cobaltstrike | 473f479e9b484fbe7ba755a4c608ef2bebd2d96b24dff71de2a692930da7a99e

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a96d53e1f31d215e47dfe3ea383d262b
SHA1

d44dba516021f390ad7795dd79d111bf59c2d000
SHA256

473f479e9b484fbe7ba755a4c608ef2bebd2d96b24dff71de2a692930da7a99e
SHA512

2306e4fb6faa78abf7b7e169a62c17ec40899aa05d7a3aac737c417e481cbc83a3800a27a3f42399b8ca5c83c3285dd7ba4f83c45944dfabce0b48d12462bc84
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l2:RWWBibf56utgpPFotBER/mQ32lUy

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012118-5.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018780-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b00-12.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000186f7-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018bcd-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b83-42.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001902b-52.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018bd2-45.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001927c-55.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000195c7-65.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960d-78.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019611-95.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961d-130.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961f-132.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961b-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019619-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019617-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019613-102.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019615-110.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960f-88.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960b-74.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral1/memory/2192-9-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2420-32-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2472-48-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2420-53-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2192-59-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2420-105-0x0000000002380000-0x00000000026D1000-memory.dmp	xmrig
behavioral1/memory/2776-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2472-136-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2420-97-0x0000000002380000-0x00000000026D1000-memory.dmp	xmrig
behavioral1/memory/2760-96-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/864-85-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2420-84-0x0000000002380000-0x00000000026D1000-memory.dmp	xmrig
behavioral1/memory/2840-83-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2320-71-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2532-67-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2320-28-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2756-137-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2868-138-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2420-139-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2668-150-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2420-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2688-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2388-153-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/300-158-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1628-157-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/1728-156-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/1140-155-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/1584-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2040-159-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2008-161-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2000-160-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2420-164-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2192-212-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2532-214-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2320-216-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2840-218-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2760-220-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2776-222-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2472-224-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2868-228-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2756-226-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2688-242-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2668-244-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/864-246-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2388-248-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/1584-250-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2192	AJCBRfc.exe
2532	DcgFXvp.exe
2320	LYecnaV.exe
2840	qYeBQdE.exe
2760	RooNNVl.exe
2776	DwWeYPP.exe
2472	QlKSfvd.exe
2756	GStWmxI.exe
2868	otivcag.exe
2688	DkFFjyt.exe
2668	RqXPTdk.exe
864	zUnMKMd.exe
2388	UOHrunH.exe
1584	vAzVCvK.exe
1140	raYNUKW.exe
1728	ctFxDTl.exe
1628	IeGWJyB.exe
300	FSWwTtW.exe
2040	epPXpDj.exe
2000	iIzGsNi.exe
2008	RQBckKY.exe

