cobaltstrike | 99b5eae448df7d37a0be3fe62d43c42685d4e0cbcc37c82fdc4075f72442eee0

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

b1142fbcd079cec3095ee19b0ad96cd8
SHA1

5685bfb3f7f8f8c56a608b62a47db161cfd43a6a
SHA256

99b5eae448df7d37a0be3fe62d43c42685d4e0cbcc37c82fdc4075f72442eee0
SHA512

0c970e903c20616a6cb17a490c78e6a409b75703e300d649b46f377832c72959be02764005fbc544073ba42517f0ca797be208aca571d652b03ed14f8d2195ce
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\WzWhyzT.exe	cobalt_reflective_dll
C:\Windows\System\koYwgkh.exe	cobalt_reflective_dll
C:\Windows\System\CeNiAxP.exe	cobalt_reflective_dll
C:\Windows\System\vVoHalo.exe	cobalt_reflective_dll
C:\Windows\System\MLXekKE.exe	cobalt_reflective_dll
C:\Windows\System\VbMQXdQ.exe	cobalt_reflective_dll
C:\Windows\System\LJkkoKG.exe	cobalt_reflective_dll
C:\Windows\System\OpLFuep.exe	cobalt_reflective_dll
C:\Windows\System\eyicbGF.exe	cobalt_reflective_dll
C:\Windows\System\OKOvhzS.exe	cobalt_reflective_dll
C:\Windows\System\bKMnEro.exe	cobalt_reflective_dll
C:\Windows\System\pZUXDJk.exe	cobalt_reflective_dll
C:\Windows\System\ZmTuCXF.exe	cobalt_reflective_dll
C:\Windows\System\pDIAwTR.exe	cobalt_reflective_dll
C:\Windows\System\UekeSXc.exe	cobalt_reflective_dll
C:\Windows\System\RzgJcjw.exe	cobalt_reflective_dll
C:\Windows\System\FHCVjtN.exe	cobalt_reflective_dll
C:\Windows\System\MnNVapp.exe	cobalt_reflective_dll
C:\Windows\System\WnaZLjl.exe	cobalt_reflective_dll
C:\Windows\System\GBlMxBU.exe	cobalt_reflective_dll
C:\Windows\System\lOuoXbG.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1800-0-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp	xmrig
C:\Windows\System\WzWhyzT.exe	xmrig
behavioral2/memory/1020-8-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	xmrig
C:\Windows\System\koYwgkh.exe	xmrig
C:\Windows\System\CeNiAxP.exe	xmrig
behavioral2/memory/1544-14-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	xmrig
behavioral2/memory/636-20-0x00007FF737D10000-0x00007FF738064000-memory.dmp	xmrig
C:\Windows\System\vVoHalo.exe	xmrig
behavioral2/memory/3312-24-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	xmrig
C:\Windows\System\MLXekKE.exe	xmrig
behavioral2/memory/4596-31-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	xmrig
C:\Windows\System\VbMQXdQ.exe	xmrig
C:\Windows\System\LJkkoKG.exe	xmrig
behavioral2/memory/1284-42-0x00007FF6122D0000-0x00007FF612624000-memory.dmp	xmrig
behavioral2/memory/2260-44-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	xmrig
C:\Windows\System\OpLFuep.exe	xmrig
C:\Windows\System\eyicbGF.exe	xmrig
behavioral2/memory/2604-55-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp	xmrig
behavioral2/memory/4784-56-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp	xmrig
C:\Windows\System\OKOvhzS.exe	xmrig
behavioral2/memory/1800-60-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp	xmrig
behavioral2/memory/3164-61-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	xmrig
behavioral2/memory/1020-67-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	xmrig
behavioral2/memory/3492-72-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	xmrig
C:\Windows\System\bKMnEro.exe	xmrig
C:\Windows\System\pZUXDJk.exe	xmrig
behavioral2/memory/4736-77-0x00007FF6B6780000-0x00007FF6B6AD4000-memory.dmp	xmrig
behavioral2/memory/1544-76-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	xmrig
C:\Windows\System\ZmTuCXF.exe	xmrig
C:\Windows\System\pDIAwTR.exe	xmrig
C:\Windows\System\UekeSXc.exe	xmrig
behavioral2/memory/1756-98-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp	xmrig
behavioral2/memory/1100-97-0x00007FF6BBBB0000-0x00007FF6BBF04000-memory.dmp	xmrig
behavioral2/memory/2536-102-0x00007FF724010000-0x00007FF724364000-memory.dmp	xmrig
C:\Windows\System\RzgJcjw.exe	xmrig
behavioral2/memory/4596-110-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	xmrig
behavioral2/memory/2932-111-0x00007FF6CDB90000-0x00007FF6CDEE4000-memory.dmp	xmrig
behavioral2/memory/3312-99-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	xmrig
behavioral2/memory/1688-96-0x00007FF641170000-0x00007FF6414C4000-memory.dmp	xmrig
C:\Windows\System\FHCVjtN.exe	xmrig
C:\Windows\System\MnNVapp.exe	xmrig
behavioral2/memory/2260-127-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	xmrig
behavioral2/memory/2188-128-0x00007FF762160000-0x00007FF7624B4000-memory.dmp	xmrig
C:\Windows\System\WnaZLjl.exe	xmrig
C:\Windows\System\GBlMxBU.exe	xmrig
behavioral2/memory/1200-120-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp	xmrig
behavioral2/memory/928-118-0x00007FF651C60000-0x00007FF651FB4000-memory.dmp	xmrig
C:\Windows\System\lOuoXbG.exe	xmrig
behavioral2/memory/556-133-0x00007FF63AFD0000-0x00007FF63B324000-memory.dmp	xmrig
behavioral2/memory/3164-134-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	xmrig
behavioral2/memory/3492-135-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	xmrig
behavioral2/memory/1756-136-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp	xmrig
behavioral2/memory/1200-137-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp	xmrig
behavioral2/memory/1020-138-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	xmrig
behavioral2/memory/1544-139-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	xmrig
behavioral2/memory/636-140-0x00007FF737D10000-0x00007FF738064000-memory.dmp	xmrig
behavioral2/memory/3312-141-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	xmrig
behavioral2/memory/4596-142-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	xmrig
behavioral2/memory/1284-143-0x00007FF6122D0000-0x00007FF612624000-memory.dmp	xmrig
behavioral2/memory/2260-144-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	xmrig
behavioral2/memory/2604-145-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp	xmrig
behavioral2/memory/4784-146-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp	xmrig
behavioral2/memory/3164-147-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	xmrig
behavioral2/memory/3492-148-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

