cobaltstrike | ea01c63d32a7b8867d3e3da8fc79aedd4b0febaa0a200142806f7894a7cb64a6

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

bd03df8c383ab49bbff63b91d511d5f5
SHA1

bf16405176a425458a6dd5adb3385e2495dc70e9
SHA256

ea01c63d32a7b8867d3e3da8fc79aedd4b0febaa0a200142806f7894a7cb64a6
SHA512

f6b6af1fbc510064f95030512f68c9f370f3ce2963e8c014341a0e9993a06938f096693db596085aa6712e9d71b8166931c6e1300e7bfc3e38a1d285dce8f2f9
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUM:T+856utgpPF8u/7M

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00070000000120cd-3.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001613b-8.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001631e-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016635-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016861-45.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186c8-124.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017406-74.dat	cobalt_reflective_dll
behavioral1/files/0x0011000000018676-116.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015e87-102.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001748d-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017409-95.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174ab-90.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001747a-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017400-77.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e4-65.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001866c-111.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001752e-110.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c6a-56.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016ab4-51.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000164d0-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016594-29.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 60 IoCs

miner

resource	yara_rule
behavioral1/memory/2652-0-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/files/0x00070000000120cd-3.dat	xmrig
behavioral1/files/0x000800000001613b-8.dat	xmrig
behavioral1/files/0x000800000001631e-10.dat	xmrig
behavioral1/memory/2820-32-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/files/0x0007000000016635-38.dat	xmrig
behavioral1/files/0x0007000000016861-45.dat	xmrig
behavioral1/memory/2612-47-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/3016-53-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x00050000000186c8-124.dat	xmrig
behavioral1/files/0x0006000000017406-74.dat	xmrig
behavioral1/files/0x0011000000018676-116.dat	xmrig
behavioral1/files/0x0035000000015e87-102.dat	xmrig
behavioral1/files/0x000600000001748d-96.dat	xmrig
behavioral1/files/0x0006000000017409-95.dat	xmrig
behavioral1/files/0x00060000000174ab-90.dat	xmrig
behavioral1/files/0x000600000001747a-84.dat	xmrig
behavioral1/memory/2612-141-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/912-79-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000017400-77.dat	xmrig
behavioral1/memory/2720-126-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/3016-142-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2876-125-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/files/0x00060000000173e4-65.dat	xmrig
behavioral1/memory/2384-115-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2532-114-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/1192-112-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/files/0x000900000001866c-111.dat	xmrig
behavioral1/files/0x000600000001752e-110.dat	xmrig
behavioral1/memory/2800-73-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2944-61-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2652-60-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2304-59-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016c6a-56.dat	xmrig
behavioral1/files/0x0009000000016ab4-51.dat	xmrig
behavioral1/memory/2304-143-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2720-40-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2876-39-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/files/0x00070000000164d0-37.dat	xmrig
behavioral1/memory/2652-33-0x00000000023B0000-0x0000000002704000-memory.dmp	xmrig
behavioral1/memory/2800-31-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2840-30-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016594-29.dat	xmrig
behavioral1/memory/2944-22-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/912-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/1192-146-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/2384-147-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2820-148-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2840-149-0x000000013FEA0000-0x00000001401F4000-memory.dmp	xmrig
behavioral1/memory/2944-150-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2800-151-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2304-153-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2612-152-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/memory/2720-154-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2876-156-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/1192-158-0x000000013F1C0000-0x000000013F514000-memory.dmp	xmrig
behavioral1/memory/912-157-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2532-159-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/3016-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2384-160-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2820	jpYGenX.exe
2944	KwiTqdi.exe
2840	IDbFNvQ.exe
2800	zYZWvOp.exe
2876	GxibFCP.exe
2720	kuLboSa.exe
2612	YOluikx.exe
3016	gYqyEgB.exe
2304	fjgwOJX.exe
912	CFzEqBB.exe
1192	JHZpVQp.exe
2532	WhXmcHN.exe
2384	nuSzvYG.exe
656	ZNzkUnR.exe
896	OpuJJod.exe
2056	DFZZXYW.exe
2004	rbURZDh.exe
2956	LqNhMmj.exe
1128	iZPtgYn.exe
2380	EQZccJf.exe
2076	nNQDWYs.exe