Loads dropped DLL 21 IoCs

pid	Process
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2420-0-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/files/0x0007000000012118-5.dat	upx
behavioral1/memory/2192-9-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/files/0x0007000000018780-10.dat	upx
behavioral1/memory/2532-15-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/files/0x0007000000018b00-12.dat	upx
behavioral1/files/0x00080000000186f7-20.dat	upx
behavioral1/files/0x0007000000018bcd-30.dat	upx
behavioral1/files/0x0007000000018b83-42.dat	upx
behavioral1/files/0x000900000001902b-52.dat	upx
behavioral1/memory/2472-48-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2756-54-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/files/0x0007000000018bd2-45.dat	upx
behavioral1/memory/2776-44-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2420-53-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/files/0x000800000001927c-55.dat	upx
behavioral1/files/0x00060000000195c7-65.dat	upx
behavioral1/memory/2868-60-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2688-68-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2192-59-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/files/0x000500000001960d-78.dat	upx
behavioral1/files/0x0005000000019611-95.dat	upx
behavioral1/memory/1584-98-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2388-90-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/files/0x000500000001961d-130.dat	upx
behavioral1/files/0x000500000001961f-132.dat	upx
behavioral1/files/0x000500000001961b-124.dat	upx
behavioral1/files/0x0005000000019619-120.dat	upx
behavioral1/files/0x0005000000019617-114.dat	upx
behavioral1/memory/2776-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/files/0x0005000000019613-102.dat	upx
behavioral1/files/0x0005000000019615-110.dat	upx
behavioral1/files/0x000500000001960f-88.dat	upx
behavioral1/memory/2472-136-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2760-96-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/864-85-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2840-83-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2668-76-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/files/0x000500000001960b-74.dat	upx
behavioral1/memory/2320-71-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2532-67-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2760-41-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2840-39-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2320-28-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2756-137-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/2868-138-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2420-139-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/2668-150-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2688-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2388-153-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/300-158-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1628-157-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/1728-156-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/1140-155-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/1584-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2040-159-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/memory/2008-161-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2000-160-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2420-164-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/2192-212-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2532-214-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2320-216-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2840-218-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2760-220-0x000000013FD40000-0x0000000140091000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zUnMKMd.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vAzVCvK.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctFxDTl.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epPXpDj.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYecnaV.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qYeBQdE.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\otivcag.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RqXPTdk.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQBckKY.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DwWeYPP.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DkFFjyt.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\raYNUKW.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iIzGsNi.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DcgFXvp.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QlKSfvd.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UOHrunH.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSWwTtW.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AJCBRfc.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RooNNVl.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GStWmxI.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IeGWJyB.exe	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2192	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2420 wrote to memory of 2192	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2420 wrote to memory of 2192	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2420 wrote to memory of 2532	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2420 wrote to memory of 2532	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2420 wrote to memory of 2532	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2420 wrote to memory of 2320	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2420 wrote to memory of 2320	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2420 wrote to memory of 2320	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2420 wrote to memory of 2840	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2420 wrote to memory of 2840	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2420 wrote to memory of 2840	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2420 wrote to memory of 2776	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2420 wrote to memory of 2776	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2420 wrote to memory of 2776	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2420 wrote to memory of 2760	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2420 wrote to memory of 2760	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2420 wrote to memory of 2760	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2420 wrote to memory of 2472	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2420 wrote to memory of 2472	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2420 wrote to memory of 2472	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2420 wrote to memory of 2756	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2420 wrote to memory of 2756	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2420 wrote to memory of 2756	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2420 wrote to memory of 2868	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2420 wrote to memory of 2868	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2420 wrote to memory of 2868	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2420 wrote to memory of 2688	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2420 wrote to memory of 2688	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2420 wrote to memory of 2688	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2420 wrote to memory of 2668	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2420 wrote to memory of 2668	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2420 wrote to memory of 2668	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2420 wrote to memory of 864	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2420 wrote to memory of 864	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2420 wrote to memory of 864	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2420 wrote to memory of 2388	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2420 wrote to memory of 2388	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2420 wrote to memory of 2388	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2420 wrote to memory of 1584	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2420 wrote to memory of 1584	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2420 wrote to memory of 1584	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2420 wrote to memory of 1140	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2420 wrote to memory of 1140	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2420 wrote to memory of 1140	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2420 wrote to memory of 1728	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2420 wrote to memory of 1728	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2420 wrote to memory of 1728	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2420 wrote to memory of 1628	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2420 wrote to memory of 1628	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2420 wrote to memory of 1628	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2420 wrote to memory of 300	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2420 wrote to memory of 300	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2420 wrote to memory of 300	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2420 wrote to memory of 2040	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2420 wrote to memory of 2040	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2420 wrote to memory of 2040	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2420 wrote to memory of 2000	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2420 wrote to memory of 2000	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2420 wrote to memory of 2000	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2420 wrote to memory of 2008	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2420 wrote to memory of 2008	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2420 wrote to memory of 2008	2420	2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-08_a96d53e1f31d215e47dfe3ea383d262b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System\AJCBRfc.exe
  C:\Windows\System\AJCBRfc.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\DcgFXvp.exe
  C:\Windows\System\DcgFXvp.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\LYecnaV.exe
  C:\Windows\System\LYecnaV.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\qYeBQdE.exe
  C:\Windows\System\qYeBQdE.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\DwWeYPP.exe
  C:\Windows\System\DwWeYPP.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\RooNNVl.exe
  C:\Windows\System\RooNNVl.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\QlKSfvd.exe
  C:\Windows\System\QlKSfvd.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\GStWmxI.exe
  C:\Windows\System\GStWmxI.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\otivcag.exe
  C:\Windows\System\otivcag.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\DkFFjyt.exe
  C:\Windows\System\DkFFjyt.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\RqXPTdk.exe
  C:\Windows\System\RqXPTdk.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\zUnMKMd.exe
  C:\Windows\System\zUnMKMd.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Windows\System\UOHrunH.exe
  C:\Windows\System\UOHrunH.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\vAzVCvK.exe
  C:\Windows\System\vAzVCvK.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\raYNUKW.exe
  C:\Windows\System\raYNUKW.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\ctFxDTl.exe
  C:\Windows\System\ctFxDTl.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\IeGWJyB.exe
  C:\Windows\System\IeGWJyB.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\FSWwTtW.exe
  C:\Windows\System\FSWwTtW.exe
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\System\epPXpDj.exe
  C:\Windows\System\epPXpDj.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\iIzGsNi.exe
  C:\Windows\System\iIzGsNi.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\RQBckKY.exe
  C:\Windows\System\RQBckKY.exe
  2⤵
  - Executes dropped EXE
  PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AJCBRfc.exe

