cobaltstrike | 88dbc1711696e0dfa9c392a88bd8027faac7f65e37ac16916753539ff28992cb

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1e321bfef0a4b154ebe0eddae802d688
SHA1

99c5c35179beaa5f153566a95877b5e4d4f835b2
SHA256

88dbc1711696e0dfa9c392a88bd8027faac7f65e37ac16916753539ff28992cb
SHA512

aa91c2226aa1364a3b36e4b3693a53a3944e7289d5662800d0a6b43b543a8c6f27453f556445ad98eba3ffca2f90d3a5d06f79d22eceeed2b8724267610709c7
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUk:Q+u56utgpPF8u/7k

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\oqbjxEr.exe	cobalt_reflective_dll
C:\Windows\System\mBkfZzp.exe	cobalt_reflective_dll
C:\Windows\System\bdYXHXG.exe	cobalt_reflective_dll
C:\Windows\System\rRyXVAu.exe	cobalt_reflective_dll
C:\Windows\System\OjcMNLf.exe	cobalt_reflective_dll
C:\Windows\System\dtRttGw.exe	cobalt_reflective_dll
C:\Windows\System\eHesGGp.exe	cobalt_reflective_dll
C:\Windows\System\hsWSryt.exe	cobalt_reflective_dll
C:\Windows\System\nchMLfW.exe	cobalt_reflective_dll
C:\Windows\System\AOHGesb.exe	cobalt_reflective_dll
C:\Windows\System\rgusOpz.exe	cobalt_reflective_dll
C:\Windows\System\jYbcmll.exe	cobalt_reflective_dll
C:\Windows\System\zICAmQc.exe	cobalt_reflective_dll
C:\Windows\System\vPWzNPA.exe	cobalt_reflective_dll
C:\Windows\System\MUCbDpH.exe	cobalt_reflective_dll
C:\Windows\System\teKEbrV.exe	cobalt_reflective_dll
C:\Windows\System\NpUEqzO.exe	cobalt_reflective_dll
C:\Windows\System\eWLnBld.exe	cobalt_reflective_dll
C:\Windows\System\UDyzfCD.exe	cobalt_reflective_dll
C:\Windows\System\fNfyMVO.exe	cobalt_reflective_dll
C:\Windows\System\TczZMeg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\oqbjxEr.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\mBkfZzp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bdYXHXG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rRyXVAu.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OjcMNLf.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dtRttGw.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eHesGGp.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\hsWSryt.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nchMLfW.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\AOHGesb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rgusOpz.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\jYbcmll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\zICAmQc.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\vPWzNPA.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\MUCbDpH.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\teKEbrV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\NpUEqzO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\eWLnBld.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UDyzfCD.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\fNfyMVO.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\TczZMeg.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	UPX
C:\Windows\System\oqbjxEr.exe	UPX
behavioral2/memory/1076-8-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	UPX
C:\Windows\System\mBkfZzp.exe	UPX
behavioral2/memory/3336-14-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	UPX
C:\Windows\System\bdYXHXG.exe	UPX
behavioral2/memory/4220-20-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	UPX
C:\Windows\System\rRyXVAu.exe	UPX
behavioral2/memory/4368-24-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	UPX
C:\Windows\System\OjcMNLf.exe	UPX
C:\Windows\System\dtRttGw.exe	UPX
behavioral2/memory/4228-32-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	UPX
behavioral2/memory/4544-38-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	UPX
C:\Windows\System\eHesGGp.exe	UPX
behavioral2/memory/4264-44-0x00007FF601220000-0x00007FF601574000-memory.dmp	UPX
C:\Windows\System\hsWSryt.exe	UPX
C:\Windows\System\nchMLfW.exe	UPX
C:\Windows\System\AOHGesb.exe	UPX
C:\Windows\System\rgusOpz.exe	UPX
behavioral2/memory/5036-65-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	UPX
behavioral2/memory/5060-68-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	UPX
behavioral2/memory/3628-69-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	UPX
behavioral2/memory/3048-64-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	UPX
behavioral2/memory/4724-51-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	UPX
C:\Windows\System\jYbcmll.exe	UPX
behavioral2/memory/4896-76-0x00007FF608F60000-0x00007FF6092B4000-memory.dmp	UPX
behavioral2/memory/1076-74-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	UPX
C:\Windows\System\zICAmQc.exe	UPX
behavioral2/memory/752-84-0x00007FF620120000-0x00007FF620474000-memory.dmp	UPX
C:\Windows\System\vPWzNPA.exe	UPX
behavioral2/memory/3336-82-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	UPX
behavioral2/memory/4368-96-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	UPX
behavioral2/memory/2796-97-0x00007FF603D20000-0x00007FF604074000-memory.dmp	UPX
C:\Windows\System\MUCbDpH.exe	UPX
behavioral2/memory/3580-90-0x00007FF6D0F80000-0x00007FF6D12D4000-memory.dmp	UPX
behavioral2/memory/4220-89-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	UPX
behavioral2/memory/1712-104-0x00007FF6C1BF0000-0x00007FF6C1F44000-memory.dmp	UPX
C:\Windows\System\teKEbrV.exe	UPX
C:\Windows\System\NpUEqzO.exe	UPX
behavioral2/memory/4264-113-0x00007FF601220000-0x00007FF601574000-memory.dmp	UPX
C:\Windows\System\eWLnBld.exe	UPX
behavioral2/memory/3980-115-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	UPX
behavioral2/memory/4724-114-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	UPX
behavioral2/memory/3280-110-0x00007FF69E140000-0x00007FF69E494000-memory.dmp	UPX
behavioral2/memory/4544-109-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	UPX
C:\Windows\System\UDyzfCD.exe	UPX