WzWhyzT.exeCeNiAxP.exekoYwgkh.exevVoHalo.exeMLXekKE.exeLJkkoKG.exeVbMQXdQ.exeOpLFuep.exeeyicbGF.exeOKOvhzS.exeZmTuCXF.exebKMnEro.exepZUXDJk.exeFHCVjtN.exepDIAwTR.exeUekeSXc.exeRzgJcjw.exeMnNVapp.exeGBlMxBU.exeWnaZLjl.exelOuoXbG.exe

pid	process
1020	WzWhyzT.exe
1544	CeNiAxP.exe
636	koYwgkh.exe
3312	vVoHalo.exe
4596	MLXekKE.exe
1284	LJkkoKG.exe
2260	VbMQXdQ.exe
2604	OpLFuep.exe
4784	eyicbGF.exe
3164	OKOvhzS.exe
3492	ZmTuCXF.exe
4736	bKMnEro.exe
1688	pZUXDJk.exe
2536	FHCVjtN.exe
1100	pDIAwTR.exe
1756	UekeSXc.exe
2932	RzgJcjw.exe
928	MnNVapp.exe
1200	GBlMxBU.exe
2188	WnaZLjl.exe
556	lOuoXbG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1800-0-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp	upx
C:\Windows\System\WzWhyzT.exe	upx
behavioral2/memory/1020-8-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	upx
C:\Windows\System\koYwgkh.exe	upx
C:\Windows\System\CeNiAxP.exe	upx
behavioral2/memory/1544-14-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	upx
behavioral2/memory/636-20-0x00007FF737D10000-0x00007FF738064000-memory.dmp	upx
C:\Windows\System\vVoHalo.exe	upx
behavioral2/memory/3312-24-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	upx
C:\Windows\System\MLXekKE.exe	upx
behavioral2/memory/4596-31-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	upx
C:\Windows\System\VbMQXdQ.exe	upx
C:\Windows\System\LJkkoKG.exe	upx
behavioral2/memory/1284-42-0x00007FF6122D0000-0x00007FF612624000-memory.dmp	upx
behavioral2/memory/2260-44-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	upx
C:\Windows\System\OpLFuep.exe	upx
C:\Windows\System\eyicbGF.exe	upx
behavioral2/memory/2604-55-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp	upx
behavioral2/memory/4784-56-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp	upx
C:\Windows\System\OKOvhzS.exe	upx
behavioral2/memory/1800-60-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp	upx
behavioral2/memory/3164-61-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	upx
behavioral2/memory/1020-67-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	upx
behavioral2/memory/3492-72-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	upx
C:\Windows\System\bKMnEro.exe	upx
C:\Windows\System\pZUXDJk.exe	upx
behavioral2/memory/4736-77-0x00007FF6B6780000-0x00007FF6B6AD4000-memory.dmp	upx
behavioral2/memory/1544-76-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	upx
C:\Windows\System\ZmTuCXF.exe	upx
C:\Windows\System\pDIAwTR.exe	upx
C:\Windows\System\UekeSXc.exe	upx
behavioral2/memory/1756-98-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp	upx
behavioral2/memory/1100-97-0x00007FF6BBBB0000-0x00007FF6BBF04000-memory.dmp	upx
behavioral2/memory/2536-102-0x00007FF724010000-0x00007FF724364000-memory.dmp	upx
C:\Windows\System\RzgJcjw.exe	upx
behavioral2/memory/4596-110-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	upx
behavioral2/memory/2932-111-0x00007FF6CDB90000-0x00007FF6CDEE4000-memory.dmp	upx
behavioral2/memory/3312-99-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	upx
behavioral2/memory/1688-96-0x00007FF641170000-0x00007FF6414C4000-memory.dmp	upx
C:\Windows\System\FHCVjtN.exe	upx
C:\Windows\System\MnNVapp.exe	upx
behavioral2/memory/2260-127-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	upx
behavioral2/memory/2188-128-0x00007FF762160000-0x00007FF7624B4000-memory.dmp	upx
C:\Windows\System\WnaZLjl.exe	upx
C:\Windows\System\GBlMxBU.exe	upx
behavioral2/memory/1200-120-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp	upx
behavioral2/memory/928-118-0x00007FF651C60000-0x00007FF651FB4000-memory.dmp	upx
C:\Windows\System\lOuoXbG.exe	upx
behavioral2/memory/556-133-0x00007FF63AFD0000-0x00007FF63B324000-memory.dmp	upx
behavioral2/memory/3164-134-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	upx
behavioral2/memory/3492-135-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	upx
behavioral2/memory/1756-136-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp	upx
behavioral2/memory/1200-137-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp	upx
behavioral2/memory/1020-138-0x00007FF6432F0000-0x00007FF643644000-memory.dmp	upx
behavioral2/memory/1544-139-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp	upx
behavioral2/memory/636-140-0x00007FF737D10000-0x00007FF738064000-memory.dmp	upx
behavioral2/memory/3312-141-0x00007FF63B140000-0x00007FF63B494000-memory.dmp	upx
behavioral2/memory/4596-142-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp	upx
behavioral2/memory/1284-143-0x00007FF6122D0000-0x00007FF612624000-memory.dmp	upx
behavioral2/memory/2260-144-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp	upx
behavioral2/memory/2604-145-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp	upx
behavioral2/memory/4784-146-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp	upx
behavioral2/memory/3164-147-0x00007FF699180000-0x00007FF6994D4000-memory.dmp	upx
