cobaltstrike | eb76b8f1b1dfac2a105716439eaac2cd6de9c3f768e29dc0ff3dba978bd956b3

Analysis

max time kernel
140s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

9b0f5474c89ec07165ecbfe2243eee16
SHA1

1b98c7e7ee3eb366983f91c9947f597ad5fe4352
SHA256

eb76b8f1b1dfac2a105716439eaac2cd6de9c3f768e29dc0ff3dba978bd956b3
SHA512

d8a85d6e6ec36aaf62641c6ce9b16be63878901851ce48629b56dda20474df50fbb3ff022a69027c8b8624c1cad2367ae88eb8398a518c3c99575892f10b07fc
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU0:E+b56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012118-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019259-7.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001926c-21.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019278-40.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001929a-46.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d7-55.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019319-53.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019513-78.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194df-74.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001950e-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019275-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019268-18.dat	cobalt_reflective_dll
behavioral1/files/0x00340000000191f6-94.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019642-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019b0d-134.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019a72-130.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000197c2-124.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001964b-120.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001964a-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019640-103.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001953e-90.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/2168-0-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/files/0x0007000000012118-6.dat	xmrig
behavioral1/files/0x0007000000019259-7.dat	xmrig
behavioral1/files/0x000700000001926c-21.dat	xmrig
behavioral1/memory/2804-24-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2960-27-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2168-30-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/3052-37-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/files/0x0006000000019278-40.dat	xmrig
behavioral1/files/0x000600000001929a-46.dat	xmrig
behavioral1/files/0x00050000000194d7-55.dat	xmrig
behavioral1/files/0x0006000000019319-53.dat	xmrig
behavioral1/memory/2004-76-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019513-78.dat	xmrig
behavioral1/memory/3044-77-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x00050000000194df-74.dat	xmrig
behavioral1/memory/2404-73-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/3028-61-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2168-70-0x00000000023C0000-0x0000000002714000-memory.dmp	xmrig
behavioral1/files/0x000500000001950e-69.dat	xmrig
behavioral1/memory/2168-67-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2596-50-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/1296-42-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/files/0x0006000000019275-34.dat	xmrig
behavioral1/memory/2732-29-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2956-28-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/2168-26-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000019268-18.dat	xmrig
behavioral1/memory/1296-80-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/1492-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/files/0x00340000000191f6-94.dat	xmrig
behavioral1/memory/2900-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019642-117.dat	xmrig
behavioral1/files/0x0005000000019b0d-134.dat	xmrig
behavioral1/files/0x0005000000019a72-130.dat	xmrig
behavioral1/files/0x00050000000197c2-124.dat	xmrig
behavioral1/files/0x000500000001964b-120.dat	xmrig
behavioral1/files/0x000500000001964a-113.dat	xmrig
behavioral1/files/0x0005000000019640-103.dat	xmrig
behavioral1/memory/2616-93-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/3028-89-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x000500000001953e-90.dat	xmrig
behavioral1/memory/2616-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2900-140-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig
behavioral1/memory/2168-141-0x000000013F290000-0x000000013F5E4000-memory.dmp	xmrig
behavioral1/memory/2732-142-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2804-143-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2960-144-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2956-145-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/memory/3052-146-0x000000013FFC0000-0x0000000140314000-memory.dmp	xmrig
behavioral1/memory/2596-147-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2404-148-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/3028-151-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/1296-150-0x000000013FA30000-0x000000013FD84000-memory.dmp	xmrig
behavioral1/memory/2004-149-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/3044-152-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/1492-153-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2616-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2900-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2732	vfXGiLA.exe
2804	VCcusKZ.exe
2960	CyBbFvn.exe
2956	JuSXJfv.exe
3052	oogXhAm.exe
1296	muHGzso.exe
2596	mFOUbui.exe
3028	QnYlDcR.exe
2404	AKtxfKo.exe
2004	MgRZryd.exe
3044	HzGdMeu.exe
1492	SGROXAp.exe
2616	RQYJwno.exe
2900	VgOOeos.exe
2240	loROoQf.exe
2924	twKJTpN.exe
668	YESClCc.exe
2128	nGhzEZd.exe
1872	JWiSpYX.exe
588	MRbppRf.exe
604	QYLYura.exe

