cobaltstrike | 250de0607d512c5ac99ec32e42f059119460410e33b4ac1f9b577a9a5d3325aa

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

3601165c2710936d5388e866ebe52a8c
SHA1

2ae8eb5c7eb146ee2e92d3d5fe9317e94ca64eea
SHA256

250de0607d512c5ac99ec32e42f059119460410e33b4ac1f9b577a9a5d3325aa
SHA512

0fb58d6ff0a54f00c405fd79cf9e4fd27c4e09232756f0c02a37a26f3c2d409d92f98e55787f4c1e4f01f8745f8b34a3551ae694987192ab9c10d9c976bceeca
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUt:Q+856utgpPF8u/7t

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\urYTxdk.exe	cobalt_reflective_dll
C:\Windows\System\tHslcYK.exe	cobalt_reflective_dll
C:\Windows\System\BPAelOJ.exe	cobalt_reflective_dll
C:\Windows\System\UGUbgKV.exe	cobalt_reflective_dll
C:\Windows\System\XJvrCCm.exe	cobalt_reflective_dll
C:\Windows\System\HpejeBL.exe	cobalt_reflective_dll
C:\Windows\System\bxlqwNG.exe	cobalt_reflective_dll
C:\Windows\System\FokpRNN.exe	cobalt_reflective_dll
C:\Windows\System\KoItgUY.exe	cobalt_reflective_dll
C:\Windows\System\nBFOCfJ.exe	cobalt_reflective_dll
C:\Windows\System\rwoRiJx.exe	cobalt_reflective_dll
C:\Windows\System\QEkEHdK.exe	cobalt_reflective_dll
C:\Windows\System\onXnVBY.exe	cobalt_reflective_dll
C:\Windows\System\kaVftuC.exe	cobalt_reflective_dll
C:\Windows\System\OzxenSF.exe	cobalt_reflective_dll
C:\Windows\System\dcnXTxh.exe	cobalt_reflective_dll
C:\Windows\System\iOeOkHP.exe	cobalt_reflective_dll
C:\Windows\System\epyLJll.exe	cobalt_reflective_dll
C:\Windows\System\qSNKMMb.exe	cobalt_reflective_dll
C:\Windows\System\izIlmov.exe	cobalt_reflective_dll
C:\Windows\System\kbZriLR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Reflective DLL injection artifacts 21 IoCs

Processes:

resource	yara_rule
C:\Windows\System\urYTxdk.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\tHslcYK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\BPAelOJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\UGUbgKV.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\XJvrCCm.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\HpejeBL.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\bxlqwNG.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\FokpRNN.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\KoItgUY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\nBFOCfJ.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\rwoRiJx.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\QEkEHdK.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\onXnVBY.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kaVftuC.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\OzxenSF.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\dcnXTxh.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\iOeOkHP.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\epyLJll.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\qSNKMMb.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\izIlmov.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader
C:\Windows\System\kbZriLR.exe	INDICATOR_SUSPICIOUS_ReflectiveLoader

UPX dump on OEP (original entry point) 64 IoCs

Processes:

