cobaltstrike | 389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

fab8dd08c1c046f7d00b6ac796d91caa
SHA1

905d884b53286a3079b1722243b56aabe7a17cfc
SHA256

389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e
SHA512

18d18dfdf19dc23f3fd01c71a5ddafb695f7ee65382528b14162f0c3cb8f6afa51254d924d21aaf150420d9d603de82ca6aae08af5d2dadbb562ac9237c8a8ac
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUE:Q+856utgpPF8u/7E

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\YvsROsV.exe	cobalt_reflective_dll
C:\Windows\System\FJWeSjW.exe	cobalt_reflective_dll
C:\Windows\System\EapfQBP.exe	cobalt_reflective_dll
C:\Windows\System\MnmqbAc.exe	cobalt_reflective_dll
C:\Windows\System\SRjWhlT.exe	cobalt_reflective_dll
C:\Windows\System\OCHNtkN.exe	cobalt_reflective_dll
C:\Windows\System\PAReEQr.exe	cobalt_reflective_dll
C:\Windows\System\SqvWtbA.exe	cobalt_reflective_dll
C:\Windows\System\Eoctara.exe	cobalt_reflective_dll
C:\Windows\System\YRZbLfq.exe	cobalt_reflective_dll
C:\Windows\System\wLxGkrX.exe	cobalt_reflective_dll
C:\Windows\System\VRTKHrC.exe	cobalt_reflective_dll
C:\Windows\System\DbnvNRs.exe	cobalt_reflective_dll
C:\Windows\System\JXZEoNx.exe	cobalt_reflective_dll
C:\Windows\System\ETfZVCY.exe	cobalt_reflective_dll
C:\Windows\System\KBVwYYV.exe	cobalt_reflective_dll
C:\Windows\System\aPqtcpC.exe	cobalt_reflective_dll
C:\Windows\System\tOgnjfZ.exe	cobalt_reflective_dll
C:\Windows\System\xoVzKSM.exe	cobalt_reflective_dll
C:\Windows\System\ZZOVpVV.exe	cobalt_reflective_dll
C:\Windows\System\uRGzhaK.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1804-0-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp	xmrig
C:\Windows\System\YvsROsV.exe	xmrig
behavioral2/memory/3392-10-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
C:\Windows\System\FJWeSjW.exe	xmrig
C:\Windows\System\EapfQBP.exe	xmrig
C:\Windows\System\MnmqbAc.exe	xmrig
C:\Windows\System\SRjWhlT.exe	xmrig
behavioral2/memory/3540-24-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	xmrig
behavioral2/memory/4508-23-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	xmrig
behavioral2/memory/2824-14-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	xmrig
C:\Windows\System\OCHNtkN.exe	xmrig
behavioral2/memory/1492-35-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp	xmrig
behavioral2/memory/4432-36-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	xmrig
C:\Windows\System\PAReEQr.exe	xmrig
behavioral2/memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp	xmrig
behavioral2/memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	xmrig
C:\Windows\System\SqvWtbA.exe	xmrig
C:\Windows\System\Eoctara.exe	xmrig
behavioral2/memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	xmrig
C:\Windows\System\YRZbLfq.exe	xmrig
behavioral2/memory/1804-61-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp	xmrig
behavioral2/memory/4264-63-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp	xmrig
C:\Windows\System\wLxGkrX.exe	xmrig
C:\Windows\System\VRTKHrC.exe	xmrig
behavioral2/memory/3392-70-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
behavioral2/memory/996-77-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp	xmrig
C:\Windows\System\DbnvNRs.exe	xmrig
C:\Windows\System\JXZEoNx.exe	xmrig
behavioral2/memory/3764-90-0x00007FF787470000-0x00007FF7877C4000-memory.dmp	xmrig
behavioral2/memory/860-89-0x00007FF72C300000-0x00007FF72C654000-memory.dmp	xmrig
behavioral2/memory/4508-86-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	xmrig
C:\Windows\System\ETfZVCY.exe	xmrig
C:\Windows\System\KBVwYYV.exe	xmrig
C:\Windows\System\aPqtcpC.exe	xmrig
C:\Windows\System\tOgnjfZ.exe	xmrig
C:\Windows\System\xoVzKSM.exe	xmrig
C:\Windows\System\ZZOVpVV.exe	xmrig
behavioral2/memory/3192-84-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp	xmrig
behavioral2/memory/2824-83-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	xmrig
C:\Windows\System\uRGzhaK.exe	xmrig
behavioral2/memory/3540-125-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	xmrig
behavioral2/memory/4844-126-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp	xmrig
behavioral2/memory/3912-127-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp	xmrig
behavioral2/memory/832-128-0x00007FF731D30000-0x00007FF732084000-memory.dmp	xmrig
behavioral2/memory/4656-129-0x00007FF637750000-0x00007FF637AA4000-memory.dmp	xmrig
behavioral2/memory/4532-131-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp	xmrig
behavioral2/memory/1464-130-0x00007FF748220000-0x00007FF748574000-memory.dmp	xmrig
behavioral2/memory/3476-132-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp	xmrig
behavioral2/memory/4432-133-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	xmrig
behavioral2/memory/4956-134-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	xmrig
behavioral2/memory/4636-135-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	xmrig
behavioral2/memory/3392-136-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	xmrig
behavioral2/memory/2824-137-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	xmrig
behavioral2/memory/4508-138-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	xmrig
behavioral2/memory/3540-140-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	xmrig
behavioral2/memory/1492-139-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp	xmrig
behavioral2/memory/4432-141-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	xmrig
behavioral2/memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp	xmrig
behavioral2/memory/4956-143-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	xmrig
behavioral2/memory/4636-144-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	xmrig
behavioral2/memory/4264-145-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp	xmrig
behavioral2/memory/996-146-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp	xmrig
behavioral2/memory/3192-147-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp	xmrig
behavioral2/memory/860-148-0x00007FF72C300000-0x00007FF72C654000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