Loads dropped DLL 21 IoCs

pid	Process
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2652-0-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/files/0x00070000000120cd-3.dat	upx
behavioral1/files/0x000800000001613b-8.dat	upx
behavioral1/files/0x000800000001631e-10.dat	upx
behavioral1/memory/2820-32-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/files/0x0007000000016635-38.dat	upx
behavioral1/files/0x0007000000016861-45.dat	upx
behavioral1/memory/2612-47-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/3016-53-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x00050000000186c8-124.dat	upx
behavioral1/files/0x0006000000017406-74.dat	upx
behavioral1/files/0x0011000000018676-116.dat	upx
behavioral1/files/0x0035000000015e87-102.dat	upx
behavioral1/files/0x000600000001748d-96.dat	upx
behavioral1/files/0x0006000000017409-95.dat	upx
behavioral1/files/0x00060000000174ab-90.dat	upx
behavioral1/files/0x000600000001747a-84.dat	upx
behavioral1/memory/2612-141-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/912-79-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0006000000017400-77.dat	upx
behavioral1/memory/2720-126-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/3016-142-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2876-125-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/files/0x00060000000173e4-65.dat	upx
behavioral1/memory/2384-115-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2532-114-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/1192-112-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/files/0x000900000001866c-111.dat	upx
behavioral1/files/0x000600000001752e-110.dat	upx
behavioral1/memory/2800-73-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2944-61-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2652-60-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2304-59-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/files/0x0008000000016c6a-56.dat	upx
behavioral1/files/0x0009000000016ab4-51.dat	upx
behavioral1/memory/2304-143-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2720-40-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2876-39-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/files/0x00070000000164d0-37.dat	upx
behavioral1/memory/2800-31-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2840-30-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/files/0x0007000000016594-29.dat	upx
behavioral1/memory/2944-22-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/912-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/1192-146-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/2384-147-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2820-148-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2840-149-0x000000013FEA0000-0x00000001401F4000-memory.dmp	upx
behavioral1/memory/2944-150-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2800-151-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2304-153-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2612-152-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/memory/2720-154-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2876-156-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/1192-158-0x000000013F1C0000-0x000000013F514000-memory.dmp	upx
behavioral1/memory/912-157-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2532-159-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/3016-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2384-160-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\CFzEqBB.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHZpVQp.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nuSzvYG.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqNhMmj.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpuJJod.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jpYGenX.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYZWvOp.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rbURZDh.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YOluikx.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gYqyEgB.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fjgwOJX.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iZPtgYn.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EQZccJf.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KwiTqdi.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDbFNvQ.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GxibFCP.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nNQDWYs.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFZZXYW.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kuLboSa.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WhXmcHN.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZNzkUnR.exe	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 2820	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2652 wrote to memory of 2820	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2652 wrote to memory of 2820	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2652 wrote to memory of 2944	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2652 wrote to memory of 2944	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2652 wrote to memory of 2944	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2652 wrote to memory of 2840	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2652 wrote to memory of 2840	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2652 wrote to memory of 2840	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2652 wrote to memory of 2876	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2652 wrote to memory of 2876	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2652 wrote to memory of 2876	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2652 wrote to memory of 2800	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2652 wrote to memory of 2800	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2652 wrote to memory of 2800	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2652 wrote to