa8346b693e43d285c24bfbea422224d6b728269c9deba4f1916e1923f76e0c6bdbcaa9a1b35

Download Submit
C:\Windows\System\exQYvJm.exe
Filesize
5.9MB

MD5
69e393a730077a3bb336f8c491bd852a

SHA1
a71f499fda91eccac96165867406a4c1993dc6e8

SHA256
03a5eacab204a3ceadacd8607f5dc72825b26604880c33d0130038f4c79e896f

SHA512
9a02eec19fbf79efddf34c9a4b273d401aa8e9c2f2e4055cf2660f1f3c93d72910a75641afb353c1ed652fb817429b8eeddb202719b3b40854026023cf721969

Download Submit
C:\Windows\System\hlRWMNy.exe
Filesize
5.9MB

MD5
0ae2f17ced1f4a50b627e6b9b6e57962

SHA1
b84e9984ebc4b64589fa4ac12023ff52e5ec4a8b

SHA256
fbf4022d254401d8b90a358099e6be53db83de5573604e01b0b7cd9eafa07a57

SHA512
11d925541c80226e5133a8e3bc2f2452af320b6f6d276897f7d6f32442de3b2df78149792b423bcad1d6760e4ef343edfd3fcebc5b4fe3bee9885ca031e59c3e

Download Submit
C:\Windows\System\kpthtVA.exe
Filesize
5.9MB

MD5
225ccc294e5cba89c2ead9525e0061b0

SHA1
b920424b0c2d00618a6876a27405726174e91c7b

SHA256
261a6c061713e93f3587d9a6f93cb44e0034fa5a5de6b122dc45fe0e5a0b9339

SHA512
d09e0cfb3e1e315e06f25b72ee6fbb38798f56fd53e8f672cc5b8916b639a0964fbb3ccc7f105194de4a7c90bcdce58d794789666d306db7c264b2df51ef0a61

Download Submit
C:\Windows\System\lLmKSYV.exe
Filesize
5.9MB

MD5
d1fbd16bca4773b71b2a379c4ca18657

SHA1
d9f9ddcb279d4ea121dff3fc01ac94c6441508a7

SHA256
497d05f6a1ca8ebdec25701a7ecd3ac3c2da0d9f4aad81115eb5c5eb1a4dd865

SHA512
dc9aceec7d0dd656c355b5128ecdbabd22970f77d4161d62fe9cd4cf297024656b8a7cf8b606e8d230c428dcac681e97c35077cd0fe13edbd30de6dee8228de7

Download Submit
C:\Windows\System\nqQtJtN.exe
Filesize
5.9MB

MD5
3bd0cceccc7a97f1724ae72bee148617

SHA1
396bef6b21996e421ade9d2d58091c441ec7feee

SHA256
4f65440da796831a75240e3610bac4df1e242acd674f150c1dc92c53b788270d

SHA512
e643d851cd1521a27b959e073a5c71a83690e811d755b0c1785fc2ef0490ae2ad047c9052fb143ead0b5f1c1e300f4936409c96870511b3eac30dc8cf9f582a5

Download Submit
C:\Windows\System\vRgJfkE.exe
Filesize
5.9MB

MD5
13d032be7860ca136516887900f9a240

SHA1
7ac5983e8cd4f36d9819927901a84018267b9531

SHA256
73735fb9df4ed13c0307d6a6c9d45c4dc197ee8fc85a613f8ef0ef4f3c9e06d2

SHA512
e8bfcdc688dd8ddfa5ef13937d237f0b3f3850611f2b22fcdff6234abf35edb936478fb4cbedd40c1050f56f44d928b1902db296a41e261f341d3306c8b5a07e

Download Submit
C:\Windows\System\vglFdjZ.exe
Filesize
5.9MB

MD5
cd37a6f74dc1536b82c5e523eccdcccf

SHA1
9c47da06a13662585825ee441fbca39b18a4bd7c

SHA256
3839df782a9003cf8007b716ce43d38a6f3ff48e7d47f158a6e5e167dab16ce9

SHA512
c916ef7ef0e858f4dfc0822364a63914acbc00756b67cc1e2db491b0e9b8bd11191f0857e79af4369e04ede9da5e063cc8d762b5b3bc32623639b81ba5e0281f

Download Submit
C:\Windows\System\xbqHnph.exe
Filesize
5.9MB

MD5
8fbcaa1c22e83794c9c7000ca4c073d3

SHA1
a4ccc58c27fd4d381c2bcfcb00ab27bd7084f8f3

SHA256
b67537f9d5304ef863f31e6decde0f39e2dbb92ad06d8a4693d2aebda8a6e365

SHA512
e7ba1c5e0d32c8be75203eed3699df002ae1987e17b51ff03219b9ae76ff8c89c593367690dc513d73cd64180fffd2eb6b7ef800668b4c5f3220fba4a7b52aee

