cobaltstrike | 679718971421f9d2434d478d6a9ce19e75c74468a461c59b1ce62399c3f4ef44

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

73434ef1167d3372967beb9c82e89e05
SHA1

9d6300578cbb65198f2b1a41c88a874a3626bd8b
SHA256

679718971421f9d2434d478d6a9ce19e75c74468a461c59b1ce62399c3f4ef44
SHA512

e107575b64abd18c76d0b678072dd6e78448cfac9fb5e549ec036f9bfb81ee2c0d4c83577370951c62fdae49aa60bdee50c17114eefe6ab5ba2b0bcb3a571f29
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUN:Q+u56utgpPF8u/7N

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\ZQfyWMq.exe	cobalt_reflective_dll
C:\Windows\System\ubjEAjd.exe	cobalt_reflective_dll
C:\Windows\System\RuSDpbD.exe	cobalt_reflective_dll
C:\Windows\System\zZErLgJ.exe	cobalt_reflective_dll
C:\Windows\System\JvAZflK.exe	cobalt_reflective_dll
C:\Windows\System\LFpVjMD.exe	cobalt_reflective_dll
C:\Windows\System\bYFMXmG.exe	cobalt_reflective_dll
C:\Windows\System\DUNEWEE.exe	cobalt_reflective_dll
C:\Windows\System\kZikdhI.exe	cobalt_reflective_dll
C:\Windows\System\ihDYzca.exe	cobalt_reflective_dll
C:\Windows\System\dEVQJcH.exe	cobalt_reflective_dll
C:\Windows\System\nKGCCGj.exe	cobalt_reflective_dll
C:\Windows\System\AvaYYxG.exe	cobalt_reflective_dll
C:\Windows\System\HmHmTPD.exe	cobalt_reflective_dll
C:\Windows\System\QzzWqfJ.exe	cobalt_reflective_dll
C:\Windows\System\eGjdtLX.exe	cobalt_reflective_dll
C:\Windows\System\DPMAQLy.exe	cobalt_reflective_dll
C:\Windows\System\JTwAnRn.exe	cobalt_reflective_dll
C:\Windows\System\NgEYlnw.exe	cobalt_reflective_dll
C:\Windows\System\WRLsLuz.exe	cobalt_reflective_dll
C:\Windows\System\MERCAAf.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4464-0-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp	xmrig
C:\Windows\System\ZQfyWMq.exe	xmrig
behavioral2/memory/4900-8-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	xmrig
C:\Windows\System\ubjEAjd.exe	xmrig
C:\Windows\System\RuSDpbD.exe	xmrig
behavioral2/memory/3884-14-0x00007FF752530000-0x00007FF752884000-memory.dmp	xmrig
C:\Windows\System\zZErLgJ.exe	xmrig
C:\Windows\System\JvAZflK.exe	xmrig
behavioral2/memory/3268-26-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	xmrig
behavioral2/memory/5028-18-0x00007FF760340000-0x00007FF760694000-memory.dmp	xmrig
behavioral2/memory/1428-32-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	xmrig
C:\Windows\System\LFpVjMD.exe	xmrig
behavioral2/memory/4640-36-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	xmrig
C:\Windows\System\bYFMXmG.exe	xmrig
behavioral2/memory/4720-42-0x00007FF70B200000-0x00007FF70B554000-memory.dmp	xmrig
C:\Windows\System\DUNEWEE.exe	xmrig
C:\Windows\System\kZikdhI.exe	xmrig
C:\Windows\System\ihDYzca.exe	xmrig
C:\Windows\System\dEVQJcH.exe	xmrig
behavioral2/memory/4920-64-0x00007FF767220000-0x00007FF767574000-memory.dmp	xmrig
C:\Windows\System\nKGCCGj.exe	xmrig
C:\Windows\System\AvaYYxG.exe	xmrig
C:\Windows\System\HmHmTPD.exe	xmrig
C:\Windows\System\QzzWqfJ.exe	xmrig
behavioral2/memory/5088-112-0x00007FF7D26D0000-0x00007FF7D2A24000-memory.dmp	xmrig
behavioral2/memory/3844-113-0x00007FF710780000-0x00007FF710AD4000-memory.dmp	xmrig
C:\Windows\System\eGjdtLX.exe	xmrig
behavioral2/memory/5028-109-0x00007FF760340000-0x00007FF760694000-memory.dmp	xmrig
behavioral2/memory/3180-108-0x00007FF601650000-0x00007FF6019A4000-memory.dmp	xmrig
behavioral2/memory/1924-105-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp	xmrig
C:\Windows\System\DPMAQLy.exe	xmrig
behavioral2/memory/4084-97-0x00007FF7C7E80000-0x00007FF7C81D4000-memory.dmp	xmrig
behavioral2/memory/4684-90-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp	xmrig
C:\Windows\System\JTwAnRn.exe	xmrig
behavioral2/memory/3156-81-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp	xmrig
behavioral2/memory/3004-77-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp	xmrig
behavioral2/memory/4900-71-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	xmrig
behavioral2/memory/4464-60-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp	xmrig
behavioral2/memory/4736-56-0x00007FF6893B0000-0x00007FF689704000-memory.dmp	xmrig
behavioral2/memory/4256-51-0x00007FF62B460000-0x00007FF62B7B4000-memory.dmp	xmrig
C:\Windows\System\NgEYlnw.exe	xmrig
C:\Windows\System\WRLsLuz.exe	xmrig
behavioral2/memory/4216-121-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp	xmrig
behavioral2/memory/4348-128-0x00007FF612980000-0x00007FF612CD4000-memory.dmp	xmrig
C:\Windows\System\MERCAAf.exe	xmrig
behavioral2/memory/1428-126-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	xmrig
behavioral2/memory/3268-117-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	xmrig
behavioral2/memory/4640-132-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	xmrig
behavioral2/memory/2428-133-0x00007FF7CA390000-0x00007FF7CA6E4000-memory.dmp	xmrig
behavioral2/memory/4720-134-0x00007FF70B200000-0x00007FF70B554000-memory.dmp	xmrig
behavioral2/memory/4736-135-0x00007FF6893B0000-0x00007FF689704000-memory.dmp	xmrig
behavioral2/memory/3004-136-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp	xmrig
behavioral2/memory/4920-137-0x00007FF767220000-0x00007FF767574000-memory.dmp	xmrig
behavioral2/memory/3156-138-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp	xmrig
behavioral2/memory/1924-140-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp	xmrig
behavioral2/memory/4684-139-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp	xmrig
behavioral2/memory/3180-141-0x00007FF601650000-0x00007FF6019A4000-memory.dmp	xmrig
behavioral2/memory/4216-142-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp	xmrig
behavioral2/memory/4900-143-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	xmrig
behavioral2/memory/3884-144-0x00007FF752530000-0x00007FF752884000-memory.dmp	xmrig
behavioral2/memory/5028-145-0x00007FF760340000-0x00007FF760694000-memory.dmp	xmrig
behavioral2/memory/3268-146-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	xmrig
behavioral2/memory/1428-147-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	xmrig
behavioral2/memory/4640-148-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZQfyWMq.exeubjEAjd.exeRuSDpbD.exezZErLgJ.exeJvAZflK.exeLFpVjMD.exebYFMXmG.exeDUNEWEE.exekZikdhI.exeihDYzca.exedEVQJcH.exenKGCCGj.exeJTwAnRn.exeAvaYYxG.exeDPMAQLy.exeHmHmTPD.exeQzzWqfJ.exeeGjdtLX.exeNgEYlnw.exeWRLsLuz.exeMERCAAf.exe

