cobaltstrike | 39a31e8fa6e9a88b8352bb9bccb56334e867a1b05df3b482b8588f6c81586a0d

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1cc558ec67aa955e292376b214a9e213
SHA1

12f39c3034803ee0195243b0436560c76b4fb168
SHA256

39a31e8fa6e9a88b8352bb9bccb56334e867a1b05df3b482b8588f6c81586a0d
SHA512

018abbf7390cdf80ace583f073220aa8430f207d74faf4bbd2d97f594cff4c5e7b9a2e79f7b412f1056a251c6ef98bee3adb9ccb422f7f0de474af2bc17d7f31
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012233-5.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018725-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018ab4-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b03-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b62-82.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fc7-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fca-89.dat	cobalt_reflective_dll
behavioral1/files/0x00030000000178b0-108.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019028-119.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001904d-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019044-129.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001903d-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ffa-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fc4-86.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001901a-112.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b54-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018ddd-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b4d-34.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fe2-94.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fcd-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b58-42.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2800-22-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/1368-107-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/1872-136-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2244-139-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2788-138-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2188-70-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2680-69-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2856-37-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/1872-103-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/1924-102-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2748-100-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2872-98-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2580-97-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2696-95-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2056-20-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2504-19-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2708-161-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2864-160-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2200-159-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/3028-158-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/2080-157-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2940-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2440-154-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/1872-163-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2504-211-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2056-219-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2800-221-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2856-228-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2244-232-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2788-230-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2680-236-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2188-234-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2580-244-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2872-246-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2748-248-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/1924-250-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2696-242-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/1368-252-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2504	ArGXqHY.exe
2056	DUzOPqk.exe
2800	clkXUdG.exe
2856	DQpyVKa.exe
2788	BdulEds.exe
2244	pRQHDDE.exe
2680	dLGeyFD.exe
2188	HkPPaEN.exe
2696	gbNxHRl.exe
2580	hoAiLDG.exe
2872	GQOxDaz.exe
2748	ZssSOHq.exe
1924	BFDhHvd.exe
1368	vVqwMWn.exe
2440	fZNWmrj.exe
2080	ZSSZGPC.exe
2940	XvxNIgH.exe
3028	NVDbext.exe
2200	UQTBmpP.exe
2864	LLKtmJC.exe
2708	Dkbqegz.exe