Download Submit
C:\Windows\System\yTmunOh.exe
Filesize
5.9MB

MD5
a15e2ba2cb2e9186040bee537944a780

SHA1
15b47afe34a14d54f8b926aefce342a515f9de8a

SHA256
cd23b37743b2649c4648b88ada791b2bf0b037d1d5075a45acf97464bbb3a5a2

SHA512
5f1f0f6feccb61000ce683b04b99b37bcec1170eb421aa9b24d2a7b2163a0d3edb53dafd86b3bc55d5dd683d9acf460bd01a1a12b074b8db35854c1f1e4dda01

Download Submit
memory/740-90-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

Filesize
3.3MB

Download
memory/740-24-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

Filesize
3.3MB

Download
memory/740-140-0x00007FF7B7940000-0x00007FF7B7C94000-memory.dmp

Filesize
3.3MB

Download
memory/932-70-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

Filesize
3.3MB

Download
memory/932-133-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

Filesize
3.3MB

Download
memory/932-147-0x00007FF7B0FD0000-0x00007FF7B1324000-memory.dmp

Filesize
3.3MB

Download
memory/1100-14-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp

Filesize
3.3MB

Download
memory/1100-138-0x00007FF664A70000-0x00007FF664DC4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-38-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp

Filesize
3.3MB

Download
memory/1120-142-0x00007FF6F1430000-0x00007FF6F1784000-memory.dmp

Filesize
3.3MB

Download
memory/1296-44-0x00007FF735570000-0x00007FF7358C4000-memory.dmp

Filesize
3.3MB

Download
memory/1296-143-0x00007FF735570000-0x00007FF7358C4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-139-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2064-20-0x00007FF72E390000-0x00007FF72E6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-152-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-135-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2480-101-0x00007FF6ABA90000-0x00007FF6ABDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2580-136-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

Filesize
3.3MB

Download
memory/2580-154-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

Filesize
3.3MB

Download
memory/2580-111-0x00007FF60F0D0000-0x00007FF60F424000-memory.dmp

Filesize
3.3MB

Download
memory/2624-137-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

Filesize
3.3MB

Download
memory/2624-67-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

Filesize
3.3MB

Download
memory/2624-7-0x00007FF7F0CB0000-0x00007FF7F1004000-memory.dmp

Filesize
3.3MB

Download
memory/2760-107-0x00007FF647140000-0x00007FF647494000-memory.dmp

Filesize
3.3MB

Download
memory/2760-153-0x00007FF647140000-0x00007FF647494000-memory.dmp

Filesize
3.3MB

Download
memory/3004-76-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp

Filesize
3.3MB

Download
memory/3004-148-0x00007FF66ABC0000-0x00007FF66AF14000-memory.dmp

Filesize
3.3MB

Download
memory/3076-132-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-157-0x00007FF7311A0000-0x00007FF7314F4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-62-0x00007FF74A200000-0x00007FF74A554000-memory.dmp

Filesize
3.3MB

Download
memory/3192-1-0x000001906B2D0000-0x000001906B2E0000-memory.dmp

Filesize
64KB

Download
memory/3192-0-0x00007FF74A200000-0x00007FF74A554000-memory.dmp

Filesize
3.3MB

Download
memory/4000-91-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp

Filesize
3.3MB

Download
memory/4000-150-0x00007FF6F98D0000-0x00007FF6F9C24000-memory.dmp

Filesize
3.3MB

Download
memory/4132-141-0x00007FF751460000-0x00007FF7517B4000-memory.dmp

Filesize
3.3MB

Download
memory/4132-32-0x00007FF751460000-0x00007FF7517B4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-126-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-146-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-66-0x00007FF638A70000-0x00007FF638DC4000-memory.dmp

Filesize
3.3MB

Download
memory/4552-156-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp

Filesize
3.3MB

Download
memory/4552-127-0x00007FF6F9DF0000-0x00007FF6FA144000-memory.dmp

Filesize
3.3MB

Download
memory/4612-58-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-145-0x00007FF72BD50000-0x00007FF72C0A4000-memory.dmp

Filesize
3.3MB

Download
memory/4692-120-0x00007FF706630000-0x00007FF706984000-memory.dmp

Filesize
3.3MB

Download
memory/4692-155-0x00007FF706630000-0x00007FF706984000-memory.dmp

Filesize
3.3MB

Download
memory/4732-151-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-134-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

Filesize
3.3MB

Download
memory/4732-97-0x00007FF7F94A0000-0x00007FF7F97F4000-memory.dmp

Filesize
3.3MB

Download
memory/4792-144-0x00007FF728200000-0x00007FF728554000-memory.dmp

Filesize
3.3MB

Download
memory/4792-48-0x00007FF728200000-0x00007FF728554000-memory.dmp

Filesize
3.3MB

Download
memory/4792-119-0x00007FF728200000-0x00007FF728554000-memory.dmp

Filesize
3.3MB

Download
memory/4908-149-0x00007FF796540000-0x00007FF796894000-memory.dmp

Filesize
3.3MB

Download
memory/4908-82-0x00007FF796540000-0x00007FF796894000-memory.dmp

Filesize
3.3MB

Download