cobaltstrike | a6f22d5acf621a1f02a417cd6a5214ff252be471539cdd0e052409f15af95dba

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

7dd40001e116b288fcf54977d0bffad4
SHA1

4291d238cd72a1c43857d842b4a91d392495c191
SHA256

a6f22d5acf621a1f02a417cd6a5214ff252be471539cdd0e052409f15af95dba
SHA512

3a2c56247d2c8a500554e2a11ec15097c486d939ff10fd1c72f78848063fd1c18c04b4648bce6bcd93fac1cd4375b6694b24ebbca19a46a00c819c86f78af8f6
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUq:E+b56utgpPF8u/7q

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012119-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d41-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d59-16.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d81-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ec9-33.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d0e-37.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016241-56.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ff5-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f71-44.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d3f-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d72-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016de0-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016eb4-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017047-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dea-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd9-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6d-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d69-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d63-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d47-73.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 63 IoCs

miner

resource	yara_rule
behavioral1/memory/2504-0-0x000000013F440000-0x000000013F794000-memory.dmp	xmrig
behavioral1/files/0x0007000000012119-3.dat	xmrig
behavioral1/files/0x0008000000015d41-8.dat	xmrig
behavioral1/memory/2308-21-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2540-22-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2272-19-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d59-16.dat	xmrig
behavioral1/files/0x0008000000015d81-23.dat	xmrig
behavioral1/memory/2792-28-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ec9-33.dat	xmrig
behavioral1/memory/1948-36-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2504-38-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d0e-37.dat	xmrig
behavioral1/memory/2824-47-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2308-58-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2760-55-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/files/0x0009000000016241-56.dat	xmrig
behavioral1/files/0x0007000000015ff5-54.dat	xmrig
behavioral1/memory/2504-53-0x000000013F440000-0x000000013F794000-memory.dmp	xmrig
behavioral1/memory/2756-51-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015f71-44.dat	xmrig
behavioral1/memory/3068-65-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/memory/2792-64-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d3f-66.dat	xmrig
behavioral1/memory/2596-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2640-78-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2824-80-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2504-91-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
behavioral1/memory/2880-86-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d72-107.dat	xmrig
behavioral1/files/0x0006000000016de0-127.dat	xmrig
behavioral1/files/0x0006000000016eb4-125.dat	xmrig
behavioral1/files/0x0006000000017047-133.dat	xmrig
behavioral1/files/0x0006000000016dea-121.dat	xmrig
behavioral1/memory/1488-99-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016dd9-112.dat	xmrig
behavioral1/files/0x0006000000016d6d-104.dat	xmrig
behavioral1/files/0x0006000000016d69-98.dat	xmrig
behavioral1/memory/680-95-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2504-94-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
behavioral1/memory/2760-85-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d63-89.dat	xmrig
behavioral1/files/0x0006000000016d4f-84.dat	xmrig
behavioral1/memory/2596-138-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d47-73.dat	xmrig
behavioral1/memory/2880-140-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2504-141-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
behavioral1/memory/680-142-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/1488-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2272-145-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2540-146-0x000000013F070000-0x000000013F3C4000-memory.dmp	xmrig
behavioral1/memory/2308-147-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2792-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/1948-149-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2756-150-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/2824-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2760-152-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/3068-153-0x000000013F720000-0x000000013FA74000-memory.dmp	xmrig
behavioral1/memory/2596-154-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2640-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2880-156-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/680-157-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/1488-158-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2272	CFfbraz.exe
2540	IhBeUiY.exe
2308	oagcjFK.exe
2792	BgaZDwu.exe
1948	OXfXjmW.exe
2824	OOGaARx.exe
2756	lbKyJqb.exe
2760	BtishsV.exe
3068	cYgobwv.exe
2596	pJTYOlL.exe
2640	czhglWn.exe
2880	vShBVDR.exe
680	fcruQRb.exe
1488	ZmkPgvC.exe
3060	MeZXadl.exe
1368	zGGcrde.exe
2936	BJdNQRr.exe
776	xHRpfkz.exe
2664	gPSjqCF.exe
1516	gghRpsN.exe
784	FtYqQJc.exe

