cobaltstrike | 99b5eae448df7d37a0be3fe62d43c42685d4e0cbcc37c82fdc4075f72442eee0

Analysis

max time kernel
133s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b1142fbcd079cec3095ee19b0ad96cd8
SHA1

5685bfb3f7f8f8c56a608b62a47db161cfd43a6a
SHA256

99b5eae448df7d37a0be3fe62d43c42685d4e0cbcc37c82fdc4075f72442eee0
SHA512

0c970e903c20616a6cb17a490c78e6a409b75703e300d649b46f377832c72959be02764005fbc544073ba42517f0ca797be208aca571d652b03ed14f8d2195ce
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\TPutnYb.exe	cobalt_reflective_dll
\Windows\system\pnTiyWa.exe	cobalt_reflective_dll
C:\Windows\system\BwpRPZd.exe	cobalt_reflective_dll
\Windows\system\VVKpFKD.exe	cobalt_reflective_dll
C:\Windows\system\wkijPkK.exe	cobalt_reflective_dll
C:\Windows\system\IrFwalu.exe	cobalt_reflective_dll
C:\Windows\system\LyPgfvH.exe	cobalt_reflective_dll
C:\Windows\system\waaBpUM.exe	cobalt_reflective_dll
C:\Windows\system\CjEmYvp.exe	cobalt_reflective_dll
C:\Windows\system\bkREYJx.exe	cobalt_reflective_dll
C:\Windows\system\qfXKtEi.exe	cobalt_reflective_dll
C:\Windows\system\LGwaLoZ.exe	cobalt_reflective_dll
C:\Windows\system\GDsvPng.exe	cobalt_reflective_dll
C:\Windows\system\UclAyiD.exe	cobalt_reflective_dll
\Windows\system\ZUnaPQh.exe	cobalt_reflective_dll
C:\Windows\system\GrrNSQb.exe	cobalt_reflective_dll
C:\Windows\system\BybaGOR.exe	cobalt_reflective_dll
C:\Windows\system\duwrUOz.exe	cobalt_reflective_dll
C:\Windows\system\jQELjDy.exe	cobalt_reflective_dll
C:\Windows\system\DSnVHkK.exe	cobalt_reflective_dll
C:\Windows\system\cNiNugD.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 61 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
\Windows\system\TPutnYb.exe	xmrig
behavioral1/memory/2744-8-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
\Windows\system\pnTiyWa.exe	xmrig
C:\Windows\system\BwpRPZd.exe	xmrig
behavioral1/memory/2060-13-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
\Windows\system\VVKpFKD.exe	xmrig
C:\Windows\system\wkijPkK.exe	xmrig
C:\Windows\system\IrFwalu.exe	xmrig
C:\Windows\system\LyPgfvH.exe	xmrig
C:\Windows\system\waaBpUM.exe	xmrig
C:\Windows\system\CjEmYvp.exe	xmrig
C:\Windows\system\bkREYJx.exe	xmrig
C:\Windows\system\qfXKtEi.exe	xmrig
C:\Windows\system\LGwaLoZ.exe	xmrig
C:\Windows\system\GDsvPng.exe	xmrig
C:\Windows\system\UclAyiD.exe	xmrig
\Windows\system\ZUnaPQh.exe	xmrig
behavioral1/memory/2160-110-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2060-115-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2060-119-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2060-124-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2060-128-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2796-131-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2060-130-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig
behavioral1/memory/2492-129-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2444-127-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2616-125-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2468-123-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2564-121-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2664-120-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2572-118-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2672-116-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2604-114-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2060-113-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/1944-112-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2060-111-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/3044-109-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
C:\Windows\system\GrrNSQb.exe	xmrig
C:\Windows\system\BybaGOR.exe	xmrig
C:\Windows\system\duwrUOz.exe	xmrig
C:\Windows\system\jQELjDy.exe	xmrig
C:\Windows\system\DSnVHkK.exe	xmrig
C:\Windows\system\cNiNugD.exe	xmrig
behavioral1/memory/2060-134-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
behavioral1/memory/2744-135-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/3044-137-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2744-138-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/3044-139-0x000000013FE50000-0x00000001401A4000-memory.dmp	xmrig
behavioral1/memory/2160-140-0x000000013FC20000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/1944-141-0x000000013FC80000-0x000000013FFD4000-memory.dmp	xmrig
behavioral1/memory/2604-142-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2672-143-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2572-144-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2664-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2564-146-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2468-147-0x000000013FD30000-0x0000000140084000-memory.dmp	xmrig
behavioral1/memory/2616-148-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2444-149-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/2492-150-0x000000013FDB0000-0x0000000140104000-memory.dmp	xmrig
behavioral1/memory/2796-151-0x000000013FF80000-0x00000001402D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