behavioral2/memory/2200-122-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	UPX
C:\Windows\System\fNfyMVO.exe	UPX
behavioral2/memory/5036-130-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	UPX
behavioral2/memory/4300-132-0x00007FF683E10000-0x00007FF684164000-memory.dmp	UPX
behavioral2/memory/4944-136-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp	UPX
C:\Windows\System\TczZMeg.exe	UPX
behavioral2/memory/3980-137-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	UPX
behavioral2/memory/2200-138-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	UPX
behavioral2/memory/1076-139-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	UPX
behavioral2/memory/3336-140-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	UPX
behavioral2/memory/4220-141-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	UPX
behavioral2/memory/4368-142-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	UPX
behavioral2/memory/4228-143-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	UPX
behavioral2/memory/4544-144-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	UPX
behavioral2/memory/4264-145-0x00007FF601220000-0x00007FF601574000-memory.dmp	UPX
behavioral2/memory/4724-146-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	UPX
behavioral2/memory/3048-147-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	UPX
behavioral2/memory/3628-148-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	xmrig
C:\Windows\System\oqbjxEr.exe	xmrig
behavioral2/memory/1076-8-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	xmrig
C:\Windows\System\mBkfZzp.exe	xmrig
behavioral2/memory/3336-14-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	xmrig
C:\Windows\System\bdYXHXG.exe	xmrig
behavioral2/memory/4220-20-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	xmrig
C:\Windows\System\rRyXVAu.exe	xmrig
behavioral2/memory/4368-24-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	xmrig
C:\Windows\System\OjcMNLf.exe	xmrig
C:\Windows\System\dtRttGw.exe	xmrig
behavioral2/memory/4228-32-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	xmrig
behavioral2/memory/4544-38-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	xmrig
C:\Windows\System\eHesGGp.exe	xmrig
behavioral2/memory/4264-44-0x00007FF601220000-0x00007FF601574000-memory.dmp	xmrig
C:\Windows\System\hsWSryt.exe	xmrig
C:\Windows\System\nchMLfW.exe	xmrig
C:\Windows\System\AOHGesb.exe	xmrig
C:\Windows\System\rgusOpz.exe	xmrig
behavioral2/memory/5036-65-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	xmrig
behavioral2/memory/5060-68-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	xmrig
behavioral2/memory/3628-69-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	xmrig
behavioral2/memory/3048-64-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	xmrig
behavioral2/memory/4724-51-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	xmrig
C:\Windows\System\jYbcmll.exe	xmrig
behavioral2/memory/4896-76-0x00007FF608F60000-0x00007FF6092B4000-memory.dmp	xmrig
behavioral2/memory/1076-74-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	xmrig
C:\Windows\System\zICAmQc.exe	xmrig
behavioral2/memory/752-84-0x00007FF620120000-0x00007FF620474000-memory.dmp	xmrig
C:\Windows\System\vPWzNPA.exe	xmrig
behavioral2/memory/3336-82-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	xmrig
behavioral2/memory/4368-96-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	xmrig
behavioral2/memory/2796-97-0x00007FF603D20000-0x00007FF604074000-memory.dmp	xmrig
C:\Windows\System\MUCbDpH.exe	xmrig
behavioral2/memory/3580-90-0x00007FF6D0F80000-0x00007FF6D12D4000-memory.dmp	xmrig
behavioral2/memory/4220-89-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	xmrig
behavioral2/memory/1712-104-0x00007FF6C1BF0000-0x00007FF6C1F44000-memory.dmp	xmrig
C:\Windows\System\teKEbrV.exe	xmrig
C:\Windows\System\NpUEqzO.exe	xmrig
behavioral2/memory/4264-113-0x00007FF601220000-0x00007FF601574000-memory.dmp	xmrig
C:\Windows\System\eWLnBld.exe	xmrig
behavioral2/memory/3980-115-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	xmrig
behavioral2/memory/4724-114-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	xmrig
behavioral2/memory/3280-110-0x00007FF69E140000-0x00007FF69E494000-memory.dmp	xmrig
behavioral2/memory/4544-109-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	xmrig
C:\Windows\System\UDyzfCD.exe	xmrig
behavioral2/memory/2200-122-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	xmrig
C:\Windows\System\fNfyMVO.exe	xmrig
behavioral2/memory/5036-130-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	xmrig
behavioral2/memory/4300-132-0x00007FF683E10000-0x00007FF684164000-memory.dmp	xmrig
behavioral2/memory/4944-136-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp	xmrig
C:\Windows\System\TczZMeg.exe	xmrig
behavioral2/memory/3980-137-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	xmrig
behavioral2/memory/2200-138-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	xmrig
behavioral2/memory/1076-139-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	xmrig
behavioral2/memory/3336-140-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	xmrig
behavioral2/memory/4220-141-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	xmrig
behavioral2/memory/4368-142-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	xmrig
behavioral2/memory/4228-143-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	xmrig
behavioral2/memory/4544-144-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	xmrig
behavioral2/memory/4264-145-0x00007FF601220000-0x00007FF601574000-memory.dmp	xmrig
behavioral2/memory/4724-146-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	xmrig
behavioral2/memory/3048-147-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	xmrig
behavioral2/memory/3628-148-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