Filesize
5.2MB

MD5
e2c6470838c3638ea5830c307a2c4f72

SHA1
5e2bb5035e1fedaeb5e1248bcb238cfa7bb7587c

SHA256
2132b740172c39a98f78054163e12849bf65638744e0d849cb9e2225aedbe45e

SHA512
741da7245be20b5ebc510a87d4f6975ae0c705d848422f7085544776c740f0209a313dd528ecd3735c23290bec9cefcbb25558816f784308cefad6ec7e866015

Download Submit
C:\Windows\system\DkFFjyt.exe

Filesize
5.2MB

MD5
a5bb6c25149b72401d113b140295a765

SHA1
6c9c1eba5d21a0ac65081e962e653087f50e8ccb

SHA256
dc7a7c8f4980cb4ea69ba7b6536ce727190db635bff0ea7f593103b4c1ff3c0a

SHA512
d5987b9d74300a3cc404166dfe3e0b99ebb4730d024f39ecf660f9bb055c111ee6c85a9cee7d85f9fedc5736b1de557a54701c686f2f4147bc870627ac8a0be7

Download Submit
C:\Windows\system\DwWeYPP.exe

Filesize
5.2MB

MD5
727f3a844872283eb959a5ba0a036391

SHA1
535099ea1646a9319ab33c08d889561f50d1e9c8

SHA256
0ca2b2a1fe30f63f0b364042798173abebe9768c2c23214555760aacdf7f7045

SHA512
7ae8e0a180257d03e8e529bc59af4a669980a6609e0bebba36fa101cfb493e7b5a64d883dfc87f7aceae1d140d077bde3c66133b373d19b24ce6c2274dc1cf9c

Download Submit
C:\Windows\system\FSWwTtW.exe

Filesize
5.2MB

MD5
8fcec54b60eede744797d461c176c2bb

SHA1
86a51937e856ede66b64de65caa269fb0bf55e0d

SHA256
463c9983ed6a78c6ad3da2fb30882e72ac492a2330b3df742c560d6b21a7758d

SHA512
fe327b8611b5057a979eddcc6c43f4b63bc2af9dafa267f64c0a91daddb4f0eadc61fa22541b7dfe10c0eb357f6d6715aff3c52fbd2ff2672a494913f2701c62

Download Submit
C:\Windows\system\GStWmxI.exe

Filesize
5.2MB

MD5
a15cd0af51ecf3c5171e22ec4a3876ca

SHA1
e9b0bf8069214a4a9e3e51e1ad3c2147ee68e260

SHA256
8e4bf453f44b7dfc35d73814b46c9fc57916f716c4ddb7367fee2d7524c37d7a

SHA512
f59d3abe3f02b59295b39b942cca42b96dbbef3531d01a71e02fd96152aeacd927c75603f29db01ea75dbd6c8bb8efaba39f906fd42e8085ba9cf6b0c4eee275

Download Submit
C:\Windows\system\IeGWJyB.exe

Filesize
5.2MB

MD5
b98a1ac58ff46425ead9d6fcde67be04

SHA1
cf140e6f6bc85b21641ee357f575972fcacbddc0

SHA256
2d842340553eef0724b4e7aa0c79335679a2b55409c1ba7af0f0ee4c9798f57c

SHA512
7944f8693a5a18a39dc36680bef614d6ae07f935682da7968fd99585550005f6647711b90aa88a1f2b10210ecc7e6735608b0700f90619e159f4a8efc54c52d8

Download Submit
C:\Windows\system\LYecnaV.exe

Filesize
5.2MB

MD5
7bed441282a80705b1be68555a252923

SHA1
b623a7690cbb65bd82e5ca532deacf2b0942d4ea

SHA256
a766a960c2a66a2d8a473c3225f6c861e7c8f7502556e25d21af43a4d98eef0d

SHA512
7678e21fdd4df3c366327402d831cdcdd4de7dadad654850592fb9a9c24629dcde11f923f07f6d42d89b0dfccee5de8797593fb2811223c5b1a86b689c661591

