cobaltstrike | 83a44075ec09125c07834729e45ef0626088249387be2c14ec9eb550619aaa68

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8b1da65cc148dc297aee5f23fed2d6d3
SHA1

77cc9e4925d58fdd99c62b9db59d81810701c3d8
SHA256

83a44075ec09125c07834729e45ef0626088249387be2c14ec9eb550619aaa68
SHA512

274f637b14efce7e5f0a6102341ba010b434324f006a7b556777cf118a66e416c03279481a84e8bea3e71d73dccb95394ba650d166f036e0159f81138a58b03c
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:Q+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CfZNQnK.exe	cobalt_reflective_dll
C:\Windows\System\lxxLlqG.exe	cobalt_reflective_dll
C:\Windows\System\lArFOfs.exe	cobalt_reflective_dll
C:\Windows\System\ibRxKGb.exe	cobalt_reflective_dll
C:\Windows\System\lgvuKXy.exe	cobalt_reflective_dll
C:\Windows\System\DIxvFTe.exe	cobalt_reflective_dll
C:\Windows\System\QOOWzPV.exe	cobalt_reflective_dll
C:\Windows\System\UjCxQIb.exe	cobalt_reflective_dll
C:\Windows\System\IDjlWPK.exe	cobalt_reflective_dll
C:\Windows\System\uOEPQNV.exe	cobalt_reflective_dll
C:\Windows\System\mWpRNbF.exe	cobalt_reflective_dll
C:\Windows\System\qLYjdyY.exe	cobalt_reflective_dll
C:\Windows\System\IPLRPpk.exe	cobalt_reflective_dll
C:\Windows\System\PUyWFKD.exe	cobalt_reflective_dll
C:\Windows\System\bNwsSYY.exe	cobalt_reflective_dll
C:\Windows\System\HkzGvtb.exe	cobalt_reflective_dll
C:\Windows\System\udpintH.exe	cobalt_reflective_dll
C:\Windows\System\BxtJtHy.exe	cobalt_reflective_dll
C:\Windows\System\xbKyDNM.exe	cobalt_reflective_dll
C:\Windows\System\JBSNeDv.exe	cobalt_reflective_dll
C:\Windows\System\EcIUEpr.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1856-0-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp	xmrig
C:\Windows\System\CfZNQnK.exe	xmrig
behavioral2/memory/1708-8-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	xmrig
C:\Windows\System\lxxLlqG.exe	xmrig
behavioral2/memory/216-14-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	xmrig
C:\Windows\System\lArFOfs.exe	xmrig
behavioral2/memory/4112-19-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig
C:\Windows\System\ibRxKGb.exe	xmrig
behavioral2/memory/1800-26-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp	xmrig
C:\Windows\System\lgvuKXy.exe	xmrig
behavioral2/memory/4484-35-0x00007FF696400000-0x00007FF696754000-memory.dmp	xmrig
behavioral2/memory/4900-37-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	xmrig
C:\Windows\System\DIxvFTe.exe	xmrig
behavioral2/memory/2988-45-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp	xmrig
C:\Windows\System\QOOWzPV.exe	xmrig
behavioral2/memory/696-57-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	xmrig
behavioral2/memory/2380-65-0x00007FF6804C0000-0x00007FF680814000-memory.dmp	xmrig
C:\Windows\System\UjCxQIb.exe	xmrig
behavioral2/memory/1708-74-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	xmrig
C:\Windows\System\IDjlWPK.exe	xmrig
behavioral2/memory/216-87-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	xmrig
behavioral2/memory/4112-96-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig
C:\Windows\System\uOEPQNV.exe	xmrig
C:\Windows\System\mWpRNbF.exe	xmrig
behavioral2/memory/2092-102-0x00007FF647DB0000-0x00007FF648104000-memory.dmp	xmrig
behavioral2/memory/4804-101-0x00007FF65F420000-0x00007FF65F774000-memory.dmp	xmrig
C:\Windows\System\qLYjdyY.exe	xmrig
behavioral2/memory/4244-92-0x00007FF753080000-0x00007FF7533D4000-memory.dmp	xmrig
behavioral2/memory/1524-91-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp	xmrig
C:\Windows\System\IPLRPpk.exe	xmrig
behavioral2/memory/3828-79-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp	xmrig
C:\Windows\System\PUyWFKD.exe	xmrig
behavioral2/memory/8-78-0x00007FF728860000-0x00007FF728BB4000-memory.dmp	xmrig
behavioral2/memory/1856-63-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp	xmrig
C:\Windows\System\bNwsSYY.exe	xmrig
C:\Windows\System\HkzGvtb.exe	xmrig
behavioral2/memory/3800-51-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	xmrig
C:\Windows\System\udpintH.exe	xmrig
behavioral2/memory/1936-108-0x00007FF750510000-0x00007FF750864000-memory.dmp	xmrig
C:\Windows\System\BxtJtHy.exe	xmrig
C:\Windows\System\xbKyDNM.exe	xmrig
C:\Windows\System\JBSNeDv.exe	xmrig
C:\Windows\System\EcIUEpr.exe	xmrig
behavioral2/memory/852-115-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp	xmrig
behavioral2/memory/4900-112-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	xmrig
behavioral2/memory/4836-131-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp	xmrig
behavioral2/memory/696-134-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	xmrig
behavioral2/memory/3800-133-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	xmrig
behavioral2/memory/684-132-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp	xmrig
behavioral2/memory/3672-130-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp	xmrig
behavioral2/memory/3828-135-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp	xmrig
behavioral2/memory/4804-136-0x00007FF65F420000-0x00007FF65F774000-memory.dmp	xmrig
behavioral2/memory/2092-137-0x00007FF647DB0000-0x00007FF648104000-memory.dmp	xmrig
behavioral2/memory/852-138-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp	xmrig
behavioral2/memory/1708-139-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	xmrig
behavioral2/memory/216-140-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	xmrig
behavioral2/memory/4112-141-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	xmrig
behavioral2/memory/1800-144-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp	xmrig
behavioral2/memory/4484-143-0x00007FF696400000-0x00007FF696754000-memory.dmp	xmrig
behavioral2/memory/4900-142-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	xmrig
behavioral2/memory/2988-145-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp	xmrig
behavioral2/memory/3800-146-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	xmrig
behavioral2/memory/2380-147-0x00007FF6804C0000-0x00007FF680814000-memory.dmp	xmrig
behavioral2/memory/696-148-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CfZNQnK.exelArFOfs.exelxxLlqG.exeibRxKGb.exeDIxvFTe.exelgvuKXy.exeudpintH.exeQOOWzPV.exeHkzGvtb.exebNwsSYY.exeUjCxQIb.exePUyWFKD.exeIPLRPpk.exeIDjlWPK.exeqLYjdyY.exemWpRNbF.exeuOEPQNV.exeEcIUEpr.exeJBSNeDv.exeBxtJtHy.exexbKyDNM.exe