memory of 2720	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2652 wrote to memory of 2720	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2652 wrote to memory of 2720	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2652 wrote to memory of 2612	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2652 wrote to memory of 2612	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2652 wrote to memory of 2612	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2652 wrote to memory of 3016	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2652 wrote to memory of 3016	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2652 wrote to memory of 3016	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2652 wrote to memory of 2304	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2652 wrote to memory of 2304	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2652 wrote to memory of 2304	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2652 wrote to memory of 912	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2652 wrote to memory of 912	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2652 wrote to memory of 912	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2652 wrote to memory of 1192	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2652 wrote to memory of 1192	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2652 wrote to memory of 1192	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2652 wrote to memory of 2004	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2652 wrote to memory of 2004	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2652 wrote to memory of 2004	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2652 wrote to memory of 2532	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2652 wrote to memory of 2532	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2652 wrote to memory of 2532	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2652 wrote to memory of 2956	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2652 wrote to memory of 2956	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2652 wrote to memory of 2956	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2652 wrote to memory of 2384	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2652 wrote to memory of 2384	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2652 wrote to memory of 2384	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2652 wrote to memory of 1128	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2652 wrote to memory of 1128	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2652 wrote to memory of 1128	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2652 wrote to memory of 656	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2652 wrote to memory of 656	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2652 wrote to memory of 656	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2652 wrote to memory of 2380	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2652 wrote to memory of 2380	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2652 wrote to memory of 2380	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2652 wrote to memory of 896	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2652 wrote to memory of 896	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2652 wrote to memory of 896	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2652 wrote to memory of 2076	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2652 wrote to memory of 2076	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2652 wrote to memory of 2076	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2652 wrote to memory of 2056	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2652 wrote to memory of 2056	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2652 wrote to memory of 2056	2652	2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-01_bd03df8c383ab49bbff63b91d511d5f5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Windows\System\jpYGenX.exe
  C:\Windows\System\jpYGenX.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\KwiTqdi.exe
  C:\Windows\System\KwiTqdi.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\IDbFNvQ.exe
  C:\Windows\System\IDbFNvQ.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\GxibFCP.exe
  C:\Windows\System\GxibFCP.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\zYZWvOp.exe
  C:\Windows\System\zYZWvOp.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\kuLboSa.exe
  C:\Windows\System\kuLboSa.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\YOluikx.exe
  C:\Windows\System\YOluikx.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\gYqyEgB.exe
  C:\Windows\System\gYqyEgB.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\fjgwOJX.exe
  C:\Windows\System\fjgwOJX.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\CFzEqBB.exe
  C:\Windows\System\CFzEqBB.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\JHZpVQp.exe
  C:\Windows\System\JHZpVQp.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\rbURZDh.exe
  C:\Windows\System\rbURZDh.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\WhXmcHN.exe
  C:\Windows\System\WhXmcHN.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\LqNhMmj.exe
  C:\Windows\System\LqNhMmj.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\nuSzvYG.exe
  C:\Windows\System\nuSzvYG.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\iZPtgYn.exe
  C:\Windows\System\iZPtgYn.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\ZNzkUnR.exe
  C:\Windows\System\ZNzkUnR.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\EQZccJf.exe
  C:\Windows\System\EQZccJf.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\OpuJJod.exe
  C:\Windows\System\OpuJJod.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\nNQDWYs.exe
  C:\Windows\System\nNQDWYs.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\DFZZXYW.exe
  C:\Windows\System\DFZZXYW.exe
  2⤵
  - Executes dropped EXE
  PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DFZZXYW.exe