oqbjxEr.exemBkfZzp.exebdYXHXG.exerRyXVAu.exeOjcMNLf.exedtRttGw.exeeHesGGp.exehsWSryt.exenchMLfW.exeAOHGesb.exergusOpz.exejYbcmll.exezICAmQc.exevPWzNPA.exeMUCbDpH.exeNpUEqzO.exeteKEbrV.exeeWLnBld.exeUDyzfCD.exefNfyMVO.exeTczZMeg.exe

pid	process
1076	oqbjxEr.exe
3336	mBkfZzp.exe
4220	bdYXHXG.exe
4368	rRyXVAu.exe
4228	OjcMNLf.exe
4544	dtRttGw.exe
4264	eHesGGp.exe
4724	hsWSryt.exe
3048	nchMLfW.exe
3628	AOHGesb.exe
5036	rgusOpz.exe
4896	jYbcmll.exe
752	zICAmQc.exe
3580	vPWzNPA.exe
2796	MUCbDpH.exe
1712	NpUEqzO.exe
3280	teKEbrV.exe
3980	eWLnBld.exe
2200	UDyzfCD.exe
4300	fNfyMVO.exe
4944	TczZMeg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	upx
C:\Windows\System\oqbjxEr.exe	upx
behavioral2/memory/1076-8-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	upx
C:\Windows\System\mBkfZzp.exe	upx
behavioral2/memory/3336-14-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	upx
C:\Windows\System\bdYXHXG.exe	upx
behavioral2/memory/4220-20-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	upx
C:\Windows\System\rRyXVAu.exe	upx
behavioral2/memory/4368-24-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	upx
C:\Windows\System\OjcMNLf.exe	upx
C:\Windows\System\dtRttGw.exe	upx
behavioral2/memory/4228-32-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	upx
behavioral2/memory/4544-38-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	upx
C:\Windows\System\eHesGGp.exe	upx
behavioral2/memory/4264-44-0x00007FF601220000-0x00007FF601574000-memory.dmp	upx
C:\Windows\System\hsWSryt.exe	upx
C:\Windows\System\nchMLfW.exe	upx
C:\Windows\System\AOHGesb.exe	upx
C:\Windows\System\rgusOpz.exe	upx
behavioral2/memory/5036-65-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	upx
behavioral2/memory/5060-68-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp	upx
behavioral2/memory/3628-69-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	upx
behavioral2/memory/3048-64-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	upx
behavioral2/memory/4724-51-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	upx
C:\Windows\System\jYbcmll.exe	upx
behavioral2/memory/4896-76-0x00007FF608F60000-0x00007FF6092B4000-memory.dmp	upx
behavioral2/memory/1076-74-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	upx
C:\Windows\System\zICAmQc.exe	upx
behavioral2/memory/752-84-0x00007FF620120000-0x00007FF620474000-memory.dmp	upx
C:\Windows\System\vPWzNPA.exe	upx
behavioral2/memory/3336-82-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	upx
behavioral2/memory/4368-96-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	upx
behavioral2/memory/2796-97-0x00007FF603D20000-0x00007FF604074000-memory.dmp	upx
C:\Windows\System\MUCbDpH.exe	upx
behavioral2/memory/3580-90-0x00007FF6D0F80000-0x00007FF6D12D4000-memory.dmp	upx
behavioral2/memory/4220-89-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	upx
behavioral2/memory/1712-104-0x00007FF6C1BF0000-0x00007FF6C1F44000-memory.dmp	upx
C:\Windows\System\teKEbrV.exe	upx
C:\Windows\System\NpUEqzO.exe	upx
behavioral2/memory/4264-113-0x00007FF601220000-0x00007FF601574000-memory.dmp	upx
C:\Windows\System\eWLnBld.exe	upx
behavioral2/memory/3980-115-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	upx
behavioral2/memory/4724-114-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	upx
behavioral2/memory/3280-110-0x00007FF69E140000-0x00007FF69E494000-memory.dmp	upx
behavioral2/memory/4544-109-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	upx
C:\Windows\System\UDyzfCD.exe	upx
behavioral2/memory/2200-122-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	upx
C:\Windows\System\fNfyMVO.exe	upx
behavioral2/memory/5036-130-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp	upx
behavioral2/memory/4300-132-0x00007FF683E10000-0x00007FF684164000-memory.dmp	upx
behavioral2/memory/4944-136-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp	upx
C:\Windows\System\TczZMeg.exe	upx
behavioral2/memory/3980-137-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp	upx
behavioral2/memory/2200-138-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp	upx
behavioral2/memory/1076-139-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp	upx
behavioral2/memory/3336-140-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp	upx
behavioral2/memory/4220-141-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp	upx
behavioral2/memory/4368-142-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp	upx
behavioral2/memory/4228-143-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp	upx
behavioral2/memory/4544-144-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp	upx
behavioral2/memory/4264-145-0x00007FF601220000-0x00007FF601574000-memory.dmp	upx
behavioral2/memory/4724-146-0x00007FF637DB0000-0x00007FF638104000-memory.dmp	upx
behavioral2/memory/3048-147-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp	upx