TPutnYb.exepnTiyWa.exeBwpRPZd.exeVVKpFKD.exewkijPkK.exeIrFwalu.exeLyPgfvH.exewaaBpUM.execNiNugD.exeCjEmYvp.exeDSnVHkK.exebkREYJx.exejQELjDy.exeduwrUOz.exeqfXKtEi.exeLGwaLoZ.exeBybaGOR.exeGrrNSQb.exeUclAyiD.exeGDsvPng.exeZUnaPQh.exe

pid	process
2744	TPutnYb.exe
3044	pnTiyWa.exe
2160	BwpRPZd.exe
1944	VVKpFKD.exe
2604	wkijPkK.exe
2672	IrFwalu.exe
2572	LyPgfvH.exe
2664	waaBpUM.exe
2564	cNiNugD.exe
2468	CjEmYvp.exe
2616	DSnVHkK.exe
2444	bkREYJx.exe
2492	jQELjDy.exe
2796	duwrUOz.exe
2096	qfXKtEi.exe
2228	LGwaLoZ.exe
2804	BybaGOR.exe
1396	GrrNSQb.exe
1676	UclAyiD.exe
1472	GDsvPng.exe
1756	ZUnaPQh.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2060-0-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
\Windows\system\TPutnYb.exe	upx
behavioral1/memory/2744-8-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
\Windows\system\pnTiyWa.exe	upx
C:\Windows\system\BwpRPZd.exe	upx
behavioral1/memory/2060-13-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
\Windows\system\VVKpFKD.exe	upx
C:\Windows\system\wkijPkK.exe	upx
C:\Windows\system\IrFwalu.exe	upx
C:\Windows\system\LyPgfvH.exe	upx
C:\Windows\system\waaBpUM.exe	upx
C:\Windows\system\CjEmYvp.exe	upx
C:\Windows\system\bkREYJx.exe	upx
C:\Windows\system\qfXKtEi.exe	upx
C:\Windows\system\LGwaLoZ.exe	upx
C:\Windows\system\GDsvPng.exe	upx
C:\Windows\system\UclAyiD.exe	upx
\Windows\system\ZUnaPQh.exe	upx
behavioral1/memory/2160-110-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/2796-131-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx
behavioral1/memory/2492-129-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2444-127-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2616-125-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2468-123-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2564-121-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2664-120-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2572-118-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2672-116-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2604-114-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/1944-112-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/3044-109-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
C:\Windows\system\GrrNSQb.exe	upx
C:\Windows\system\BybaGOR.exe	upx
C:\Windows\system\duwrUOz.exe	upx
C:\Windows\system\jQELjDy.exe	upx
C:\Windows\system\DSnVHkK.exe	upx
C:\Windows\system\cNiNugD.exe	upx
behavioral1/memory/2060-134-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
behavioral1/memory/2744-135-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/3044-137-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2744-138-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/3044-139-0x000000013FE50000-0x00000001401A4000-memory.dmp	upx
behavioral1/memory/2160-140-0x000000013FC20000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/1944-141-0x000000013FC80000-0x000000013FFD4000-memory.dmp	upx
behavioral1/memory/2604-142-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2672-143-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2572-144-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2664-145-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2564-146-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2468-147-0x000000013FD30000-0x0000000140084000-memory.dmp	upx
behavioral1/memory/2616-148-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2444-149-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/2492-150-0x000000013FDB0000-0x0000000140104000-memory.dmp	upx
behavioral1/memory/2796-151-0x000000013FF80000-0x00000001402D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\GDsvPng.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TPutnYb.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\waaBpUM.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cNiNugD.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jQELjDy.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\duwrUOz.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qfXKtEi.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pnTiyWa.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IrFwalu.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyPgfvH.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DSnVHkK.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZUnaPQh.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VVKpFKD.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wkijPkK.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GrrNSQb.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UclAyiD.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BybaGOR.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwpRPZd.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CjEmYvp.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bkREYJx.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGwaLoZ.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2060 wrote to memory of 2744	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	TPutnYb.exe
PID 2060 wrote to memory of 2744	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	TPutnYb.exe
PID 2060 wrote to memory of 2744	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	TPutnYb.exe
PID 2060 wrote to memory of 3044	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pnTiyWa.exe
PID 2060 wrote to memory of 3044	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pnTiyWa.exe
PID 2060 wrote to memory of 3044	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pnTiyWa.exe
PID 2060 wrote to memory of 2160	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BwpRPZd.exe
PID 2060 wrote to memory of 2160	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BwpRPZd.exe