behavioral2/memory/3492-148-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\MLXekKE.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJkkoKG.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OpLFuep.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eyicbGF.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RzgJcjw.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnNVapp.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOuoXbG.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\koYwgkh.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VbMQXdQ.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmTuCXF.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pDIAwTR.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UekeSXc.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CeNiAxP.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pZUXDJk.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FHCVjtN.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OKOvhzS.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vVoHalo.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bKMnEro.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GBlMxBU.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WnaZLjl.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WzWhyzT.exe	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1800 wrote to memory of 1020	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	WzWhyzT.exe
PID 1800 wrote to memory of 1020	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	WzWhyzT.exe
PID 1800 wrote to memory of 1544	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	CeNiAxP.exe
PID 1800 wrote to memory of 1544	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	CeNiAxP.exe
PID 1800 wrote to memory of 636	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	koYwgkh.exe
PID 1800 wrote to memory of 636	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	koYwgkh.exe
PID 1800 wrote to memory of 3312	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	vVoHalo.exe
PID 1800 wrote to memory of 3312	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	vVoHalo.exe
PID 1800 wrote to memory of 4596	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	MLXekKE.exe
PID 1800 wrote to memory of 4596	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	MLXekKE.exe
PID 1800 wrote to memory of 1284	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LJkkoKG.exe
PID 1800 wrote to memory of 1284	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	LJkkoKG.exe
PID 1800 wrote to memory of 2260	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	VbMQXdQ.exe
PID 1800 wrote to memory of 2260	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	VbMQXdQ.exe
PID 1800 wrote to memory of 2604	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	OpLFuep.exe
PID 1800 wrote to memory of 2604	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	OpLFuep.exe
PID 1800 wrote to memory of 4784	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	eyicbGF.exe
PID 1800 wrote to memory of 4784	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	eyicbGF.exe
PID 1800 wrote to memory of 3164	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	OKOvhzS.exe
PID 1800 wrote to memory of 3164	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	OKOvhzS.exe
PID 1800 wrote to memory of 3492	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	ZmTuCXF.exe
PID 1800 wrote to memory of 3492	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	ZmTuCXF.exe
PID 1800 wrote to memory of 4736	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	bKMnEro.exe
PID 1800 wrote to memory of 4736	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	bKMnEro.exe
PID 1800 wrote to memory of 1688	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pZUXDJk.exe
PID 1800 wrote to memory of 1688	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pZUXDJk.exe
PID 1800 wrote to memory of 2536	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	FHCVjtN.exe
PID 1800 wrote to memory of 2536	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	FHCVjtN.exe
PID 1800 wrote to memory of 1100	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pDIAwTR.exe
PID 1800 wrote to memory of 1100	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	pDIAwTR.exe
PID 1800 wrote to memory of 1756	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	UekeSXc.exe
PID 1800 wrote to memory of 1756	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	UekeSXc.exe
PID 1800 wrote to memory of 2932	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	RzgJcjw.exe
PID 1800 wrote to memory of 2932	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	RzgJcjw.exe
PID 1800 wrote to memory of 928	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	MnNVapp.exe
PID 1800 wrote to memory of 928	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	MnNVapp.exe
PID 1800 wrote to memory of 1200	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GBlMxBU.exe
PID 1800 wrote to memory of 1200	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	GBlMxBU.exe
PID 1800 wrote to memory of 2188	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	WnaZLjl.exe
PID 1800 wrote to memory of 2188	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	WnaZLjl.exe
PID 1800 wrote to memory of 556	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	lOuoXbG.exe
PID 1800 wrote to memory of 556	1800	2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe	lOuoXbG.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_b1142fbcd079cec3095ee19b0ad96cd8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\System\WzWhyzT.exe
C:\Windows\System\WzWhyzT.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\CeNiAxP.exe
C:\Windows\System\CeNiAxP.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\System\koYwgkh.exe
C:\Windows\System\koYwgkh.exe
2⤵
- Executes dropped EXE
PID:636