Loads dropped DLL 21 IoCs

pid	Process
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/files/0x000b000000012233-5.dat	upx
behavioral1/files/0x0008000000018725-8.dat	upx
behavioral1/files/0x0007000000018ab4-15.dat	upx
behavioral1/memory/2800-22-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/files/0x0007000000018b03-27.dat	upx
behavioral1/files/0x0007000000018b62-82.dat	upx
behavioral1/files/0x0005000000018fc7-64.dat	upx
behavioral1/files/0x0005000000018fca-89.dat	upx
behavioral1/files/0x00030000000178b0-108.dat	upx
behavioral1/files/0x0005000000019028-119.dat	upx
behavioral1/files/0x000500000001904d-133.dat	upx
behavioral1/files/0x0005000000019044-129.dat	upx
behavioral1/files/0x000500000001903d-124.dat	upx
behavioral1/memory/1368-107-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/files/0x0005000000018ffa-104.dat	upx
behavioral1/memory/1872-136-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/files/0x0005000000018fc4-86.dat	upx
behavioral1/files/0x000500000001901a-112.dat	upx
behavioral1/files/0x0006000000018b54-75.dat	upx
behavioral1/memory/2244-139-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2788-138-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2188-70-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2680-69-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/files/0x0006000000018ddd-56.dat	upx
behavioral1/memory/2244-48-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2856-37-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/files/0x0006000000018b4d-34.dat	upx
behavioral1/memory/1924-102-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2748-100-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/2872-98-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2580-97-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2696-95-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/files/0x0005000000018fe2-94.dat	upx
behavioral1/files/0x0005000000018fcd-79.dat	upx
behavioral1/files/0x0006000000018b58-42.dat	upx
behavioral1/memory/2788-41-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2056-20-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2504-19-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2708-161-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2864-160-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2200-159-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/3028-158-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/2080-157-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2940-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2440-154-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/1872-163-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2504-211-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2056-219-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2800-221-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2856-228-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2244-232-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2788-230-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2680-236-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2188-234-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2580-244-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2872-246-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2748-248-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/1924-250-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2696-242-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/1368-252-0x000000013FF30000-0x0000000140281000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\hoAiLDG.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUzOPqk.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\clkXUdG.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BdulEds.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pRQHDDE.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BFDhHvd.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fZNWmrj.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSSZGPC.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLKtmJC.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Dkbqegz.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XvxNIgH.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DQpyVKa.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GQOxDaz.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dLGeyFD.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZssSOHq.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkPPaEN.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArGXqHY.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gbNxHRl.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vVqwMWn.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVDbext.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UQTBmpP.exe	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2504	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1872 wrote to memory of 2504	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1872 wrote to memory of 2504	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1872 wrote to memory of 2056	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1872 wrote to memory of 2056	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1872 wrote to memory of 2056	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1872 wrote to memory of 2800	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1872 wrote to memory of 2800	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1872 wrote to memory of 2800	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1872 wrote to memory of 2856	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1872 wrote to memory of 2856	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1872 wrote to memory of 2856	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1872 wrote to memory of 2788	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1872 wrote to memory of 2788	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1872 wrote to memory of 2788	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1872 wrote to memory of 2696	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1872 wrote to memory of 2696	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1872 wrote to memory of 2696	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1872 wrote to memory of 2244	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1872 wrote to memory of 2244	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1872 wrote to memory of 2244	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1872 wrote to memory of 2872	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1872 wrote to memory of 2872	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1872 wrote to memory of 2872	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1872 wrote to memory of 2680	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1872 wrote to memory of 2680	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1872 wrote to memory of 2680	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1872 wrote to memory of 2748	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1872 wrote to memory of 2748	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1872 wrote to memory of 2748	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1872 wrote to memory of 2188	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1872 wrote to memory of 2188	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1872 wrote to memory of 2188	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1872 wrote to memory of 1924	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1872 wrote to memory of 1924	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1872 wrote to memory of 1924	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1872 wrote to memory of 2580	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1872 wrote to memory of 2580	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1872 wrote to memory of 2580	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1872 wrote to memory of 2440	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1872 wrote to memory of 2440	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1872 wrote to memory of 2440	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1872 wrote to memory of 1368	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1872 wrote to memory of 1368	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1872 wrote to memory of 1368	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1872 wrote to memory of 2940	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1872 wrote to memory of 2940	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1872 wrote to memory of 2940	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1872 wrote to memory of 2080	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1872 wrote to memory of 2080	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1872 wrote to memory of 2080	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1872 wrote to memory of 3028	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1872 wrote to memory of 3028	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1872 wrote to memory of 3028	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1872 wrote to memory of 2200	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1872 wrote to memory of 2200	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1872 wrote to memory of 2200	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1872 wrote to memory of 2864	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1872 wrote to memory of 2864	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1872 wrote to memory of 2864	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1872 wrote to memory of 2708	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1872 wrote to memory of 2708	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1872 wrote to memory of 2708	1872	2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-19_1cc558ec67aa955e292376b214a9e213_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\System\ArGXqHY.exe
  C:\Windows\System\ArGXqHY.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\DUzOPqk.exe
  C:\Windows\System\DUzOPqk.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\clkXUdG.exe
  C:\Windows\System\clkXUdG.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\DQpyVKa.exe
  C:\Windows\System\DQpyVKa.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\BdulEds.exe
  C:\Windows\System\BdulEds.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\gbNxHRl.exe
  C:\Windows\System\gbNxHRl.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\pRQHDDE.exe
  C:\Windows\System\pRQHDDE.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\GQOxDaz.exe
  C:\Windows\System\GQOxDaz.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\dLGeyFD.exe
  C:\Windows\System\dLGeyFD.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\ZssSOHq.exe
  C:\Windows\System\ZssSOHq.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\HkPPaEN.exe
  C:\Windows\System\HkPPaEN.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\BFDhHvd.exe
  C:\Windows\System\BFDhHvd.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\hoAiLDG.exe
  C:\Windows\System\hoAiLDG.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\fZNWmrj.exe
  C:\Windows\System\fZNWmrj.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\vVqwMWn.exe
  C:\Windows\System\vVqwMWn.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\XvxNIgH.exe
  C:\Windows\System\XvxNIgH.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\ZSSZGPC.exe
  C:\Windows\System\ZSSZGPC.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\NVDbext.exe
  C:\Windows\System\NVDbext.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\UQTBmpP.exe
  C:\Windows\System\UQTBmpP.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\LLKtmJC.exe
  C:\Windows\System\LLKtmJC.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\Dkbqegz.exe
  C:\Windows\System\Dkbqegz.exe
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ArGXqHY.exe