resource	yara_rule
behavioral2/memory/232-0-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	UPX
C:\Windows\System\urYTxdk.exe	UPX
behavioral2/memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp	UPX
C:\Windows\System\tHslcYK.exe	UPX
C:\Windows\System\BPAelOJ.exe	UPX
behavioral2/memory/3628-12-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	UPX
behavioral2/memory/4884-18-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	UPX
C:\Windows\System\UGUbgKV.exe	UPX
C:\Windows\System\XJvrCCm.exe	UPX
C:\Windows\System\HpejeBL.exe	UPX
C:\Windows\System\bxlqwNG.exe	UPX
C:\Windows\System\FokpRNN.exe	UPX
C:\Windows\System\KoItgUY.exe	UPX
C:\Windows\System\nBFOCfJ.exe	UPX
C:\Windows\System\rwoRiJx.exe	UPX
C:\Windows\System\QEkEHdK.exe	UPX
C:\Windows\System\onXnVBY.exe	UPX
C:\Windows\System\kaVftuC.exe	UPX
C:\Windows\System\OzxenSF.exe	UPX
C:\Windows\System\dcnXTxh.exe	UPX
C:\Windows\System\iOeOkHP.exe	UPX
C:\Windows\System\epyLJll.exe	UPX
C:\Windows\System\qSNKMMb.exe	UPX
C:\Windows\System\izIlmov.exe	UPX
C:\Windows\System\kbZriLR.exe	UPX
behavioral2/memory/1964-52-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	UPX
behavioral2/memory/2500-42-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	UPX
behavioral2/memory/2704-34-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	UPX
behavioral2/memory/3324-29-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	UPX
behavioral2/memory/1684-26-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	UPX
behavioral2/memory/4256-117-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp	UPX
behavioral2/memory/408-118-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp	UPX
behavioral2/memory/1140-119-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp	UPX
behavioral2/memory/4416-116-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	UPX
behavioral2/memory/2672-115-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	UPX
behavioral2/memory/2680-120-0x00007FF626A30000-0x00007FF626D84000-memory.dmp	UPX
behavioral2/memory/4968-121-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	UPX
behavioral2/memory/3356-122-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp	UPX
behavioral2/memory/1944-123-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp	UPX
behavioral2/memory/3388-125-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	UPX
behavioral2/memory/2440-126-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	UPX
behavioral2/memory/4640-124-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	UPX
behavioral2/memory/4124-127-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp	UPX
behavioral2/memory/232-128-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	UPX
behavioral2/memory/2696-129-0x00007FF706E30000-0x00007FF707184000-memory.dmp	UPX
behavioral2/memory/3628-130-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	UPX
behavioral2/memory/4884-131-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	UPX
behavioral2/memory/3324-132-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	UPX
behavioral2/memory/2704-133-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	UPX
behavioral2/memory/2500-134-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	UPX
behavioral2/memory/2696-135-0x00007FF706E30000-0x00007FF707184000-memory.dmp	UPX
behavioral2/memory/3628-136-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	UPX
behavioral2/memory/1684-137-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	UPX
behavioral2/memory/4884-138-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	UPX
behavioral2/memory/3324-139-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	UPX
behavioral2/memory/2672-141-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	UPX
behavioral2/memory/2500-140-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	UPX
behavioral2/memory/2704-143-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	UPX
behavioral2/memory/1964-142-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	UPX
behavioral2/memory/4968-145-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	UPX
behavioral2/memory/2440-151-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	UPX
behavioral2/memory/3388-154-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	UPX
behavioral2/memory/4640-153-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	UPX
behavioral2/memory/4416-152-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/232-0-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	xmrig
C:\Windows\System\urYTxdk.exe	xmrig
behavioral2/memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp	xmrig
C:\Windows\System\tHslcYK.exe	xmrig
C:\Windows\System\BPAelOJ.exe	xmrig
behavioral2/memory/3628-12-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	xmrig
behavioral2/memory/4884-18-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	xmrig
C:\Windows\System\UGUbgKV.exe	xmrig
C:\Windows\System\XJvrCCm.exe	xmrig
C:\Windows\System\HpejeBL.exe	xmrig
C:\Windows\System\bxlqwNG.exe	xmrig
C:\Windows\System\FokpRNN.exe	xmrig
C:\Windows\System\KoItgUY.exe	xmrig
C:\Windows\System\nBFOCfJ.exe	xmrig
C:\Windows\System\rwoRiJx.exe	xmrig
C:\Windows\System\QEkEHdK.exe	xmrig
C:\Windows\System\onXnVBY.exe	xmrig
C:\Windows\System\kaVftuC.exe	xmrig
C:\Windows\System\OzxenSF.exe	xmrig
C:\Windows\System\dcnXTxh.exe	xmrig
C:\Windows\System\iOeOkHP.exe	xmrig
C:\Windows\System\epyLJll.exe	xmrig
C:\Windows\System\qSNKMMb.exe	xmrig
C:\Windows\System\izIlmov.exe	xmrig
C:\Windows\System\kbZriLR.exe	xmrig
behavioral2/memory/1964-52-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	xmrig
behavioral2/memory/2500-42-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	xmrig
behavioral2/memory/2704-34-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	xmrig
behavioral2/memory/3324-29-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	xmrig
behavioral2/memory/1684-26-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	xmrig
behavioral2/memory/4256-117-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp	xmrig
behavioral2/memory/408-118-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp	xmrig
behavioral2/memory/1140-119-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp	xmrig
behavioral2/memory/4416-116-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	xmrig
behavioral2/memory/2672-115-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	xmrig
behavioral2/memory/2680-120-0x00007FF626A30000-0x00007FF626D84000-memory.dmp	xmrig
behavioral2/memory/4968-121-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	xmrig
behavioral2/memory/3356-122-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp	xmrig
behavioral2/memory/1944-123-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp	xmrig
behavioral2/memory/3388-125-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	xmrig
behavioral2/memory/2440-126-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	xmrig
behavioral2/memory/4640-124-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	xmrig
behavioral2/memory/4124-127-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp	xmrig
behavioral2/memory/232-128-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	xmrig
behavioral2/memory/2696-129-0x00007FF706E30000-0x00007FF707184000-memory.dmp	xmrig
behavioral2/memory/3628-130-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	xmrig
behavioral2/memory/4884-131-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	xmrig
behavioral2/memory/3324-132-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	xmrig
behavioral2/memory/2704-133-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	xmrig
behavioral2/memory/2500-134-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	xmrig
behavioral2/memory/2696-135-0x00007FF706E30000-0x00007FF707184000-memory.dmp	xmrig
behavioral2/memory/3628-136-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	xmrig
behavioral2/memory/1684-137-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	xmrig
behavioral2/memory/4884-138-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	xmrig
behavioral2/memory/3324-139-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	xmrig
behavioral2/memory/2672-141-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	xmrig
behavioral2/memory/2500-140-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	xmrig
behavioral2/memory/2704-143-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	xmrig
behavioral2/memory/1964-142-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	xmrig
behavioral2/memory/4968-145-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	xmrig
behavioral2/memory/2440-151-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	xmrig
behavioral2/memory/3388-154-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	xmrig
behavioral2/memory/4640-153-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	xmrig
behavioral2/memory/4416-152-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