Loads dropped DLL 21 IoCs

pid	Process
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/files/0x0007000000012118-6.dat	upx
behavioral1/files/0x0007000000019259-7.dat	upx
behavioral1/files/0x000700000001926c-21.dat	upx
behavioral1/memory/2804-24-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2960-27-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/3052-37-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/files/0x0006000000019278-40.dat	upx
behavioral1/files/0x000600000001929a-46.dat	upx
behavioral1/files/0x00050000000194d7-55.dat	upx
behavioral1/files/0x0006000000019319-53.dat	upx
behavioral1/memory/2004-76-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/files/0x0005000000019513-78.dat	upx
behavioral1/memory/3044-77-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x00050000000194df-74.dat	upx
behavioral1/memory/2404-73-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/3028-61-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x000500000001950e-69.dat	upx
behavioral1/memory/2168-67-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2596-50-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/1296-42-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/files/0x0006000000019275-34.dat	upx
behavioral1/memory/2732-29-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2956-28-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/files/0x0007000000019268-18.dat	upx
behavioral1/memory/1296-80-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/1492-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/files/0x00340000000191f6-94.dat	upx
behavioral1/memory/2900-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/files/0x0005000000019642-117.dat	upx
behavioral1/files/0x0005000000019b0d-134.dat	upx
behavioral1/files/0x0005000000019a72-130.dat	upx
behavioral1/files/0x00050000000197c2-124.dat	upx
behavioral1/files/0x000500000001964b-120.dat	upx
behavioral1/files/0x000500000001964a-113.dat	upx
behavioral1/files/0x0005000000019640-103.dat	upx
behavioral1/memory/2616-93-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/3028-89-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x000500000001953e-90.dat	upx
behavioral1/memory/2616-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2900-140-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx
behavioral1/memory/2732-142-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2804-143-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2960-144-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2956-145-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/memory/3052-146-0x000000013FFC0000-0x0000000140314000-memory.dmp	upx
behavioral1/memory/2596-147-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2404-148-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/3028-151-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/1296-150-0x000000013FA30000-0x000000013FD84000-memory.dmp	upx
behavioral1/memory/2004-149-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/3044-152-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/1492-153-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2616-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2900-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\VCcusKZ.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oogXhAm.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AKtxfKo.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MgRZryd.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SGROXAp.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MRbppRf.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JuSXJfv.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mFOUbui.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HzGdMeu.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGhzEZd.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JWiSpYX.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CyBbFvn.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QnYlDcR.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RQYJwno.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YESClCc.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYLYura.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vfXGiLA.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\muHGzso.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgOOeos.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loROoQf.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\twKJTpN.exe	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2732	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2732	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2732	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2804	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2804	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2804	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2960	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2960	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2960	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2956	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 2956	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 2956	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 3052	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 3052	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 3052	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 1296	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 1296	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 1296	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 2596	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 2596	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 2596	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 3028	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 3028	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 3028	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 2404	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 2404	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 2404	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 3044	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 3044	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 3044	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 2004	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 2004	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 2004	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 1492	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 1492	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 1492	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 2616	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 2616	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 2616	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 2900	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 2900	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 2900	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 2240	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 2240	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 2240	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 668	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 668	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 668	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 2924	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 2924	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 2924	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 2128	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 2128	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 2128	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 1872	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 1872	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 1872	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 588	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 588	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 588	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 604	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2168 wrote to memory of 604	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2168 wrote to memory of 604	2168	2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_9b0f5474c89ec07165ecbfe2243eee16_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System\vfXGiLA.exe
  C:\Windows\System\vfXGiLA.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\VCcusKZ.exe
  C:\Windows\System\VCcusKZ.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\CyBbFvn.exe
  C:\Windows\System\CyBbFvn.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\JuSXJfv.exe
  C:\Windows\System\JuSXJfv.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\oogXhAm.exe
  C:\Windows\System\oogXhAm.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\muHGzso.exe
  C:\Windows\System\muHGzso.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\mFOUbui.exe
  C:\Windows\System\mFOUbui.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\QnYlDcR.exe
  C:\Windows\System\QnYlDcR.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\AKtxfKo.exe
  C:\Windows\System\AKtxfKo.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\HzGdMeu.exe
  C:\Windows\System\HzGdMeu.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\MgRZryd.exe
  C:\Windows\System\MgRZryd.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\SGROXAp.exe
  C:\Windows\System\SGROXAp.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\RQYJwno.exe
  C:\Windows\System\RQYJwno.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\VgOOeos.exe
  C:\Windows\System\VgOOeos.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\loROoQf.exe
  C:\Windows\System\loROoQf.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\YESClCc.exe
  C:\Windows\System\YESClCc.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\twKJTpN.exe
  C:\Windows\System\twKJTpN.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\nGhzEZd.exe
  C:\Windows\System\nGhzEZd.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\JWiSpYX.exe
  C:\Windows\System\JWiSpYX.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\MRbppRf.exe
  C:\Windows\System\MRbppRf.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\QYLYura.exe
  C:\Windows\System\QYLYura.exe
  2⤵
  - Executes dropped EXE
  PID:604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CyBbFvn.exe