C:\Windows\System\vVoHalo.exe
C:\Windows\System\vVoHalo.exe
2⤵
- Executes dropped EXE
PID:3312

C:\Windows\System\MLXekKE.exe
C:\Windows\System\MLXekKE.exe
2⤵
- Executes dropped EXE
PID:4596

C:\Windows\System\LJkkoKG.exe
C:\Windows\System\LJkkoKG.exe
2⤵
- Executes dropped EXE
PID:1284

C:\Windows\System\VbMQXdQ.exe
C:\Windows\System\VbMQXdQ.exe
2⤵
- Executes dropped EXE
PID:2260

C:\Windows\System\OpLFuep.exe
C:\Windows\System\OpLFuep.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\eyicbGF.exe
C:\Windows\System\eyicbGF.exe
2⤵
- Executes dropped EXE
PID:4784

C:\Windows\System\OKOvhzS.exe
C:\Windows\System\OKOvhzS.exe
2⤵
- Executes dropped EXE
PID:3164

C:\Windows\System\ZmTuCXF.exe
C:\Windows\System\ZmTuCXF.exe
2⤵
- Executes dropped EXE
PID:3492

C:\Windows\System\bKMnEro.exe
C:\Windows\System\bKMnEro.exe
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\System\pZUXDJk.exe
C:\Windows\System\pZUXDJk.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Windows\System\FHCVjtN.exe
C:\Windows\System\FHCVjtN.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Windows\System\pDIAwTR.exe
C:\Windows\System\pDIAwTR.exe
2⤵
- Executes dropped EXE
PID:1100

C:\Windows\System\UekeSXc.exe
C:\Windows\System\UekeSXc.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\RzgJcjw.exe
C:\Windows\System\RzgJcjw.exe
2⤵
- Executes dropped EXE
PID:2932

C:\Windows\System\MnNVapp.exe
C:\Windows\System\MnNVapp.exe
2⤵
- Executes dropped EXE
PID:928

C:\Windows\System\GBlMxBU.exe
C:\Windows\System\GBlMxBU.exe
2⤵
- Executes dropped EXE
PID:1200