YvsROsV.exeEapfQBP.exeFJWeSjW.exeSRjWhlT.exeMnmqbAc.exeOCHNtkN.exePAReEQr.exeSqvWtbA.exeEoctara.exeYRZbLfq.exewLxGkrX.exeVRTKHrC.exeuRGzhaK.exeDbnvNRs.exeJXZEoNx.exeETfZVCY.exeZZOVpVV.exeKBVwYYV.exexoVzKSM.exeaPqtcpC.exetOgnjfZ.exe

pid	process
3392	YvsROsV.exe
2824	EapfQBP.exe
4508	FJWeSjW.exe
3540	SRjWhlT.exe
1492	MnmqbAc.exe
4432	OCHNtkN.exe
348	PAReEQr.exe
4956	SqvWtbA.exe
4636	Eoctara.exe
4264	YRZbLfq.exe
996	wLxGkrX.exe
3192	VRTKHrC.exe
860	uRGzhaK.exe
3764	DbnvNRs.exe
3476	JXZEoNx.exe
4844	ETfZVCY.exe
3912	ZZOVpVV.exe
832	KBVwYYV.exe
4656	xoVzKSM.exe
1464	aPqtcpC.exe
4532	tOgnjfZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1804-0-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp	upx
C:\Windows\System\YvsROsV.exe	upx
behavioral2/memory/3392-10-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
C:\Windows\System\FJWeSjW.exe	upx
C:\Windows\System\EapfQBP.exe	upx
C:\Windows\System\MnmqbAc.exe	upx
C:\Windows\System\SRjWhlT.exe	upx
behavioral2/memory/3540-24-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	upx
behavioral2/memory/4508-23-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	upx
behavioral2/memory/2824-14-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	upx
C:\Windows\System\OCHNtkN.exe	upx
behavioral2/memory/1492-35-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp	upx
behavioral2/memory/4432-36-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	upx
C:\Windows\System\PAReEQr.exe	upx
behavioral2/memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp	upx
behavioral2/memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	upx
C:\Windows\System\SqvWtbA.exe	upx
C:\Windows\System\Eoctara.exe	upx
behavioral2/memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	upx
C:\Windows\System\YRZbLfq.exe	upx
behavioral2/memory/1804-61-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp	upx
behavioral2/memory/4264-63-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp	upx
C:\Windows\System\wLxGkrX.exe	upx
C:\Windows\System\VRTKHrC.exe	upx
behavioral2/memory/3392-70-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
behavioral2/memory/996-77-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp	upx
C:\Windows\System\DbnvNRs.exe	upx
C:\Windows\System\JXZEoNx.exe	upx
behavioral2/memory/3764-90-0x00007FF787470000-0x00007FF7877C4000-memory.dmp	upx
behavioral2/memory/860-89-0x00007FF72C300000-0x00007FF72C654000-memory.dmp	upx
behavioral2/memory/4508-86-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	upx
C:\Windows\System\ETfZVCY.exe	upx
C:\Windows\System\KBVwYYV.exe	upx
C:\Windows\System\aPqtcpC.exe	upx
C:\Windows\System\tOgnjfZ.exe	upx
C:\Windows\System\xoVzKSM.exe	upx
C:\Windows\System\ZZOVpVV.exe	upx
behavioral2/memory/3192-84-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp	upx
behavioral2/memory/2824-83-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	upx
C:\Windows\System\uRGzhaK.exe	upx
behavioral2/memory/3540-125-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	upx
behavioral2/memory/4844-126-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp	upx
behavioral2/memory/3912-127-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp	upx
behavioral2/memory/832-128-0x00007FF731D30000-0x00007FF732084000-memory.dmp	upx
behavioral2/memory/4656-129-0x00007FF637750000-0x00007FF637AA4000-memory.dmp	upx
behavioral2/memory/4532-131-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp	upx
behavioral2/memory/1464-130-0x00007FF748220000-0x00007FF748574000-memory.dmp	upx
behavioral2/memory/3476-132-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp	upx
behavioral2/memory/4432-133-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	upx
behavioral2/memory/4956-134-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	upx
behavioral2/memory/4636-135-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	upx
behavioral2/memory/3392-136-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp	upx
behavioral2/memory/2824-137-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp	upx
behavioral2/memory/4508-138-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp	upx
behavioral2/memory/3540-140-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp	upx
behavioral2/memory/1492-139-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp	upx
behavioral2/memory/4432-141-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp	upx
behavioral2/memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp	upx
behavioral2/memory/4956-143-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp	upx
behavioral2/memory/4636-144-0x00007FF7692F0000-0x00007FF769644000-memory.dmp	upx
behavioral2/memory/4264-145-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp	upx
behavioral2/memory/996-146-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp	upx
behavioral2/memory/3192-147-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp	upx