Filesize
5.9MB

MD5
36ab18d97373a1fd992ddfbb5804fbe5

SHA1
40122534f648372b192c7237938d12fc1dba16e6

SHA256
f8a6c19bc59b01d1bcbc69bc814364adce9e8c760e224765b545aec48b2ab62a

SHA512
afad3ceecf863c7847808b18891cc58797be9bdc79a2b35d7f75412cad45bedd2b72ec3429f1543f0789ee4d3a4179dddcdeb4e9e0574c3227b1a0a311272c96

Download Submit
C:\Windows\system\HzGdMeu.exe

Filesize
5.9MB

MD5
7e9e3f20e53fcd1b568bec8b2252f144

SHA1
7a0a94fd6f2bc078755eb56e5fabf19cd3238bd0

SHA256
247d4bb4bbbf29772ddc1dbef2885be86d57cb14c2b34e3b9313d6fd822088f8

SHA512
dcde05d63adec0fef8085601451353778c42d9cbce81df27641b968fe7d96b379a70b579d3f384ecf75174667c4aa0af45aaa6f1fdfc2692ba50f8466ca7dbd3

Download Submit
C:\Windows\system\JWiSpYX.exe

Filesize
5.9MB

MD5
7e46adbc29e4f516776cb99ff9f782ba

SHA1
4e1c5e6c3fa6f7c2a97fc726459cec3643f1a0e9

SHA256
c0496cc385a179619141ff17a5b5fce896be6254aa304f5a58506d133a3863b8

SHA512
a95eb9cb417d489bdbafac71686ad5f246fadb0034aad84b2ab314fd6b8c064e512af882bb682f95586ce2382a6d67d904727f526c58414fdbe0d150d930116c

Download Submit
C:\Windows\system\JuSXJfv.exe

Filesize
5.9MB

MD5
ed796ee73038f466745b842d92427f7f

SHA1
a50e5a35c61453d15f48901af9132818438deb02

SHA256
0d2866f035f46a37e77e75ffb7554a2e1966b6e0c3b7ab46115beac413cb6624

SHA512
16c4df6d098b394fa079db578d8cf19d026bdf364fdd9e9c0d94810ace4a5ab742096fce4a11bd555ff5eb0fce6ca5c7610d17f6a2c7987c29942b41a4d3aedf

Download Submit
C:\Windows\system\MRbppRf.exe

Filesize
5.9MB

MD5
6493a61ce326980ab859f89ca60e5a5e

SHA1
f8aa7f36d706beaa922f7f2699ccae96a3c4421a

SHA256
b4e5645e8dd5c7159f20fa2f4e46aac314669127bdfe2967edd42c706f5c6338

SHA512
53048245fa120ab45bd4de1236bd7437c33f531bdebe01ce03a5e22734c79a9a815ebf33c91c4ccc0fd7b549501acfb612dd49a2a114d597294de594c46a7d9d

Download Submit
C:\Windows\system\MgRZryd.exe

Filesize
5.9MB

MD5
907e21c73be8cf70d999f6a7c84ab1fa

SHA1
87b0c5e1664a10352ba9bacb11bb88c4ae49f1ba

SHA256
d2fb575980434f1b7c759c511fde17385ad090626fb53945d53258757d9e492b

SHA512
b21a9c36556e755e9ff8160bd058c3a7e960e49b836af20089f50aa5f938e88ae23213066b20a119cbb2ae6cffe287800ece7a1a98eb03c2b6bea781ead4ed92

Download Submit
C:\Windows\system\QYLYura.exe

Filesize
5.9MB

MD5
d2c85e2ee5e84c58332750bebcb1cf91

SHA1
3060ce8f729189fe1de60f07cd21f9577269b471

SHA256
5817fbf78a532f051b80923aceb34098be180ab4d47588edc5d32e0f4800ad61

SHA512
f7690592514a96f4dbc1c0f650fa1f5e8b4d7f48fcc06d0df90b398f0090e2122c528719cce6e12d11896b2c3264abd1a01da7551926bd590c12efb12cf31ca5