pid	process
4900	ZQfyWMq.exe
3884	ubjEAjd.exe
5028	RuSDpbD.exe
3268	zZErLgJ.exe
1428	JvAZflK.exe
4640	LFpVjMD.exe
4720	bYFMXmG.exe
4256	DUNEWEE.exe
4736	kZikdhI.exe
4920	ihDYzca.exe
3004	dEVQJcH.exe
4084	nKGCCGj.exe
3156	JTwAnRn.exe
1924	AvaYYxG.exe
4684	DPMAQLy.exe
5088	HmHmTPD.exe
3844	QzzWqfJ.exe
3180	eGjdtLX.exe
4216	NgEYlnw.exe
4348	WRLsLuz.exe
2428	MERCAAf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4464-0-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp	upx
C:\Windows\System\ZQfyWMq.exe	upx
behavioral2/memory/4900-8-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	upx
C:\Windows\System\ubjEAjd.exe	upx
C:\Windows\System\RuSDpbD.exe	upx
behavioral2/memory/3884-14-0x00007FF752530000-0x00007FF752884000-memory.dmp	upx
C:\Windows\System\zZErLgJ.exe	upx
C:\Windows\System\JvAZflK.exe	upx
behavioral2/memory/3268-26-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	upx
behavioral2/memory/5028-18-0x00007FF760340000-0x00007FF760694000-memory.dmp	upx
behavioral2/memory/1428-32-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	upx
C:\Windows\System\LFpVjMD.exe	upx
behavioral2/memory/4640-36-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	upx
C:\Windows\System\bYFMXmG.exe	upx
behavioral2/memory/4720-42-0x00007FF70B200000-0x00007FF70B554000-memory.dmp	upx
C:\Windows\System\DUNEWEE.exe	upx
C:\Windows\System\kZikdhI.exe	upx
C:\Windows\System\ihDYzca.exe	upx
C:\Windows\System\dEVQJcH.exe	upx
behavioral2/memory/4920-64-0x00007FF767220000-0x00007FF767574000-memory.dmp	upx
C:\Windows\System\nKGCCGj.exe	upx
C:\Windows\System\AvaYYxG.exe	upx
C:\Windows\System\HmHmTPD.exe	upx
C:\Windows\System\QzzWqfJ.exe	upx
behavioral2/memory/5088-112-0x00007FF7D26D0000-0x00007FF7D2A24000-memory.dmp	upx
behavioral2/memory/3844-113-0x00007FF710780000-0x00007FF710AD4000-memory.dmp	upx
C:\Windows\System\eGjdtLX.exe	upx
behavioral2/memory/5028-109-0x00007FF760340000-0x00007FF760694000-memory.dmp	upx
behavioral2/memory/3180-108-0x00007FF601650000-0x00007FF6019A4000-memory.dmp	upx
behavioral2/memory/1924-105-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp	upx
C:\Windows\System\DPMAQLy.exe	upx
behavioral2/memory/4084-97-0x00007FF7C7E80000-0x00007FF7C81D4000-memory.dmp	upx
behavioral2/memory/4684-90-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp	upx
C:\Windows\System\JTwAnRn.exe	upx
behavioral2/memory/3156-81-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp	upx
behavioral2/memory/3004-77-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp	upx
behavioral2/memory/4900-71-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	upx
behavioral2/memory/4464-60-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp	upx
behavioral2/memory/4736-56-0x00007FF6893B0000-0x00007FF689704000-memory.dmp	upx
behavioral2/memory/4256-51-0x00007FF62B460000-0x00007FF62B7B4000-memory.dmp	upx
C:\Windows\System\NgEYlnw.exe	upx
C:\Windows\System\WRLsLuz.exe	upx
behavioral2/memory/4216-121-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp	upx
behavioral2/memory/4348-128-0x00007FF612980000-0x00007FF612CD4000-memory.dmp	upx
C:\Windows\System\MERCAAf.exe	upx
behavioral2/memory/1428-126-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	upx
behavioral2/memory/3268-117-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	upx
behavioral2/memory/4640-132-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	upx
behavioral2/memory/2428-133-0x00007FF7CA390000-0x00007FF7CA6E4000-memory.dmp	upx
behavioral2/memory/4720-134-0x00007FF70B200000-0x00007FF70B554000-memory.dmp	upx
behavioral2/memory/4736-135-0x00007FF6893B0000-0x00007FF689704000-memory.dmp	upx
behavioral2/memory/3004-136-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp	upx
behavioral2/memory/4920-137-0x00007FF767220000-0x00007FF767574000-memory.dmp	upx
behavioral2/memory/3156-138-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp	upx
behavioral2/memory/1924-140-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp	upx
behavioral2/memory/4684-139-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp	upx
behavioral2/memory/3180-141-0x00007FF601650000-0x00007FF6019A4000-memory.dmp	upx
behavioral2/memory/4216-142-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp	upx
behavioral2/memory/4900-143-0x00007FF798570000-0x00007FF7988C4000-memory.dmp	upx
behavioral2/memory/3884-144-0x00007FF752530000-0x00007FF752884000-memory.dmp	upx
behavioral2/memory/5028-145-0x00007FF760340000-0x00007FF760694000-memory.dmp	upx
behavioral2/memory/3268-146-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp	upx
behavioral2/memory/1428-147-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp	upx