behavioral2/memory/3628-148-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\AOHGesb.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rgusOpz.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDyzfCD.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjcMNLf.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eHesGGp.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsWSryt.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYbcmll.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MUCbDpH.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\teKEbrV.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TczZMeg.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bdYXHXG.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dtRttGw.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nchMLfW.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vPWzNPA.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NpUEqzO.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fNfyMVO.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqbjxEr.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rRyXVAu.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zICAmQc.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWLnBld.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBkfZzp.exe	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 5060 wrote to memory of 1076	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	oqbjxEr.exe
PID 5060 wrote to memory of 1076	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	oqbjxEr.exe
PID 5060 wrote to memory of 3336	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	mBkfZzp.exe
PID 5060 wrote to memory of 3336	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	mBkfZzp.exe
PID 5060 wrote to memory of 4220	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	bdYXHXG.exe
PID 5060 wrote to memory of 4220	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	bdYXHXG.exe
PID 5060 wrote to memory of 4368	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	rRyXVAu.exe
PID 5060 wrote to memory of 4368	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	rRyXVAu.exe
PID 5060 wrote to memory of 4228	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	OjcMNLf.exe
PID 5060 wrote to memory of 4228	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	OjcMNLf.exe
PID 5060 wrote to memory of 4544	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	dtRttGw.exe
PID 5060 wrote to memory of 4544	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	dtRttGw.exe
PID 5060 wrote to memory of 4264	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	eHesGGp.exe
PID 5060 wrote to memory of 4264	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	eHesGGp.exe
PID 5060 wrote to memory of 4724	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	hsWSryt.exe
PID 5060 wrote to memory of 4724	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	hsWSryt.exe
PID 5060 wrote to memory of 3048	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	nchMLfW.exe
PID 5060 wrote to memory of 3048	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	nchMLfW.exe
PID 5060 wrote to memory of 3628	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	AOHGesb.exe
PID 5060 wrote to memory of 3628	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	AOHGesb.exe
PID 5060 wrote to memory of 5036	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	rgusOpz.exe
PID 5060 wrote to memory of 5036	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	rgusOpz.exe
PID 5060 wrote to memory of 4896	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	jYbcmll.exe
PID 5060 wrote to memory of 4896	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	jYbcmll.exe
PID 5060 wrote to memory of 752	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	zICAmQc.exe
PID 5060 wrote to memory of 752	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	zICAmQc.exe
PID 5060 wrote to memory of 3580	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	vPWzNPA.exe
PID 5060 wrote to memory of 3580	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	vPWzNPA.exe
PID 5060 wrote to memory of 2796	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	MUCbDpH.exe
PID 5060 wrote to memory of 2796	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	MUCbDpH.exe
PID 5060 wrote to memory of 1712	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	NpUEqzO.exe
PID 5060 wrote to memory of 1712	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	NpUEqzO.exe
PID 5060 wrote to memory of 3280	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	teKEbrV.exe
PID 5060 wrote to memory of 3280	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	teKEbrV.exe
PID 5060 wrote to memory of 3980	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	eWLnBld.exe
PID 5060 wrote to memory of 3980	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	eWLnBld.exe
PID 5060 wrote to memory of 2200	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	UDyzfCD.exe
PID 5060 wrote to memory of 2200	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	UDyzfCD.exe
PID 5060 wrote to memory of 4300	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	fNfyMVO.exe
PID 5060 wrote to memory of 4300	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	fNfyMVO.exe
PID 5060 wrote to memory of 4944	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	TczZMeg.exe
PID 5060 wrote to memory of 4944	5060	2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe	TczZMeg.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_1e321bfef0a4b154ebe0eddae802d688_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060

C:\Windows\System\oqbjxEr.exe
C:\Windows\System\oqbjxEr.exe
2⤵
- Executes dropped EXE
PID:1076

C:\Windows\System\mBkfZzp.exe
C:\Windows\System\mBkfZzp.exe
2⤵
- Executes dropped EXE
PID:3336