Filesize
5.2MB

MD5
ef0b1bb505d03e1fdee6f0f562f78991

SHA1
748404e124b684f8ca372d808af15efb378953a9

SHA256
2eb01cd1b20635a25da56f0d4664046689281a08bcc558ed1ee50283a1915b3f

SHA512
3f738555317c23d265595f3ca6fab24b48f6a38ea99720197b761d3916429838429d635173e7782f042857fc96770407a0a7be166ab32d8aabd193959f188ccd

Download Submit
C:\Windows\system\BFDhHvd.exe

Filesize
5.2MB

MD5
c842e9edea3dddc29b7f6903f772e7c1

SHA1
c3e32ca2ad157649fc2dff0befa8cba7ee403603

SHA256
06ece585e080292a38b56fd263e8ee42d36fc09c7b5653050e688ef9b6f7091a

SHA512
ff1b07a7d84f9ac21a9a613fa08210ff1b72b00ecf69cff28b3df3560107c9bd9f3d8a8c084a71f5370e8f459e4abd60ab390a736579c7a42d6969da6fcb3e6f

Download Submit
C:\Windows\system\BdulEds.exe

Filesize
5.2MB

MD5
d33eec942695f6c48750f16ab59a4b94

SHA1
eca1f737ca4193ebbf210b21d5a6a244ea881b22

SHA256
0114c50a83de7187f2bd8e6b3880059ee422acffed54bd9e9c657475ad844534

SHA512
6a2a33db0d8244146ce016edf6ba303fd189a2a2432ff4f46e8436d9c6d29cbf48e12fdbecca234a7d46879dde2e78879b34fd259ff0fdc7a388e0130f08137c

Download Submit
C:\Windows\system\DQpyVKa.exe

Filesize
5.2MB

MD5
dd4c6f88c1337bc8af63b25f2f81a664

SHA1
f673e8b79bb9b21c60e20724f25aee55961b9c62

SHA256
52d50974c7f250c0c2c4467d2f4a07043219012590fa285e1204fe8fd3e3708f

SHA512
c1a761427a83d4ac1676c96e7c2df1d95fd170ab570666d86fbb3dac42ff3541dd493d73753b20645be4473d48beed88a3636b0c582f445353aaca5d77960116

Download Submit
C:\Windows\system\Dkbqegz.exe

Filesize
5.2MB

MD5
c322dd0fe150b0048fc68c0ac004923a

SHA1
870a73573b4c825d468eb209d7e53f3dfc91daf4

SHA256
ad4a397b9fa21b4dff6a830f393d365ef449e4ce6a001134bb30cbf877f5b8ca

SHA512
be54482c9dc076178707743604947dbdfb08af43dfc198b1b6795e24d2522d9e9222bb8580e22862744fb26e4e06eb8ea59de59320e67c83826cace0a792b8e4

Download Submit
C:\Windows\system\GQOxDaz.exe

Filesize
5.2MB

MD5
b717a3537d24db21dd9e70f4b66ddd5e

SHA1
b0fafc79be566a0163ab34ad5900d6249ca5c0f8

SHA256
e4afcab7b1668e948cad2df603f08964562b31f40b44b5194473dde9fd53d106

SHA512
09001f662281d57bf1f8221b951524d2317d6efdfc935a18dd638f259f7ff94a505b18185600371af028c6676d08843a5b528685de13c4cbbf0206ab7dede81f

Download Submit
C:\Windows\system\HkPPaEN.exe

Filesize
5.2MB

MD5
c49579a0748491a3671bdfe67cb21eda

SHA1
d998dbf7e30e14a8e90889dfc4024ca7c1394f08

SHA256
f117dda39ed889b6f669c27a2d22ab9fd02a6dda88672923000effbdcd06c86c

SHA512
a4dd1908c9f02fbc68ec8f10e4d2479f3b20040af4c833e645712d5b2a781d93ff10a84555485c78ec7c997848b7e9b69980ab1eb59495deb36e1a3b074c42d3

