cobaltstrike | 389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e

Analysis

max time kernel
128s
max time network
141s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
29-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

fab8dd08c1c046f7d00b6ac796d91caa
SHA1

905d884b53286a3079b1722243b56aabe7a17cfc
SHA256

389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e
SHA512

18d18dfdf19dc23f3fd01c71a5ddafb695f7ee65382528b14162f0c3cb8f6afa51254d924d21aaf150420d9d603de82ca6aae08af5d2dadbb562ac9237c8a8ac
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUE:Q+856utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\eQpczlG.exe	cobalt_reflective_dll
\Windows\system\tAcnUUt.exe	cobalt_reflective_dll
C:\Windows\system\XthwAEd.exe	cobalt_reflective_dll
C:\Windows\system\HimXdlq.exe	cobalt_reflective_dll
C:\Windows\system\HbusmiI.exe	cobalt_reflective_dll
C:\Windows\system\GaavpUg.exe	cobalt_reflective_dll
C:\Windows\system\IJvZrBP.exe	cobalt_reflective_dll
C:\Windows\system\wkGBNiM.exe	cobalt_reflective_dll
C:\Windows\system\bvOZzLC.exe	cobalt_reflective_dll
C:\Windows\system\FuWExOo.exe	cobalt_reflective_dll
C:\Windows\system\XPAhrUW.exe	cobalt_reflective_dll
C:\Windows\system\ImyFhbd.exe	cobalt_reflective_dll
\Windows\system\VJKjbAb.exe	cobalt_reflective_dll
C:\Windows\system\IBLfnjW.exe	cobalt_reflective_dll
\Windows\system\EbAsenw.exe	cobalt_reflective_dll
C:\Windows\system\iOLqonB.exe	cobalt_reflective_dll
\Windows\system\EMZWvnz.exe	cobalt_reflective_dll
C:\Windows\system\aZqrWwy.exe	cobalt_reflective_dll
\Windows\system\TdQoVrl.exe	cobalt_reflective_dll
C:\Windows\system\piJwKZN.exe	cobalt_reflective_dll
C:\Windows\system\spYgSHa.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
C:\Windows\system\eQpczlG.exe	xmrig
\Windows\system\tAcnUUt.exe	xmrig
behavioral1/memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
C:\Windows\system\XthwAEd.exe	xmrig
behavioral1/memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
C:\Windows\system\HimXdlq.exe	xmrig
behavioral1/memory/1716-89-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2760-96-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
C:\Windows\system\HbusmiI.exe	xmrig
C:\Windows\system\GaavpUg.exe	xmrig
C:\Windows\system\IJvZrBP.exe	xmrig
C:\Windows\system\wkGBNiM.exe	xmrig
C:\Windows\system\bvOZzLC.exe	xmrig
C:\Windows\system\FuWExOo.exe	xmrig
C:\Windows\system\XPAhrUW.exe	xmrig
behavioral1/memory/2420-105-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
behavioral1/memory/2420-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	xmrig
C:\Windows\system\ImyFhbd.exe	xmrig
behavioral1/memory/2420-94-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2988-93-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2468-92-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/2492-91-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2652-90-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2420-67-0x0000000002300000-0x0000000002654000-memory.dmp	xmrig
behavioral1/memory/2596-66-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2512-65-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2516-64-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2504-62-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
\Windows\system\VJKjbAb.exe	xmrig
C:\Windows\system\IBLfnjW.exe	xmrig
behavioral1/memory/2504-136-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2716-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
\Windows\system\EbAsenw.exe	xmrig
behavioral1/memory/2716-44-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
C:\Windows\system\iOLqonB.exe	xmrig
\Windows\system\EMZWvnz.exe	xmrig
C:\Windows\system\aZqrWwy.exe	xmrig
\Windows\system\TdQoVrl.exe	xmrig
behavioral1/memory/2512-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2516-137-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
C:\Windows\system\piJwKZN.exe	xmrig
C:\Windows\system\spYgSHa.exe	xmrig
behavioral1/memory/2760-140-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/3032-142-0x000000013FC60000-0x000000013FFB4000-memory.dmp	xmrig
behavioral1/memory/2756-143-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2580-144-0x000000013FE20000-0x0000000140174000-memory.dmp	xmrig
behavioral1/memory/2716-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp	xmrig
behavioral1/memory/2504-146-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2512-148-0x000000013F3D0000-0x000000013F724000-memory.dmp	xmrig
behavioral1/memory/2516-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp	xmrig
behavioral1/memory/2652-150-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/1716-149-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2468-151-0x000000013FEC0000-0x0000000140214000-memory.dmp	xmrig
behavioral1/memory/2492-152-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/2760-153-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2988-154-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2596-155-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