C:\Windows\System\WnaZLjl.exe
C:\Windows\System\WnaZLjl.exe
2⤵
- Executes dropped EXE
PID:2188

C:\Windows\System\lOuoXbG.exe
C:\Windows\System\lOuoXbG.exe
2⤵
- Executes dropped EXE
PID:556

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CeNiAxP.exe
Filesize
5.9MB

MD5
921ccb3c860c98123579fe71854628cb

SHA1
98348a5642e46559a0033de702e1fb22ac0302a5

SHA256
68cc455c089d8c35ef36611cbd4925e83ad8dd708643e3cb90ee8d3d9b1ca0d0

SHA512
d3628ac081bad02a4c9154148ce48d7b90e0f042707170c46cc041c28c96dd17aef13ecff409214c8e62cd52c7b99129b58d6d405d4deedc8af1f8d6b933ac06

Download Submit
C:\Windows\System\FHCVjtN.exe
Filesize
5.9MB

MD5
9eaed13825495536d7b1faca59ccb76f

SHA1
0f91659b1b6b5fbe8c62cdc0423e60a733861a83

SHA256
7bcdc6f4a13518379e5cbb09b08a22e9be5cefb0e9ab3b17d086c9331b5a5c9e

SHA512
cf85dda5b304103fa3e52905550dca7bf524132ff915c6aaea969ec6617e738a2624a535dcdd4b48285467f16e6ec466b9a90bc3fb80cfcada1da62fa18f20b1

Download Submit
C:\Windows\System\GBlMxBU.exe
Filesize
5.9MB

MD5
a4829d842a38f141e7d1c3c148e48570

SHA1
3c32f29b4b053220d90c1ba3620cd18e87fa54f2

SHA256
4aae377fc809ca3c668050fba6c4b449af639977265a852f64131e75bc865fc0

SHA512
3f13166a28b956d1011f004016e0e7a8ae4b4f74bcda9e86c46fb076483fbd5c92cdc20cdad76d26845beee420b71638618de0c39739d676bb96ed36c81583e8

Download Submit
C:\Windows\System\LJkkoKG.exe
Filesize
5.9MB

MD5
86fd4deb3ff00465d15fca4f5f6f724f

SHA1
8d3776844f21bc7b8f4975ec93378ab541a49a64

SHA256
f3b818fdc1b6944d1ff50aed84b1f5707327b477c019efecf6df37481b078a6a

SHA512
35b658cb9c7245bf560027e667f1b3df31edb3ace496497786174762cc323ec2aaf6d363055be27f140092a026083d12b65cee16732b679863529621f5b971c4

Download Submit
C:\Windows\System\MLXekKE.exe
Filesize
5.9MB

MD5
3aba6fc57d9b721acb340d86d5774c25

SHA1
5574a717b03dd3625d5eb8c0d2d9887d1603ecae

SHA256
c544ad81fcdd5b6f5a4f892643c2983e6412024a7cf1f3e5c5fe5e66e32028fd

SHA512
816c498c7c9b0334c43bb903405b7d98a5ec8c745e080f8ca866cfa1bad726080429a754447b37017d889cf03765415885fc642a060d5784c18315fedc0f2ab9

Download Submit
C:\Windows\System\MnNVapp.exe
Filesize
5.9MB

MD5
94fc26fd536673458d9a77d17663b1ee

SHA1
5514b39c29beaf9c5b1400571d473188e8aa2eea

SHA256
1db877ff982d53c4dfe8e380164d55b2b9a4db4ec889e6a9a0f982522f93919d

SHA512
b7ac0e14b944878f06784c8928e71930d3fa3e4d4b35f4cd068faf9ce819354a40370a9895a59238b27efb60bb2bfb2e8bf19536667609363c803d9bc793a18d

Download Submit
C:\Windows\System\OKOvhzS.exe
Filesize
5.9MB

MD5
46a0b70c5aeb236d33d9f7020b412694

SHA1
a7f40d8501bdf1f245f2fa899462a67b854492c1

SHA256
d49173e078645c58e2e6a16aa111daeca89711c52972263b85bd34b49b3a47d1

SHA512
b1e5911b45523b17bee736cf6296771eb38e7b53e04720fc861bfd784a6f73b35e7155dcb06b1a73efddd8bb28b2dd8827bcfedd778fd97aa50dc2b79fa4bf26