urYTxdk.exeBPAelOJ.exetHslcYK.exeUGUbgKV.exeHpejeBL.exeXJvrCCm.exebxlqwNG.exeFokpRNN.exeKoItgUY.exenBFOCfJ.exerwoRiJx.exekbZriLR.exeizIlmov.exeQEkEHdK.exeqSNKMMb.exeonXnVBY.exeepyLJll.exekaVftuC.exeiOeOkHP.exedcnXTxh.exeOzxenSF.exe

pid	process
2696	urYTxdk.exe
3628	BPAelOJ.exe
4884	tHslcYK.exe
1684	UGUbgKV.exe
3324	HpejeBL.exe
2704	XJvrCCm.exe
2500	bxlqwNG.exe
1964	FokpRNN.exe
2672	KoItgUY.exe
4416	nBFOCfJ.exe
4256	rwoRiJx.exe
408	kbZriLR.exe
1140	izIlmov.exe
2680	QEkEHdK.exe
4968	qSNKMMb.exe
3356	onXnVBY.exe
1944	epyLJll.exe
4640	kaVftuC.exe
3388	iOeOkHP.exe
2440	dcnXTxh.exe
4124	OzxenSF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/232-0-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	upx
C:\Windows\System\urYTxdk.exe	upx
behavioral2/memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp	upx
C:\Windows\System\tHslcYK.exe	upx
C:\Windows\System\BPAelOJ.exe	upx
behavioral2/memory/3628-12-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	upx
behavioral2/memory/4884-18-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	upx
C:\Windows\System\UGUbgKV.exe	upx
C:\Windows\System\XJvrCCm.exe	upx
C:\Windows\System\HpejeBL.exe	upx
C:\Windows\System\bxlqwNG.exe	upx
C:\Windows\System\FokpRNN.exe	upx
C:\Windows\System\KoItgUY.exe	upx
C:\Windows\System\nBFOCfJ.exe	upx
C:\Windows\System\rwoRiJx.exe	upx
C:\Windows\System\QEkEHdK.exe	upx
C:\Windows\System\onXnVBY.exe	upx
C:\Windows\System\kaVftuC.exe	upx
C:\Windows\System\OzxenSF.exe	upx
C:\Windows\System\dcnXTxh.exe	upx
C:\Windows\System\iOeOkHP.exe	upx
C:\Windows\System\epyLJll.exe	upx
C:\Windows\System\qSNKMMb.exe	upx
C:\Windows\System\izIlmov.exe	upx
C:\Windows\System\kbZriLR.exe	upx
behavioral2/memory/1964-52-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	upx
behavioral2/memory/2500-42-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	upx
behavioral2/memory/2704-34-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	upx
behavioral2/memory/3324-29-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	upx
behavioral2/memory/1684-26-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	upx
behavioral2/memory/4256-117-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp	upx
behavioral2/memory/408-118-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp	upx
behavioral2/memory/1140-119-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp	upx
behavioral2/memory/4416-116-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	upx
behavioral2/memory/2672-115-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	upx
behavioral2/memory/2680-120-0x00007FF626A30000-0x00007FF626D84000-memory.dmp	upx
behavioral2/memory/4968-121-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	upx
behavioral2/memory/3356-122-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp	upx
behavioral2/memory/1944-123-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp	upx
behavioral2/memory/3388-125-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	upx
behavioral2/memory/2440-126-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	upx
behavioral2/memory/4640-124-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	upx
behavioral2/memory/4124-127-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp	upx
behavioral2/memory/232-128-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp	upx
behavioral2/memory/2696-129-0x00007FF706E30000-0x00007FF707184000-memory.dmp	upx
behavioral2/memory/3628-130-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	upx
behavioral2/memory/4884-131-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	upx
behavioral2/memory/3324-132-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	upx
behavioral2/memory/2704-133-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	upx
behavioral2/memory/2500-134-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	upx
behavioral2/memory/2696-135-0x00007FF706E30000-0x00007FF707184000-memory.dmp	upx
behavioral2/memory/3628-136-0x00007FF755DD0000-0x00007FF756124000-memory.dmp	upx
behavioral2/memory/1684-137-0x00007FF610FB0000-0x00007FF611304000-memory.dmp	upx
behavioral2/memory/4884-138-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp	upx
behavioral2/memory/3324-139-0x00007FF656250000-0x00007FF6565A4000-memory.dmp	upx
behavioral2/memory/2672-141-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp	upx
behavioral2/memory/2500-140-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp	upx
behavioral2/memory/2704-143-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp	upx
behavioral2/memory/1964-142-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp	upx
behavioral2/memory/4968-145-0x00007FF6633B0000-0x00007FF663704000-memory.dmp	upx
behavioral2/memory/2440-151-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp	upx
behavioral2/memory/3388-154-0x00007FF772FF0000-0x00007FF773344000-memory.dmp	upx
behavioral2/memory/4640-153-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp	upx
