cobaltstrike | c8bf87778e6793f4fed5d2b9999b27cbc04fae639798e0c48685917c884c76ab

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d7c1c5df3eaca6ee14eeed00db7c4e2b
SHA1

7e469b75941d2a7e485229198985e2b409fbd66f
SHA256

c8bf87778e6793f4fed5d2b9999b27cbc04fae639798e0c48685917c884c76ab
SHA512

ddd512ad094db15e6bcf72b80cd251b59120dc062b98e824d50547dd861218dda81ae0f57c1b799964c919de314d04b98094a72e47b939c4d39b15ad7e5a89fe
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ln:RWWBibf56utgpPFotBER/mQ32lUr

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000018710-7.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000120fe-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018766-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b62-24.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019223-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019230-52.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3c-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c34-103.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dbf-126.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d8e-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cca-118.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cba-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c57-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3e-106.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196a1-82.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019926-88.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961e-68.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019667-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961c-61.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018bf3-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b68-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/1964-20-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2824-23-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2880-22-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/3024-49-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2804-65-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2280-140-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/1520-98-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2860-91-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/1520-89-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2952-72-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/1520-55-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2712-64-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/3028-142-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/1520-145-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2060-144-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/1520-146-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2992-152-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2256-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2456-163-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/924-161-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/332-164-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2348-169-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2340-168-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1532-166-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2756-165-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/636-167-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/1520-170-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2880-226-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2824-228-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/1964-230-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2952-233-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2804-234-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/3024-236-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2860-238-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2712-240-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/332-253-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2060-255-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2280-259-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2256-264-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2992-262-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/3028-270-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2880	YiSzqkD.exe
1964	VnYnZZX.exe
2824	OCJlSqJ.exe
2804	PpipdRi.exe
2952	yQaTDSM.exe
2992	ucUyBOY.exe
3024	xchcsXF.exe
2860	HgrYham.exe
2712	OnkaIxH.exe
2256	nZdESwg.exe
2280	HdgyWsC.exe
3028	JxscBTM.exe
2060	GkFdTpi.exe
332	mXJQEqp.exe
924	AnXVTfx.exe
2456	qlNEvRB.exe
2756	DxsodNz.exe
1532	DELqZtm.exe
636	ZGEyxfY.exe
2340	IEFycsZ.exe
2348	bgkPtgo.exe