Download Submit
C:\Windows\System\OpLFuep.exe
Filesize
5.9MB

MD5
be64a8413ff7adf25bb2913e052882a4

SHA1
7a0e82775942fe0d41b406281768c92ae2422ed3

SHA256
3aa7547008e261f98eac6f7ff5c7924870d263128540297d99db3908c069bc7a

SHA512
4dbcff45b2b1e5ce0f7f7b33936fd37c98987c9082ae9e834ac7807d9e4ca73aca67cf3a308a35fa8cffaeba9e3b723f7dfcd3dbfd7a13fd964073efb4da631a

Download Submit
C:\Windows\System\RzgJcjw.exe
Filesize
5.9MB

MD5
6dda91a0a36af452673b815a06adce81

SHA1
17e00932eb5010e58c818ff447646f7b4a2914c8

SHA256
e7fb92f74d2a41c0513c412673557d006429a62d389b84d8034ff514f48cb37f

SHA512
d9c0f401a52ecffd98683efc0fd048c6e0cd91a50d35cd8af56d72a557cb9faab33e1f27157795f1798190cba9e179f1ee01b503fb169650544d6ded77f12abe

Download Submit
C:\Windows\System\UekeSXc.exe
Filesize
5.9MB

MD5
e5aa19c5db1685c22bcf73756f2554f3

SHA1
a09c4b73c504fbb1c7e50be604286da618f691d3

SHA256
a6dc28f7cf724014ee7b3381079f84c4bdf9a50dbaff941c66af24e35c353f17

SHA512
69b12f61847d7a25cfe74468788fa67293b10fd62439b3880526bb1c5c4c6568be5b5407503bdec7ab0d794d283569c4c44ebcbb1db105639815dab9aa0584e0

Download Submit
C:\Windows\System\VbMQXdQ.exe
Filesize
5.9MB

MD5
419bd7c9050eb7be6349153ba7350938

SHA1
1524b782a4c4e50758ceb98b271c5348ba9bf8cf

SHA256
a94fdeb7feb529d2b7842a825f6da6071f36a388d9e08c634f0aa0014c2204a3

SHA512
d02449f8c9899e84c76c1b0156050af5ae141502a3983e1552dffb0f286bbb03ecf0180a06aba0a26f3d594a5434b3d86550be1f1c053bd469a2974ecd8f2ce1

Download Submit
C:\Windows\System\WnaZLjl.exe
Filesize
5.9MB

MD5
ef0432d21c4eb9b97c60a9ded90a4c57

SHA1
cb59ae5e4fcc76d4a063fcd4cd767312377f05df

SHA256
b86d6d4b1bb3aba3f73136f4e4c953b36b0ea30a28b3f63956f2914a99200d6a

SHA512
87d1dadadb427caa81fe0d29c49794ecb9250c57864cd860c06bd635bf5aece04b85042eb9677ec97f117cc12a8544e6cadda11f4b5907f329b91a616899d63c

Download Submit
C:\Windows\System\WzWhyzT.exe
Filesize
5.9MB

MD5
6153b464913379953b85a842e58c34ee

SHA1
03f4bfafcfa8e169ef22c01433701c6221b682f9

SHA256
d572a9bcb6c054ae30ab518d407aa7efe9a1467b19ca98ee51b3109803ab8e3a

SHA512
f9bc842ef84dbe3b7782c4235bba7f46f07f0ead4b70ee8b411b479e3c79ea96368f47725e52b57466be7b4f7296024b25a076292a28cf7362b98898b4f5c8b0

Download Submit
C:\Windows\System\ZmTuCXF.exe
Filesize
5.9MB

MD5
0295a843426b7e534045d5c0b41bdda9

SHA1
30702ef66a5a428d4023f48d8bacee181c0855b0

SHA256
5fe6e11c4a2106016878fb29d2ad76ab1a7c736439582af3ed5fe0900ea670e1

SHA512
d6cccac45a5a5dba25bc1dbca30789cd7c43a9a6e8d0bf018b04e4cbbefece490b8720f0f4a950d6df88a901ce86a4cba12e87188c8824e909942518928c5393

Download Submit
C:\Windows\System\bKMnEro.exe
Filesize
5.9MB

MD5
b6da6c1f6df5c62aa30866423a7c4012

SHA1
ccd02d44518a2567f5696556344029f6997ab741

SHA256
ffe5b11cb21dd0c95baae38bf3b4f519c69ebbe67e4870df39de3537acdf706a

SHA512
67bfce271dc60dff511b5d26a9a5f3b4842dab11f50ac87823ccb1cf8396244bd3709353657a731eaaa3d0bf4c9fc644b77c5cc2bfccc19de65042d224d0ccd6