Download Submit
C:\Windows\system\QnYlDcR.exe

Filesize
5.9MB

MD5
f865efe3f6d872b5d08bd15bb8347fec

SHA1
db7f675b579fc3801975c227b6f877d8629886cf

SHA256
f5500f166fb6864cea73ead8fb74a3c7cd22195ce8522f93ec30915de638f359

SHA512
741d87b266fa03119b10e1e514774303004e1d30976092a9bdcfd46e7e25fcc7d571539ba27736ac9b29d4f1833ba575490acd0664d0ab3579270ec7b834f38a

Download Submit
C:\Windows\system\RQYJwno.exe

Filesize
5.9MB

MD5
d73b121d416fea72ab2d6877ab8d53c8

SHA1
a3af4c0b94422f54074a74793f7ba315b2816c7f

SHA256
caa701300fe8cf96f02a59fbe80d580f6ed03fc7c84ccfa9d510d7a382cfb1ee

SHA512
4ab2a8bea7a160cdeb880af0673b03221cc941d36ae0876d280f302982695cd4645669510f6110be8012d9f0cd75e9888fa3d37fa2ade48aece323a4bc8a45e2

Download Submit
C:\Windows\system\YESClCc.exe

Filesize
5.9MB

MD5
115a08b58d503e2df294a77d3b0a1938

SHA1
9b3e98d0d0808ae617f5fd771b43072f5be092b3

SHA256
4e78a85f5c19f17a05f7f65d96157663431625b24097beba3e5b4cb4f1f1983a

SHA512
cb4e296a16cd234b6279a53a91cb05e6719ea6942648b6d8e971ccfe137de985a5bb5266a669fc15dd4bb6ee016563d71289b8a3523f1c2e38de353c33397149

Download Submit
C:\Windows\system\loROoQf.exe

Filesize
5.9MB

MD5
d3baed399ec52450f88b3209b338f708

SHA1
804bb638d4dce77e82ea188d8af3b00cbb6ae56e

SHA256
e57fcc67ea00a5ce1efac31040fbd2365b38452a8301be3da9bbdc58de5eb01b

SHA512
e68ee0378a7685450fc28b2f61c3de8629699820d66ac9804e9d9b3736e2e13e9d5a063e9d56ccc392d818f74531dc9d0eedb3fde3bea57153f81347e287427d

Download Submit
C:\Windows\system\mFOUbui.exe

Filesize
5.9MB

MD5
286cb482b1f11d78ab5616242a95cbd9

SHA1
f8f78baba87e6287417976be97e4222b6ad21822

SHA256
3cb5f9fe81248cdb53ddb9135b2743ac3b098da2c6bbc6ea0c180f67363349e5

SHA512
a3871287ba15ac0d3a46b6e9710110ca073567320d6a7b9354f31e9d1656f928940423bdb0eaee7f49ffd3f92567d4ebfac68e50d6c49d91c499702695371e00

Download Submit
C:\Windows\system\muHGzso.exe

Filesize
5.9MB

MD5
c47a44e773a86955e04df24a2fe672c9

SHA1
b58fb77c99d10e4f2926985e4739add1423b3401

SHA256
dddb7882a8a525e05ac01daad8eff08c692daaa35ff7a0aaa447881d57cf38c0

SHA512
b2f4adf9b074e2bd4c0da04db3c42ca0d5037905f76ab8baa006b1f27c8c9e2f4b219c555b9e10975953ab5b09742a03ddd04e9f3a8caa80994e6c51249a9750

Download Submit
C:\Windows\system\nGhzEZd.exe

Filesize
5.9MB

MD5
f3d8a62eaf959be302dd33749a875d21

SHA1
06f51e2b3f7f786842bb64cd3b4b27c9e821e3e0

SHA256
aad20bca1e79746bd136395a349c12d7919520cfe32806238dc74e2215cdad94

SHA512
8f418ed12e99ba8106fb43f74832279a9ffc6c9fbff66a50eb34f8ffb4bf2f71396f593e803569b12744edb478c39f76354c3bbe8f9056c73e0d6d5fa0e2340e

Download Submit
C:\Windows\system\oogXhAm.exe

Filesize
5.9MB

MD5
577c262dd454022d754c82141c1ac959

SHA1
22859ef0133fec03fa583927b06f8f6030390dc3

SHA256
3d9c9be885971991e293e618f03394bc43e0943ac68aa27653955753de8eb943

SHA512
931e2d1a2283201bf7973ed674cf782aade3f5510eec3d54dd2ab6c9c60a14664142e14e7cd7ae2688862f319aa215446ff4a9d06dd69fa6fbbf71ef3a61c112