eQpczlG.exetAcnUUt.exeXthwAEd.exespYgSHa.exeaZqrWwy.exeiOLqonB.exeIBLfnjW.exepiJwKZN.exeHimXdlq.exeTdQoVrl.exeEMZWvnz.exeEbAsenw.exeVJKjbAb.exeImyFhbd.exeHbusmiI.exeXPAhrUW.exeGaavpUg.exeFuWExOo.exebvOZzLC.exewkGBNiM.exeIJvZrBP.exe

pid	process
3032	eQpczlG.exe
2756	tAcnUUt.exe
2580	XthwAEd.exe
2716	spYgSHa.exe
2596	aZqrWwy.exe
2504	iOLqonB.exe
2516	IBLfnjW.exe
2512	piJwKZN.exe
1716	HimXdlq.exe
2652	TdQoVrl.exe
2492	EMZWvnz.exe
2468	EbAsenw.exe
2988	VJKjbAb.exe
2760	ImyFhbd.exe
2856	HbusmiI.exe
1720	XPAhrUW.exe
1304	GaavpUg.exe
1288	FuWExOo.exe
1264	bvOZzLC.exe
1812	wkGBNiM.exe
664	IJvZrBP.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
C:\Windows\system\eQpczlG.exe	upx
\Windows\system\tAcnUUt.exe	upx
behavioral1/memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
C:\Windows\system\XthwAEd.exe	upx
behavioral1/memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
C:\Windows\system\HimXdlq.exe	upx
behavioral1/memory/1716-89-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2760-96-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
C:\Windows\system\HbusmiI.exe	upx
C:\Windows\system\GaavpUg.exe	upx
C:\Windows\system\IJvZrBP.exe	upx
C:\Windows\system\wkGBNiM.exe	upx
C:\Windows\system\bvOZzLC.exe	upx
C:\Windows\system\FuWExOo.exe	upx
C:\Windows\system\XPAhrUW.exe	upx
behavioral1/memory/2420-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp	upx
C:\Windows\system\ImyFhbd.exe	upx
behavioral1/memory/2988-93-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2468-92-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/2492-91-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2652-90-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2596-66-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2512-65-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2516-64-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2504-62-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
\Windows\system\VJKjbAb.exe	upx
C:\Windows\system\IBLfnjW.exe	upx
behavioral1/memory/2504-136-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2716-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
\Windows\system\EbAsenw.exe	upx
behavioral1/memory/2716-44-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
C:\Windows\system\iOLqonB.exe	upx
\Windows\system\EMZWvnz.exe	upx
C:\Windows\system\aZqrWwy.exe	upx
\Windows\system\TdQoVrl.exe	upx
behavioral1/memory/2512-138-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2516-137-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
C:\Windows\system\piJwKZN.exe	upx
C:\Windows\system\spYgSHa.exe	upx
behavioral1/memory/2760-140-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/3032-142-0x000000013FC60000-0x000000013FFB4000-memory.dmp	upx
behavioral1/memory/2756-143-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2580-144-0x000000013FE20000-0x0000000140174000-memory.dmp	upx
behavioral1/memory/2716-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp	upx
behavioral1/memory/2504-146-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2512-148-0x000000013F3D0000-0x000000013F724000-memory.dmp	upx
behavioral1/memory/2516-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp	upx
behavioral1/memory/2652-150-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/1716-149-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2468-151-0x000000013FEC0000-0x0000000140214000-memory.dmp	upx
behavioral1/memory/2492-152-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/2760-153-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2988-154-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2596-155-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\VJKjbAb.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wkGBNiM.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tAcnUUt.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZqrWwy.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TdQoVrl.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iOLqonB.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XPAhrUW.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GaavpUg.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuWExOo.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IJvZrBP.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQpczlG.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IBLfnjW.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piJwKZN.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HimXdlq.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\spYgSHa.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImyFhbd.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HbusmiI.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bvOZzLC.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XthwAEd.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EMZWvnz.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EbAsenw.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2420 wrote to memory of 3032	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	eQpczlG.exe
PID 2420 wrote to memory of 3032	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	eQpczlG.exe
PID 2420 wrote to memory of 3032	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	eQpczlG.exe
PID 2420 wrote to memory of 2756	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	tAcnUUt.exe
PID 2420 wrote to memory of 2756	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	tAcnUUt.exe
PID 2420 wrote to memory of 2756	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	tAcnUUt.exe
PID 2420 wrote to memory of 2580	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XthwAEd.exe