C:\Windows\System\bdYXHXG.exe
C:\Windows\System\bdYXHXG.exe
2⤵
- Executes dropped EXE
PID:4220

C:\Windows\System\rRyXVAu.exe
C:\Windows\System\rRyXVAu.exe
2⤵
- Executes dropped EXE
PID:4368

C:\Windows\System\OjcMNLf.exe
C:\Windows\System\OjcMNLf.exe
2⤵
- Executes dropped EXE
PID:4228

C:\Windows\System\dtRttGw.exe
C:\Windows\System\dtRttGw.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System\eHesGGp.exe
C:\Windows\System\eHesGGp.exe
2⤵
- Executes dropped EXE
PID:4264

C:\Windows\System\hsWSryt.exe
C:\Windows\System\hsWSryt.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\System\nchMLfW.exe
C:\Windows\System\nchMLfW.exe
2⤵
- Executes dropped EXE
PID:3048

C:\Windows\System\AOHGesb.exe
C:\Windows\System\AOHGesb.exe
2⤵
- Executes dropped EXE
PID:3628

C:\Windows\System\rgusOpz.exe
C:\Windows\System\rgusOpz.exe
2⤵
- Executes dropped EXE
PID:5036

C:\Windows\System\jYbcmll.exe
C:\Windows\System\jYbcmll.exe
2⤵
- Executes dropped EXE
PID:4896

C:\Windows\System\zICAmQc.exe
C:\Windows\System\zICAmQc.exe
2⤵
- Executes dropped EXE
PID:752

C:\Windows\System\vPWzNPA.exe
C:\Windows\System\vPWzNPA.exe
2⤵
- Executes dropped EXE
PID:3580

C:\Windows\System\MUCbDpH.exe
C:\Windows\System\MUCbDpH.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\NpUEqzO.exe
C:\Windows\System\NpUEqzO.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\teKEbrV.exe
C:\Windows\System\teKEbrV.exe
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\System\eWLnBld.exe
C:\Windows\System\eWLnBld.exe
2⤵
- Executes dropped EXE
PID:3980

C:\Windows\System\UDyzfCD.exe
C:\Windows\System\UDyzfCD.exe
2⤵
- Executes dropped EXE
PID:2200

C:\Windows\System\fNfyMVO.exe
C:\Windows\System\fNfyMVO.exe
2⤵
- Executes dropped EXE
PID:4300

C:\Windows\System\TczZMeg.exe
C:\Windows\System\TczZMeg.exe
2⤵
- Executes dropped EXE
PID:4944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AOHGesb.exe
Filesize
5.9MB

MD5
98092a6b13e0a55a67f7dae0f1f5bb5c

SHA1
b33827327173b3b72e8bc7b7deda517bfd752a2f

SHA256
bd56621a35baead3bfd77202e1a07fc8cd9e25a2d69892925de3e7550b3f1867

SHA512
a109595edf5d69a29589c02e3751c300d9c17cef5d6fc536efec23cee4bb42784a6f2f1b17a12d41c7846ac7f67555c1b2e699687cd7538834d01d40d427cb34

Download Submit
C:\Windows\System\MUCbDpH.exe
Filesize
5.9MB

MD5
0e31713501d6c6a22c31069bd0213080

SHA1
d2eaa16156bef3bd67cd56269f0651d76803fd79

SHA256
ba6bc6f5e88de1568e941d27156e944a11ac3fe642624f5d0321d78bdabb6656

SHA512
3c2eadcb2bb7c4ccc484fb2468dd55cab26159cb088f63801888e9bcf24a39f8c75a109fa1dd8397a6169016190fc39c460b4dbd19779070b91b58bc1593e604

Download Submit
C:\Windows\System\NpUEqzO.exe
Filesize
5.9MB

MD5
cfea0a83bed60118844e37a34282e033

SHA1
562980d8406528029bcbb2bc8f6bd839aede05ea

SHA256
f9514782b9c6b12577b8f3c221d589481799492094177f40138fec87b3193136

SHA512
02a45607b2f9d2a74ca1d7a14d73d685dc5227fa044fb3bc863639ad0ac7c0ed5da64ca0ad935f135faa86e54f545ee8c4749b72e2fbd0bbf1a6f0db33544d75

Download Submit
C:\Windows\System\OjcMNLf.exe
Filesize
5.9MB

MD5
0f26f226e27bdd6f41b22f2f7e2998ca

SHA1
0afacdb77bca4b6ab4ded7cd572eab7cef553ad7

SHA256
49d155ef4d8bc147de55429a536195fed646605d0b7489be3edd46e6869c1841

SHA512
f747d081d646498523ebd03ae78cdb1d783101512d8ec5649b6c525e02f0b0b587f03e0ce7f16e2ab95990c19accba8f40735e945dd3c44b900c8b22ec38f02c