behavioral2/memory/4416-152-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\OzxenSF.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rwoRiJx.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kbZriLR.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\onXnVBY.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kaVftuC.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epyLJll.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urYTxdk.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HpejeBL.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJvrCCm.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bxlqwNG.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BPAelOJ.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KoItgUY.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nBFOCfJ.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QEkEHdK.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qSNKMMb.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iOeOkHP.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dcnXTxh.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHslcYK.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGUbgKV.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FokpRNN.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izIlmov.exe	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 232 wrote to memory of 2696	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	urYTxdk.exe
PID 232 wrote to memory of 2696	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	urYTxdk.exe
PID 232 wrote to memory of 3628	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	BPAelOJ.exe
PID 232 wrote to memory of 3628	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	BPAelOJ.exe
PID 232 wrote to memory of 4884	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	tHslcYK.exe
PID 232 wrote to memory of 4884	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	tHslcYK.exe
PID 232 wrote to memory of 1684	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	UGUbgKV.exe
PID 232 wrote to memory of 1684	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	UGUbgKV.exe
PID 232 wrote to memory of 3324	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	HpejeBL.exe
PID 232 wrote to memory of 3324	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	HpejeBL.exe
PID 232 wrote to memory of 2704	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	XJvrCCm.exe
PID 232 wrote to memory of 2704	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	XJvrCCm.exe
PID 232 wrote to memory of 2500	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	bxlqwNG.exe
PID 232 wrote to memory of 2500	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	bxlqwNG.exe
PID 232 wrote to memory of 1964	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	FokpRNN.exe
PID 232 wrote to memory of 1964	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	FokpRNN.exe
PID 232 wrote to memory of 2672	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	KoItgUY.exe
PID 232 wrote to memory of 2672	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	KoItgUY.exe
PID 232 wrote to memory of 4416	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	nBFOCfJ.exe
PID 232 wrote to memory of 4416	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	nBFOCfJ.exe
PID 232 wrote to memory of 4256	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	rwoRiJx.exe
PID 232 wrote to memory of 4256	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	rwoRiJx.exe
PID 232 wrote to memory of 408	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	kbZriLR.exe
PID 232 wrote to memory of 408	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	kbZriLR.exe
PID 232 wrote to memory of 1140	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	izIlmov.exe
PID 232 wrote to memory of 1140	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	izIlmov.exe
PID 232 wrote to memory of 2680	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	QEkEHdK.exe
PID 232 wrote to memory of 2680	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	QEkEHdK.exe
PID 232 wrote to memory of 4968	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	qSNKMMb.exe
PID 232 wrote to memory of 4968	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	qSNKMMb.exe
PID 232 wrote to memory of 3356	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	onXnVBY.exe
PID 232 wrote to memory of 3356	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	onXnVBY.exe
PID 232 wrote to memory of 1944	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	epyLJll.exe
PID 232 wrote to memory of 1944	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	epyLJll.exe
PID 232 wrote to memory of 4640	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	kaVftuC.exe
PID 232 wrote to memory of 4640	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	kaVftuC.exe
PID 232 wrote to memory of 3388	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	iOeOkHP.exe
PID 232 wrote to memory of 3388	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	iOeOkHP.exe
PID 232 wrote to memory of 2440	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	dcnXTxh.exe
PID 232 wrote to memory of 2440	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	dcnXTxh.exe
PID 232 wrote to memory of 4124	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	OzxenSF.exe
PID 232 wrote to memory of 4124	232	2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe	OzxenSF.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_3601165c2710936d5388e866ebe52a8c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232

C:\Windows\System\urYTxdk.exe
C:\Windows\System\urYTxdk.exe
2⤵
- Executes dropped EXE
PID:2696

C:\Windows\System\BPAelOJ.exe
C:\Windows\System\BPAelOJ.exe
2⤵
- Executes dropped EXE
PID:3628

C:\Windows\System\tHslcYK.exe
C:\Windows\System\tHslcYK.exe
2⤵
- Executes dropped EXE
PID:4884

C:\Windows\System\UGUbgKV.exe
C:\Windows\System\UGUbgKV.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\HpejeBL.exe
C:\Windows\System\HpejeBL.exe
2⤵
- Executes dropped EXE
PID:3324