PID 2420 wrote to memory of 2580	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XthwAEd.exe
PID 2420 wrote to memory of 2580	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XthwAEd.exe
PID 2420 wrote to memory of 2596	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	aZqrWwy.exe
PID 2420 wrote to memory of 2596	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	aZqrWwy.exe
PID 2420 wrote to memory of 2596	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	aZqrWwy.exe
PID 2420 wrote to memory of 2716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	spYgSHa.exe
PID 2420 wrote to memory of 2716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	spYgSHa.exe
PID 2420 wrote to memory of 2716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	spYgSHa.exe
PID 2420 wrote to memory of 2652	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	TdQoVrl.exe
PID 2420 wrote to memory of 2652	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	TdQoVrl.exe
PID 2420 wrote to memory of 2652	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	TdQoVrl.exe
PID 2420 wrote to memory of 2504	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	iOLqonB.exe
PID 2420 wrote to memory of 2504	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	iOLqonB.exe
PID 2420 wrote to memory of 2504	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	iOLqonB.exe
PID 2420 wrote to memory of 2492	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EMZWvnz.exe
PID 2420 wrote to memory of 2492	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EMZWvnz.exe
PID 2420 wrote to memory of 2492	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EMZWvnz.exe
PID 2420 wrote to memory of 2516	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IBLfnjW.exe
PID 2420 wrote to memory of 2516	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IBLfnjW.exe
PID 2420 wrote to memory of 2516	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IBLfnjW.exe
PID 2420 wrote to memory of 2468	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EbAsenw.exe
PID 2420 wrote to memory of 2468	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EbAsenw.exe
PID 2420 wrote to memory of 2468	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EbAsenw.exe
PID 2420 wrote to memory of 2512	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	piJwKZN.exe
PID 2420 wrote to memory of 2512	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	piJwKZN.exe
PID 2420 wrote to memory of 2512	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	piJwKZN.exe
PID 2420 wrote to memory of 2988	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	VJKjbAb.exe
PID 2420 wrote to memory of 2988	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	VJKjbAb.exe
PID 2420 wrote to memory of 2988	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	VJKjbAb.exe
PID 2420 wrote to memory of 1716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HimXdlq.exe
PID 2420 wrote to memory of 1716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HimXdlq.exe
PID 2420 wrote to memory of 1716	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HimXdlq.exe
PID 2420 wrote to memory of 2760	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ImyFhbd.exe
PID 2420 wrote to memory of 2760	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ImyFhbd.exe
PID 2420 wrote to memory of 2760	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ImyFhbd.exe
PID 2420 wrote to memory of 2856	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HbusmiI.exe
PID 2420 wrote to memory of 2856	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HbusmiI.exe
PID 2420 wrote to memory of 2856	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	HbusmiI.exe
PID 2420 wrote to memory of 1720	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XPAhrUW.exe
PID 2420 wrote to memory of 1720	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XPAhrUW.exe
PID 2420 wrote to memory of 1720	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	XPAhrUW.exe
PID 2420 wrote to memory of 1304	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	GaavpUg.exe
PID 2420 wrote to memory of 1304	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	GaavpUg.exe
PID 2420 wrote to memory of 1304	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	GaavpUg.exe
PID 2420 wrote to memory of 1288	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	FuWExOo.exe
PID 2420 wrote to memory of 1288	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	FuWExOo.exe
PID 2420 wrote to memory of 1288	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	FuWExOo.exe
PID 2420 wrote to memory of 1264	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	bvOZzLC.exe
PID 2420 wrote to memory of 1264	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	bvOZzLC.exe
PID 2420 wrote to memory of 1264	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	bvOZzLC.exe
PID 2420 wrote to memory of 1812	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	wkGBNiM.exe
PID 2420 wrote to memory of 1812	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	wkGBNiM.exe
PID 2420 wrote to memory of 1812	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	wkGBNiM.exe
PID 2420 wrote to memory of 664	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IJvZrBP.exe
PID 2420 wrote to memory of 664	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IJvZrBP.exe
PID 2420 wrote to memory of 664	2420	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	IJvZrBP.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\System\eQpczlG.exe
C:\Windows\System\eQpczlG.exe
2⤵
- Executes dropped EXE
PID:3032