Download Submit
C:\Windows\system\QlKSfvd.exe

Filesize
5.2MB

MD5
f4178cab7086bf1fd75a036e529fb054

SHA1
afe3c1288270046eddf3028f5c4aa9522280352a

SHA256
7b2daf7a002dfc28201414e077a4afbe7cf0b02ef424c4d4eacc5febf9dd62fb

SHA512
489828784002adafcc65e9f85f76bb6c92cf8bd76717470bc47db8e8e223ab40fd52de6820e9c5e52635fc5d8ed041f07da00725e9d7a29bf679d41890527ea7

Download Submit
C:\Windows\system\RqXPTdk.exe

Filesize
5.2MB

MD5
ecf83e19d018b3538e20c5363333a462

SHA1
846b5016f3d62269e8c3481c96cb7a2d531e48ac

SHA256
512967cae5374ab9c649501b54180a47ffad76699125db46e7b5c42cf78d997a

SHA512
02b2f665cc11ea80762df5a83059b8187fcb0f9afad6661bf7d69292e4e8cba8373e0e7eafa0a69a8c6d93eff15b4ca769056666bb601b8a33511c6285afefd4

Download Submit
C:\Windows\system\UOHrunH.exe

Filesize
5.2MB

MD5
f225fbee60a910fd7e2ca4dfc70ce590

SHA1
e17ff3b69362934367fc8ec3b02f4390d8b9f062

SHA256
391956a61e63f390e5200080911388b33a585be1fdc754053d9137440dcd77c0

SHA512
d898d1e3596ef19c395ca64b300bf2b22e571abb7af468252fd1f7a717778f9bdbaae1b213fe3569f07850e3211d50f1e88ecba6dcb4eb92d36d8d660b8f16a7

Download Submit
C:\Windows\system\ctFxDTl.exe

Filesize
5.2MB

MD5
1e6489ee7a667ebd42be01af3a1ac09e

SHA1
a42843e858148c804b0efa6bafaea701c3225544

SHA256
245ea2a8c798162d3901c8a6d0c76cded9c0cfd720064969165c56485ac91894

SHA512
ee5891c0085940ff589f18a4cef79943da1cd2e8f936de5e81934d93fca7c3539956bd21008b01715a879fbeb950ed69d9bf9e9c48dffe6e037010fb725e95a9

Download Submit
C:\Windows\system\epPXpDj.exe

Filesize
5.2MB

MD5
db02dc4fd50b11fc3115ddcffbcd1ecf

SHA1
dde48b95b2e4a112e74e19f88438a1c40110e7db

SHA256
f7927f7fa5b8a004dddac60cb9f445b8ee19ab332d6d3bc8ff05e48d1d2bc896

SHA512
b217704bdd1dab63ac39a33c056d2406600af625527837b1f992a8964ecb9f1362dd6fd315af07257437abdb42f8056febbfe7b9e350853dea85a6d8a4c9bbc6

Download Submit
C:\Windows\system\iIzGsNi.exe

Filesize
5.2MB

MD5
2c57b09f3efbe9b217af21bfd949abbd

SHA1
f19179e842a9c5056ebe3e5d7374978e77b53ef1

SHA256
5220ed0f345eecdf72ff1852058da6bc7d4f3268df234661ec17f7dd594616aa

SHA512
3992dffdc6c766a86cfb9b793bcdfe91067a9bf4c8b410425abfc282dcce615dd87e2cc109802767544ad0a479362f8482ffabb7737c79c8960e7b8573cc4dbf

Download Submit
C:\Windows\system\raYNUKW.exe

Filesize
5.2MB

MD5
5b52b960160500c4ad5ca1b489b4d6c5

SHA1
e5cb3caaf32554e7794d463dcc6390513fa6a6dd

SHA256
d16184a360176a0a3eedbb4453f59a75d563d8ff2305390f6b85709642a99943

SHA512
99356e5530dc9855650be81e2338d718a731058beb4bc195d5f4afdf9427ca7cee5ddd6d31f4ac4b2894571eae4426bf91c0624c588c976b4acbca69f4c249f7

Download Submit
C:\Windows\system\vAzVCvK.exe

Filesize
5.2MB

MD5
e384d91d1de55f32ddecd3099b3bca8a

SHA1
2e7fd7716dc3bf22bcb8e489ef00ed4c2012e335

SHA256
3f78045a7d28f18f09ca84de0b4adeefe87c5d964ce26d23a78196ba8239343a

SHA512
e837bea691fec9a746e39f168527d5c4da6e95fc39036c99ea19e1d11e2ef6157ad0c290d72ac07a37d42653c6272ef064ae45734c6721cd3785bb7edebdc39d