PID 2060 wrote to memory of 2160	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BwpRPZd.exe
PID 2060 wrote to memory of 1944	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	VVKpFKD.exe
PID 2060 wrote to memory of 1944	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	VVKpFKD.exe
PID 2060 wrote to memory of 1944	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	VVKpFKD.exe
PID 2060 wrote to memory of 2604	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	wkijPkK.exe
PID 2060 wrote to memory of 2604	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	wkijPkK.exe
PID 2060 wrote to memory of 2604	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	wkijPkK.exe
PID 2060 wrote to memory of 2672	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	IrFwalu.exe
PID 2060 wrote to memory of 2672	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	IrFwalu.exe
PID 2060 wrote to memory of 2672	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	IrFwalu.exe
PID 2060 wrote to memory of 2572	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LyPgfvH.exe
PID 2060 wrote to memory of 2572	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LyPgfvH.exe
PID 2060 wrote to memory of 2572	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LyPgfvH.exe
PID 2060 wrote to memory of 2664	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	waaBpUM.exe
PID 2060 wrote to memory of 2664	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	waaBpUM.exe
PID 2060 wrote to memory of 2664	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	waaBpUM.exe
PID 2060 wrote to memory of 2564	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	cNiNugD.exe
PID 2060 wrote to memory of 2564	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	cNiNugD.exe
PID 2060 wrote to memory of 2564	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	cNiNugD.exe
PID 2060 wrote to memory of 2468	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	CjEmYvp.exe
PID 2060 wrote to memory of 2468	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	CjEmYvp.exe
PID 2060 wrote to memory of 2468	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	CjEmYvp.exe
PID 2060 wrote to memory of 2616	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	DSnVHkK.exe
PID 2060 wrote to memory of 2616	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	DSnVHkK.exe
PID 2060 wrote to memory of 2616	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	DSnVHkK.exe
PID 2060 wrote to memory of 2444	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	bkREYJx.exe
PID 2060 wrote to memory of 2444	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	bkREYJx.exe
PID 2060 wrote to memory of 2444	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	bkREYJx.exe
PID 2060 wrote to memory of 2492	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	jQELjDy.exe
PID 2060 wrote to memory of 2492	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	jQELjDy.exe
PID 2060 wrote to memory of 2492	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	jQELjDy.exe
PID 2060 wrote to memory of 2796	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	duwrUOz.exe
PID 2060 wrote to memory of 2796	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	duwrUOz.exe
PID 2060 wrote to memory of 2796	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	duwrUOz.exe
PID 2060 wrote to memory of 2096	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	qfXKtEi.exe
PID 2060 wrote to memory of 2096	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	qfXKtEi.exe
PID 2060 wrote to memory of 2096	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	qfXKtEi.exe
PID 2060 wrote to memory of 2228	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LGwaLoZ.exe
PID 2060 wrote to memory of 2228	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LGwaLoZ.exe
PID 2060 wrote to memory of 2228	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LGwaLoZ.exe
PID 2060 wrote to memory of 2804	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BybaGOR.exe
PID 2060 wrote to memory of 2804	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BybaGOR.exe
PID 2060 wrote to memory of 2804	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	BybaGOR.exe
PID 2060 wrote to memory of 1396	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GrrNSQb.exe
PID 2060 wrote to memory of 1396	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GrrNSQb.exe
PID 2060 wrote to memory of 1396	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GrrNSQb.exe
PID 2060 wrote to memory of 1676	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	UclAyiD.exe
PID 2060 wrote to memory of 1676	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	UclAyiD.exe
PID 2060 wrote to memory of 1676	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	UclAyiD.exe
PID 2060 wrote to memory of 1472	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GDsvPng.exe
PID 2060 wrote to memory of 1472	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GDsvPng.exe
PID 2060 wrote to memory of 1472	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GDsvPng.exe
PID 2060 wrote to memory of 1756	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	ZUnaPQh.exe
PID 2060 wrote to memory of 1756	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	ZUnaPQh.exe
PID 2060 wrote to memory of 1756	2060	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	ZUnaPQh.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\System\TPutnYb.exe
C:\Windows\System\TPutnYb.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System\pnTiyWa.exe
C:\Windows\System\pnTiyWa.exe
2⤵
- Executes dropped EXE
PID:3044