C:\Windows\System\tAcnUUt.exe
C:\Windows\System\tAcnUUt.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\XthwAEd.exe
C:\Windows\System\XthwAEd.exe
2⤵
- Executes dropped EXE
PID:2580

C:\Windows\System\aZqrWwy.exe
C:\Windows\System\aZqrWwy.exe
2⤵
- Executes dropped EXE
PID:2596

C:\Windows\System\spYgSHa.exe
C:\Windows\System\spYgSHa.exe
2⤵
- Executes dropped EXE
PID:2716

C:\Windows\System\TdQoVrl.exe
C:\Windows\System\TdQoVrl.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\iOLqonB.exe
C:\Windows\System\iOLqonB.exe
2⤵
- Executes dropped EXE
PID:2504

C:\Windows\System\EMZWvnz.exe
C:\Windows\System\EMZWvnz.exe
2⤵
- Executes dropped EXE
PID:2492

C:\Windows\System\IBLfnjW.exe
C:\Windows\System\IBLfnjW.exe
2⤵
- Executes dropped EXE
PID:2516

C:\Windows\System\EbAsenw.exe
C:\Windows\System\EbAsenw.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\piJwKZN.exe
C:\Windows\System\piJwKZN.exe
2⤵
- Executes dropped EXE
PID:2512

C:\Windows\System\VJKjbAb.exe
C:\Windows\System\VJKjbAb.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\System\HimXdlq.exe
C:\Windows\System\HimXdlq.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System\ImyFhbd.exe
C:\Windows\System\ImyFhbd.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\HbusmiI.exe
C:\Windows\System\HbusmiI.exe
2⤵
- Executes dropped EXE
PID:2856

C:\Windows\System\XPAhrUW.exe
C:\Windows\System\XPAhrUW.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System\GaavpUg.exe
C:\Windows\System\GaavpUg.exe
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\System\FuWExOo.exe
C:\Windows\System\FuWExOo.exe
2⤵
- Executes dropped EXE
PID:1288

C:\Windows\System\bvOZzLC.exe
C:\Windows\System\bvOZzLC.exe
2⤵
- Executes dropped EXE
PID:1264

C:\Windows\System\wkGBNiM.exe
C:\Windows\System\wkGBNiM.exe
2⤵
- Executes dropped EXE
PID:1812

C:\Windows\System\IJvZrBP.exe
C:\Windows\System\IJvZrBP.exe
2⤵
- Executes dropped EXE
PID:664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FuWExOo.exe
Filesize
5.9MB

MD5
9111114f0d78b261dd13d7d6271e2ff4

SHA1
e975c26a90decc1e4502df095afc8b67f94dbd2c

SHA256
c6cd1fba544f13b48141fec77476119cd4caf50897e36ab1ae3ad16a177b0b67

SHA512
d53ee11e736e8e89fcbd15b4e629b8c9dc2b50fc52b9fc01e2e6097fe34e75817ca9b5034be5d9dcd4a50c754f7cc89a7c0a85e2fef059674f9b25825de9a803

Download Submit
C:\Windows\system\GaavpUg.exe
Filesize
5.9MB

MD5
7b230bb0a4498c5c9198af6319bc859e

SHA1
593d30f0b03ac1d2f532f3e0328d00f976133294

SHA256
821964f0f60742ca7a67ba16aa54f335881e813e71558f5774ffea05741aec87

SHA512
7152e0a9e9182da7b3cd7976884adf4f6e619500a03da51794d69452281ae784fe2a36adad3d0260ee6b5ccc02ccb649da5fa27e269f84fa74e8cc051bc53367