Filesize
5.9MB

MD5
dce3f4c84fdae3ce7e185dd188f5294b

SHA1
ed456d534f9c0beb02dd1bdbfeadeefb9f5795ac

SHA256
ee5bb3200405af4baf9c509c7428f8970887d05eba9977f099d806cb80daf1cb

SHA512
d5447c4ddb1d4a0a59e78ac717a5071389f833a142dfae089c53053a9d5655ef759b3268a1416303595eb472f44eeb51fa8053a6f5470cab9a71c05ee9a8cbdd

Download Submit
C:\Windows\system\GxibFCP.exe

Filesize
5.9MB

MD5
647398d4e55d331b734c89dca3ab6502

SHA1
4c64363ead6b2ff29d1ff7a6e69fad87b3112d46

SHA256
60b0b2c8cf60782d1f0d081a75d492dcf6a4b65df2a661ea3cf970c1f445831f

SHA512
1129786acc557cc6044271506ec11f4ce1dacea6757fd628050c598a7dc3ad1b5f5b98ae70b378c940fcce0f17f4e0f7549b272d5077a45db04546a48d9453d1

Download Submit
C:\Windows\system\IDbFNvQ.exe

Filesize
5.9MB

MD5
2cf1d419b68a4a302ece66e40cbcdafd

SHA1
5094d36de471f98c02dfff47cc34261f4c6877df

SHA256
f5e50db0f5244a610139bc3380bfc3be7ffe11550fcb0916f461d26b6e2ad57c

SHA512
44d626b99f5ab6081790d256911fa19bebb9ee83759f995bc1f1694770081e0954a1197b30c301bfccf2f812e91b52b49a95038b2241ab5f819a90f01e517293

Download Submit
C:\Windows\system\JHZpVQp.exe

Filesize
5.9MB

MD5
2b53b30880e0f32b0b1a4f4b5e9390b5

SHA1
66bd1bec8f18e5779129b25840f699e4e80262e3

SHA256
f5effda6b32f155807b7bd3f3dad8fbc811b14c0d82c00f2c78f449e2f04ed47

SHA512
f2676e04eac7bcf736d0277140928aae91b9b3defb9af63af606c8dfb9399657fe7870b5c42a0fc795a846a6c9aec872157992bcd3f56e0c11386eb6de07606d

Download Submit
C:\Windows\system\OpuJJod.exe

Filesize
5.9MB

MD5
62839b2a3a794dac52e422a6f8386bae

SHA1
3546ad126d3db8d9108d7c13b24576eef38e6aa6

SHA256
71e5ef830bf173212c4bbf23121c75aeb63adcf9511572f9676b4adb1ddfabfc

SHA512
aa9751ad269bdb7805320c56979a3b72b451471581e6b3bb987a03513eddf4ca6b8bbf8a0381955f869d08866b4ed66a56e89a0ac7e144a9346e947da655b08c

Download Submit
C:\Windows\system\WhXmcHN.exe

Filesize
5.9MB

MD5
176c5542538b7b586c33c1adbb197fea

SHA1
e3f8753db42a90e7f0b04c06642361f838142d4c

SHA256
28ba0dd20278e1f900b9010c2fa7e3ebb8162bfb18b430d4c240f01ca173b37e

SHA512
c404efac6c1d224d8ffc7f5ca7ec569551548ef28dae2a6bb298390998af98d9a8b156da22e501cbcd8f49aa22392508805ed9a4d4717b30db08e7d686099078

Download Submit
C:\Windows\system\YOluikx.exe

Filesize
5.9MB

MD5
adeec955826077d1235b6d581dbfaa03

SHA1
33490846fb9c46bd373c9ac9dcdad8a5f61e5963

SHA256
9e7555b88764d7d259d0dbf78d51adefd0cb9ec7a078efb16a58d915ae494399

SHA512
d5f87c7e0e95047e3333e69f939df41a01c72b0d0f6b013501fc774fffe1846b7b92628519c8592bf415ed2e5dca208c3f00feb5cb055f98628ef08340685356

Download Submit
C:\Windows\system\ZNzkUnR.exe

Filesize
5.9MB

MD5
e5ff08db2df9a77be139472ed7c160d9

SHA1
0a6ff283be30fdaa7caacdba6ec339578447df99

SHA256
b15b0f67fce417b28bd0ca268e0e750b1af45929d92186ef503aee784fef4f99

SHA512
88a67b5a230b2589032843bc0a158860948619b0471c137c62ba3418f166c7b1d90bd089f625cd968a6de5f2135d1720710f45345a9de16fc566af046eac046c

Download Submit
C:\Windows\system\fjgwOJX.exe

Filesize
5.9MB

MD5
d9c4bbec865c28834a0f8c17ed22aa9b

SHA1
f5bc6c2448f759acf6c9185262e81dc9c028bad0

SHA256
d35c66d5570c55c0c78a730860fc3d6f7903baad3a3ec153ac533b2d6b7b33c9

SHA512
f88d93c770d5fd423574dec6e044a2b1f8f5cc6668db0244ab5707ff54e40331a9083b4aaf17e7ffd1a80d534bfd5bafacce8a672d42ab36a8159b59a8b4d959