behavioral2/memory/4640-148-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\zZErLgJ.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QzzWqfJ.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NgEYlnw.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WRLsLuz.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTwAnRn.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AvaYYxG.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DPMAQLy.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmHmTPD.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LFpVjMD.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYFMXmG.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kZikdhI.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ihDYzca.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZQfyWMq.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ubjEAjd.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RuSDpbD.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JvAZflK.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEVQJcH.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKGCCGj.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eGjdtLX.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUNEWEE.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MERCAAf.exe	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4464 wrote to memory of 4900	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ZQfyWMq.exe
PID 4464 wrote to memory of 4900	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ZQfyWMq.exe
PID 4464 wrote to memory of 3884	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ubjEAjd.exe
PID 4464 wrote to memory of 3884	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ubjEAjd.exe
PID 4464 wrote to memory of 5028	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	RuSDpbD.exe
PID 4464 wrote to memory of 5028	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	RuSDpbD.exe
PID 4464 wrote to memory of 3268	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	zZErLgJ.exe
PID 4464 wrote to memory of 3268	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	zZErLgJ.exe
PID 4464 wrote to memory of 1428	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	JvAZflK.exe
PID 4464 wrote to memory of 1428	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	JvAZflK.exe
PID 4464 wrote to memory of 4640	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	LFpVjMD.exe
PID 4464 wrote to memory of 4640	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	LFpVjMD.exe
PID 4464 wrote to memory of 4720	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	bYFMXmG.exe
PID 4464 wrote to memory of 4720	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	bYFMXmG.exe
PID 4464 wrote to memory of 4256	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	DUNEWEE.exe
PID 4464 wrote to memory of 4256	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	DUNEWEE.exe
PID 4464 wrote to memory of 4736	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	kZikdhI.exe
PID 4464 wrote to memory of 4736	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	kZikdhI.exe
PID 4464 wrote to memory of 4920	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ihDYzca.exe
PID 4464 wrote to memory of 4920	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	ihDYzca.exe
PID 4464 wrote to memory of 3004	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	dEVQJcH.exe
PID 4464 wrote to memory of 3004	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	dEVQJcH.exe
PID 4464 wrote to memory of 4084	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	nKGCCGj.exe
PID 4464 wrote to memory of 4084	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	nKGCCGj.exe
PID 4464 wrote to memory of 3156	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	JTwAnRn.exe
PID 4464 wrote to memory of 3156	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	JTwAnRn.exe
PID 4464 wrote to memory of 1924	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	AvaYYxG.exe
PID 4464 wrote to memory of 1924	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	AvaYYxG.exe
PID 4464 wrote to memory of 4684	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	DPMAQLy.exe
PID 4464 wrote to memory of 4684	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	DPMAQLy.exe
PID 4464 wrote to memory of 5088	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	HmHmTPD.exe
PID 4464 wrote to memory of 5088	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	HmHmTPD.exe
PID 4464 wrote to memory of 3844	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	QzzWqfJ.exe
PID 4464 wrote to memory of 3844	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	QzzWqfJ.exe
PID 4464 wrote to memory of 3180	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	eGjdtLX.exe
PID 4464 wrote to memory of 3180	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	eGjdtLX.exe
PID 4464 wrote to memory of 4216	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	NgEYlnw.exe
PID 4464 wrote to memory of 4216	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	NgEYlnw.exe
PID 4464 wrote to memory of 4348	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	WRLsLuz.exe
PID 4464 wrote to memory of 4348	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	WRLsLuz.exe
PID 4464 wrote to memory of 2428	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	MERCAAf.exe
PID 4464 wrote to memory of 2428	4464	2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe	MERCAAf.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_73434ef1167d3372967beb9c82e89e05_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\System\ZQfyWMq.exe
C:\Windows\System\ZQfyWMq.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Windows\System\ubjEAjd.exe
C:\Windows\System\ubjEAjd.exe
2⤵
- Executes dropped EXE
PID:3884