Download Submit
C:\Windows\system\HbusmiI.exe
Filesize
5.9MB

MD5
5c20b70ab2638502f07aa51323ec85b2

SHA1
55234b1e3e00b01e91c1cfbfe6b74a0dde0e0f5d

SHA256
66b3c51dd29f22085151b9309ac7b77d15d93c1e056def2e8dd05705185e5010

SHA512
a40dbbdb396d400b36fb0841a0eb17861aaf97580de3027e76ee3f899c8df69a8114074e1d92ea2443b310ed2214a5455a3e40ae37f75feb3f1f8bc0c3ac8dd0

Download Submit
C:\Windows\system\HimXdlq.exe
Filesize
5.9MB

MD5
e694782acf642cd9434a34c8cc8fe9bb

SHA1
fb87704252863350945943e3f6c04cc788d97619

SHA256
2f2d6e782dfe1170238f329c8077bbe91addf6b5f05f531e3dccab69bbad381f

SHA512
0178ee141909b47a8d289807725e6947b6dffeaa7c08d48cc5a5eaba7d7f0bdbb6b1ca026bd2684a7e6585a6baf6ebf4395538597e1b4a9372c9e38b4152ca23

Download Submit
C:\Windows\system\IBLfnjW.exe
Filesize
5.9MB

MD5
46e98567d316d7b77338fd72fd4ee41d

SHA1
09a58d7b5134f617d88b9d93f2e92c23f308dde6

SHA256
b78b86aafd0c70a0edf99a6f46d027b71ae57079e2a574255ae73deb009506a8

SHA512
6022e5a80eb844657b2cc093332a34329091201fb58071f43821e5fc8396758a9e3734f3b3b6b6dea8f441d94883e7ea129de0d50caa35e3b6d7134fa1b4adca

Download Submit
C:\Windows\system\IJvZrBP.exe
Filesize
5.9MB

MD5
8c5fc407e899b282b57de5df42f75171

SHA1
19eb607323fe65d62e1740272403ff572204a6f4

SHA256
ae95500be345c300a557f689d835c01c01f5458e45af586c92e45247e06c20a0

SHA512
3a12b53dd674ac78dc984fe82fc0d168677765870ff090bcf9b4a374b08e19ad8f7b88b3ca76c096052029c8708c97b5a33f9a17970ffee70553eb082c8f2d82

Download Submit
C:\Windows\system\ImyFhbd.exe
Filesize
5.9MB

MD5
172bb273f37836f3b79af477f95d2875

SHA1
474591bb62872b27a9f9ac9bbd8df871dba92f79

SHA256
7b4539a65f0cfec75219e119cf72fe433049dca5161ae5c4564ad6bde9dcf95b

SHA512
01a4a4e35af6fac3f6d6c999c3a6fe6196b421091f85fb5064dfd96779ff5a096510ab3c0018bb9852b09082b85e09da02684c135478465ba5734673650bbc9b

Download Submit
C:\Windows\system\XPAhrUW.exe
Filesize
5.9MB

MD5
6764ce62cced274984c3e7185eb600be

SHA1
c793384e9e2c3c0404f6d016cd338aa489220d1a

SHA256
085f5bb88cc660774a8443280fff11b4d7f11ec80b2e401459d47edd5c48d6f0

SHA512
07625ffbed57221e3bcc8e89e95ba5ffe091951f268881496e1d1a932e78bf02ee70e3e968f735143b958ccc74a233347a8920e08e5c60cbcde7a51a02ea55e8

Download Submit
C:\Windows\system\XthwAEd.exe
Filesize
5.9MB

MD5
253de7b43fea3471863556135b3c2140

SHA1
0e61057d859a2ab768b898fb2a314f6bbdecd152

SHA256
2bf10c7e9148d5adebdbf48d9e445cf5f022790ea3d5c590e4b125fd1f3c5506

SHA512
d5229cf7b0b1f300d664f074c9d61afcdbd248824b9b4db0b703ffadfbf57cf8e81a596f45a2976ffad1b4f3c16be64356df0e9f960ab421a8566d8491bc1484