C:\Windows\System\BwpRPZd.exe
C:\Windows\System\BwpRPZd.exe
2⤵
- Executes dropped EXE
PID:2160

C:\Windows\System\VVKpFKD.exe
C:\Windows\System\VVKpFKD.exe
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\System\wkijPkK.exe
C:\Windows\System\wkijPkK.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\IrFwalu.exe
C:\Windows\System\IrFwalu.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\LyPgfvH.exe
C:\Windows\System\LyPgfvH.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System\waaBpUM.exe
C:\Windows\System\waaBpUM.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\cNiNugD.exe
C:\Windows\System\cNiNugD.exe
2⤵
- Executes dropped EXE
PID:2564

C:\Windows\System\CjEmYvp.exe
C:\Windows\System\CjEmYvp.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\DSnVHkK.exe
C:\Windows\System\DSnVHkK.exe
2⤵
- Executes dropped EXE
PID:2616

C:\Windows\System\bkREYJx.exe
C:\Windows\System\bkREYJx.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\jQELjDy.exe
C:\Windows\System\jQELjDy.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\duwrUOz.exe
C:\Windows\System\duwrUOz.exe
2⤵
- Executes dropped EXE
PID:2796

C:\Windows\System\qfXKtEi.exe
C:\Windows\System\qfXKtEi.exe
2⤵
- Executes dropped EXE
PID:2096

C:\Windows\System\LGwaLoZ.exe
C:\Windows\System\LGwaLoZ.exe
2⤵
- Executes dropped EXE
PID:2228

C:\Windows\System\BybaGOR.exe
C:\Windows\System\BybaGOR.exe
2⤵
- Executes dropped EXE
PID:2804

C:\Windows\System\GrrNSQb.exe
C:\Windows\System\GrrNSQb.exe
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\System\UclAyiD.exe
C:\Windows\System\UclAyiD.exe
2⤵
- Executes dropped EXE
PID:1676

C:\Windows\System\GDsvPng.exe
C:\Windows\System\GDsvPng.exe
2⤵
- Executes dropped EXE
PID:1472

C:\Windows\System\ZUnaPQh.exe
C:\Windows\System\ZUnaPQh.exe
2⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BwpRPZd.exe
Filesize
5.9MB

MD5
dfdb04783512522e847cbb491177b607

SHA1
986755140c8d50e4a96de402639e1f7ce31806b2

SHA256
8aa2005b3366d55ee105a037037906c0f57fdc413e919368f58d5fe17594a5eb

SHA512
e9efd842763610d96d119fd9539321e5e7438c59ed09da1e1c63c102169e1dcbd18250637372b5db8b545d2d40002971a4adc17077d96f3cdc4761d37ec8d0fb

Download Submit
C:\Windows\system\BybaGOR.exe
Filesize
5.9MB

MD5
68e91258b1e7244ccee47f0474bd8680

SHA1
9f7639e18ae4992d1200736c428bb79369383eeb

SHA256
43d61f3f4e928c1703d7318435ce58214a26ee9d7a8b4807b44f147249003e58

SHA512
f235f9ad04f3efa4502b6d974c6f6e3504a91b4c51333a30b2cb536037f871f48ad20fb07f52bb8135ad4e7de95a2f0451a8facb68e09fb2f79344b661a7f6ea