Loads dropped DLL 21 IoCs

pid	Process
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1520-0-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/files/0x0007000000018710-7.dat	upx
behavioral1/files/0x00080000000120fe-6.dat	upx
behavioral1/files/0x0007000000018766-16.dat	upx
behavioral1/memory/1964-20-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2824-23-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2880-22-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/files/0x0007000000018b62-24.dat	upx
behavioral1/memory/2952-37-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2992-42-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/files/0x0008000000019223-46.dat	upx
behavioral1/memory/3024-49-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/files/0x0007000000019230-52.dat	upx
behavioral1/memory/2804-65-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/files/0x0005000000019c3c-100.dat	upx
behavioral1/files/0x0005000000019c34-103.dat	upx
behavioral1/files/0x0005000000019dbf-126.dat	upx
behavioral1/files/0x0005000000019d8e-122.dat	upx
behavioral1/files/0x0005000000019cca-118.dat	upx
behavioral1/files/0x0005000000019cba-114.dat	upx
behavioral1/files/0x0005000000019c57-110.dat	upx
behavioral1/files/0x0005000000019c3e-106.dat	upx
behavioral1/memory/332-102-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2280-140-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/files/0x00050000000196a1-82.dat	upx
behavioral1/memory/2280-79-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2860-91-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2060-90-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/files/0x0005000000019926-88.dat	upx
behavioral1/memory/3028-87-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2952-72-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2256-71-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/files/0x000500000001961e-68.dat	upx
behavioral1/files/0x0005000000019667-75.dat	upx
behavioral1/memory/1520-55-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2860-54-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2712-64-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/files/0x000500000001961c-61.dat	upx
behavioral1/files/0x0007000000018bf3-40.dat	upx
behavioral1/memory/2804-33-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/files/0x0007000000018b68-32.dat	upx
behavioral1/memory/3028-142-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2060-144-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/1520-146-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2992-152-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2256-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2456-163-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/924-161-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/332-164-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2348-169-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2340-168-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1532-166-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2756-165-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/636-167-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/1520-170-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2880-226-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2824-228-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/1964-230-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2952-233-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2804-234-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/3024-236-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2860-238-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2712-240-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/332-253-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HdgyWsC.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkFdTpi.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnXVTfx.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DxsodNz.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YiSzqkD.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OnkaIxH.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HgrYham.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZdESwg.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qlNEvRB.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DELqZtm.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IEFycsZ.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bgkPtgo.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnYnZZX.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OCJlSqJ.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xchcsXF.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mXJQEqp.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PpipdRi.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ucUyBOY.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGEyxfY.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQaTDSM.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JxscBTM.exe	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2880	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1520 wrote to memory of 2880	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1520 wrote to memory of 2880	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1520 wrote to memory of 1964	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1520 wrote to memory of 1964	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1520 wrote to memory of 1964	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1520 wrote to memory of 2824	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1520 wrote to memory of 2824	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1520 wrote to memory of 2824	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1520 wrote to memory of 2804	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1520 wrote to memory of 2804	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1520 wrote to memory of 2804	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1520 wrote to memory of 2952	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1520 wrote to memory of 2952	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1520 wrote to memory of 2952	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1520 wrote to memory of 2992	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1520 wrote to memory of 2992	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1520 wrote to memory of 2992	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1520 wrote to memory of 3024	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1520 wrote to memory of 3024	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1520 wrote to memory of 3024	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1520 wrote to memory of 2860	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1520 wrote to memory of 2860	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1520 wrote to memory of 2860	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1520 wrote to memory of 2712	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1520 wrote to memory of 2712	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1520 wrote to memory of 2712	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1520 wrote to memory of 2256	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1520 wrote to memory of 2256	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1520 wrote to memory of 2256	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1520 wrote to memory of 2280	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1520 wrote to memory of 2280	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1520 wrote to memory of 2280	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1520 wrote to memory of 3028	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1520 wrote to memory of 3028	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1520 wrote to memory of 3028	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1520 wrote to memory of 2060	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1520 wrote to memory of 2060	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1520 wrote to memory of 2060	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1520 wrote to memory of 924	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1520 wrote to memory of 924	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1520 wrote to memory of 924	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1520 wrote to memory of 332	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1520 wrote to memory of 332	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1520 wrote to memory of 332	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1520 wrote to memory of 2456	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1520 wrote to memory of 2456	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1520 wrote to memory of 2456	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1520 wrote to memory of 2756	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1520 wrote to memory of 2756	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1520 wrote to memory of 2756	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1520 wrote to memory of 1532	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1520 wrote to memory of 1532	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1520 wrote to memory of 1532	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1520 wrote to memory of 636	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1520 wrote to memory of 636	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1520 wrote to memory of 636	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1520 wrote to memory of 2340	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1520 wrote to memory of 2340	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1520 wrote to memory of 2340	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1520 wrote to memory of 2348	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1520 wrote to memory of 2348	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1520 wrote to memory of 2348	1520	2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_d7c1c5df3eaca6ee14eeed00db7c4e2b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System\YiSzqkD.exe
  C:\Windows\System\YiSzqkD.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\VnYnZZX.exe
  C:\Windows\System\VnYnZZX.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\OCJlSqJ.exe
  C:\Windows\System\OCJlSqJ.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\PpipdRi.exe
  C:\Windows\System\PpipdRi.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\yQaTDSM.exe
  C:\Windows\System\yQaTDSM.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\ucUyBOY.exe
  C:\Windows\System\ucUyBOY.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\xchcsXF.exe
  C:\Windows\System\xchcsXF.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\HgrYham.exe
  C:\Windows\System\HgrYham.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\OnkaIxH.exe
  C:\Windows\System\OnkaIxH.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\nZdESwg.exe
  C:\Windows\System\nZdESwg.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\HdgyWsC.exe
  C:\Windows\System\HdgyWsC.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\JxscBTM.exe
  C:\Windows\System\JxscBTM.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\GkFdTpi.exe
  C:\Windows\System\GkFdTpi.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\AnXVTfx.exe
  C:\Windows\System\AnXVTfx.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\mXJQEqp.exe
  C:\Windows\System\mXJQEqp.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\qlNEvRB.exe
  C:\Windows\System\qlNEvRB.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\DxsodNz.exe
  C:\Windows\System\DxsodNz.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\DELqZtm.exe
  C:\Windows\System\DELqZtm.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\ZGEyxfY.exe
  C:\Windows\System\ZGEyxfY.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\IEFycsZ.exe
  C:\Windows\System\IEFycsZ.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\bgkPtgo.exe
  C:\Windows\System\bgkPtgo.exe
  2⤵
  - Executes dropped EXE
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AnXVTfx.exe