Download Submit
C:\Windows\system\aZqrWwy.exe
Filesize
5.9MB

MD5
7d1fb11a7e27ed573ff074480546780d

SHA1
e198f13f82007e860b7b75b1f9eb002353c77675

SHA256
08a7eb53c609567f2d269a5b5f9a56f05212f4e87dccedb22a1e5a1505d873a0

SHA512
50c685c2687d191483fa407d7821065936a32f9eeb8d8506b2fc417bc7c78446e6cd8c998f1db0aa64f693b45952c3c39d337be0c1578d8c73564e33b129f060

Download Submit
C:\Windows\system\bvOZzLC.exe
Filesize
5.9MB

MD5
a8b928cb4e3aea188ff5907ec6dea98c

SHA1
c9e1f228db0a28942e53af56768743897d2d42a0

SHA256
d912136504474717ba589762a4b2916fc6ae1c8091ef6a987c0ee35ae8e293b5

SHA512
f574441556070971d3d40f861987280623aa32fd383d23f61b26b23789fecff5cb27fcac341f29607f71db4024c82816e7b24b0c2697076727a9ff37a6b43056

Download Submit
C:\Windows\system\eQpczlG.exe
Filesize
5.9MB

MD5
86f31c6245a080a3728dd8e67d9f22b5

SHA1
96471eb7b28372cf491cf2100f4c418556b6972e

SHA256
377881030d8e146f2e624d134c70365e466be1d9ae5e48203a4c7854b9eb5f93

SHA512
0158ca8d74260a5bb370e9f5178c0240df6762fdb5ae13d36d60bf3206ec27d12cc992ace11ca04524062a9a9583fe59ccdf49570d96a2b1474e4cc91f659ebc

Download Submit
C:\Windows\system\iOLqonB.exe
Filesize
5.9MB

MD5
a46d25727b86c1cc2aca188c47605515

SHA1
90ee06081e661da689f005ba883cba318ee55b5f

SHA256
6f9f3efb054e89529cd88cc493422a9c4f10e3d6c0fddfed9993dad61c3b3771

SHA512
a5b76f324e41aeda12954a96d239744f579e44e6943b947a8c3bdb081b865cc227bba30b8a589a21b7a3f08b60cd72a9f5d556edf4742d88488276a208440ba6

Download Submit
C:\Windows\system\piJwKZN.exe
Filesize
5.9MB

MD5
82b2b96ec0108adc30a707b91a2e9568

SHA1
73038fd7dc189c56cc738c20249b29a3041b5a44

SHA256
84fd744187aac7e8c7082592109fa1ffed80941e6b14925501f504c4ba9911d9

SHA512
19102757ba6d9cacb09d7635fefa64aef44910bf9443498db87eff669048d122f2c9b45596cb3440313b2d82edc6b6073f1fc0ca6d51d1d387ba01bc68634e6c

Download Submit
C:\Windows\system\spYgSHa.exe
Filesize
5.9MB

MD5
02bc66bc9662afaf687cf880dd002ce1

SHA1
731565b76e70f65d3c7c549a3d98782d55ac0907

SHA256
c37491f88f4807b4eec3e643298799282a3390a7fe2c6e61d6247ddd66204175

SHA512
24fcbfd4b3fe7ee796c48bdfda6f2126c4379224778057cc2881b4044f212a40e17556875ee51dc43df95dd9fb46bc1cebf061ea1ec72e42c9d2edb0c13dbb64

Download Submit
C:\Windows\system\wkGBNiM.exe
Filesize
5.9MB

MD5
d0f8fb159d5710a5d49b680eee0d6aa3

SHA1
2f02ab56ab5633383b6daadb91916bfdf38e6810

SHA256
211a64cbb3e94c6c91d877bbe3fceb26052d81acfbe590d7222b60bb28dabcfe

SHA512
d315414834e39de17ac4758184ee823ff4244824553cedcf8491359282e9f89fb66c24d2b8a608e6aa0f4831d66b709c32045df07193adbbea4e9702b6722f7e