C:\Windows\System\XJvrCCm.exe
C:\Windows\System\XJvrCCm.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\bxlqwNG.exe
C:\Windows\System\bxlqwNG.exe
2⤵
- Executes dropped EXE
PID:2500

C:\Windows\System\FokpRNN.exe
C:\Windows\System\FokpRNN.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\KoItgUY.exe
C:\Windows\System\KoItgUY.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\nBFOCfJ.exe
C:\Windows\System\nBFOCfJ.exe
2⤵
- Executes dropped EXE
PID:4416

C:\Windows\System\rwoRiJx.exe
C:\Windows\System\rwoRiJx.exe
2⤵
- Executes dropped EXE
PID:4256

C:\Windows\System\kbZriLR.exe
C:\Windows\System\kbZriLR.exe
2⤵
- Executes dropped EXE
PID:408

C:\Windows\System\izIlmov.exe
C:\Windows\System\izIlmov.exe
2⤵
- Executes dropped EXE
PID:1140

C:\Windows\System\QEkEHdK.exe
C:\Windows\System\QEkEHdK.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Windows\System\qSNKMMb.exe
C:\Windows\System\qSNKMMb.exe
2⤵
- Executes dropped EXE
PID:4968

C:\Windows\System\onXnVBY.exe
C:\Windows\System\onXnVBY.exe
2⤵
- Executes dropped EXE
PID:3356

C:\Windows\System\epyLJll.exe
C:\Windows\System\epyLJll.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\kaVftuC.exe
C:\Windows\System\kaVftuC.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\System\iOeOkHP.exe
C:\Windows\System\iOeOkHP.exe
2⤵
- Executes dropped EXE
PID:3388

C:\Windows\System\dcnXTxh.exe
C:\Windows\System\dcnXTxh.exe
2⤵
- Executes dropped EXE
PID:2440

C:\Windows\System\OzxenSF.exe
C:\Windows\System\OzxenSF.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,5229431749694857451,16836185654682871752,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:4508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BPAelOJ.exe
Filesize
5.9MB

MD5
d3dbf4b55a2ceed173d660c0f5b485e4

SHA1
3d4341aee01228f715ccd88e7ba322909b75a7ac

SHA256
6f302bcce9e6c7213ed3e2b64ef11bba633379281f8da8265c99283998f52901

SHA512
76658aa1b8d47c611aee1df0493a45bdd4da5bae2b14ceccb35f6250bd5fd1cd5c960db2a4b875a1f774710ce84b43b98eeb73e68f153c722d38d8a0262860b3

Download Submit
C:\Windows\System\FokpRNN.exe
Filesize
5.9MB

MD5
898792cf21a74f2aed392a48d3b2ebb6

SHA1
d402ace95e4068e9fd2c83b8a01f2c85031af49d

SHA256
b4d2e909828b4f770342f07a8f5f16cbba31dd43f39dae1fc40f3c3bffde7f67

SHA512
019e19d29207d804ea919cbadf2f1fa6298663783959fff1156548a82c0b8e35f91142d498c51e279238490f338d825841865ca83b0d991a3031a98badde484d

Download Submit
C:\Windows\System\HpejeBL.exe
Filesize
5.9MB

MD5
bcc5808dffe6107e3761fd72275625b9

SHA1
c46071722c332e1157db7f8043257a23cb2e41d6

SHA256
a6c10f22bd66c3690e648a189f73543e7112a6cddee0d6180b2c44f99d577438

SHA512
16f3af726f115cdf4f64701feb642f3b192ab1fc06ca5807fd95210c65826e9d2a4bbf2f785845782dd7bceceae5e050da08817f8c38e2a47448f03309ca70ef

Download Submit
C:\Windows\System\KoItgUY.exe
Filesize
5.9MB

MD5
87ec3a92b99dae2a98ef8ec65a43f8fa

SHA1
bb86151ef824fa8a271ecbe8087ca260d7dd8dfb

SHA256
0af609251778387bd9eb251cd06ee5065a494d1a758e3903b6a51adeb2ac9955

SHA512
f20d5eb12bca0111f3a852a0e1e5d4eac2b8a658835ca980bfd385a386604e1cdfe21ea33de0a049f586b5a1f04da3552a2d7f346d8e55d4b2a793816b4ab5af

Download Submit
C:\Windows\System\OzxenSF.exe
Filesize
5.9MB

MD5
7d0cadc7edb1c4b76f079036a601eff4

SHA1
c9bd96de73526af92aea2a977185e45b498b890b

SHA256
bb49977b477b0564d6b095ebbdba1488963bbba66d04b355b1aaa0fbf4a88654

SHA512
6ec9a44c4dca9791f32373d51905f9d56b22f76cb97c4b5b17a100566ba6a573885c610103f8bba835b4fc8edf6cf86c7559eb764be22ecdfb6420759493a2dd