Loads dropped DLL 21 IoCs

pid	Process
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x000000013F440000-0x000000013F794000-memory.dmp	upx
behavioral1/files/0x0007000000012119-3.dat	upx
behavioral1/files/0x0008000000015d41-8.dat	upx
behavioral1/memory/2308-21-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2540-22-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2272-19-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/files/0x0008000000015d59-16.dat	upx
behavioral1/files/0x0008000000015d81-23.dat	upx
behavioral1/memory/2792-28-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0007000000015ec9-33.dat	upx
behavioral1/memory/1948-36-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/files/0x0008000000015d0e-37.dat	upx
behavioral1/memory/2824-47-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2308-58-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2760-55-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/files/0x0009000000016241-56.dat	upx
behavioral1/files/0x0007000000015ff5-54.dat	upx
behavioral1/memory/2504-53-0x000000013F440000-0x000000013F794000-memory.dmp	upx
behavioral1/memory/2756-51-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0007000000015f71-44.dat	upx
behavioral1/memory/3068-65-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/memory/2792-64-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/files/0x0008000000016d3f-66.dat	upx
behavioral1/memory/2596-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2640-78-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2824-80-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2880-86-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/files/0x0006000000016d72-107.dat	upx
behavioral1/files/0x0006000000016de0-127.dat	upx
behavioral1/files/0x0006000000016eb4-125.dat	upx
behavioral1/files/0x0006000000017047-133.dat	upx
behavioral1/files/0x0006000000016dea-121.dat	upx
behavioral1/memory/1488-99-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/files/0x0006000000016dd9-112.dat	upx
behavioral1/files/0x0006000000016d6d-104.dat	upx
behavioral1/files/0x0006000000016d69-98.dat	upx
behavioral1/memory/680-95-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2760-85-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/files/0x0006000000016d63-89.dat	upx
behavioral1/files/0x0006000000016d4f-84.dat	upx
behavioral1/memory/2596-138-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/files/0x0006000000016d47-73.dat	upx
behavioral1/memory/2880-140-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/680-142-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/1488-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2272-145-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/memory/2540-146-0x000000013F070000-0x000000013F3C4000-memory.dmp	upx
behavioral1/memory/2308-147-0x000000013F960000-0x000000013FCB4000-memory.dmp	upx
behavioral1/memory/2792-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/1948-149-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/2756-150-0x000000013FB50000-0x000000013FEA4000-memory.dmp	upx
behavioral1/memory/2824-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2760-152-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/3068-153-0x000000013F720000-0x000000013FA74000-memory.dmp	upx
behavioral1/memory/2596-154-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2640-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2880-156-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/680-157-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/1488-158-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oagcjFK.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lbKyJqb.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OOGaARx.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MeZXadl.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFfbraz.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vShBVDR.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHRpfkz.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FtYqQJc.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\czhglWn.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcruQRb.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmkPgvC.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IhBeUiY.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OXfXjmW.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BtishsV.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cYgobwv.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pJTYOlL.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gghRpsN.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BgaZDwu.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGGcrde.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gPSjqCF.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BJdNQRr.exe	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2272	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2504 wrote to memory of 2272	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2504 wrote to memory of 2272	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2504 wrote to memory of 2308	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2308	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2308	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2540	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2540	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2540	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2792	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2792	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2792	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 1948	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 1948	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 1948	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2756	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2756	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2756	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2824	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2824	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2824	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2760	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2760	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2760	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 3068	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 3068	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 3068	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2596	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2596	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2596	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2640	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2640	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2640	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2880	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2880	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2880	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 680	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 680	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 680	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 1488	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 1488	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 1488	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 3060	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 3060	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 3060	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 776	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 776	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 776	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 1368	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1368	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1368	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 2664	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 2664	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 2664	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 2936	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 2936	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 2936	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 784	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 784	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 784	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 1516	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1516	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1516	2504	2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-12_7dd40001e116b288fcf54977d0bffad4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System\CFfbraz.exe
  C:\Windows\System\CFfbraz.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\oagcjFK.exe
  C:\Windows\System\oagcjFK.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\IhBeUiY.exe
  C:\Windows\System\IhBeUiY.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\BgaZDwu.exe
  C:\Windows\System\BgaZDwu.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\OXfXjmW.exe
  C:\Windows\System\OXfXjmW.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\lbKyJqb.exe
  C:\Windows\System\lbKyJqb.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\OOGaARx.exe
  C:\Windows\System\OOGaARx.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\BtishsV.exe
  C:\Windows\System\BtishsV.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\cYgobwv.exe
  C:\Windows\System\cYgobwv.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\pJTYOlL.exe
  C:\Windows\System\pJTYOlL.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\czhglWn.exe
  C:\Windows\System\czhglWn.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\vShBVDR.exe
  C:\Windows\System\vShBVDR.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\fcruQRb.exe
  C:\Windows\System\fcruQRb.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\ZmkPgvC.exe
  C:\Windows\System\ZmkPgvC.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\MeZXadl.exe
  C:\Windows\System\MeZXadl.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\xHRpfkz.exe
  C:\Windows\System\xHRpfkz.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\zGGcrde.exe
  C:\Windows\System\zGGcrde.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\gPSjqCF.exe
  C:\Windows\System\gPSjqCF.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\BJdNQRr.exe
  C:\Windows\System\BJdNQRr.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\FtYqQJc.exe
  C:\Windows\System\FtYqQJc.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\gghRpsN.exe
  C:\Windows\System\gghRpsN.exe
  2⤵
  - Executes dropped EXE
  PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BJdNQRr.exe