behavioral2/memory/860-148-0x00007FF72C300000-0x00007FF72C654000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\SRjWhlT.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SqvWtbA.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETfZVCY.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YRZbLfq.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DbnvNRs.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JXZEoNx.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xoVzKSM.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvsROsV.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EapfQBP.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FJWeSjW.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Eoctara.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aPqtcpC.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnmqbAc.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OCHNtkN.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PAReEQr.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wLxGkrX.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VRTKHrC.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRGzhaK.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZZOVpVV.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KBVwYYV.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tOgnjfZ.exe	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1804 wrote to memory of 3392	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	YvsROsV.exe
PID 1804 wrote to memory of 3392	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	YvsROsV.exe
PID 1804 wrote to memory of 2824	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EapfQBP.exe
PID 1804 wrote to memory of 2824	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	EapfQBP.exe
PID 1804 wrote to memory of 4508	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	FJWeSjW.exe
PID 1804 wrote to memory of 4508	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	FJWeSjW.exe
PID 1804 wrote to memory of 3540	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	SRjWhlT.exe
PID 1804 wrote to memory of 3540	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	SRjWhlT.exe
PID 1804 wrote to memory of 1492	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	MnmqbAc.exe
PID 1804 wrote to memory of 1492	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	MnmqbAc.exe
PID 1804 wrote to memory of 4432	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	OCHNtkN.exe
PID 1804 wrote to memory of 4432	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	OCHNtkN.exe
PID 1804 wrote to memory of 348	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	PAReEQr.exe
PID 1804 wrote to memory of 348	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	PAReEQr.exe
PID 1804 wrote to memory of 4956	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	SqvWtbA.exe
PID 1804 wrote to memory of 4956	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	SqvWtbA.exe
PID 1804 wrote to memory of 4636	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	Eoctara.exe
PID 1804 wrote to memory of 4636	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	Eoctara.exe
PID 1804 wrote to memory of 4264	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	YRZbLfq.exe
PID 1804 wrote to memory of 4264	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	YRZbLfq.exe
PID 1804 wrote to memory of 996	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	wLxGkrX.exe
PID 1804 wrote to memory of 996	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	wLxGkrX.exe
PID 1804 wrote to memory of 3192	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	VRTKHrC.exe
PID 1804 wrote to memory of 3192	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	VRTKHrC.exe
PID 1804 wrote to memory of 860	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	uRGzhaK.exe
PID 1804 wrote to memory of 860	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	uRGzhaK.exe
PID 1804 wrote to memory of 3764	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	DbnvNRs.exe
PID 1804 wrote to memory of 3764	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	DbnvNRs.exe
PID 1804 wrote to memory of 3476	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	JXZEoNx.exe
PID 1804 wrote to memory of 3476	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	JXZEoNx.exe
PID 1804 wrote to memory of 4844	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ETfZVCY.exe
PID 1804 wrote to memory of 4844	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ETfZVCY.exe
PID 1804 wrote to memory of 3912	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ZZOVpVV.exe
PID 1804 wrote to memory of 3912	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	ZZOVpVV.exe
PID 1804 wrote to memory of 832	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	KBVwYYV.exe
PID 1804 wrote to memory of 832	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	KBVwYYV.exe
PID 1804 wrote to memory of 4656	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	xoVzKSM.exe
PID 1804 wrote to memory of 4656	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	xoVzKSM.exe
PID 1804 wrote to memory of 1464	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	aPqtcpC.exe
PID 1804 wrote to memory of 1464	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	aPqtcpC.exe
PID 1804 wrote to memory of 4532	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	tOgnjfZ.exe
PID 1804 wrote to memory of 4532	1804	2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe	tOgnjfZ.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\System\YvsROsV.exe
C:\Windows\System\YvsROsV.exe
2⤵
- Executes dropped EXE
PID:3392