C:\Windows\System\RuSDpbD.exe
C:\Windows\System\RuSDpbD.exe
2⤵
- Executes dropped EXE
PID:5028

C:\Windows\System\zZErLgJ.exe
C:\Windows\System\zZErLgJ.exe
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\System\JvAZflK.exe
C:\Windows\System\JvAZflK.exe
2⤵
- Executes dropped EXE
PID:1428

C:\Windows\System\LFpVjMD.exe
C:\Windows\System\LFpVjMD.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Windows\System\bYFMXmG.exe
C:\Windows\System\bYFMXmG.exe
2⤵
- Executes dropped EXE
PID:4720

C:\Windows\System\DUNEWEE.exe
C:\Windows\System\DUNEWEE.exe
2⤵
- Executes dropped EXE
PID:4256

C:\Windows\System\kZikdhI.exe
C:\Windows\System\kZikdhI.exe
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\System\ihDYzca.exe
C:\Windows\System\ihDYzca.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\System\dEVQJcH.exe
C:\Windows\System\dEVQJcH.exe
2⤵
- Executes dropped EXE
PID:3004

C:\Windows\System\nKGCCGj.exe
C:\Windows\System\nKGCCGj.exe
2⤵
- Executes dropped EXE
PID:4084

C:\Windows\System\JTwAnRn.exe
C:\Windows\System\JTwAnRn.exe
2⤵
- Executes dropped EXE
PID:3156

C:\Windows\System\AvaYYxG.exe
C:\Windows\System\AvaYYxG.exe
2⤵
- Executes dropped EXE
PID:1924

C:\Windows\System\DPMAQLy.exe
C:\Windows\System\DPMAQLy.exe
2⤵
- Executes dropped EXE
PID:4684