Filesize
5.9MB

MD5
29d33dff447e834f9668ffaa9c0f89bd

SHA1
ced765c4d42bc9e6aa3587f9ba2d5feb322458f7

SHA256
c272caab00af1588a9b62ac5cb743438677428264b6f31e300aedc211ad8ae63

SHA512
536fed3a15ac8036d697545214ff665efa382a911820cd6fd0824c12a8b2405662a1bac4cebf57e3c797f395c6fb8f74c7c135dbc762e2204f30b5485107d0d8

Download Submit
C:\Windows\system\BtishsV.exe

Filesize
5.9MB

MD5
2cdd5adf06ef7a86277afe6bae182bba

SHA1
10322e572aca4e86d10699efe2ea5cece3d6e888

SHA256
67fd7afab5fb4f318d76aae15b3a2597b33353a150980c7bb5aa5db445f0c8bb

SHA512
7f6bc3428f518edf5b09184744b65584923cb2cf7c8420e8ea1eaf1e6604ca5c59f84bd41da92bac69199396c04e8cbb6197b3a9d814c5d876ad96d37a7a18bc

Download Submit
C:\Windows\system\IhBeUiY.exe

Filesize
5.9MB

MD5
36068a854ec5d46a1b04e6475e3f4b0a

SHA1
b28d4c1a57c968dd2979bf066410f0e1e4e8c6e1

SHA256
e8d2b2a55e644b2ca9f3acb8903464d710cc3c6c74af858d4f6dcf6b90d882af

SHA512
ae95f5f7257e7792aa16449af9098803e8ba540126ee443a3ad509b4f67e07d06e6a19323520a7c38d3b466ec84db26e14797f844660bac75e25101c4ecc1249

Download Submit
C:\Windows\system\MeZXadl.exe

Filesize
5.9MB

MD5
5015b32c28244137eba3ba5545835f30

SHA1
79839117b85bbe9bd95f465972aff5ed695f8a14

SHA256
4c7381ee18bf706716db10c0c754206e5d218826b9822af5b653ff12fb34715b

SHA512
69eae30bcdc4ead155a0c72b50a6b81fe3c262a3646b0b0ec55860a5382d90ed7531a0e5ad5e3b159b98ca4b4c779695e906a2cd718428d8808e37064b0d2cd2

Download Submit
C:\Windows\system\OOGaARx.exe

Filesize
5.9MB

MD5
4efbac30ca254f953ccbf901d1791143

SHA1
998e946753578c591c86044c3cff780e78739fde

SHA256
7d99c469b64d4127a84a6edace6bf736cbb162af0266b874740fddc2c7e4bfa5

SHA512
6925dfb216f5dc9d9d02d0c16bba0b776248b9660ac1417951fe15108faef6d976f08377fe2ed38bedc9f1b0fb4f7447fead3211456d2c6ebd554ef607b329c9

Download Submit
C:\Windows\system\OXfXjmW.exe

Filesize
5.9MB

MD5
ca2a1f7c194b9a4a81dcbbeac748af68

SHA1
dbdfd674fa7cd47fd66ca48e5951babfc285d8d5

SHA256
757ff1f1da3c54ab32229359777bb21315045054de07a67a333878aee8ce333c

SHA512
475f3f1e0af3b7e3f66c06c3724f1f6d04df17dedfc7f9de423e93bde0addd83908fad0e382935ce5c31f6363d4c4bfba7dd9144a0f58222216a3db8ae29d1ec

Download Submit
C:\Windows\system\ZmkPgvC.exe

Filesize
5.9MB

MD5
eaa60a404eec0d8930d2bb3f7e672861

SHA1
c9894621ef42cdd0074cfa7a10645ac472458456

SHA256
2a9c9b661615178a281d16e01ecd2241c5857546b9daea78b6125cbf2f97a690

SHA512
a5afdead0a1381f8c8766a92b31642b65294a7f902ab0015e920a2b389850930a4f615cd9667a8bba0cc9321007bb092548c2dd5f2e4966146ad80cc2ece20e0