Filesize
5.2MB

MD5
cd5f6d964b513e1f57d160f1fd60768e

SHA1
bdf27c1e71b02c60d00e6f438cfc1ac5ec3bc568

SHA256
5d8e2d52012ed09cb7526e533d17af7566c98acede9140f63164fa0cdb12debc

SHA512
1b798b150f2b2e1ff896f3483d62a3955d283372f122cc830954da32c7b659454bf8d46819f1614d71a6d0a9cab91233b994969169c5e03b5c4de0ad4191b767

Download Submit
C:\Windows\system\DELqZtm.exe

Filesize
5.2MB

MD5
2a1bdb2a69b8f30a5d5937114010a198

SHA1
61c79962023ef5888fdbc1c6f802f150fee91abb

SHA256
0d5dd3791f2474002e04bec434e7833b027be786d95172df473302a692babfe4

SHA512
2847dc535755baf2546c409b326d29db5e5723cabe36e49f7bc36ff52c12da8d56b340c7d18fb76cf97498bbd0d5c94bb917a2412161957ff6349547b9bbb3e5

Download Submit
C:\Windows\system\DxsodNz.exe

Filesize
5.2MB

MD5
538d0343e8d6ab44ff32291cb2b8f198

SHA1
77d63fbfd83e277f0d66edfa523c06a8963ae7c1

SHA256
f7244f715b613aa9e1872f6f24238bc99e7a3bbbdf6eec278314a01e8d8008dc

SHA512
63dfb184bc0402a0cc25c60879e023cd4b1c109e67774150314df492112d4a3ea3e0d1bcb6d5b5fe2579ba1d2ed531cc042e7ca042f77e9ed2378cbc758026a8

Download Submit
C:\Windows\system\GkFdTpi.exe

Filesize
5.2MB

MD5
10797440e8909a67eb17b34f471911f0

SHA1
e430b32377d4c5089b1ac68216704d3b7baf98ab

SHA256
fabb8ed332c8ef5c125b93a97c471940ae1b3462c21adaa5ea67517f3d50fd6c

SHA512
4ca3aea2e4758d5e6a2686594c4bf6f221635b713b610b477e7d3f1ae05582e44334bf885eb48f71fcbcd2e426d84fb02cf48c5d28454a18b027f248ec3cea12

Download Submit
C:\Windows\system\HdgyWsC.exe

Filesize
5.2MB

MD5
617a60ce5d069501e24a7300a2e72121

SHA1
c2d56d4691175cfca004fbd7353e3eccf691112c

SHA256
93e41cc57ef54a67227d9c139f212497b152e824df43ceb119eb925e7f34fb2e

SHA512
4d03723431c67a7c4f50a8005c60e12a6a4d20f3a686e2080c64a0292b3676d21fe112272c0017a76a617c1530f9861df8abf37c29f4718946e2dd0751d5afba

Download Submit
C:\Windows\system\HgrYham.exe

Filesize
5.2MB

MD5
7fe1f267fcbff2053d64b4ba24543b45

SHA1
0daf91a7e7f7c37f94dbd4f485991015b5bff66f

SHA256
43ea8b0cd797ff18a0e45e618d93da3623ae7120471b1303693e47c23b82042b

SHA512
2e055f059792e2c4e12a11acd8c725e9babf4535424d14bef07304f18a656ca92b8ec8c6d99fa8c526b17b286d38a6d695a5b4be67c8b8ba8795fdf0d2793643

Download Submit
C:\Windows\system\IEFycsZ.exe

Filesize
5.2MB

MD5
fd64737a963fcce659dbd67315d33796

SHA1
678c8bb961fd64c6137cfb2a44194c39f8b78e79

SHA256
82352b6128a12fa74485fa71bd5e723f439450147ea86f85918c46fb143dc3c6

SHA512
2983aa85aa1215a5f3bfda296b8d30f5486bcc2d8d627f8ac229b58f0fb46635a6074eca1a504a9ed015c74f2173e15e0a948a1b2958e29fa66d6483d4f1423c