C:\Windows\System\HmHmTPD.exe
C:\Windows\System\HmHmTPD.exe
2⤵
- Executes dropped EXE
PID:5088

C:\Windows\System\QzzWqfJ.exe
C:\Windows\System\QzzWqfJ.exe
2⤵
- Executes dropped EXE
PID:3844

C:\Windows\System\eGjdtLX.exe
C:\Windows\System\eGjdtLX.exe
2⤵
- Executes dropped EXE
PID:3180

C:\Windows\System\NgEYlnw.exe
C:\Windows\System\NgEYlnw.exe
2⤵
- Executes dropped EXE
PID:4216

C:\Windows\System\WRLsLuz.exe
C:\Windows\System\WRLsLuz.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\System\MERCAAf.exe
C:\Windows\System\MERCAAf.exe
2⤵
- Executes dropped EXE
PID:2428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AvaYYxG.exe
Filesize
5.9MB

MD5
757a396f913aa7712010479b2bac336d

SHA1
0bf4cd55e0d967b3868d9d5f682932e4d78e720b

SHA256
e7086f0075b423dd1a4dc458f4744d17a65f9777b245b95777a9d01a3a423ab4

SHA512
89501a1811ba8563358f103738cc69e78ebab11a0f6dccdeda74148585623a78ff79804799166456ce8efaa1511aefc605c666add0ee1df47bcb04bc16cdc875

Download Submit
C:\Windows\System\DPMAQLy.exe
Filesize
5.9MB

MD5
0c893e58e01e79180fa917680d3a33fa

SHA1
28c8b9e71f4d9c2d48511cbe134109c432adc7c2

SHA256
2d26a9a1eaf7d711cefac7afa992e1ab2364f25392302bb3a6db770e7bf7d47a

SHA512
03a41368245087927b1b646e68453c5526ea5c4afdf187998ffcedb96d7ec5fde88c6373a15d5e757c7a659df873f3d9ddd53750cca8cb6004dfb74a845039a9

Download Submit
C:\Windows\System\DUNEWEE.exe
Filesize
5.9MB

MD5
aa86a809a5350b8ed877f5b917252051

SHA1
d78a6ed961c59c91a25ccf68e4e3e31ab19e6af4

SHA256
d52e8035974b7c6c550885300975ca7a58d3b35222d061d5e0b0b3bdb5532fae

SHA512
e63af3dcc836a5af23d26d22990cdd17939b6e3c1d6cba229a9cac42f0a6f7932441cf97ad1dcb6eafaaada7df52c6d14b538442fd2a7b1ebbaae670a1cd5660

Download Submit
C:\Windows\System\HmHmTPD.exe
Filesize
5.9MB

MD5
7dba715140e291e830e0b22c2a19b326

SHA1
19493f3f2bdda75c7466c4eedbb13d558d2a8aff

SHA256
73968e9e66f15519aec3b1f6cd262614dc5ade43639d78222103af8f8949ccf1

SHA512
b4910595d4ab1e8024aeb54ac044a09204ca1699b34ccf334ddc301ed0b5fc31156cd467bb02c83aa21d99bf432d8549087e173c7f78284ccbf9bbe79c06ef95

Download Submit
C:\Windows\System\JTwAnRn.exe
Filesize
5.9MB

MD5
ed0287dd001c850429720517263cc40b

SHA1
5df294a7e18188ff1d897777a4448194186684b0

SHA256
9acd8e23a0b6e0f531426686ccb5d9d172c82eaed05bc4495bbd86333aa1de17

SHA512
45bbfea298837486cada79839533314db0f55920cb574bd25410fc70b874518af7f8e7e6b4d6622d5f61e181a5aa9fb205e21fbb3d8e76d281537fc89c654466

Download Submit
C:\Windows\System\JvAZflK.exe
Filesize
5.9MB

MD5
5967331403431e6d0a3c3906797470d3

SHA1
a3703fa7c489a888e513d36c1069af151849484b

SHA256
05b51a14e348a3dd1326e9b47444a9e6f9c2ee557f60cdd8553c890dda4186ad

SHA512
a5f89a1e504827a6e65db7140310674de630602fbbfb9800acb26e080c293a0c27e41cf89ee9b7b9fee0a7395d43285d82c4e2f6a274ed6a9af90fe8fe1aedf2

Download Submit
C:\Windows\System\LFpVjMD.exe
Filesize
5.9MB

MD5
c5f893abe7be7133055accdac6c9a8b3

SHA1
ffbad91a339a62694fd7ab56f861c5109c675c3a

SHA256
5e5ddda519986f95b264a7aff8ac843040bd13a7c8f9fe41607ab53efa930a7d

SHA512
2db22d2d0130edfa1d81e6cd5267e10ab859f404f1c549e7add2dbfd83fcb7dfb51c0376e8ed4ab111b7dc84a3e21444ab038eefe3e7955ec886b3e80e528854