C:\Windows\System\EapfQBP.exe
C:\Windows\System\EapfQBP.exe
2⤵
- Executes dropped EXE
PID:2824

C:\Windows\System\FJWeSjW.exe
C:\Windows\System\FJWeSjW.exe
2⤵
- Executes dropped EXE
PID:4508

C:\Windows\System\SRjWhlT.exe
C:\Windows\System\SRjWhlT.exe
2⤵
- Executes dropped EXE
PID:3540

C:\Windows\System\MnmqbAc.exe
C:\Windows\System\MnmqbAc.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System\OCHNtkN.exe
C:\Windows\System\OCHNtkN.exe
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\System\PAReEQr.exe
C:\Windows\System\PAReEQr.exe
2⤵
- Executes dropped EXE
PID:348

C:\Windows\System\SqvWtbA.exe
C:\Windows\System\SqvWtbA.exe
2⤵
- Executes dropped EXE
PID:4956

C:\Windows\System\Eoctara.exe
C:\Windows\System\Eoctara.exe
2⤵
- Executes dropped EXE
PID:4636

C:\Windows\System\YRZbLfq.exe
C:\Windows\System\YRZbLfq.exe
2⤵
- Executes dropped EXE
PID:4264

C:\Windows\System\wLxGkrX.exe
C:\Windows\System\wLxGkrX.exe
2⤵
- Executes dropped EXE
PID:996

C:\Windows\System\VRTKHrC.exe
C:\Windows\System\VRTKHrC.exe
2⤵
- Executes dropped EXE
PID:3192

C:\Windows\System\uRGzhaK.exe
C:\Windows\System\uRGzhaK.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\System\DbnvNRs.exe
C:\Windows\System\DbnvNRs.exe
2⤵
- Executes dropped EXE
PID:3764

C:\Windows\System\JXZEoNx.exe
C:\Windows\System\JXZEoNx.exe
2⤵
- Executes dropped EXE
PID:3476