Download Submit
C:\Windows\System\TczZMeg.exe
Filesize
5.9MB

MD5
41b41e05812f1a8874ee9b56be5e2de2

SHA1
cf95c182b6f3e4c657dc36bde1566f168619ccb6

SHA256
1fc0788d4811c5ed46f5f1249efaf64261f15bdbf18850d94ce1743202953d50

SHA512
12ee89471fbd16315b3aab634547cb207dbe1ddedcc15463819ce8379d3d0b12752f2c98519c8e5963c69ffd261a764d8e951ece377dc594cdf00a633fb4f1cd

Download Submit
C:\Windows\System\UDyzfCD.exe
Filesize
5.9MB

MD5
5c50856138f7c8009e11ce540c502dc1

SHA1
d40fe0142fb30bb567ca1246a51eeeb58b3b2cd2

SHA256
d5a926a5e82df99cf25845bdc1d66d89e9da31663f34c531709343baefeed07f

SHA512
bc95a20985a5b2e90d5cbb75b6a208cd2478b132bac4caa02f777eb4ede5ca16987f5bd979c6779ef43784d4b26f4d7a09452a02d0f58f63c8f06bd23872c558

Download Submit
C:\Windows\System\bdYXHXG.exe
Filesize
5.9MB

MD5
745b9b7a5ba8733fad9214cd07e09758

SHA1
8cc5d18186857f3d6109363b8bb4be70591a9235

SHA256
fb156c97932fae802a6556907d22194dfbce9ec67b870aa9d3e6838a9208d387

SHA512
d703d246629d18365eb823d6e5e236205fab195237ae2ca96571991ca7a1ae3e41cdd8f79a09256205740471b4ca6403c922e1bbddd755a6b20f283c9bc773f2

Download Submit
C:\Windows\System\dtRttGw.exe
Filesize
5.9MB

MD5
75c6f49fa1edb898bc094527dffe7ce3

SHA1
7d1869a4dedb4f4d97d097c3a724cbd057d7d445

SHA256
f16dd5b8d5ac811e828a1c60f75be692ec4990f8faf134db2b948c63c5120bff

SHA512
c33e381f9dee2c40e10f672cfe2c96cae05f66095fb69809eb13c2e518622cc586f2399f70d0e4aeadda10bc150173accae55052eaebc0c5be14ba2882473e14

Download Submit
C:\Windows\System\eHesGGp.exe
Filesize
5.9MB

MD5
0c144d73a07e38dfcdb4aaf0f68475b6

SHA1
090b57cc6d8fa9a83e7bad09abd42af43539b40e

SHA256
88323025f2d2f67db0f0750f3251dc4cb9e3df324098eec7f947a9aefec7e2aa

SHA512
646d1ab5b7bfb64a65d5b1456ace23f7b5006808bd611b90684f52267b796da57c421dd768ef62cf6585ae4938daecc9997906725296e8cc955404609a05cf68

Download Submit
C:\Windows\System\eWLnBld.exe
Filesize
5.9MB

MD5
285c60e81edcedb783a526410714226e

SHA1
ec71b9927b4bbed7c28de70052674270e00c557f

SHA256
6eaf0b9e77feed2132c70929430bc017fd2aa50508869c1ca5cff442aee3875f

SHA512
0e6ac66f766f1396c1093c698d040ce70c3f067b93d39802478bb5ab427ddffb231a53080129460715e2605c66bbd9f954647042e569701a566b8750634271c0

Download Submit
C:\Windows\System\fNfyMVO.exe
Filesize
5.9MB

MD5
b54c0003dc4d7423a067d2946a2918e1

SHA1
6b06a9a1d06bdd6bd8d1f76d27e2051c6cd78ad0

SHA256
5436ed857a86749749894fcb63933dc7519cfb95089d61736787c7e27e37168c

SHA512
ec94c605655153d58fd90112d8c8c71fd38b11f94cd358e550f424a8efbc3a9e9c76bdfcf8948a75f7a0f3325396531cd862f20a4bddd53c5462b7005f0776a4

Download Submit
C:\Windows\System\hsWSryt.exe
Filesize
5.9MB

MD5
5e57df31c4aaf787a7cf3fc04ef74ed3

SHA1
b5c48d9cc08d13152f01fbd60e57880596e93de6

SHA256
950b023a42a0db3132824148e7977cc80cec80a0dc552806cb456626b7609d4d

SHA512
4ebfaa4cdb03cf0e8093def93af97226ea19042034cd479dec332b4a22bfb676bc8c3788322aac07cc84f95e42be5077857e43c6656ed93011140662909948e2

Download Submit
C:\Windows\System\jYbcmll.exe
Filesize
5.9MB

MD5
8d771233f24c553c3a397b12291081e0

SHA1
4865e2b2ba0df13e10aba1704bca531a4603dbe3

SHA256
08fc1fe145ed67dc5924b809248db5a1b31399347eacc6fc9bfab7e1594fd22a

SHA512
6cdc851441f1c723f4f95d173c6d89de74522374d6150b282f867ca0272390ec9f083d13154532bfa0ca9246b74c43eb6f6f87af3bab958444e4bf1ab98d05e0