Download Submit
\Windows\system\DcgFXvp.exe

Filesize
5.2MB

MD5
2ee950470289c0a8c0a66002e6509f31

SHA1
1e42b17d5030aec873c07df4a7c0902142d58194

SHA256
792168c374de1014186ab7a4761b15a7b6a60798a339765e3ed60a5fbbc97c11

SHA512
f03835249a5084997a278908d778a927a256d1eb714b01829313e59c9253bed02193e64b5cd72570778dfdd8267edfb9950ba352a0ae8711134688af3b473ab7

Download Submit
\Windows\system\RQBckKY.exe

Filesize
5.2MB

MD5
b485115527f367a1eb49240c9b86871f

SHA1
5b4c3a0c4d4ee6f099b94ce728af148670991758

SHA256
f03ae7a6600247570e4d8c2db60609ae81dd8b5b1cbed5b2d1896514bbebee54

SHA512
f51072da998e3e838bbcaa55f3526d389ca52e49df2b4de02d9c4ac00bd638b89d58c2b7c1391f7a0a9927a7dedd9875aa959760aa8dcfaa153c0ca92f0cf368

Download Submit
\Windows\system\RooNNVl.exe

Filesize
5.2MB

MD5
4161ae4d5f212c6145d445a9e186c8f5

SHA1
d1c3721d20a06041c5ed8fd975be9d5fde46ca80

SHA256
341cbc6714f10eafd2fcc1373385241c9977c59152061076a1d1c308c6f44ec6

SHA512
7c084f69b7fc199568a6b8ab9210f3a59b503e1661bbf5fa272090855fa4517b18fbf3912d74c935e73a03c06b83e8b85409a404a6855d39c156384e8dd93e36

Download Submit
\Windows\system\otivcag.exe

Filesize
5.2MB

MD5
6d28de5478e0334d99638baee47fc4c5

SHA1
c09a9fe8379058ab2ae9ad419045dfa4f2d6b1eb

SHA256
308081b899a28764004c4650457b3278e45267df3d12663c0afd64a493c1a7f9

SHA512
6851948510827ec89f6cfd9aa0688822fd05710e7a314d671764b026fd18c9a44caf55d498785d182298465c066c306b8d3da0a18e71b6f149905f2ce25f8a95

Download Submit
\Windows\system\qYeBQdE.exe

Filesize
5.2MB

MD5
f2462c180a610bae909fc025ac40b576

SHA1
50795d5226ddb77b6a2c021da9ff5204286bf438

SHA256
4000d3c1d858133a850cca7605645176da6642ad7ec8e771b0a70b391e5a5aab

SHA512
df5cc91cbcfbf7385ac2c6fbac1c23ddd2db6411e2bf4d72e3f6ac5fd7ff7ae688977150b35b7be1a01d4de98c40f3c366a7ac427247324fb3ccf3faa69a7830

Download Submit
\Windows\system\zUnMKMd.exe

Filesize
5.2MB

MD5
219325bf553836e016bebbf6eae0191e

SHA1
76ba2a088cb469d8562aa4ab45e4134ff22a20ce

SHA256
bd7b02e5e6f76133d98a439e989121316adb00b1e4500615814aedc28457be65

SHA512
1f1de46566ad29aacb4a8e219c5b90a7261223c4f8c4f95bc625f23b60f58562d4f428cb1ac8cc45b11403f8821b1ea9f92cc22af7d188b6c331c3683f63a740

Download Submit
memory/300-158-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/864-246-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/864-85-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/1140-155-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-98-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-250-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1584-154-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1628-157-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-156-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2000-160-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2008-161-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2040-159-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-212-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2192-59-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2192-9-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2320-28-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2320-71-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2320-216-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2388-248-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-90-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-153-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-84-0x0000000002380000-0x00000000026D1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-164-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-0-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-72-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2420-163-0x0000000002380000-0x00000000026D1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-7-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2420-40-0x0000000002380000-0x00000000026D1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-23-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2420-97-0x0000000002380000-0x00000000026D1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-162-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2420-53-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-139-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-32-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2420-172-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-105-0x0000000002380000-0x00000000026D1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-136-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-224-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-48-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-214-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2532-15-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2532-67-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2668-150-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2668-244-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2668-76-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2688-149-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-68-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-242-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-137-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2756-226-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2756-54-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2760-96-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2760-220-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2760-41-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2776-44-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2776-222-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2776-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2840-218-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2840-83-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2840-39-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2868-138-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2868-228-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2868-60-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download