Download Submit
C:\Windows\System\eyicbGF.exe
Filesize
5.9MB

MD5
18c03f93054fdf21f5360fc14527e4e7

SHA1
037599ee031ae8c4025256f9ef667916166a77ec

SHA256
f96899e07e00ca6092b3c7c5f6ea31e32110a3aa9e2a8a1347da712ac2c57e88

SHA512
4f3e10ce7ccd5bf640116f33dd05b17f3c7a323b39ee9542103227e7e1e3f7275d8e90dad6b8cb7ce4a6b604f36647f04b3f4912677e99d4e2849eb235a1d8dd

Download Submit
C:\Windows\System\koYwgkh.exe
Filesize
5.9MB

MD5
74b7436e7f2596614822b59cc7e9ff06

SHA1
a9caee2c3bb4ab80ec8775e6937feef900fbb6fb

SHA256
23ed3f8e552243e3cf03086a6ff89142c9df9ab2f04a0f3dc2403bfd96098277

SHA512
c4420bbf936b9b7380a18069fd55d340fe7f8b0b664c781c86ff3add0fc79c16fed868e78d6bf7a25565d18ff402789ed54d9584642c1024052db77d071f8989

Download Submit
C:\Windows\System\lOuoXbG.exe
Filesize
5.9MB

MD5
25ffa2f897f142e165a36405ed46c3ed

SHA1
420747cb481402ceef1778cc60a82b09767a8458

SHA256
e07f775e0a593316599e2e02e8bad278d6a14c3fe45c3a4bdd1f7382622ffc09

SHA512
80e41c6126d3cceb486f5411446c69b81def0f4d8e3912b41c87c9eff90604dfd73e65eed43f16fa18a6f4f375df94e2fab77015d315001e9f3f6012f1cdc456

Download Submit
C:\Windows\System\pDIAwTR.exe
Filesize
5.9MB

MD5
c773464cc4190064d2832dc97978e22e

SHA1
40d6b687be44775a7e39beb0e0c4d6c52ab8cded

SHA256
1518dc41e30fe7068a8551846cad4b73e309469463c0a85a78887fb892a5fac7

SHA512
d67e86c63b539b2c40d8170e0db76e53a3f518f6550cdc9cb9bbd81784f2ee77eb73ad87636201cf48ef7ae34cbf1fdefe08aa86b15ff6188aafd71ff8e5f37a

Download Submit
C:\Windows\System\pZUXDJk.exe
Filesize
5.9MB

MD5
b68f6d8069847bf2e95369108ee487b0

SHA1
3743fc2d2081b10ad6c713975fe50d49d614cc37

SHA256
d548ff0b5a37b8ed51706ba58b3c8315f41d07e79919e56e251d81fe4fa37215

SHA512
95af835d4b00a93facc95ff9ea52cd0fb523292355b392f2060cff114a56a84768012ce155913ba4ffcb2c3ca2ae6f76a0fcef32f85b53bc9d9d1a817b053966

Download Submit
C:\Windows\System\vVoHalo.exe
Filesize
5.9MB

MD5
324e1af434bdbb5f9bd577195f2bd145

SHA1
fab194c250cd842a3da5fbab03445b69f934ef99

SHA256
96efd074b7c1786b476cefa0bc395ba5c3df6e819355f755f83eaa481c2e2700

SHA512
7b7f53a5192587445b73999ad5ab5e3ab51afa447e45329bf147dc51576183d54de9c586677bddd48e679c74bbcea3c2f2c5b1328ca4621b6a78bce262de5823