Download Submit
C:\Windows\system\gYqyEgB.exe

Filesize
5.9MB

MD5
c8ffda3ae17eb236ce7c502e21915d6d

SHA1
c8805e190a729674b91aad5c36ccde44da34134c

SHA256
317649fc7cb743b18db8c3a0cf207ff7d710b51293e6f60fbb46b5380c4743d7

SHA512
9e651b323bb05f9ba58403e088181d06267c3ec11f97ef0c7cab8fd15bce0778842979e3067969921625a9e22cfe2dc14d2df391bddb39532bba0622722f1d30

Download Submit
C:\Windows\system\kuLboSa.exe

Filesize
5.9MB

MD5
d48b5cbac3193183205f97a8939a0030

SHA1
5a83ad8870cdc4115c743b00db801776c440dd7d

SHA256
3b6811094022ced2b174bdbcb44ca2f552c718900aaf7f0e8e1d01731d31d5fc

SHA512
94ddfd3b870a31e738045e8bfa38ab4648bf33820a6abf8c5c0a60a5f1bf0606f97bcec4e4f22da65028d93d87b9f826af672d29cec41ea6bf62928e354ddec4

Download Submit
C:\Windows\system\nuSzvYG.exe

Filesize
5.9MB

MD5
6cdca7b490f6f28576a8045d8c259e9a

SHA1
ad66e3986f99c91dedef05a628a66895d2a4de08

SHA256
5a6e4127f934b13156fd0aa0e5489cc474322863cf3bf6b300bdd3b22732aa50

SHA512
2fd4af7d74363ac6cff795d33cf79edc63d7e9ecc56527fe0d5560437c7b39e79603f7e68cd54bd3eb176b0d575aae48dbe4b010376030c615cee573d4f9220e

Download Submit
C:\Windows\system\zYZWvOp.exe

Filesize
5.9MB

MD5
3e92cf910f771645a3d0c1a40fb79bf6

SHA1
74003e9c32b74dfdde4ea437ece621b908a370c8

SHA256
63603e264eb27f62c4702cbf4d6080640dc9c8b0be5c17bbc18d6d435045888f

SHA512
550edaa212e69c722659f6cb3075e332d465250e7531d25cf416838980940f25e3821cd9f10233d108da9ba4607729ae49e862246d57b3f6e790be66c523ad22

Download Submit
\Windows\system\CFzEqBB.exe

Filesize
5.9MB

MD5
4948cc11a2c911b7a018509c8441add2

SHA1
451c81a47d6ee3d3aa673e522406b310f1a0cad7

SHA256
43754d27dae8e542d1a36f3409ac39e6aed55ab5ebd56b417083d0ea72936c93

SHA512
407e178673919e349349c84ea2184aa218b6bdc5f6856f70fe31668bafccd9efd936350830ed5ba826d24b36dad4fd7378cce6eaba20e7e28c3e2ab86d39935f

Download Submit
\Windows\system\EQZccJf.exe

Filesize
5.9MB

MD5
478c0bf714682fa5810977ea5c1aa898

SHA1
013ff6dc39514c0186f384746a4c99c0f130e7be

SHA256
cc6541ca525d6d001cdbbd7d9d7a0d89c153f1aa105744efeeec6f5fc65efc82

SHA512
522412eb4302855c1af7d54c204c49e25ae605c5376fd450437f2b3af97707d31253d3bfba214600d5592a9323c9434bd5b4cfc6d0e36be0c6ce9ae1d4e4d4d1

Download Submit
\Windows\system\KwiTqdi.exe

Filesize
5.9MB

MD5
b7e55ba1011a6ec47d09129e29ddb30a

SHA1
a05ccefe64e82f3e968b16288de285280e954bb4

SHA256
bc33cf3bbf5d7c5e04ebb53988d6f7b9b760470a7ef5408dc45523899aa7ddf6

SHA512
bca5cdbb71f3c1b5f557fb032b0af1ab3a4a5cc88ae1df41aecd3bda3e6df7f10dd27666a48236ef49cd6a80ecd14eeff639036ccc666d424bd52a8616bed40a