Download Submit
C:\Windows\system\CjEmYvp.exe
Filesize
5.9MB

MD5
a9126d4acb3fcf5bde4c92f6eed90c68

SHA1
883bcfa09c747ee2b9677473dee57c99eeae9589

SHA256
4bd81951afcb48f9db4ac9293bedc063c4742bbd9408908e113dfff169356a78

SHA512
f797299fbc865cd8ad68b5fb5303aff872a418b53305eb3a99eef9b292eb92a32842d96bff18c9cbdc8dec3a36bbdc7cf4eda0fb3286f9d25ecb089174cc5396

Download Submit
C:\Windows\system\DSnVHkK.exe
Filesize
5.9MB

MD5
03acdaaab464f3eebd4353458f5f73bf

SHA1
16aed367910ffaa3e8e240eea2b3d550dad2dfbc

SHA256
f3d9519777efcb5e2074c4e2286c750b181d965b9fd7acae02254717a550eafb

SHA512
32f3e6376bca219382075f570f7c00f8cd76aa8ac14d8b026ff40284998c41865428b8d5bb431c0102cb050e89d202c3b81c30abcd4116b079b16359c6f5c3a6

Download Submit
C:\Windows\system\GDsvPng.exe
Filesize
5.9MB

MD5
d73fd90f92b01cc658e599c23d2261c0

SHA1
1eb5114b402edfa316fb840026962b6bd644a232

SHA256
4378d79a9df894fa473463235de8e40cbc9263b62e0499448435050c3e64292d

SHA512
f7f0f4eab8c32ea6777cd4beab30a97bc67d4f7b96998e1d0f58aff777e5f546fa5954bed1edc67dde99314a73ff1dfce07bf93ae7f89c6c261f2a8b6bb3c0e4

Download Submit
C:\Windows\system\GrrNSQb.exe
Filesize
5.9MB

MD5
6a2f3bb35459a5f29daa9d2b51b6e042

SHA1
f395998fe596ce34da30e5edb90e35b02f747823

SHA256
ac91f1e8eb370e1a3b0d5cc802510f74fb5ff3592fcd0f2e10d88c24716dd898

SHA512
01f53606462c138b6acb93bb6a4d561de38895762553e7fd58c50bcf459fb946e463ac4488fe373a879751e2b75a525dfd8aab313105c7302dfc33a22302f067

Download Submit
C:\Windows\system\IrFwalu.exe
Filesize
5.9MB

MD5
7335be3a695a474390a6f5df969b25c8

SHA1
07760296237ceb7f2e013e5a6a6eb686246ea303

SHA256
29c75af6a6e052ce4dad31a2aeb14b67aa45f4a12e8fa20ec8ed1cbb7d5df17a

SHA512
056dc9d9eeac65ea3692a0e7970ec8cb0c743714b0e829a3a646ef7ff3009f2c18152b7ab9cf865a1c4b3a3403bf9d6fd10d6a96f610dea62af245dd48c9800c

Download Submit
C:\Windows\system\LGwaLoZ.exe
Filesize
5.9MB

MD5
5d6f52566a523bb4e7e11d0826f20955

SHA1
e0c144292798574f8ff79adb2bd139109783f9f7

SHA256
82e8469910fe8a65a0d964ef0ae0d3e64a2d41619dd3d1983706bc184eaaa44c

SHA512
1f338f635dc5c7dc23271364fd8a272e3fa98afcc309a4add1f8b67d2eb82b3e90459fec10c79c1980a304442efea8d47d8843866f807cb084236e9a585bf8d8

Download Submit
C:\Windows\system\LyPgfvH.exe
Filesize
5.9MB

MD5
31858481366750bb8b99c5fb1d7933db

SHA1
fef541ab80185edb62b9d33ce66250f9392f051f

SHA256
279b0bbd3cd4abb9e0ebd7d8503c65924ab446d3b5292d8662367194a673a286

SHA512
02fe34d3970a755040b11eff77ae695aa91c96e00543c6efeb30ad8d844f2933f3f2799d06ef5c8504f74ab2bcde30c131fa3d0d59a232f618f8dad823eaba89