Download Submit
C:\Windows\System\MERCAAf.exe
Filesize
5.9MB

MD5
ef035b303e447758466ab54a589a30e5

SHA1
bb60570b76c64f3dabce2d33d1b7acfd6a334623

SHA256
62e71e3150eca5e101c44e73fa8d6e25dafc06ef6ed2c2a2d9cc9cd4709546b1

SHA512
7ecc99c6b523da8412cb47cc160305cfc772a3bde76449e012ed7a8158f4a1abbd2a16eca745f958b00fc7c7cc0dabc74c88c0a1811eae3e734f83208deb97d5

Download Submit
C:\Windows\System\NgEYlnw.exe
Filesize
5.9MB

MD5
3be7ab32941f397c749af264c3129d6d

SHA1
24d9105aba94491ba38a0495699b084901754d51

SHA256
815e0d8c8e71825957423da4d64c07d87fa757db026d8d6251e1b7b6e88aeab5

SHA512
c0222fba57c4cff134545325ef5a126ceeeb2fa24056752bd2d34595302d63dca92fe6a2c508ad9d70596d2d1b64301c2824b34705532a7d8cba1dbc16a320c2

Download Submit
C:\Windows\System\QzzWqfJ.exe
Filesize
5.9MB

MD5
6498ff94d2a52945a950759527f67bbb

SHA1
63714b7f48e6de0de4e81f5abc5fff0e2ad1dd29

SHA256
a3ce577ad74a22df0b78f27a94e0adc880cc3631e4bc2f96084fd0dd80ab97a3

SHA512
4097875dba67d12f5583b734f330a369678855ec631f9625c4ef7d0a9ecb9974bc71ec348ff6d73563cfa66f3141db2df09530c7f171d1c8a78af3786bb0ec4d

Download Submit
C:\Windows\System\RuSDpbD.exe
Filesize
5.9MB

MD5
428ad62562d087496489bc7ebfec4419

SHA1
d6af0029e993e5454691c93ea2d49696263d7894

SHA256
d9e2a20d197cf5e2856f1dba7a71904c515cf0bf746b66cb74f89fd70030b194

SHA512
b106834a6d13c52dad09a5970c7fd162d8ccaebe8f3111ee88d367ce17adf6ef1ec0a5f3eac23fd00605e77e3ddaf5a042d08fc98443447ccac851cb6ecdd04a

Download Submit
C:\Windows\System\WRLsLuz.exe
Filesize
5.9MB

MD5
573ffae10ce314bbcf38233b4dcff350

SHA1
771e1fc900aa49f49739a0f7ef3fbb9343df731c

SHA256
e7902871674cc0c8344bfc81d76628b9b57eb96d2259b89b85d2448eb5890326

SHA512
ab001cd0ab305bcc8b9b66574851dd78274f3d3ee3709b0950b11ed22e7e94d76b3ad12c2146c3cf9656cbf25a22fe54d2b2098176d2581930484bc9088c9840

Download Submit
C:\Windows\System\ZQfyWMq.exe
Filesize
5.9MB

MD5
de809f6606211a5603c1ba7ac5cb4621

SHA1
71fb21d69f9ff4f5526aba406186f1013a238fd8

SHA256
2d45770ac4aa634e2bc796280f78e4d03ca8e62ca7a3279b85d99f509a0d7de6

SHA512
1ec929af03faf1a976c11f6bb3da64fa0c02213cb41bd458783d6117c528c0e4ba9b1e63ea3afdfdb487da1c9fd51d436c82e94f29f9b30a888c8459f20b43f3

Download Submit
C:\Windows\System\bYFMXmG.exe
Filesize
5.9MB

MD5
23e94e6ba43045a70c1d699ac49c5cd6

SHA1
5f1dac1cf6efc001a325a95a256fd8df53ed3951

SHA256
dffd6ce1ff2cfe99e5c977ba94d4f57966ab1030c397be1026feaeb6768e1753

SHA512
a540542f8518006eca8f3b652103b39744ebf5b01fe7899732b1dbc911b9e26129ae363f6dc4fbbe2f5d7fef15b9bcc5e4c150d8f1b28eb78b06545b78c70e1d