C:\Windows\System\ETfZVCY.exe
C:\Windows\System\ETfZVCY.exe
2⤵
- Executes dropped EXE
PID:4844

C:\Windows\System\ZZOVpVV.exe
C:\Windows\System\ZZOVpVV.exe
2⤵
- Executes dropped EXE
PID:3912

C:\Windows\System\KBVwYYV.exe
C:\Windows\System\KBVwYYV.exe
2⤵
- Executes dropped EXE
PID:832

C:\Windows\System\xoVzKSM.exe
C:\Windows\System\xoVzKSM.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Windows\System\aPqtcpC.exe
C:\Windows\System\aPqtcpC.exe
2⤵
- Executes dropped EXE
PID:1464

C:\Windows\System\tOgnjfZ.exe
C:\Windows\System\tOgnjfZ.exe
2⤵
- Executes dropped EXE
PID:4532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DbnvNRs.exe
Filesize
5.9MB

MD5
3cba8851ef1e0c576d22e97a75e7545d

SHA1
9cf10e35c04f29642002ea832c8214e7fdc39ddc

SHA256
36a693c910f66d9f693d1a9877c1d3a37d3c1010cce308db0d53f795f4e821bc

SHA512
30f183f14de7793c495ceb78e98c43c4d7ecb09b1243b4eb855e3e5cba3d9205650f79b3a9662a19c52925b6472b50d19a13558be69b27eb9fc381807b92cc7f

Download Submit
C:\Windows\System\ETfZVCY.exe
Filesize
5.9MB

MD5
be0ff8753f51b18085411142cc5c8f7f

SHA1
e5f94eeab69be931e78cb60cfe75eb229d5158b0

SHA256
6bc94c695f27c1d973ce0213ce06804b645fdcd5316b540990dde1ac0c1cf1cf

SHA512
174b09df6e5a6c6c2307546600d7083414063d9b4c8d49ce3a21cf324733aad73337a4969faa137d435ce39685f8519fc2c968bfa007ecbf74c997ef02339dbf

Download Submit
C:\Windows\System\EapfQBP.exe
Filesize
5.9MB

MD5
41e1ac32c00d022c548688cb36b93be9

SHA1
a84c3ffcd80d651d326e7c7d03753d2ba9958ad8

SHA256
10aa076fe09a922a27d8f91868a22f01b426f13ce99370581551424b8dd62b42

SHA512
ffd4470f7b7493948f4c382e7f2db47c5e5f6a1d2b38cfeafb112d4a8655fa13f95017e6ee59f3dcbaefaf6cc10c0d71a5d13d41bca6dac78c297e55f75346e8

Download Submit
C:\Windows\System\Eoctara.exe
Filesize
5.9MB

MD5
6233eefa6a40ba893c3a5c355e75e2e2

SHA1
c9beaab6e37a511053366c29a83691add4a21d1f

SHA256
47f2789f40797ed321341d7a5bd5214a4838c8e0bbbe1a80121b9fb559c932ed

SHA512
bae07d44f0229e40bc74f9bfa9b58be3625b6a637fdf7286ab945bdf1e5b0e49c7fba1e155e2f49b0fe1cf13d11add576637b0e24af4a23a7a8775bce7992d8c

Download Submit
C:\Windows\System\FJWeSjW.exe
Filesize
5.9MB

MD5
8d4c49a4998d290817879ed727925ce2

SHA1
cec053524033be00d9e6751bf4d3d5b0a0b36fed

SHA256
7586be07b75f0f4fa1832df623e52312b3f00b4d8f2eadeecc47a206cb24ceac

SHA512
e80f0c21cdaae57dd8cdfed6f29394658848853d09bebe72b6cc8c9d1c382bdda864913accac419b62a16daf25113c72675336dddda42148d8fd90586b7dde75

Download Submit
C:\Windows\System\JXZEoNx.exe
Filesize
5.9MB

MD5
e356ef8734972dec9b34ce9d9c842389

SHA1
85240d07b80e71a40adeb681e23ccc1df48bbf4f

SHA256
619cf454b876998a82d8d4ab43c51a45f5da7bcde2cad2c79877fdb55dc7f012

SHA512
855c07fc60cfd0654928cbcdd9d82c2b8f227922fc564b4b71f88f715557118268dac3c392c2ed32fc06bf56a8fbd721f980a28e0e20376029bbcb8183a91619