Download Submit
memory/556-133-0x00007FF63AFD0000-0x00007FF63B324000-memory.dmp

Filesize
3.3MB

Download
memory/556-158-0x00007FF63AFD0000-0x00007FF63B324000-memory.dmp

Filesize
3.3MB

Download
memory/636-20-0x00007FF737D10000-0x00007FF738064000-memory.dmp

Filesize
3.3MB

Download
memory/636-140-0x00007FF737D10000-0x00007FF738064000-memory.dmp

Filesize
3.3MB

Download
memory/928-155-0x00007FF651C60000-0x00007FF651FB4000-memory.dmp

Filesize
3.3MB

Download
memory/928-118-0x00007FF651C60000-0x00007FF651FB4000-memory.dmp

Filesize
3.3MB

Download
memory/1020-8-0x00007FF6432F0000-0x00007FF643644000-memory.dmp

Filesize
3.3MB

Download
memory/1020-67-0x00007FF6432F0000-0x00007FF643644000-memory.dmp

Filesize
3.3MB

Download
memory/1020-138-0x00007FF6432F0000-0x00007FF643644000-memory.dmp

Filesize
3.3MB

Download
memory/1100-152-0x00007FF6BBBB0000-0x00007FF6BBF04000-memory.dmp

Filesize
3.3MB

Download
memory/1100-97-0x00007FF6BBBB0000-0x00007FF6BBF04000-memory.dmp

Filesize
3.3MB

Download
memory/1200-120-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp

Filesize
3.3MB

Download
memory/1200-137-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp

Filesize
3.3MB

Download
memory/1200-156-0x00007FF6247C0000-0x00007FF624B14000-memory.dmp

Filesize
3.3MB

Download
memory/1284-143-0x00007FF6122D0000-0x00007FF612624000-memory.dmp

Filesize
3.3MB

Download
memory/1284-42-0x00007FF6122D0000-0x00007FF612624000-memory.dmp

Filesize
3.3MB

Download
memory/1544-14-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp

Filesize
3.3MB

Download
memory/1544-139-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp

Filesize
3.3MB

Download
memory/1544-76-0x00007FF7FA8B0000-0x00007FF7FAC04000-memory.dmp

Filesize
3.3MB

Download
memory/1688-96-0x00007FF641170000-0x00007FF6414C4000-memory.dmp

Filesize
3.3MB

Download
memory/1688-150-0x00007FF641170000-0x00007FF6414C4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-153-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp

Filesize
3.3MB

Download
memory/1756-136-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp

Filesize
3.3MB

Download
memory/1756-98-0x00007FF7AC9B0000-0x00007FF7ACD04000-memory.dmp

Filesize
3.3MB

Download
memory/1800-1-0x0000025158B70000-0x0000025158B80000-memory.dmp

Filesize
64KB

Download
memory/1800-60-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp

Filesize
3.3MB

Download
memory/1800-0-0x00007FF6E63D0000-0x00007FF6E6724000-memory.dmp

Filesize
3.3MB

Download
memory/2188-157-0x00007FF762160000-0x00007FF7624B4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-128-0x00007FF762160000-0x00007FF7624B4000-memory.dmp

Filesize
3.3MB

Download
memory/2260-44-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp

Filesize
3.3MB

Download
memory/2260-144-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp

Filesize
3.3MB

Download
memory/2260-127-0x00007FF7A7700000-0x00007FF7A7A54000-memory.dmp

Filesize
3.3MB

Download
memory/2536-102-0x00007FF724010000-0x00007FF724364000-memory.dmp

Filesize
3.3MB

Download
memory/2536-151-0x00007FF724010000-0x00007FF724364000-memory.dmp

Filesize
3.3MB

Download
memory/2604-55-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp

Filesize
3.3MB

Download
memory/2604-145-0x00007FF7E6F30000-0x00007FF7E7284000-memory.dmp

Filesize
3.3MB

Download
memory/2932-111-0x00007FF6CDB90000-0x00007FF6CDEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2932-154-0x00007FF6CDB90000-0x00007FF6CDEE4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-134-0x00007FF699180000-0x00007FF6994D4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-61-0x00007FF699180000-0x00007FF6994D4000-memory.dmp

Filesize
3.3MB

Download
memory/3164-147-0x00007FF699180000-0x00007FF6994D4000-memory.dmp

Filesize
3.3MB

Download
memory/3312-141-0x00007FF63B140000-0x00007FF63B494000-memory.dmp

Filesize
3.3MB

Download
memory/3312-24-0x00007FF63B140000-0x00007FF63B494000-memory.dmp

Filesize
3.3MB

Download
memory/3312-99-0x00007FF63B140000-0x00007FF63B494000-memory.dmp

Filesize
3.3MB

Download
memory/3492-148-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp

Filesize
3.3MB

Download
memory/3492-72-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp

Filesize
3.3MB

Download
memory/3492-135-0x00007FF74EDD0000-0x00007FF74F124000-memory.dmp

Filesize
3.3MB

Download
memory/4596-110-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp

Filesize
3.3MB

Download
memory/4596-31-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp

Filesize
3.3MB

Download
memory/4596-142-0x00007FF65A3B0000-0x00007FF65A704000-memory.dmp

Filesize
3.3MB

Download
memory/4736-149-0x00007FF6B6780000-0x00007FF6B6AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4736-77-0x00007FF6B6780000-0x00007FF6B6AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-146-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp

Filesize
3.3MB

Download
memory/4784-56-0x00007FF6B69D0000-0x00007FF6B6D24000-memory.dmp

Filesize
3.3MB

Download