Download Submit
C:\Windows\system\JxscBTM.exe

Filesize
5.2MB

MD5
9a552f9905b004c9f7175347385eab37

SHA1
f856ad4bbb0462a0f01a8faed19a042004792358

SHA256
e6be9c39ccae9832363841c16fa03bf5aeb87dc18b515cfaf27e0424e01794b1

SHA512
dedd5180766df22b5a6f07857e7b016adad92a9c78f503bc8cea3622de751f541b5689ff04ebe1158d45fcd5fa875b1bd0e53c804a80a29c6bf2820e9b123c0c

Download Submit
C:\Windows\system\OCJlSqJ.exe

Filesize
5.2MB

MD5
4d860c563ad849c0b5e4df9e0ec68260

SHA1
953587a4fc3c5e523625a1effb61ae0b9ba1c842

SHA256
6b3de0709f4156a5f5d7d7da41294d33a5952255187be3bbdbb1fe4d99497f14

SHA512
f9a1a673d3935e3669cdddb649e0efdaebca85e135a911b627950b5449928fd0ca497d24bb6359d26276e6f1c4044cb78d48f36b586de18c6c7b8bff643d2eeb

Download Submit
C:\Windows\system\OnkaIxH.exe

Filesize
5.2MB

MD5
c202bbce3b4b27a3f318a7cb33525e5a

SHA1
8c0aa76ff02992d4e0fa4a1907c4b74f9b3c1889

SHA256
d1dea454d8131cb4dc92ed96953c66df8eff7c7d003f61f5b7adaff76a5b8fdf

SHA512
5fc3e3df28d6b5deac4f600fba27900cfac6d4b03a9abfb1cacc5977711f972783d2c1434c1db6830148e3b4b9a50268b172984cbfe7217e42f0e6356efc4dc0

Download Submit
C:\Windows\system\YiSzqkD.exe

Filesize
5.2MB

MD5
158b2df3f2b34d6083f772e2ab52e2fe

SHA1
7bee378358814c6e37fe77211762d120913dd823

SHA256
a598fcde455cbd869e6007225456ec5d47e2dda3e3141a320337b848df5eb820

SHA512
f2b593241cf841d020ac9b4d0ad427f590caccedf72eddbf3af59ed2a54657ac326ead0e68a7a56deae8b7e636f981668de52d47f02384e6fab1bca2d3ce9a50

Download Submit
C:\Windows\system\ZGEyxfY.exe

Filesize
5.2MB

MD5
8d257840cd78efbd728606e2c1d9cecf

SHA1
d1397e1dcf6bfd6faee06208e31f2d8c88cd6472

SHA256
1082485dae76946c32dc19b119a42a0d8488efe50a7325e08b7ff223352f52e4

SHA512
fea31f10c0fc88b97adec86d5ab47186f2df7ee9a8b1609f32110b05316195076d300d778d57ec0612c68873b6441eebcb6c6ab3588f17af4d9de49591469294

Download Submit
C:\Windows\system\bgkPtgo.exe

Filesize
5.2MB

MD5
c29fdb3b4a510de6ef24272bcfe9cdef

SHA1
4fa3aa78fc285bbfd65054d3240d031824a72c45

SHA256
54dffa233093f1de9020ba173903087c18d35ae6899bc8c8744ac9826a8cf9a6

SHA512
be5fa93859138eb20f04eeb019f3617ff2b5202f1679f49cb0e757b4b1370317cf8f9b807c67919f39b3ec4c8f70af4c9efc9a1f9e4f0b4e6b3aa005eb0a9f6a

Download Submit
C:\Windows\system\mXJQEqp.exe

Filesize
5.2MB

MD5
6045a27687bdadf9512accd97d6f6a25

SHA1
59563a006907c59ac5d5c35a247cceeee2e05c91

SHA256
d19301cebf40f7ca73117733819db05f21347db135670b516539e68ca8cb5508

SHA512
12428a377402cb2bbf81acb4d5d32113530885a4453b00bca7bf6cfc8742ab39250f240876724f2e3cff0f693389cc170acaa1ae8c05b65d6b4461fb2d233412

Download Submit
C:\Windows\system\nZdESwg.exe

Filesize
5.2MB

MD5
8281f34d635691930c81e42bc69f72f3

SHA1
4684c702dac26d422fbf19f7a473b348eb12078c

SHA256
193f0b52011b461d4b40e58fd435b683e4cbda7b784f0f7c1724e17ac2701820

SHA512
54ac48c73e54d94058ae07d4ff747d6c56d42e386de1bc440b982a0532b4e28a6e29ce512048bd455fdad69c481ab792792d599109233f754500023c8757ecf9