Download Submit
C:\Windows\System\dEVQJcH.exe
Filesize
5.9MB

MD5
e42f9e6408e052a45338d04de01a9f3d

SHA1
f1197d918596080371fb7850c30fa9b5c3ccb27d

SHA256
98e99cca510977268d05f5b61eedd3d5dced551e3302fc91b8ec905ac7e9742d

SHA512
bdc16fb1f945bd4e0dd2be5880cbfa116d9ac21a9d9b7a59f4e8152a50610bd7b24a2cf94caa2c983ef0e1c3e2c4714f07c11be160eea7aa813807c37789a14e

Download Submit
C:\Windows\System\eGjdtLX.exe
Filesize
5.9MB

MD5
ab25f4eba61171a39050e5e78ce1df54

SHA1
18f59299f0a2fa0e29537943ef0a06fa913174fb

SHA256
a9e3963dcf3ba5bad255d1a060a216246186da9fadad308f3864bae0705759d3

SHA512
7270ca5d76910a8abcf44a6b105dad4635160eff8ff1f536713a1438d3b9d1a2cef3a2e41861e082412836ac952fa526565cf18da783582a9bfda54a0b279e8e

Download Submit
C:\Windows\System\ihDYzca.exe
Filesize
5.9MB

MD5
e06d43ae27fd40c65f00dccbe848fd1c

SHA1
512877da518f9be352c3992aa198911c642aa3ca

SHA256
788db1c729a22caaa8539a4de397c1803c8fc4a4de119ca700526060cda6703a

SHA512
91f347489110c129cd3cea7829741d65beece9123803afe5a8785b0e39e4b5a86feda7dd6ea919feab50a8469c5e14d4169e2ec75fd26073bc0c4b6c9def9c09

Download Submit
C:\Windows\System\kZikdhI.exe
Filesize
5.9MB

MD5
7886d2db61923828be81124fd13fe2bf

SHA1
bdf8bc2eee463ecb1b4a3619b0b4845d7db54f0c

SHA256
05cad534b793302761abc53b75f0a044b86faaae600eb717b0b46f0635e94d9f

SHA512
c02fa98eddf4f375808a6870f43048f69fe9b0db7e37f15c65eae7af80457d4b335c649d3ae9ef6c7469fc0a7e016ff6aad02d398a886692d9c7a0160e9aa6de

Download Submit
C:\Windows\System\nKGCCGj.exe
Filesize
5.9MB

MD5
993c7391f415ec61f571e61fad9711b5

SHA1
8d7d142869e2d54bc67b14028f2f5ff6c25325aa

SHA256
07237b7245fa0de9dfbecf37809fe1ea89512fbd51db3ee62b64c7f77c9cb8f4

SHA512
0730773d6241cfcb2c8ec378f9a35ec10ed837e909e5379659905d2016d258f29ffcc0c862cec2368abd5004ec47572736ebc9223be7c7daf321b8a66b6efb31

Download Submit
C:\Windows\System\ubjEAjd.exe
Filesize
5.9MB

MD5
5885f1af4ba98b823e74307a7c30eaa3

SHA1
e1d5775949ab2be78c5d076c045ed8e9e0a7983f

SHA256
2b6dfa4e000e0a2084f2ea327a2bac9dfa6a6ac37cacf69771612ecac2962ed8

SHA512
a4fedf517f74f76ea0f6622429c00ea182d0726565484c7278c94672112dc0296627e54b95432ac102b59f676abee2fa0b70e33bf6864eeb6344ad48625e0be4

Download Submit
C:\Windows\System\zZErLgJ.exe
Filesize
5.9MB

MD5
ac5aeee0f03ac9df1e89a2b0152fb5c3

SHA1
f1e1175ed57acdb6210e3955b1ac33242cf37ca5

SHA256
74c28ece446fb1b8a6efb3bd0ca4a131c131701dc5faee31afb01da4a7520ea7

SHA512
2927601079961796ee0d1f56735a64184779dfd34884c817f405391e5efe0f2f035aacb30299b9560c8557c15df8af1b41391fa8669280763825b82b637d9620

Download Submit
memory/1428-32-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp

Filesize
3.3MB

Download
memory/1428-126-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp

Filesize
3.3MB

Download
memory/1428-147-0x00007FF6B1140000-0x00007FF6B1494000-memory.dmp

Filesize
3.3MB

Download
memory/1924-158-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp

Filesize
3.3MB

Download
memory/1924-140-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp

Filesize
3.3MB

Download
memory/1924-105-0x00007FF73E7C0000-0x00007FF73EB14000-memory.dmp

Filesize
3.3MB

Download
memory/2428-133-0x00007FF7CA390000-0x00007FF7CA6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2428-163-0x00007FF7CA390000-0x00007FF7CA6E4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-153-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp

Filesize
3.3MB

Download
memory/3004-136-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp

Filesize
3.3MB

Download
memory/3004-77-0x00007FF7B9530000-0x00007FF7B9884000-memory.dmp

Filesize
3.3MB

Download
memory/3156-81-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-138-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3156-155-0x00007FF6F4750000-0x00007FF6F4AA4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-108-0x00007FF601650000-0x00007FF6019A4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-141-0x00007FF601650000-0x00007FF6019A4000-memory.dmp

Filesize
3.3MB

Download
memory/3180-159-0x00007FF601650000-0x00007FF6019A4000-memory.dmp

Filesize
3.3MB

Download
memory/3268-117-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp

Filesize
3.3MB

Download
memory/3268-146-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp

Filesize
3.3MB

Download
memory/3268-26-0x00007FF6A56F0000-0x00007FF6A5A44000-memory.dmp

Filesize
3.3MB

Download
memory/3844-156-0x00007FF710780000-0x00007FF710AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3844-113-0x00007FF710780000-0x00007FF710AD4000-memory.dmp

Filesize
3.3MB

Download
memory/3884-144-0x00007FF752530000-0x00007FF752884000-memory.dmp

Filesize
3.3MB

Download
memory/3884-14-0x00007FF752530000-0x00007FF752884000-memory.dmp

Filesize
3.3MB

Download
memory/4084-97-0x00007FF7C7E80000-0x00007FF7C81D4000-memory.dmp

Filesize
3.3MB

Download
memory/4084-154-0x00007FF7C7E80000-0x00007FF7C81D4000-memory.dmp

Filesize
3.3MB

Download
memory/4216-142-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp

Filesize
3.3MB

Download
memory/4216-121-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp

Filesize
3.3MB

Download
memory/4216-161-0x00007FF62AFD0000-0x00007FF62B324000-memory.dmp

Filesize
3.3MB

Download
memory/4256-51-0x00007FF62B460000-0x00007FF62B7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4256-150-0x00007FF62B460000-0x00007FF62B7B4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-162-0x00007FF612980000-0x00007FF612CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4348-128-0x00007FF612980000-0x00007FF612CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-1-0x000001F0F7CF0000-0x000001F0F7D00000-memory.dmp

Filesize
64KB

Download
memory/4464-0-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-60-0x00007FF65AA90000-0x00007FF65ADE4000-memory.dmp

Filesize
3.3MB

Download
memory/4640-132-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp

Filesize
3.3MB

Download
memory/4640-36-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp

Filesize
3.3MB

Download
memory/4640-148-0x00007FF7AEFB0000-0x00007FF7AF304000-memory.dmp

Filesize
3.3MB

Download
memory/4684-90-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4684-139-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4684-157-0x00007FF629B90000-0x00007FF629EE4000-memory.dmp

Filesize
3.3MB

Download
memory/4720-42-0x00007FF70B200000-0x00007FF70B554000-memory.dmp

Filesize
3.3MB

Download
memory/4720-149-0x00007FF70B200000-0x00007FF70B554000-memory.dmp

Filesize
3.3MB

Download
memory/4720-134-0x00007FF70B200000-0x00007FF70B554000-memory.dmp

Filesize
3.3MB

Download
memory/4736-135-0x00007FF6893B0000-0x00007FF689704000-memory.dmp

Filesize
3.3MB

Download
memory/4736-151-0x00007FF6893B0000-0x00007FF689704000-memory.dmp

Filesize
3.3MB

Download
memory/4736-56-0x00007FF6893B0000-0x00007FF689704000-memory.dmp

Filesize
3.3MB

Download
memory/4900-71-0x00007FF798570000-0x00007FF7988C4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-8-0x00007FF798570000-0x00007FF7988C4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-143-0x00007FF798570000-0x00007FF7988C4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-152-0x00007FF767220000-0x00007FF767574000-memory.dmp

Filesize
3.3MB

Download
memory/4920-64-0x00007FF767220000-0x00007FF767574000-memory.dmp

Filesize
3.3MB

Download
memory/4920-137-0x00007FF767220000-0x00007FF767574000-memory.dmp

Filesize
3.3MB

Download
memory/5028-18-0x00007FF760340000-0x00007FF760694000-memory.dmp

Filesize
3.3MB

Download
memory/5028-109-0x00007FF760340000-0x00007FF760694000-memory.dmp

Filesize
3.3MB

Download
memory/5028-145-0x00007FF760340000-0x00007FF760694000-memory.dmp

Filesize
3.3MB

Download
memory/5088-112-0x00007FF7D26D0000-0x00007FF7D2A24000-memory.dmp

Filesize
3.3MB

Download
memory/5088-160-0x00007FF7D26D0000-0x00007FF7D2A24000-memory.dmp

Filesize
3.3MB

Download