pid	process
1708	CfZNQnK.exe
216	lArFOfs.exe
4112	lxxLlqG.exe
1800	ibRxKGb.exe
4484	DIxvFTe.exe
4900	lgvuKXy.exe
2988	udpintH.exe
3800	QOOWzPV.exe
696	HkzGvtb.exe
2380	bNwsSYY.exe
8	UjCxQIb.exe
3828	PUyWFKD.exe
1524	IPLRPpk.exe
4244	IDjlWPK.exe
4804	qLYjdyY.exe
2092	mWpRNbF.exe
1936	uOEPQNV.exe
852	EcIUEpr.exe
3672	JBSNeDv.exe
684	BxtJtHy.exe
4836	xbKyDNM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1856-0-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp	upx
C:\Windows\System\CfZNQnK.exe	upx
behavioral2/memory/1708-8-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	upx
C:\Windows\System\lxxLlqG.exe	upx
behavioral2/memory/216-14-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	upx
C:\Windows\System\lArFOfs.exe	upx
behavioral2/memory/4112-19-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx
C:\Windows\System\ibRxKGb.exe	upx
behavioral2/memory/1800-26-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp	upx
C:\Windows\System\lgvuKXy.exe	upx
behavioral2/memory/4484-35-0x00007FF696400000-0x00007FF696754000-memory.dmp	upx
behavioral2/memory/4900-37-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	upx
C:\Windows\System\DIxvFTe.exe	upx
behavioral2/memory/2988-45-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp	upx
C:\Windows\System\QOOWzPV.exe	upx
behavioral2/memory/696-57-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	upx
behavioral2/memory/2380-65-0x00007FF6804C0000-0x00007FF680814000-memory.dmp	upx
C:\Windows\System\UjCxQIb.exe	upx
behavioral2/memory/1708-74-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	upx
C:\Windows\System\IDjlWPK.exe	upx
behavioral2/memory/216-87-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	upx
behavioral2/memory/4112-96-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx
C:\Windows\System\uOEPQNV.exe	upx
C:\Windows\System\mWpRNbF.exe	upx
behavioral2/memory/2092-102-0x00007FF647DB0000-0x00007FF648104000-memory.dmp	upx
behavioral2/memory/4804-101-0x00007FF65F420000-0x00007FF65F774000-memory.dmp	upx
C:\Windows\System\qLYjdyY.exe	upx
behavioral2/memory/4244-92-0x00007FF753080000-0x00007FF7533D4000-memory.dmp	upx
behavioral2/memory/1524-91-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp	upx
C:\Windows\System\IPLRPpk.exe	upx
behavioral2/memory/3828-79-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp	upx
C:\Windows\System\PUyWFKD.exe	upx
behavioral2/memory/8-78-0x00007FF728860000-0x00007FF728BB4000-memory.dmp	upx
behavioral2/memory/1856-63-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp	upx
C:\Windows\System\bNwsSYY.exe	upx
C:\Windows\System\HkzGvtb.exe	upx
behavioral2/memory/3800-51-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	upx
C:\Windows\System\udpintH.exe	upx
behavioral2/memory/1936-108-0x00007FF750510000-0x00007FF750864000-memory.dmp	upx
C:\Windows\System\BxtJtHy.exe	upx
C:\Windows\System\xbKyDNM.exe	upx
C:\Windows\System\JBSNeDv.exe	upx
C:\Windows\System\EcIUEpr.exe	upx
behavioral2/memory/852-115-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp	upx
behavioral2/memory/4900-112-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	upx
behavioral2/memory/4836-131-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp	upx
behavioral2/memory/696-134-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	upx
behavioral2/memory/3800-133-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	upx
behavioral2/memory/684-132-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp	upx
behavioral2/memory/3672-130-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp	upx
behavioral2/memory/3828-135-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp	upx
behavioral2/memory/4804-136-0x00007FF65F420000-0x00007FF65F774000-memory.dmp	upx
behavioral2/memory/2092-137-0x00007FF647DB0000-0x00007FF648104000-memory.dmp	upx
behavioral2/memory/852-138-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp	upx
behavioral2/memory/1708-139-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp	upx
behavioral2/memory/216-140-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp	upx
behavioral2/memory/4112-141-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp	upx
behavioral2/memory/1800-144-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp	upx
behavioral2/memory/4484-143-0x00007FF696400000-0x00007FF696754000-memory.dmp	upx
behavioral2/memory/4900-142-0x00007FF747360000-0x00007FF7476B4000-memory.dmp	upx
behavioral2/memory/2988-145-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp	upx
behavioral2/memory/3800-146-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp	upx
behavioral2/memory/2380-147-0x00007FF6804C0000-0x00007FF680814000-memory.dmp	upx