Download Submit
C:\Windows\System\mBkfZzp.exe
Filesize
5.9MB

MD5
6fafd84fd05ef6ba3e6be3fe3ea56c8a

SHA1
1e95c6ea7ebab898463d97601d58e0133cea9f75

SHA256
7b0679c81224f933b7b55791e9077efe499794573b12d394aea4ca9e7a08e6de

SHA512
a016e0846f575360f86fcfce34b85792212135d761105b23368ac99608bca23a4633c5ff411a62d30d4755737d4c9cd545786a293c0fd1928d77ff36d079891a

Download Submit
C:\Windows\System\nchMLfW.exe
Filesize
5.9MB

MD5
d349f8677cff23f95b62fd9b274742c7

SHA1
371916f6c3d36ee6900329b2dfe8616a6b09995b

SHA256
32bb7d1cea0ef455ff955deed589d1a013619eb571d0c51bbca4b5d2ebcca0cc

SHA512
db4254a341db83f533dc0772d069c147b8e65d70d25e43b38cd82acfbb61a16c1cc2af6531ccbce4c683b3a224cfa45e0195b1c18bbae3c670c09fd4a897a586

Download Submit
C:\Windows\System\oqbjxEr.exe
Filesize
5.9MB

MD5
a63ca77fa4221179e888c1339cd944da

SHA1
3207b7a00374856b4f35012902e60fa35c68f2f4

SHA256
b00f1a28e174a61bf984c72e90ebd9adbfe322d24e37bcfd7b2e69ccc2eb6b35

SHA512
7ce31a51ac29089ee5df1e87478ed794a36eda004ef981bbaf8737627e80e05a94ffa91cc5dc4e1473a9272340d73a74c6e62fc7695ff8514e5008b1e051a096

Download Submit
C:\Windows\System\rRyXVAu.exe
Filesize
5.9MB

MD5
27ef1a7a08a906b6b19c4655117ec388

SHA1
9f0bfafec4c2aff11e1592399cba8f7edfb08a1d

SHA256
3c20e3a9cf2bc11806b0c1304b2a38274b8aaae4dc5fe8b33f998d5bf82f637d

SHA512
53a967c6f84b3f43c7d467688a30a741690e7f2c27a8afa8c18708d233866509109e421ad99911d56756ee8e100ffa338a30f8701ce74780cc67b19ccffe6603

Download Submit
C:\Windows\System\rgusOpz.exe
Filesize
5.9MB

MD5
491764095c3236f2afec46a92061d2c6

SHA1
46912b74ab8385928697f572aa30c87d0ffa1433

SHA256
8c050fffbbb898d988469cc4a20282d597dc1ff8bafdaf2734d4d05c2fb6ae0d

SHA512
c987a71424ae07b63d6a0f3acbdc53eb2fd9e8c49f597bc6b988defbe0d702ba5741bdced29219963b8c8a795e5f1fc59868a8f2857bd687b0c7206170d60c2c

Download Submit
C:\Windows\System\teKEbrV.exe
Filesize
5.9MB

MD5
3591f33b9200385303fc8a962d7b1d19

SHA1
4c1f0036a300d5f2970614fb561ece6898912712

SHA256
5ed96c8fb94ebefe95c3e651a426304a174ba531e79f03884847cdd8b7e24da3

SHA512
69975442c937578984410032e61de8998d714dd32e4fbe12f14ca17e73c331a5d0cf100980f4ab703923bbad46b289a62e682711470e2a93ab121f987f3fdcf7

Download Submit
C:\Windows\System\vPWzNPA.exe
Filesize
5.9MB

MD5
778e2a0e50a832c31d57403c158d5f85

SHA1
d0c05ad0ae17df89747ab6d5c44c11cfc8f9af7d

SHA256
5f3600ad35412fe25d2d30e196d65ecad35618816af3388403666cf84a8c6756

SHA512
4ca5174873d65a24cb9fe10012d1a06210682fc4279e1831b398de0ae12245187503b4a1953ad7203c87ca572e6054781792da05c96fe3306528e81faa12ed8c

Download Submit
C:\Windows\System\zICAmQc.exe
Filesize
5.9MB

MD5
eb32c8cd9d442fd7fe8092a7d4e1bad5

SHA1
f7a5436f115180c339a3075e092e7ebd3df4936a

SHA256
a2f5862f3a7e85bd1cb43e031efbee8fb79fa4107f360bfd8d43aa9b5318eabc

SHA512
04d678f4f1e22fb3da260952f608ed2c1d9ed81927e9f8ecdd1e2239c707b899f64c3296a823a28e612d549a05730daf5a47c3c669b58f6427d0187b568739a7