Download Submit
C:\Windows\System\KBVwYYV.exe
Filesize
5.9MB

MD5
c1d61b12e7bf24598369865f9b9560b0

SHA1
8d324c8a0a700bf2c860104cd62e023ef2b3e473

SHA256
d1eaad72a2bb3c9be3b208cf0d78b99baabfcfadd65c7efd55c08e350f85e937

SHA512
596e22b2e99ecccca7104ff7c7611fa69c0b2fa7f3a32e61e31bb9dfd8853fc3fd33f833db53e890d4b5a09e2e2a852c21620cbd43a40d204c76da48812d103a

Download Submit
C:\Windows\System\MnmqbAc.exe
Filesize
5.9MB

MD5
40f0527191182ae9dbdb38149c7863bc

SHA1
0d4c2bdecb9770183fb80316c82d0e634de7d6c5

SHA256
720246ca3b7595fde0f4f81b0af67b96ce4a4f7c1eb0ec5dcc1c68cac7f990b4

SHA512
62e90c41f58e4a1f165937276fda5f4e0d90e5150b152dec788b3986e141abdb33986a346d7a0b02ebf1af546da11909d24952127d7a0defb1ffd0559b1430bb

Download Submit
C:\Windows\System\OCHNtkN.exe
Filesize
5.9MB

MD5
63d6ded8b477aa427a95c1cce27b96b2

SHA1
d67078663c7dfbff584de502cc7620101b418503

SHA256
17c5478fa16747c17aae4815c448e8aa91e6c0c274cc8ad924a20833e309d567

SHA512
627883fb8f6b72fbeb4f6ba6c8ee8d7dcfd77996370dc250cf60b18c7aee996ed43c9bf8bc7f5bb6b9700718649ea5a84cfa3524529fc52fd15e1c6d5ed58f56

Download Submit
C:\Windows\System\PAReEQr.exe
Filesize
5.9MB

MD5
71569d3463a630406e74144381b9d010

SHA1
e15a64c6cf2e2637d309bd9dfc9f7d410f24d266

SHA256
adbca39c20d394e95167a2ef0b33a0f6c33660d67bb97f895d81ebcfa22efef0

SHA512
4c57e6900c841215a33796ca227144a79cbda79f252e0d63505824a1f945db119a0a9c3e424c2aa2d13b052d11d75f34876e126383d18a004b9a4af1c4b00606

Download Submit
C:\Windows\System\SRjWhlT.exe
Filesize
5.9MB

MD5
84b419a45f406b3a365c8a3b1918d1df

SHA1
5d7ba50012b315f318042c8b5ee872119e70e488

SHA256
74ec317a3f7a91b2c12b224c92dc9a4b3570b46ec48ae7fa1273aae23b84ae81

SHA512
ea7cda772897bf9b7101fcf4370be2cda55776cc872b2c44c07fd4682fb624ecdfcb013d977d4e9be1301966ff58b1d1658024b27db9dde77657be0fec8a620b

Download Submit
C:\Windows\System\SqvWtbA.exe
Filesize
5.9MB

MD5
f3ff0ed4f1959e90d87fa7604eed531c

SHA1
016948642d8ac207d1925b693167b90e140f1539

SHA256
80fa60efbd261650c9de15dfeb70fc4b7b4141d41b4b839610e77ed66002ae2f

SHA512
db123275b132789c2f1036fc152fc171e5eebf8460a9f110e4dcde647109979dfbc6d464a01af2eaf608969f625dbda1f3f089dcde6fe323a6405a209807ba3e

Download Submit
C:\Windows\System\VRTKHrC.exe
Filesize
5.9MB

MD5
e92fd2d9e1839036543faea3b5e45c4f

SHA1
bbde7fca2ea94242823936c0fe5c362d69f3a400

SHA256
e0346180876325055fa92e5b05776f8fd30fc52db34485fa9b2db3491d8624b4

SHA512
a8f4250dd78f709b90e648c171e5cc16a9c51769ad0f57f5e78e7c18b25cfbe878d140e71c72d52c9da3dd75932f8d614f1339313cfed402dce93e6b90451291