behavioral2/memory/696-148-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\lArFOfs.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EcIUEpr.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDjlWPK.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLYjdyY.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JBSNeDv.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CfZNQnK.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgvuKXy.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QOOWzPV.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UjCxQIb.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUyWFKD.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BxtJtHy.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibRxKGb.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIxvFTe.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\udpintH.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkzGvtb.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xbKyDNM.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxxLlqG.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bNwsSYY.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPLRPpk.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mWpRNbF.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uOEPQNV.exe	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1856 wrote to memory of 1708	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	CfZNQnK.exe
PID 1856 wrote to memory of 1708	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	CfZNQnK.exe
PID 1856 wrote to memory of 216	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lArFOfs.exe
PID 1856 wrote to memory of 216	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lArFOfs.exe
PID 1856 wrote to memory of 4112	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lxxLlqG.exe
PID 1856 wrote to memory of 4112	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lxxLlqG.exe
PID 1856 wrote to memory of 1800	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	ibRxKGb.exe
PID 1856 wrote to memory of 1800	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	ibRxKGb.exe
PID 1856 wrote to memory of 4484	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	DIxvFTe.exe
PID 1856 wrote to memory of 4484	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	DIxvFTe.exe
PID 1856 wrote to memory of 4900	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lgvuKXy.exe
PID 1856 wrote to memory of 4900	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	lgvuKXy.exe
PID 1856 wrote to memory of 2988	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	udpintH.exe
PID 1856 wrote to memory of 2988	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	udpintH.exe
PID 1856 wrote to memory of 3800	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	QOOWzPV.exe
PID 1856 wrote to memory of 3800	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	QOOWzPV.exe
PID 1856 wrote to memory of 696	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	HkzGvtb.exe
PID 1856 wrote to memory of 696	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	HkzGvtb.exe
PID 1856 wrote to memory of 2380	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	bNwsSYY.exe
PID 1856 wrote to memory of 2380	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	bNwsSYY.exe
PID 1856 wrote to memory of 8	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	UjCxQIb.exe
PID 1856 wrote to memory of 8	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	UjCxQIb.exe
PID 1856 wrote to memory of 3828	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	PUyWFKD.exe
PID 1856 wrote to memory of 3828	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	PUyWFKD.exe
PID 1856 wrote to memory of 1524	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	IPLRPpk.exe
PID 1856 wrote to memory of 1524	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	IPLRPpk.exe
PID 1856 wrote to memory of 4244	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	IDjlWPK.exe
PID 1856 wrote to memory of 4244	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	IDjlWPK.exe
PID 1856 wrote to memory of 4804	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	qLYjdyY.exe
PID 1856 wrote to memory of 4804	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	qLYjdyY.exe
PID 1856 wrote to memory of 2092	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	mWpRNbF.exe
PID 1856 wrote to memory of 2092	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	mWpRNbF.exe
PID 1856 wrote to memory of 1936	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	uOEPQNV.exe
PID 1856 wrote to memory of 1936	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	uOEPQNV.exe
PID 1856 wrote to memory of 852	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	EcIUEpr.exe
PID 1856 wrote to memory of 852	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	EcIUEpr.exe
PID 1856 wrote to memory of 3672	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	JBSNeDv.exe
PID 1856 wrote to memory of 3672	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	JBSNeDv.exe
PID 1856 wrote to memory of 684	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	BxtJtHy.exe
PID 1856 wrote to memory of 684	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	BxtJtHy.exe
PID 1856 wrote to memory of 4836	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	xbKyDNM.exe
PID 1856 wrote to memory of 4836	1856	2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe	xbKyDNM.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Windows\System\CfZNQnK.exe
C:\Windows\System\CfZNQnK.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\System\lArFOfs.exe
C:\Windows\System\lArFOfs.exe
2⤵
- Executes dropped EXE
PID:216