Download Submit
C:\Windows\system\LLKtmJC.exe

Filesize
5.2MB

MD5
c4270f5fea7c01cd31d361b01e846816

SHA1
365c28f4c2f8364ecd367883257d68c7887a994f

SHA256
b612fa5544a8a4a462f40816bf24f5c21d25acd20002885520350ed637710dc3

SHA512
a8e9352483de298ecb02929b0164f62b68e9d7bb4b1f65ae7aa421fe99df91a5783273bd6192e58ab3594dea8d735744a469c3441c60ce91504866d8b06058c9

Download Submit
C:\Windows\system\NVDbext.exe

Filesize
5.2MB

MD5
0b5f53095a4008ace67322211a6f89b2

SHA1
b38840509bea64c7bfe6c2d21f8e5e0e36cf2da4

SHA256
84991038cc6758eca15109d724c46113f1864e7f390804ddd4bc2fba6ce9a10d

SHA512
d0bd11012af0abf892d27c6fdbf9cb9503d82e15457cebc8973880ba70d3935c8c3433e4e1b3add6a670c944aed02f91a190eb3d54b60e9e510fc6d9f6e493f1

Download Submit
C:\Windows\system\UQTBmpP.exe

Filesize
5.2MB

MD5
38e94f9e85557b3dbcbe2469a82976a9

SHA1
e945f0c79ecc305f3923ace8ce2380b0bd639599

SHA256
4926480aecb80fbb246aefc1f4f772cb4aaca7d3cf9e7e62f2ed5b33dabe2a7a

SHA512
8cee0a2f573acc35387cca90977a343c074f587d2110aa61eb960189e95be83a2f4e94c6a8eaf56f71707eda2d97f646170a4aeb6fc93e08163fc4c97f981540

Download Submit
C:\Windows\system\ZSSZGPC.exe

Filesize
5.2MB

MD5
efe898f4f7816f8f3ce4697eca2bac9e

SHA1
b04d5996c5783b504b5fdcabfe0ce0995127e726

SHA256
64982615cc56b383d394072e6525142e936e42f839fe8d8054b1f5b4d139704a

SHA512
a08e4f5c5274ed449fce26e3dd3d4aed6e7d56ea446f5574f83dddcc2f5cd0a495b7d30ed00686f6790866e64b80b20f10a1f1567c0c35691632780a4c55df05

Download Submit
C:\Windows\system\ZssSOHq.exe

Filesize
5.2MB

MD5
10d4bf75913a4582675d603db454059f

SHA1
47993db630fd1a83ac55c622fb4270d6f6153269

SHA256
45bdee30c80aaea17fa0c85a9b1a1a58cef6bd68afdad2dac83f61fbf189040f

SHA512
5c313d09f4f6455c179847a1b8843cc2844201f7d8ad683ffe128c3a082e56cb568616ef2230abee4751294c89c4472c63e3ccf2b278917ac9f5f90cdbb9db52

Download Submit
C:\Windows\system\clkXUdG.exe

Filesize
5.2MB

MD5
2a85b935796e18de2958aa17de131ee0

SHA1
f2247b2d2ebb8f6a2c13f6040831c0f87533d1ac

SHA256
d7f6f7f8191621e56ffa0e33e61b90ce27dcb88d71cfe491295a324bdd98d56f

SHA512
fa6824797b6ff7c0495f2cf0e7dc8107c51368f71db187ca566850b6985f056c9298493160ba9895ce503edafd29273552ca3afc45c26def67165237e5a627eb

Download Submit
C:\Windows\system\dLGeyFD.exe

Filesize
5.2MB

MD5
97f5ee532e9ee1200c8905c3826f07f9

SHA1
0d9f268c0df60692ceb12241ce53558945d1f071

SHA256
dc24b46ca8dba404278304811c3bd892e60a38ed82b83a93431d36ba753c512a

SHA512
ed3f8cfb89541b2941e9f2b53403a3862de60f17d755f83c681593f40ab0c72d05edcec73b02c30d4e17d5dc599693f4aa2d8659a004ebdfb5978e9304a7fd05

Download Submit
C:\Windows\system\fZNWmrj.exe

Filesize
5.2MB

MD5
ac228ea00ce8e4d8868841871e6766f3

SHA1
933f73562f3d2dd681178907bc2eff9b94347ee4

SHA256
928f4dc99f290f6aa4c4e15b812be9565b6fbefa31a099c854eff174fccda275

SHA512
41e105a903f0b46ef882090e60fe39c211aca7b4e1bbec893dbc450493cba95db44eed6ed71efbcfe7da085e9a1c4e6dcb981704a57ee26c8c02680480058eed