Download Submit
C:\Windows\system\UclAyiD.exe
Filesize
5.9MB

MD5
7aee6522e000317f28a059b5d84383ad

SHA1
b4e8a43a0f63621a397fe0e2a37a492084c569aa

SHA256
ec553ec7ca51dde0bc8ee5ce8ed2b9107179ddf9ff59f37149c5ce26a994d7d9

SHA512
04715dde6420644d588eb0dd0c87260810bc610063d04fe850c5c05ea4b42b28533e51ed1ad7e7d1df6a578901ac10d278b0aa937c751ffa72fa1f99ced09551

Download Submit
C:\Windows\system\bkREYJx.exe
Filesize
5.9MB

MD5
1e5b17d93df8569dc8bcfc9ddd9e65f2

SHA1
8d7a13ca8cd569b83871bf37198976feffd4ae85

SHA256
ebbc3ca12eed1943ada93d93f9f86dc28a18e6fad8cbadf87c377aab413e0302

SHA512
9daf7b0d5c76bda03c49ad24e9c9135de172a83bd9c394e0f058a958f8a0fa98c27165cb2087feaf5691fdf47925f92049b4417b071017fe506d496941e419e1

Download Submit
C:\Windows\system\cNiNugD.exe
Filesize
5.9MB

MD5
91b3478038efa52d7a8bf7d8a3a7b358

SHA1
efc3ed4f4db8988d260acccbdf726780e418e558

SHA256
141fc9454a29498afa072e7e36d816fe2df45025f30b323c9e337e6dfa257520

SHA512
4da43ad6fb12afaecbcc8ed607aa3996d09509d414857e200c6a5d42dfc93beb3fac7a5c079ea81ce8248f1d81b314dfb919016c97ab4cb69042ce7256891697

Download Submit
C:\Windows\system\duwrUOz.exe
Filesize
5.9MB

MD5
5e95501e176a8485841e2f4bfcb2a1ad

SHA1
dc7fea346fee3851cb26fbef59d7c109398c9045

SHA256
da3e1d2e0764c5ca86370d1c02a793ffe2b64a2f586d5f59c67d14ffaa5f70ab

SHA512
d217738192c62050d981086749f0c46f2cbbe36d5a4714b7849325559d49a1533bad79819d45eea066292e0b4f10cb8452fbabd2a8b0ffd3ceeade179b399aa0

Download Submit
C:\Windows\system\jQELjDy.exe
Filesize
5.9MB

MD5
7379265ac75b926cd0d88d3a89a55db5

SHA1
242d2b779341924fe4ae5d67c2fd10e4078b7998

SHA256
57ddb3c66e348b8c9fcdd6d05b22dc5f6ff605fbc0d3da7b175f057da6e5f8e4

SHA512
3ebb1ca12259083575b54a39e3a506806adb4cd8d65f8faf7cc9e13674ddbedf8f77d090bf7d0b50c8fa1cdf0cafb21ff2a4af0d6ed129fdd71d8479cd875d96

Download Submit
C:\Windows\system\qfXKtEi.exe
Filesize
5.9MB

MD5
68be3b03b3eb094f0fe90b2c3c795bc5

SHA1
72499e16fa3d29365b7192cc32d9d75cf9716178

SHA256
500a9a66f2699bfcd34be6aa5002cfa292bcbeb66e84957880be5e5a8184a95e

SHA512
ece97b5c0c31d72ea5df79a5b3e7769ac06f1c617c6885d1e8feed4cfaf3efdfc17a848fa5a4b53467c1d644da7325141bba8ffa18f6b2845d05ce5ac1eaa78d

Download Submit
C:\Windows\system\waaBpUM.exe
Filesize
5.9MB

MD5
4df30deab9840d592a61c5d9644d8c11

SHA1
1874b127d361e881d8e4208a2bd22f62d169370a

SHA256
024ab8bcf33638c1dda76b568d2f609779bdde436057dab0a19bbb8597c6a64a

SHA512
67670136c315029bb5e6460306d3ef3af1622178e24d26cd0c0c670d026695dd98190f28780649291cc70651c9442def163b5a83350e133c207273a85fb1acdb