Download Submit
C:\Windows\System\QEkEHdK.exe
Filesize
5.9MB

MD5
5d53d8bc037febba3268929428439cae

SHA1
a911f184daf51d1f8e5bf759f23478b22c5c2a16

SHA256
1ea2754bedd4c2087c725bfdd6aa87fb731251b4f47fb9050bf7668aa8d02208

SHA512
42e8060d79d032b9f5635a1b69a8d24313aa8318a03c00a42491931ac81d927f1fc210a0844b7b5533aac28f7fed4b32344b8f5aa2706697a232746775ef0db8

Download Submit
C:\Windows\System\UGUbgKV.exe
Filesize
5.9MB

MD5
19f5ef6486fbb1bdfd7c4cec9b267d75

SHA1
007921b897fcca6c4e8e4c749587c0333998446e

SHA256
53b50034445532e73d803c1e0d6a24bd50e63c3a1289fac350bed78de4a72564

SHA512
57defd6f56dff4a24c99606004ca88685839654043fa7c63a91b49eb2844b97821578136a54464c93b73f7bf23fc5436e8cd6b1c15687fd7e1e29a9c1f4212dc

Download Submit
C:\Windows\System\XJvrCCm.exe
Filesize
5.9MB

MD5
b2d715a04232d421600c0a5ceedd548c

SHA1
1f926ee8177f7b17ac8b4312f1a9b218c6560088

SHA256
0c4ed3962fec6504a3c59998cba8e2935f78084c69ecefd839997f4130b87bf8

SHA512
ffa7b8074a35856cad43dc875ff9978c6ec3b96c651bb2c6ae9173999457b7817d28d859a176782d0c04ebd0bdb77bcbc125f767fda09368eb62d30293413531

Download Submit
C:\Windows\System\bxlqwNG.exe
Filesize
5.9MB

MD5
5bc6ac7485f3aa6175d41ed132fd54ac

SHA1
1574189bf7a1197c9db9587b4015c458a58950aa

SHA256
40539fa92e41443f48dc8805c8cf0643b608c6cb5bcc875442930a4b1008697a

SHA512
35e8b8c0052d0312b37c908602de061c2add5bad298a4bd5f7a50eb4a42b0a3952c8bc88f70f9a019a66f51b59c65799c4e426fdd8db69afed8f5ce976d09a4f

Download Submit
C:\Windows\System\dcnXTxh.exe
Filesize
5.9MB

MD5
16ba6e151b32abbfa6328ed37cd9403d

SHA1
3ff5f0463e3f2efd186f4aeb1849d9cd85a16c67

SHA256
16cfc2c65b16ad9d2f97a2f2edbae82b28426294f64dec03b958fb2b355f517f

SHA512
ba8f3ba785c934e8a09b20f2442a09d544b13aa74654f2cdb2cb15baa7479acf0044a7ec9659cf8eb6f532e18a3e3e438bb8d92e6820978ade6cbafa13d978bc

Download Submit
C:\Windows\System\epyLJll.exe
Filesize
5.9MB

MD5
f3c6afeb3cd897549410a1e88b618d2c

SHA1
48639dcf8d31f6ede1dc3f9d7d97f8b4cb930838

SHA256
c7bcb953253cc1b020013ee85cca71f90201b928628905c702902c8f3807f343

SHA512
015485ec8d6a99a222672e7c81f01b1eb1619168cb0839c4b7257f992645a09c2d6e8ee6ef80659131925864c4b13ce6c5072e9e257ca01dce361fcaae7d3a85

Download Submit
C:\Windows\System\iOeOkHP.exe
Filesize
5.9MB

MD5
fa4e54d2648a99cbc618513f5d11ade5

SHA1
b3928dfabd1c6790a5ce44733cc9a8f22ae4815e

SHA256
784724129cbe2b9b4e34fbd803deeb166dfbedd477ed55339c102b016a32a867

SHA512
0b86c338c9f7c89b43646c57cd80504d9f01777b8ca9c136fc84d3aec0608d38cd317963e837cac9202afabbf71071e932ba5a5b64c59ca69e46f97b98a88135

Download Submit
C:\Windows\System\izIlmov.exe
Filesize
5.9MB

MD5
ace0cc55def04d14c8987ef26ba2b3a4

SHA1
f91234bd6c8927fbc1dba5c558a57c8e6ca8ae36

SHA256
f8a2547fc1e5e13f1296e051954ebaed9bb0588b749b500d7d967673bc7d85fa

SHA512
e27e1b7e2291629832bd7d1ae904dca2b15e934603eff1263e1e66b5b4b6cd6db5e0cca86fb19ed50a35bcb1a9e3af9445d873f34071d3bd16fb77b94e1895a3