Download Submit
C:\Windows\system\gbNxHRl.exe

Filesize
5.2MB

MD5
72313b8bbc528e67d97dc81e93c0764d

SHA1
cdd7a13b0569bbd0c8d28bb4155ca410e0bcd167

SHA256
25be290a97134934f79d85df47d4002ce63de07170caa73b70085bd387d9a7f1

SHA512
6ffb3d4ebbcd95ecedb727c88f1719bd95309f42de18c643beb225a250af2b501785a8d1475a49554095e76c78c07f79a8896eafc8d400e2bb9dc6830230d0cb

Download Submit
C:\Windows\system\hoAiLDG.exe

Filesize
5.2MB

MD5
d45866d8488389743cd061827b4f7684

SHA1
a157b19bc4724f9932fe8fb335a546e7e72da987

SHA256
99cddd3d154661d380ede05f8b9a66dd6ad33989f2527fa34ad2dd8d8673d064

SHA512
87819bf7ccb5e3a0b34b0ccba244ed046ee656f94485a0bb9528f94e52c924852f721fec6eabc9597fbaed99746061f184c207ff0fd5bee8b2ff29f028980e33

Download Submit
C:\Windows\system\pRQHDDE.exe

Filesize
5.2MB

MD5
facbd03a505e33429b2eddf769c4b54b

SHA1
525b5ff123eb44895e4b643077a2c722319b6319

SHA256
6034d4a5e83ce2c683ab8a72630e799524553622c734b51135d9b6d649fea344

SHA512
7d3d181f6adf650157a920d823cd61d6ace3b28eb9cc8428a31d589713ef8bf7723643881bcdd675d54e2701773331f81c0d5a8cc8b709d104e809322d9499f0

Download Submit
C:\Windows\system\vVqwMWn.exe

Filesize
5.2MB

MD5
970dfcf4848f67f784420a4b557074ad

SHA1
c54dae6bace6d0c32864bb61b497b67747753548

SHA256
8c4b568b82f5e972bc18aa1552d2ec55a8ed15a914f076cfe2e7b05b6d2a318d

SHA512
d46a3e0a4e1ff07eb46207fce6b0df2eef8cd0e191603fa771cdbce562e46703ac86c73466af70580572f33b78aa208258fb4ef56bbf24cc1881fe024fe07732

Download Submit
\Windows\system\DUzOPqk.exe

Filesize
5.2MB

MD5
1ffcc824dffcd6e95642392df6336a51

SHA1
c4c9c4c8da30b311202da8e6a82b6a1625a76bc7

SHA256
29dedcbffcdc23ac5e5f06e9744a92ccece137709547fd20de60e3a52a330d15

SHA512
412b7873a88753cb1be7a92a93b4ba1c3c222db447c7b834abb5c228612d371b68eafcdd2683d0872115dce7557d57221f0bb5e62f8b09e401ebe714718e0b9e

Download Submit
\Windows\system\XvxNIgH.exe

Filesize
5.2MB

MD5
f129ad3f42ee964d209bf03d97137ccc

SHA1
ba7c95282a0c5f60b22157b34d2e4ea2367cb227

SHA256
051353e7fd882c3705d2e56701dc0be172d435c7dbfc241cf5ba861e658836e4

SHA512
b6cca1cafbd4611fc5969888de91fdcba1ee4fd60ef1d8ffa2774365c93bc21d1d76a88b5ca55deaff92b74016f050ccf2fe64d106c09964c2fb7aad4d61a3da

Download Submit
memory/1368-252-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1368-107-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1872-35-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-163-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1872-73-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1872-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1872-74-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-72-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-71-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/1872-162-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-16-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-68-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-57-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-136-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1872-21-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/1872-61-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-0-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1872-137-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-103-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1872-23-0x00000000021F0000-0x0000000002541000-memory.dmp

Filesize
3.3MB

Download
memory/1872-52-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1872-99-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/1872-96-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/1924-250-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1924-102-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-20-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2056-219-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2080-157-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2188-234-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2188-70-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2200-159-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2244-48-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2244-139-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2244-232-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2440-154-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-19-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-211-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-244-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2580-97-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2680-236-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2680-69-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-95-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2696-242-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2708-161-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2748-248-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2748-100-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2788-41-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2788-230-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2788-138-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2800-221-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2800-22-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2856-228-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-37-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-160-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2872-246-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-98-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-156-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/3028-158-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download