Download Submit
C:\Windows\system\wkijPkK.exe
Filesize
5.9MB

MD5
7395c19d3111637363f92dde2929e1a0

SHA1
c02ea317242411a52357c8498a6180fec7a0736b

SHA256
de46febaf377d56556e4e716fb51a7255e1a8b18d6b1bad21d24a12a8c54e3af

SHA512
fde6b9a90b3b1fa103b9d91200f926bd0c868b04ced7f64cde8dafc516312396a23d45d51288fa37bb0f88ff7702ac9c4268062d94ae40168685efe9c49abfac

Download Submit
\Windows\system\TPutnYb.exe
Filesize
5.9MB

MD5
67cfbfb59343829e1e042bef2b72b875

SHA1
c2bcbac61d8ae4890701585d7dc9a5a934b7281e

SHA256
0b131fd44a97ff6c84d71be485b81bef2075b4ed39b05e386a25f28c93b719e0

SHA512
3e8ace9b3314f32a4299fcec49b8aae8b7e83774b88c70a7fcb298effeb976a9f98697b9adcc1107568cd95d4323d1803fe56182801923bc8d3760bedb8baec1

Download Submit
\Windows\system\VVKpFKD.exe
Filesize
5.9MB

MD5
b618b7feb4d5b1c4a73a98db2d298eb1

SHA1
857e64850cfa9d003a02f22c543334e7c18a9a44

SHA256
d0d29793866cb63724c266ab6c6218ba7c9985f328ce01784edc70225e0d2742

SHA512
4685d5dff212e3ee5d1b1ec457f04cedc15a51c504e7efa0b7c7d51cad745c20a9204e68899a05571f66bb794856f69fa29d11cad2b56c018003d11a7bcfcad9

Download Submit
\Windows\system\ZUnaPQh.exe
Filesize
5.9MB

MD5
ef5d79bbad4f3de7a8b1196b5990b3e5

SHA1
12a92e5d40cf4d7ebac02ed21dd5c5aacfd07f6d

SHA256
1c8b4fa85d37f8c6038f2aa3a296b79734f9067c6f4d90c62cdaf7ff5054e650

SHA512
33d358eef45483073b2571ed026753b95afc82a8d77515612073052059848cd55af521c80ac9896a41dc7e4c594580ceb61da3728d2aceb3d4f34759583320e4

Download Submit
\Windows\system\pnTiyWa.exe
Filesize
5.9MB

MD5
dfb0044ba7586097a88f96cb75dd1fc0

SHA1
e592d48664d9c81b2ba32e5f6066f594ce80a0df

SHA256
410cac9f34865921b5a60caf9531914728fbe973f394a1ae2e15c039d06c66fd

SHA512
8719f5bcf85afe88c51beebda0365056692d6b6a0edd00ceb12b27a82b227ff6c7ff4dd5f1994a964c5d42e2592242e8e64a68c607ce08b82f8aa6d16500cfe4

Download Submit
memory/1944-112-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1944-141-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-136-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2060-128-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2060-132-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-133-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2060-124-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-130-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-0-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2060-134-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2060-126-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-13-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-115-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-117-0x00000000023B0000-0x0000000002704000-memory.dmp

Filesize
3.3MB

Download
memory/2060-119-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2060-111-0x000000013FC80000-0x000000013FFD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-122-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2060-113-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2160-140-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2160-110-0x000000013FC20000-0x000000013FF74000-memory.dmp

Filesize
3.3MB

Download
memory/2444-127-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-149-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2468-123-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2468-147-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2492-150-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2492-129-0x000000013FDB0000-0x0000000140104000-memory.dmp

Filesize
3.3MB

Download
memory/2564-121-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2564-146-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2572-144-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2572-118-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2604-142-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2604-114-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2616-148-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2616-125-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-145-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2664-120-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2672-143-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2672-116-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-138-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2744-135-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2744-8-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2796-131-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/2796-151-0x000000013FF80000-0x00000001402D4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-139-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-137-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-109-0x000000013FE50000-0x00000001401A4000-memory.dmp

Filesize
3.3MB

Download