Download Submit
C:\Windows\System\kaVftuC.exe
Filesize
5.9MB

MD5
f160fc30d29637ecc64c0d437d08d6ae

SHA1
ec6c19af1d8188144aa934ef9376c08d18411eea

SHA256
637ecb65206cc3cde881c26625c7c5fe2073586e5ed56638ee6d624ea6d0de5f

SHA512
362b2089dc70346b29ca6677abec976c9ddc314b2ffce0868bafa9e16ce9996c6f274b9b41ec90f649c01f607e6ecf405fbfee6c6eff1cc85b92e9c97f247a47

Download Submit
C:\Windows\System\kbZriLR.exe
Filesize
5.9MB

MD5
296715622d8cf042f67e184e8682bb76

SHA1
1b2bda9c527dd3ce2d3eb505c42887d21cf75b9a

SHA256
720731c09adff9e773c4f56d83463d72b148c04ead70e291ab070b0ba05b78ae

SHA512
789002e1e2f07dddf59b00dd8ca8a35e8e7e49bad4357e3e1d4e7518526b259e27abfcffcf18a5b69b4c9d48dc8dda80af1877555a27bd2b47a9af32a084eb51

Download Submit
C:\Windows\System\nBFOCfJ.exe
Filesize
5.9MB

MD5
3e0258c0af37276f478d475cc8b72485

SHA1
40fc5e3eed394a18d64bd9af2593cf2861aa4779

SHA256
65a90d8ee7e53c57cb1b9d4bc2b517a47dbda0f7b35d039ed1625e6d9a8bd30b

SHA512
1bad727bd6f00a3985dc1801fd2005cb7310012cd1067394f5e1f16fe7415d16540ea72c79a1407c1c90293ecef40b8b9682d36aad29cd62344a320ff6002254

Download Submit
C:\Windows\System\onXnVBY.exe
Filesize
5.9MB

MD5
f5aa52dd1ac9089b9421ce8948a91173

SHA1
6e342dff6ba55fc05ecb60b84e413dde1eafd1ab

SHA256
a58422b21fc859b9bd31abcfa05374a45527b114c1286f0fa3287108392244c8

SHA512
821db3449bfa79d3f081dd8d7acebade34850f2d7d288e6fe23949a85a0e5a72f00ccb2fa1f24b552f07a6c53c97d60acc15b47219c3c4565a369ddb4df48cf4

Download Submit
C:\Windows\System\qSNKMMb.exe
Filesize
5.9MB

MD5
feb34df9370342533b382949c4247ef3

SHA1
54675ddc915da659a6e35df5d8310f3adca397e3

SHA256
9effc0ee47245d93d25129cacfadf4e0435932d5af5e855b55f295196fdf55b6

SHA512
c9c75dbd857e67c6ee5a1d7764cb95724c23e54b842970d0874f58c5832031654d0f32f235e35ced8413c0244a602cc5e67d9fdc0b7373ae5cd3ebf11b932259

Download Submit
C:\Windows\System\rwoRiJx.exe
Filesize
5.9MB

MD5
990c3d5ebf3e4e80cdadef8ce6e67ccc

SHA1
604fc9b3f03f51f7dbc2ca36725ed2939117ed17

SHA256
d5e89375c86bce46d9c3f940a864ac83cfce142a0d532eae20dab9849e29982b

SHA512
33eda170d6762acb8ad07c6743a893db54a086acd45d677b2b2aa44e85ad6d305990d3acbc324e2e6de30457292007e1277c7fb247819369c91e58c0225ce34b

Download Submit
C:\Windows\System\tHslcYK.exe
Filesize
5.9MB

MD5
dc702388fa84a533a3e3958045320fe9

SHA1
906d23f479052062d60e449a06eeda9c177ef054

SHA256
c9edb9431296fd1bfb3a9f80dad73317d44f6a8962639f607781b34a21008ffd

SHA512
577178193fa6fd68098c4545bae8a038b20f296d2a02c0d3801cbef3d4fabb7cac484e82f19b8e71918774efa0aeba11f63e5711193409cb2a92be8d28cd03e5

Download Submit
C:\Windows\System\urYTxdk.exe
Filesize
5.9MB

MD5
26df69b71e06cc69f74256b3fa710687

SHA1
43b8111eaf32443b9720d5dbb1917e5c02a83e5d

SHA256
00029b9e8f79c0ef4ec02a95c177198ec78d0fcafaa0909ebadbbab4c5342e28

SHA512
b4f3d561f0068a9b1e12da4d7fcf991bf328edc2d488c7277e1e1da68f1950539f9213f933a4ed285446f7f30f097eb59628112520c47325867fc5e33484a6bb

Download Submit
memory/232-128-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp

Filesize
3.3MB

Download
memory/232-1-0x000001FE7BC70000-0x000001FE7BC80000-memory.dmp

Filesize
64KB

Download
memory/232-0-0x00007FF7BD2A0000-0x00007FF7BD5F4000-memory.dmp

Filesize
3.3MB

Download
memory/408-118-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp

Filesize
3.3MB

Download
memory/408-148-0x00007FF66A0A0000-0x00007FF66A3F4000-memory.dmp

Filesize
3.3MB

Download
memory/1140-147-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp

Filesize
3.3MB

Download
memory/1140-119-0x00007FF6DD0B0000-0x00007FF6DD404000-memory.dmp

Filesize
3.3MB

Download
memory/1684-137-0x00007FF610FB0000-0x00007FF611304000-memory.dmp

Filesize
3.3MB

Download
memory/1684-26-0x00007FF610FB0000-0x00007FF611304000-memory.dmp

Filesize
3.3MB

Download
memory/1944-155-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp

Filesize
3.3MB

Download
memory/1944-123-0x00007FF60ED10000-0x00007FF60F064000-memory.dmp

Filesize
3.3MB

Download
memory/1964-142-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp

Filesize
3.3MB

Download
memory/1964-52-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp

Filesize
3.3MB

Download
memory/2440-151-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2440-126-0x00007FF69FC00000-0x00007FF69FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2500-140-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp

Filesize
3.3MB

Download
memory/2500-42-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp

Filesize
3.3MB

Download
memory/2500-134-0x00007FF7DB0D0000-0x00007FF7DB424000-memory.dmp

Filesize
3.3MB

Download
memory/2672-141-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-115-0x00007FF6C2D70000-0x00007FF6C30C4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-120-0x00007FF626A30000-0x00007FF626D84000-memory.dmp

Filesize
3.3MB

Download
memory/2680-146-0x00007FF626A30000-0x00007FF626D84000-memory.dmp

Filesize
3.3MB

Download
memory/2696-135-0x00007FF706E30000-0x00007FF707184000-memory.dmp

Filesize
3.3MB

Download
memory/2696-129-0x00007FF706E30000-0x00007FF707184000-memory.dmp

Filesize
3.3MB

Download
memory/2696-6-0x00007FF706E30000-0x00007FF707184000-memory.dmp

Filesize
3.3MB

Download
memory/2704-34-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp

Filesize
3.3MB

Download
memory/2704-133-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp

Filesize
3.3MB

Download
memory/2704-143-0x00007FF69DB00000-0x00007FF69DE54000-memory.dmp

Filesize
3.3MB

Download
memory/3324-132-0x00007FF656250000-0x00007FF6565A4000-memory.dmp

Filesize
3.3MB

Download
memory/3324-29-0x00007FF656250000-0x00007FF6565A4000-memory.dmp

Filesize
3.3MB

Download
memory/3324-139-0x00007FF656250000-0x00007FF6565A4000-memory.dmp

Filesize
3.3MB

Download
memory/3356-122-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp

Filesize
3.3MB

Download
memory/3356-144-0x00007FF6E07E0000-0x00007FF6E0B34000-memory.dmp

Filesize
3.3MB

Download
memory/3388-125-0x00007FF772FF0000-0x00007FF773344000-memory.dmp

Filesize
3.3MB

Download
memory/3388-154-0x00007FF772FF0000-0x00007FF773344000-memory.dmp

Filesize
3.3MB

Download
memory/3628-136-0x00007FF755DD0000-0x00007FF756124000-memory.dmp

Filesize
3.3MB

Download
memory/3628-12-0x00007FF755DD0000-0x00007FF756124000-memory.dmp

Filesize
3.3MB

Download
memory/3628-130-0x00007FF755DD0000-0x00007FF756124000-memory.dmp

Filesize
3.3MB

Download
memory/4124-150-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp

Filesize
3.3MB

Download
memory/4124-127-0x00007FF7B85B0000-0x00007FF7B8904000-memory.dmp

Filesize
3.3MB

Download
memory/4256-117-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp

Filesize
3.3MB

Download
memory/4256-149-0x00007FF78D1C0000-0x00007FF78D514000-memory.dmp

Filesize
3.3MB

Download
memory/4416-116-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp

Filesize
3.3MB

Download
memory/4416-152-0x00007FF7AD510000-0x00007FF7AD864000-memory.dmp

Filesize
3.3MB

Download
memory/4640-153-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp

Filesize
3.3MB

Download
memory/4640-124-0x00007FF65ED00000-0x00007FF65F054000-memory.dmp

Filesize
3.3MB

Download
memory/4884-18-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-138-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp

Filesize
3.3MB

Download
memory/4884-131-0x00007FF68EE70000-0x00007FF68F1C4000-memory.dmp

Filesize
3.3MB

Download
memory/4968-145-0x00007FF6633B0000-0x00007FF663704000-memory.dmp

Filesize
3.3MB

Download
memory/4968-121-0x00007FF6633B0000-0x00007FF663704000-memory.dmp

Filesize
3.3MB

Download