Download Submit
C:\Windows\system\twKJTpN.exe

Filesize
5.9MB

MD5
2a5ce2baf4a98a19051d5660797694b8

SHA1
40551e3a36364442a925d0505464e77deb3504a1

SHA256
fb23facc43c7622d34ab17956fe917330ddf5198869fa6131d44f436ff5c861f

SHA512
c67fab055c820d48c6dc146a4cf4af3dcca0c0b26c9f7e2ab0b609b18293aecf2ff9efdd304b9f3472b8609217435b3c56f328c05f130eccabc4f982b230e3b4

Download Submit
C:\Windows\system\vfXGiLA.exe

Filesize
5.9MB

MD5
5048c1609adfb6935c4e7b5e99760a4f

SHA1
c3523f1da1e446da1ffb66657108ed5743549402

SHA256
9ebd23852ab4176bc0351b6aa071ebd051eb476a241efd92c564f64610699474

SHA512
fdf1f1e47c0d46a7b24e72995cf40dbc1abd020d05657402ed15d7c13fbc9398ea8e8acc8c270317c38c0dd81896e982cbe91b9b0367cb4deca74590c6c36573

Download Submit
\Windows\system\AKtxfKo.exe

Filesize
5.9MB

MD5
86a29825e0dc70ed7196748ef3e55639

SHA1
ea29c463a55c768fb07b7f2c455027b31e9b242b

SHA256
454903a6abb4342a19f5200873f6047f52b4ea0eb6f26b11eacd38899dc9559e

SHA512
54441902c9094204962c6f466c941676a285a3290db5413dba9166b5517b5e9d1c96dc903f61c450e8c2578709788ef33390257977e5cf64a28aec865f2b87e7

Download Submit
\Windows\system\SGROXAp.exe

Filesize
5.9MB

MD5
289adacfcd11cf2a5d3c62d11c7cee10

SHA1
14859b6931c76cf5140fde0109d8444e6e739df6

SHA256
e6615d12ba4d56d721ced1817f86d6d33f9814c3a9ca3f29bcfcf85d4f37b8f2

SHA512
0d4a645b875024aab74902dc7f5bd3369c0dbd8e7fe7becfa9c9adeec26761a8b92a1d55fc32d18b8d937584b83bcd5298fe2119acd1f56a98613bb36fd086a4

Download Submit
\Windows\system\VCcusKZ.exe

Filesize
5.9MB

MD5
33fdbb6351ceb1f9bc68617996ea308b

SHA1
f9867ac97e5b06d3ac7c9e4e6de039da5d97f5c1

SHA256
7732950e8b440b38de11e5f9903af166965cd32694afb7411bfcf99e530260ef

SHA512
8ff266806a329ea0890ad98e5cb4310b4a534f3e6a779287a1d5e85938046fd7b5f0abd48ef73f7e0a1a9723d67f474cb01633494f30cf29ab9c056298dd62e1

Download Submit
\Windows\system\VgOOeos.exe

Filesize
5.9MB

MD5
033dc3b780923e3c0a490b21df3a6c7c

SHA1
97f6e02d07231aa833180ef2216a1286931bf732

SHA256
0fed6658e989e66b43d8878e2a938bf802794011feef2f071cd97399555aeac9

SHA512
b246714e1fec112b29626e77c7b79ce00eb288f6071bd918e53adea17eadb9e2ace3573de3b69e6ae3975fdaf5755ce3200efff023f1cdcfc8a1d562e7685c43

Download Submit
memory/1296-42-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/1296-80-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/1296-150-0x000000013FA30000-0x000000013FD84000-memory.dmp

Filesize
3.3MB

Download
memory/1492-85-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-153-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-149-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-76-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-79-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-22-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2168-139-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-137-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-49-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-26-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-67-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2168-70-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-72-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-91-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2168-12-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2168-97-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-141-0x000000013F290000-0x000000013F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-0-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/2168-136-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-35-0x00000000023C0000-0x0000000002714000-memory.dmp

Filesize
3.3MB

Download
memory/2168-109-0x000000013F290000-0x000000013F5E4000-memory.dmp

Filesize
3.3MB

Download
memory/2168-30-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2404-148-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2404-73-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2596-147-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2596-50-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2616-93-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-154-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-138-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-142-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2732-29-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2804-143-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2804-24-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2900-140-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-155-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2900-99-0x000000013F9A0000-0x000000013FCF4000-memory.dmp

Filesize
3.3MB

Download
memory/2956-28-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2956-145-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2960-27-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-144-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/3028-151-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/3028-61-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/3028-89-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/3044-77-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/3044-152-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/3052-37-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download
memory/3052-146-0x000000013FFC0000-0x0000000140314000-memory.dmp

Filesize
3.3MB

Download