Download Submit
\Windows\system\EMZWvnz.exe
Filesize
5.9MB

MD5
35dc9da2f60f7f331225fdc1f52c606e

SHA1
f225c155b14cade16264675b4196a758a5e4b22e

SHA256
aec70179c3b9a79963f10d515c360c7f49b6f1d22e45f852e5520fc78ebb140d

SHA512
1d1ffa0e8baf209d8fa851b671aae0ff18260d6ff6b6d11d23a4ef3f08a9059f25f850840a0b63c8d7962a8e2aad8e9b2e355cc53e6b3669e1626b5207702d00

Download Submit
\Windows\system\EbAsenw.exe
Filesize
5.9MB

MD5
2e72b96836ef4566f6f6b99bc45748ac

SHA1
2b885bfc388005c126d1b80406f1349e96b7a2b9

SHA256
de764f6695b261e9d88dc63aa19953d55c369846165aebe6c273d798497999b0

SHA512
4b043f254f7a09a254b791e63a66ce3e1839ae602c444dae942c78b4f6c6b519baa4a14ff063344b359109d8d7e46cf2522d861d43c7e5d2fbb37365af9eeae4

Download Submit
\Windows\system\TdQoVrl.exe
Filesize
5.9MB

MD5
abc7acb1a671b55bbbafdccb8848954a

SHA1
3a10b6eb53579b6b79878d1adcab1b6431605d3e

SHA256
7499daaba1c09804cf046a9a4e7a5d2b90ce3047ff23663a4b1050630a973341

SHA512
38746f27f00adbdf1001ade35e478931ab7439dd36c9d9e116b9d4e2cdc68c18201e2db369ed3997e08108073b94fed3b063a9efb8a0addac0be78f08b401126

Download Submit
\Windows\system\VJKjbAb.exe
Filesize
5.9MB

MD5
406facef8f14099e7446306c2cdc51c4

SHA1
453bd5733aedd847cbaccdd7a021c24f0b1180f4

SHA256
d35af7cced3d7f6e73454e5adf93e5edfc0047fed15c95a8ca0d0f959e132f63

SHA512
e5b148066bcf7be5c3ba58531643c7733e8e18a0996b7a40408a97abfaa4919b6848eaa14ae8009fcbea4ed81725462965f20a1926fd7d803f259fee4e3b3953

Download Submit
\Windows\system\tAcnUUt.exe
Filesize
5.9MB

MD5
ae778629199e89253caa6b54289a2ed1

SHA1
35c835250456bb725e408f9ca27eafb295082e2d

SHA256
72111bd41978d88eed5a13a1a6df8052a30bfbf0c3db544089c22688a028bc67

SHA512
53b12ee9052bac416f1868f88df0a65660ff7d339cdff77b19b07891e40319631b44ed61b0b62cf782fb3069443189a6f5c4961f896d8501fefbf8229069cadd

Download Submit
memory/1716-149-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/1716-89-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2420-56-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-20-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2420-1-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2420-141-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2420-29-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-88-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2420-69-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2420-68-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2420-67-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2420-22-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2420-58-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-94-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2420-63-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/2420-33-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2420-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/2420-52-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2420-105-0x0000000002300000-0x0000000002654000-memory.dmp

Filesize
3.3MB

Download
memory/2468-151-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/2468-92-0x000000013FEC0000-0x0000000140214000-memory.dmp

Filesize
3.3MB

Download
memory/2492-91-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2492-152-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-146-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-136-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2504-62-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-138-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2512-65-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2512-148-0x000000013F3D0000-0x000000013F724000-memory.dmp

Filesize
3.3MB

Download
memory/2516-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2516-64-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2516-137-0x000000013F9C0000-0x000000013FD14000-memory.dmp

Filesize
3.3MB

Download
memory/2580-144-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp

Filesize
3.3MB

Download
memory/2596-66-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2596-155-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-90-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2652-150-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2716-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2716-44-0x000000013F6E0000-0x000000013FA34000-memory.dmp

Filesize
3.3MB

Download
memory/2756-143-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-140-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2760-153-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2760-96-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2988-93-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2988-154-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-142-0x000000013FC60000-0x000000013FFB4000-memory.dmp

Filesize
3.3MB

Download