Download Submit
C:\Windows\system\czhglWn.exe

Filesize
5.9MB

MD5
35d79d440d8b4701ffca52238645aaaa

SHA1
c687e147798e1ebd9bac559d4a9e14a50ada3932

SHA256
c53b0f284d401ad92ffd885a43b29747916b58731a3c2a219d75fa420c824025

SHA512
180598d152256ce643fb49bcd5ead6b31bf599e7383d60f086d3507a91af2038ede252c3bc16aef168072ff1cb705b137f7b794a0252fae3b60ea6c1949965b4

Download Submit
C:\Windows\system\fcruQRb.exe

Filesize
5.9MB

MD5
5bf93e3cce444e8e0eb8b5794ca8a18c

SHA1
654a0ecd704c3fb194b348613ad9dd53f3c7f78d

SHA256
7cdb15ab108204f58c235f0f742503c6f2d0e4d608a4ab7cd9d69f7fc81339c3

SHA512
262d67b9d5aceffae7d86d9834f0c82ee851153f84aa1e51efa7f2df0a7984bcee5f22a92923bb82c9ade7e1bc94263badca2d9f56bab0acc4f4621f50ec76a8

Download Submit
C:\Windows\system\gPSjqCF.exe

Filesize
5.9MB

MD5
a96b561e5d00a0ffa79d50da7c3e63e3

SHA1
ff0112d18071848bc504461ed85245cdeabdb25f

SHA256
67ef9f8ef5b77e280ab41356b616b01d27bf5159f89d116136d64b41b86c63d3

SHA512
eb1e02733b94f789b4715e82b0c0639800c8518bb3fce5196e4ab965107f9b7b029fee1ae0f2731b786d564c0543b34f55941aa2425db6f7bafb5c0193493815

Download Submit
C:\Windows\system\gghRpsN.exe

Filesize
5.9MB

MD5
0d8205c2f3783bb16e9c9182de47792c

SHA1
50c705388450a94eca5bdb45f1a8c78d0d05e9d2

SHA256
2cca966e19f80e6145980bffbb255bc5832b926d13b145e46c2bd29d94f619fa

SHA512
65832a247311ccba6af5a4d75326bd44848206c5eaf1243f7a67eb2dcb997d5cb752b5e0b88bdaf1f7a16aefc958655f468003b5a2617a4bd99d438aaa2b9552

Download Submit
C:\Windows\system\oagcjFK.exe

Filesize
5.9MB

MD5
1cdbc37e90dde6d536a0782919d42f19

SHA1
8552524861a79e1059993be715a09d8ae9e02d17

SHA256
295a0151d765029afe3e728b3db47621aa3f16809bf8632d6a6b324b3b643a58

SHA512
c087a9404f51a25b6a6c757fbccce8aeb7922ce42a0f4c9c0fd6d028080548812c73c4f4ea910f0fe49376dc2468f9b32db9fb1f290614112744832ccc80edad

Download Submit
C:\Windows\system\vShBVDR.exe

Filesize
5.9MB

MD5
1815060d73be8db28c666c8950dd4bc0

SHA1
a7270aad2151fe2d635f3be2c33d5a611c5ab72e

SHA256
9856ad001ec58d2230ad970eda2919310a092da90560635da73e6103fbe1a6eb

SHA512
430d688b8af4675bec4f8bb3e74cc46e6ff180a36d2ebca8ad76f050cf1564bba68a0c26c8936a5ef2ccd7fd3be0c3de24aabf094c43bdd4b4f770d75a572014

Download Submit
C:\Windows\system\zGGcrde.exe

Filesize
5.9MB

MD5
3b0caa6a2b05d544572782c009bc3636

SHA1
855c71bcf4968e85d901c9faecf2d3654458c1b6

SHA256
5299c47f2d7fc8bcf65b174add6c40f24c2308bb0a2947c1fee7f1f2e9f94cd9

SHA512
306cbe3f04eb1170240c5191932133368e80079c11289891b58893c135bf0b7d0210f43c864fa7b5b3d668bd3a1d3fb86ace7a3959c216468d1ada3a386c11f5

Download Submit
\Windows\system\BgaZDwu.exe

Filesize
5.9MB

MD5
5e7a8b21f1f55611ce9d56fe87318d5d

SHA1
cd066f51b5f971a5f79011d6e25407a908764666

SHA256
75663a2c47c302a0dc763d6d3a34eb41167ab16489ee37f4fa88c542f2364010

SHA512
24623e01ade86d70e254ed49923016c6424a86c783eae4d4af0b5e74da8101e279265e671e5710f0865319391a195f2b0f3f3630599bf238bc4f7e9c6d11eeea