Download Submit
\Windows\system\LqNhMmj.exe

Filesize
5.9MB

MD5
18dbe3f7c6b4afd64d707d9ae9473137

SHA1
492eaba80ab6d7c3833350eba08e05fc95fa83e9

SHA256
23a361e7776b8fa51c9cdc3abce6143c1294da0d404af4e6d69fac0158216afd

SHA512
1eea8ca6459dc81adb06a6e052c4f797530e8489626f1f168d0344fdc281de8803430a6d62e93254af3b8106c3ebf21459f0acb1378fdd735e5b7e11f39b09fc

Download Submit
\Windows\system\iZPtgYn.exe

Filesize
5.9MB

MD5
ecdc3f851fa37c8a809dc497f74170b3

SHA1
928f28248e1471b1f6965509f8660c6f4acdfec2

SHA256
0792d5b8435ba1f421d0c024c434374633487d24d1aea0448ecf1826625f087e

SHA512
97873aa8f62155fcfe00eb3eb5659e9c9cdf629bc7477d84d9ce2e97c409a2b3fcd80bdadb17d43dcd782ae5e823d743db9519efb8e6dd47b804978fdd7bc7ee

Download Submit
\Windows\system\jpYGenX.exe

Filesize
5.9MB

MD5
529c207a267cde7057d679f21f96136a

SHA1
a54ef830a1a755c6d622a0d0ddf349f1581acd43

SHA256
9e69b05f113764844c818ba220bb8322c08cb770d0f11acb272590eb1a78bd06

SHA512
700ec0d021fdf8d7587173df6c488daa12218a04d05859d39b3544dc0a661a20959f55347af23cd674c1393852f1d815983b8eab3f4391465166c9c7693192ca

Download Submit
\Windows\system\nNQDWYs.exe

Filesize
5.9MB

MD5
7c21e847e8f304b8e19794ae4ed87a78

SHA1
85cb5c775b8dba9a84c4364bdb06ce935ffaf80c

SHA256
f4e8c1ed9d7d42f3bf0a458c8f0dd30a6d152fadeeecdbcec2f8f34853e88c04

SHA512
48aaf8b337f0c9d4e6a16b451ff9f0f636d9c66833d76f802b21e69df56f96045dff110612515cc69676e5324fc9522b392bb9377d859b89e75c62fd95df1f1c

Download Submit
\Windows\system\rbURZDh.exe

Filesize
5.9MB

MD5
92e14fe7d55e81f48c24e2b865856f56

SHA1
6cd8c48337f75e942e7326ee847fcc6aaf3da478

SHA256
7de466ac0e4b7987d36194d3f30f430d77a153b98f8d984d75a3acd271908898

SHA512
fb50e4f9c70c11c1aa563f1a8797d9680598da2ad038384e621bfe389e2a93000d36e5e239f72f84681080009e2285730bb950742f7cb930171320aebb23bc30

Download Submit
memory/912-157-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/912-79-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/912-144-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/1192-146-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1192-112-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/1192-158-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2304-59-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-143-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2304-153-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-147-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-160-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2384-115-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2532-159-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2532-114-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2612-141-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-152-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-47-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-100-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-145-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-52-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2652-60-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-0-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-58-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-113-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-122-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-46-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-123-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-119-0x000000013F440000-0x000000013F794000-memory.dmp

Filesize
3.3MB

Download
memory/2652-83-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2652-78-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-35-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-34-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-33-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-69-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2652-26-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2652-17-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2720-40-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-154-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-126-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-151-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2800-31-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2800-73-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2820-148-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2820-32-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2840-149-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-30-0x000000013FEA0000-0x00000001401F4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-125-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2876-156-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2876-39-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2944-150-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2944-22-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2944-61-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/3016-53-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-142-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/3016-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download