Download Submit
memory/752-151-0x00007FF620120000-0x00007FF620474000-memory.dmp

Filesize
3.3MB

Download
memory/752-84-0x00007FF620120000-0x00007FF620474000-memory.dmp

Filesize
3.3MB

Download
memory/1076-8-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp

Filesize
3.3MB

Download
memory/1076-139-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp

Filesize
3.3MB

Download
memory/1076-74-0x00007FF64CCB0000-0x00007FF64D004000-memory.dmp

Filesize
3.3MB

Download
memory/1712-154-0x00007FF6C1BF0000-0x00007FF6C1F44000-memory.dmp

Filesize
3.3MB

Download
memory/1712-104-0x00007FF6C1BF0000-0x00007FF6C1F44000-memory.dmp

Filesize
3.3MB

Download
memory/2200-157-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-138-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2200-122-0x00007FF75CC80000-0x00007FF75CFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-97-0x00007FF603D20000-0x00007FF604074000-memory.dmp

Filesize
3.3MB

Download
memory/2796-153-0x00007FF603D20000-0x00007FF604074000-memory.dmp

Filesize
3.3MB

Download
memory/3048-64-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp

Filesize
3.3MB

Download
memory/3048-147-0x00007FF69FF40000-0x00007FF6A0294000-memory.dmp

Filesize
3.3MB

Download
memory/3280-155-0x00007FF69E140000-0x00007FF69E494000-memory.dmp

Filesize
3.3MB

Download
memory/3280-110-0x00007FF69E140000-0x00007FF69E494000-memory.dmp

Filesize
3.3MB

Download
memory/3336-140-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp

Filesize
3.3MB

Download
memory/3336-14-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp

Filesize
3.3MB

Download
memory/3336-82-0x00007FF7B0EF0000-0x00007FF7B1244000-memory.dmp

Filesize
3.3MB

Download
memory/3580-90-0x00007FF6D0F80000-0x00007FF6D12D4000-memory.dmp

Filesize
3.3MB

Download
memory/3580-152-0x00007FF6D0F80000-0x00007FF6D12D4000-memory.dmp

Filesize
3.3MB

Download
memory/3628-148-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp

Filesize
3.3MB

Download
memory/3628-69-0x00007FF6DB040000-0x00007FF6DB394000-memory.dmp

Filesize
3.3MB

Download
memory/3980-115-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp

Filesize
3.3MB

Download
memory/3980-156-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp

Filesize
3.3MB

Download
memory/3980-137-0x00007FF7F34B0000-0x00007FF7F3804000-memory.dmp

Filesize
3.3MB

Download
memory/4220-89-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp

Filesize
3.3MB

Download
memory/4220-20-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp

Filesize
3.3MB

Download
memory/4220-141-0x00007FF6259C0000-0x00007FF625D14000-memory.dmp

Filesize
3.3MB

Download
memory/4228-32-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp

Filesize
3.3MB

Download
memory/4228-143-0x00007FF6DADE0000-0x00007FF6DB134000-memory.dmp

Filesize
3.3MB

Download
memory/4264-113-0x00007FF601220000-0x00007FF601574000-memory.dmp

Filesize
3.3MB

Download
memory/4264-44-0x00007FF601220000-0x00007FF601574000-memory.dmp

Filesize
3.3MB

Download
memory/4264-145-0x00007FF601220000-0x00007FF601574000-memory.dmp

Filesize
3.3MB

Download
memory/4300-158-0x00007FF683E10000-0x00007FF684164000-memory.dmp

Filesize
3.3MB

Download
memory/4300-132-0x00007FF683E10000-0x00007FF684164000-memory.dmp

Filesize
3.3MB

Download
memory/4368-24-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp

Filesize
3.3MB

Download
memory/4368-96-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp

Filesize
3.3MB

Download
memory/4368-142-0x00007FF7FF8E0000-0x00007FF7FFC34000-memory.dmp

Filesize
3.3MB

Download
memory/4544-38-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp

Filesize
3.3MB

Download
memory/4544-144-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp

Filesize
3.3MB

Download
memory/4544-109-0x00007FF7167F0000-0x00007FF716B44000-memory.dmp

Filesize
3.3MB

Download
memory/4724-146-0x00007FF637DB0000-0x00007FF638104000-memory.dmp

Filesize
3.3MB

Download
memory/4724-114-0x00007FF637DB0000-0x00007FF638104000-memory.dmp

Filesize
3.3MB

Download
memory/4724-51-0x00007FF637DB0000-0x00007FF638104000-memory.dmp

Filesize
3.3MB

Download
memory/4896-150-0x00007FF608F60000-0x00007FF6092B4000-memory.dmp

Filesize
3.3MB

Download
memory/4896-76-0x00007FF608F60000-0x00007FF6092B4000-memory.dmp

Filesize
3.3MB

Download
memory/4944-136-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp

Filesize
3.3MB

Download
memory/4944-159-0x00007FF7CB840000-0x00007FF7CBB94000-memory.dmp

Filesize
3.3MB

Download
memory/5036-149-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-130-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-65-0x00007FF665C70000-0x00007FF665FC4000-memory.dmp

Filesize
3.3MB

Download
memory/5060-0-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp

Filesize
3.3MB

Download
memory/5060-68-0x00007FF7F8F10000-0x00007FF7F9264000-memory.dmp

Filesize
3.3MB

Download
memory/5060-1-0x000002D71F6E0000-0x000002D71F6F0000-memory.dmp

Filesize
64KB

Download