Download Submit
C:\Windows\System\YRZbLfq.exe
Filesize
5.9MB

MD5
e88a43050ba615e5fbc0b7a0ec27b805

SHA1
38789cd6333474a11652d676c11d85ad92a6376c

SHA256
1c5269d85decd736abdd9a22bff2e3fc7733244dc49bc22ffae4d070e49376ea

SHA512
f60bae003928ff4557d6d0022ffe3f16ed069e5a55ed0f7c67c665f164ef25c5d25223da0ceb2d5d6edfb5759868a809398692c0c479630bf85eec7a05581683

Download Submit
C:\Windows\System\YvsROsV.exe
Filesize
5.9MB

MD5
9a67570d4605f94d18783a145b1289c1

SHA1
eb5ab4db74cf64828ff2e81f332af7d7654b0d47

SHA256
b142dd84d9e0adf0d44c23a6efa9a5142e75779e175ff097c611fed40e3fea24

SHA512
a12f23ddb929299da3e5cb54ac25aa11375d70a77eee7ce88b362019e082207213384ccea1351712336e6ebba3b7a66b2a8bb567ca707042edaf19128bc1d8b2

Download Submit
C:\Windows\System\ZZOVpVV.exe
Filesize
5.9MB

MD5
e0f659fa11e66941fad0cf3351e30eca

SHA1
e4916bd9c41d4e23bbf04880f40d0a078892df94

SHA256
6373b88fa2bd934b793e035b2523fd44dc13848685eee592596e2db93d385d38

SHA512
f7e5722122a7379f53a0c6faa994bebbd710b19c1cea85615a193693d2af97c90c4b2b010de7c694f2777789e3daf2bb5366783c15a9df4e44d87036d74602ea

Download Submit
C:\Windows\System\aPqtcpC.exe
Filesize
5.9MB

MD5
66aff8fe3291a4bd604eb0704a44af9e

SHA1
aa79d692dbad3fee17b56f893b4f03b2667909d2

SHA256
6f64083d4627eeabed28521401659c27fd5ab73c09c7d6397bb6151a6d86d92c

SHA512
0030ec4af65252d52a912eefe4f825a141b8a9cf45cfc1ee1d2bccd32157e2aee32186715215b3332475c04f94b563673a77f0ae9c0e4e3abbc81436f970116d

Download Submit
C:\Windows\System\tOgnjfZ.exe
Filesize
5.9MB

MD5
a60d7868cf4a46e547892a49334b2f21

SHA1
27f528480f3f2a26ff8b496c57df26b3a147a95c

SHA256
f454ad8bcf7797084e4860221e7687a28131597ba3a810ab0ec002a8986cab00

SHA512
26b0650de512160db41e5ec105987b521d9745bbbb0c03c761591115470c05c2ca1efc2e8cf44192f81110d3e2c40d039aaabe0dc09385960623ed470da2505b

Download Submit
C:\Windows\System\uRGzhaK.exe
Filesize
5.9MB

MD5
ff99fecb45880f011c6529053959c8fc

SHA1
48ccd8c836ab7c71d7e6d4489d42f6a7ba3a5e88

SHA256
96f054597066f60fefe0a36a9fefa39904e54f034a2bf82a2e0326ff7c14276b

SHA512
81a7ffc9bfeec8a6b6224bb82001df180308c2cee328d7b8eb6b99d639f087f04d5f7c9660edfdd0c016f65c06e900a09184069faa99229e84635e4341fcfa6b

Download Submit
C:\Windows\System\wLxGkrX.exe
Filesize
5.9MB

MD5
82cf2f8614792ac6641ffde841d9b147

SHA1
7042c4a0b9af761dbec0abe3914da3583bb76b27

SHA256
73455b8a84bb4591eff7a12ddee23c45ee3f5b904d9b7870a93e5adf61bec5f7

SHA512
99bdbb9a8a64e9d7b8c811e23ca0c241b3aab49ce47e92e6e86d1b7593c7a0273e72b26f38789a848d349b78d04cb8e4b25f9df8882a7e28bdccda8258c2db66