Download Submit
C:\Windows\system\qlNEvRB.exe

Filesize
5.2MB

MD5
04590c233c0ae8e222e5bfe5ef584daf

SHA1
f51bd89719c613c2acdf5f0f86428cfe6d1997a5

SHA256
9af756e070d32793c820d0d7ffbc8f9171dfb2abc42f293e30c8fa85bde44983

SHA512
8bf227d373be7a9fb2841a42240d520710fd1c4746ab88fb719dfa530a328ec9924c5f7b2e035e3a8802e2ff06400cda0b58c16dab7eef58aba357f5669c1125

Download Submit
C:\Windows\system\ucUyBOY.exe

Filesize
5.2MB

MD5
ae1e6407cdfbc557eae659db9c0c79de

SHA1
89e49437a3a8e4c7612e002e33c24384fac1d52a

SHA256
93eaafcaf35cb79eaa5b544cf0877cf5ff7acffe357247b9935b4b39ddd370fb

SHA512
8963bbe42adb81ea7eba999d5a2f176a7bc5b236033e7551ab0ec91d33e0fabe99ef3ebeab19b436435e84383429da0d8f5f8824444a9b3697e9284efa0a1d08

Download Submit
C:\Windows\system\xchcsXF.exe

Filesize
5.2MB

MD5
b846eba0d5c7621ceeabf4637c5b0c5d

SHA1
041b0965d2d6b4c77d8a77d80122761b0a0f6e83

SHA256
e303525f83832757cd2d82db9668f8bb7d6c36d86c9e73dded203a1f71957f6f

SHA512
5074962773f068dd356613f23636d4b6784edaf878858098b1d088818fb9c7f621d7f3e9411d69cc3edd6987b0b8c3e114b17b85dcb4b4172b267fc80e37e8cd

Download Submit
C:\Windows\system\yQaTDSM.exe

Filesize
5.2MB

MD5
5d021ae40d2a9d8d9b1d0125b1a76fff

SHA1
2b2c0bfea01eebc2a8ced055def5c13bd332dc1a

SHA256
687ee2a7fff7c70d928c50b73fe2ff96f1c7951751a4efcb9c2f4a7b3a125fd1

SHA512
52ac8a6af24453f72e6109f1ff42eaafda1a64570f7d673cf50f04f8b3fe55eb2c1c3785e8a803f3bc3d80b5ba8d7edbfe5555f74bda041c1b5a42fdd6f35c8c

Download Submit
\Windows\system\PpipdRi.exe

Filesize
5.2MB

MD5
cd180a1a1240d1136ae4c605514c704b

SHA1
748b28f5b2057e4876630234b922054eaea9f925

SHA256
27c3382149c9801c985d6a286371025ca94c30e28d779f7d51b2a5dffe07694e

SHA512
561317c9eb17abb653e4a94e951f1ec4c72ecb3074e1ae8b7ced6d735e1ddb6eb10d97519ff54f1cb0e94dcabec928140398cd14f2e1a1b14f3a20bf59bdf56e

Download Submit
\Windows\system\VnYnZZX.exe

Filesize
5.2MB

MD5
56be6fa19f8d6fe2ad24e28ace99f5ef

SHA1
95f81dbbf0853d08be5dad13706c8f5d2c69fd6c

SHA256
f02b65def08c6ea7250c6384f7330ce7758417f3b58c32d03681ce2cffb67725

SHA512
53e0b19b2a42bfe2938b41174ebf30ca177291cc29c08802b441f1f48dfd57da36e2733c374b67419db6d822dce4f8cc1585038bb42f71abfad285fdb15dc6f7

Download Submit
memory/332-102-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/332-253-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/332-164-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/636-167-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/924-161-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1520-48-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-101-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-170-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1520-80-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-70-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-78-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-99-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-98-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-153-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-146-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1520-89-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1520-13-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-145-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-141-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-143-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1520-19-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-0-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1520-31-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/1520-55-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1520-21-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-53-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-34-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/1520-63-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1532-166-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-230-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1964-20-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-255-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2060-144-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2060-90-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2256-157-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-71-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-264-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-79-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-140-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2280-259-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-168-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2348-169-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-163-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2712-64-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2712-240-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2756-165-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2804-33-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2804-234-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2804-65-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2824-23-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-228-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-54-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2860-238-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2860-91-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2880-226-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-22-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-233-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2952-37-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2952-72-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2992-42-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-152-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-262-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-49-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/3024-236-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/3028-87-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-142-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-270-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download