Download Submit
\Windows\system\CFfbraz.exe

Filesize
5.9MB

MD5
841a9946c293308078e770ff07572793

SHA1
a17b81d999fe660a3543c120a8ebcee3fd597fcb

SHA256
3321b5918d422fd342795f0a5b166ff9a919b7a2bc17564f58403eb8ecd93b02

SHA512
cf8fe354f5668e7fb58e27fb17e36f0f2e4c7354acd7a88af1a648ce3fa5e0d1251b3fe27263916486f7ccb02dceb1a418f45b2e957c887888bb07185d797910

Download Submit
\Windows\system\FtYqQJc.exe

Filesize
5.9MB

MD5
88a716cb0ba83a35f69d34f9abc98a00

SHA1
de01f05449d5e2bf2fb97758fd78808c191273c3

SHA256
4d2858ba95394f2620572eb9ac6e54ec5332f0820d386d938f592899327c8854

SHA512
d45fffd371b9209615a639345cfb5b4aad9a4e60533be44a12c11167447e2a1a4925c1b6a54058a1a9b37efd47e109128840e7a1d957ea3f4765310e26c83c2f

Download Submit
\Windows\system\cYgobwv.exe

Filesize
5.9MB

MD5
5c1dc923444b06bc4020db4edd1dee97

SHA1
31559c1a5bd67ad1a30f14610078aa91b2629fe0

SHA256
16f26a4adf5069246c068f5e6e5c24a929f1a9406f25e081b7e32366dec5c179

SHA512
b07afea7f4081d4eadf3a23782adfdd3a182bdb3c4cb010cc7a6da6875cc4fef83cc1724f17c27ce056443827f918ab7278a8e6afbd59a40720f8194edb3f703

Download Submit
\Windows\system\lbKyJqb.exe

Filesize
5.9MB

MD5
d9ad7e60e63431d4258b3c1aefa9db5e

SHA1
e831b6cc8fe8e01280eb9b6c924fb73728576d0b

SHA256
4b1b49fabf5bb0f47aeefd03756b953d1f479bfe5840d71e296de7f6c4e0d45b

SHA512
827dde5ce447d1fe7c5f0c05942f5b73151849ac0ece306c70473a262e9dd5e7149136c4c74e7cccda46383488de1f1639d685de9e13b8bad02104cfe7d224bc

Download Submit
\Windows\system\pJTYOlL.exe

Filesize
5.9MB

MD5
21ff8191a09f44a164fde942617a2c1c

SHA1
c75a456c4d6d3124ad513dcc7a1781908bfe6ef5

SHA256
b30176f6d928b53856040b4841a1eb1ff31dd4014a10c1f5550f8eadcacf2d13

SHA512
b6f45f66d3a02dbd7ae73120a804a8da6f2ae9a57a473bd30f70a1092a29b77dc54f65745591cbbd1776aefbf82bc855dd4749fa719729679c4139c0a4c2502b

Download Submit
\Windows\system\xHRpfkz.exe

Filesize
5.9MB

MD5
eb9eabba71d496e4b64a9f07ae137e7d

SHA1
e2c56ab1092d0ad89c0ccba4d30131ae9038fa36

SHA256
8431ea36eba9483b509066ba79d75f31881a97cf9d6f9b44d0859177b219202f

SHA512
2a22e9716817570bf42321daad610d90359870e1d9b7bc544c310b9f702a93148867176dd534070bc42524b9374aac9edad4aa8d315b3e9739ed22f83a74f63c

Download Submit
memory/680-95-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/680-142-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/680-157-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-99-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-143-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-158-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/1948-149-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/1948-36-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2272-145-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-19-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-147-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-58-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2308-21-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-35-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2504-139-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-91-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-79-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2504-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2504-15-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-24-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-14-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-144-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/2504-38-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-137-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-53-0x000000013F440000-0x000000013F794000-memory.dmp

Filesize
3.3MB

Download
memory/2504-97-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-141-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-94-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-0-0x000000013F440000-0x000000013F794000-memory.dmp

Filesize
3.3MB

Download
memory/2504-59-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2504-77-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-146-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-22-0x000000013F070000-0x000000013F3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-154-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-138-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-155-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-78-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-150-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-51-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-55-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2760-85-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2760-152-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2792-148-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-28-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2792-64-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2824-151-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2824-47-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2824-80-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2880-140-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2880-86-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2880-156-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/3068-65-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download
memory/3068-153-0x000000013F720000-0x000000013FA74000-memory.dmp

Filesize
3.3MB

Download