Download Submit
C:\Windows\System\xoVzKSM.exe
Filesize
5.9MB

MD5
3c15df2c3bed91834825bb594eb03abc

SHA1
05ebfcb9e62daa504d0caa8de7eada304bbe8361

SHA256
b9ef1a8c0c0db5ec97d8949a3cd23d6306ca7d7d074550c700de2679c39d8896

SHA512
83017c0f95f2dd20dfc65d902c0aee817874a751a9be1851dc1aa5d45ed5a2003cdc3c6691134ef1f5d6fb4b42a76a5798af181bb50087820a69d6b480b1962e

Download Submit
memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp

Filesize
3.3MB

Download
memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp

Filesize
3.3MB

Download
memory/832-128-0x00007FF731D30000-0x00007FF732084000-memory.dmp

Filesize
3.3MB

Download
memory/832-153-0x00007FF731D30000-0x00007FF732084000-memory.dmp

Filesize
3.3MB

Download
memory/860-148-0x00007FF72C300000-0x00007FF72C654000-memory.dmp

Filesize
3.3MB

Download
memory/860-89-0x00007FF72C300000-0x00007FF72C654000-memory.dmp

Filesize
3.3MB

Download
memory/996-77-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp

Filesize
3.3MB

Download
memory/996-146-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp

Filesize
3.3MB

Download
memory/1464-130-0x00007FF748220000-0x00007FF748574000-memory.dmp

Filesize
3.3MB

Download
memory/1464-154-0x00007FF748220000-0x00007FF748574000-memory.dmp

Filesize
3.3MB

Download
memory/1492-35-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1492-139-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp

Filesize
3.3MB

Download
memory/1804-0-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp

Filesize
3.3MB

Download
memory/1804-61-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp

Filesize
3.3MB

Download
memory/1804-1-0x000001EE71640000-0x000001EE71650000-memory.dmp

Filesize
64KB

Download
memory/2824-83-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

Filesize
3.3MB

Download
memory/2824-14-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

Filesize
3.3MB

Download
memory/2824-137-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp

Filesize
3.3MB

Download
memory/3192-147-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-84-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-136-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-10-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3392-70-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-132-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp

Filesize
3.3MB

Download
memory/3476-150-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp

Filesize
3.3MB

Download
memory/3540-125-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

Filesize
3.3MB

Download
memory/3540-24-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

Filesize
3.3MB

Download
memory/3540-140-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp

Filesize
3.3MB

Download
memory/3764-149-0x00007FF787470000-0x00007FF7877C4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-90-0x00007FF787470000-0x00007FF7877C4000-memory.dmp

Filesize
3.3MB

Download
memory/3912-127-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp

Filesize
3.3MB

Download
memory/3912-152-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp

Filesize
3.3MB

Download
memory/4264-145-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp

Filesize
3.3MB

Download
memory/4264-63-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp

Filesize
3.3MB

Download
memory/4432-36-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

Filesize
3.3MB

Download
memory/4432-133-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

Filesize
3.3MB

Download
memory/4432-141-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp

Filesize
3.3MB

Download
memory/4508-138-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-86-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

Filesize
3.3MB

Download
memory/4508-23-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp

Filesize
3.3MB

Download
memory/4532-131-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp

Filesize
3.3MB

Download
memory/4532-156-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp

Filesize
3.3MB

Download
memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

Filesize
3.3MB

Download
memory/4636-144-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

Filesize
3.3MB

Download
memory/4636-135-0x00007FF7692F0000-0x00007FF769644000-memory.dmp

Filesize
3.3MB

Download
memory/4656-155-0x00007FF637750000-0x00007FF637AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-129-0x00007FF637750000-0x00007FF637AA4000-memory.dmp

Filesize
3.3MB

Download
memory/4844-151-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp

Filesize
3.3MB

Download
memory/4844-126-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp

Filesize
3.3MB

Download
memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

Filesize
3.3MB

Download
memory/4956-143-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

Filesize
3.3MB

Download
memory/4956-134-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp

Filesize
3.3MB

Download