C:\Windows\System\lxxLlqG.exe
C:\Windows\System\lxxLlqG.exe
2⤵
- Executes dropped EXE
PID:4112

C:\Windows\System\ibRxKGb.exe
C:\Windows\System\ibRxKGb.exe
2⤵
- Executes dropped EXE
PID:1800

C:\Windows\System\DIxvFTe.exe
C:\Windows\System\DIxvFTe.exe
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\System\lgvuKXy.exe
C:\Windows\System\lgvuKXy.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Windows\System\udpintH.exe
C:\Windows\System\udpintH.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\System\QOOWzPV.exe
C:\Windows\System\QOOWzPV.exe
2⤵
- Executes dropped EXE
PID:3800

C:\Windows\System\HkzGvtb.exe
C:\Windows\System\HkzGvtb.exe
2⤵
- Executes dropped EXE
PID:696

C:\Windows\System\bNwsSYY.exe
C:\Windows\System\bNwsSYY.exe
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\System\UjCxQIb.exe
C:\Windows\System\UjCxQIb.exe
2⤵
- Executes dropped EXE
PID:8

C:\Windows\System\PUyWFKD.exe
C:\Windows\System\PUyWFKD.exe
2⤵
- Executes dropped EXE
PID:3828

C:\Windows\System\IPLRPpk.exe
C:\Windows\System\IPLRPpk.exe
2⤵
- Executes dropped EXE
PID:1524

C:\Windows\System\IDjlWPK.exe
C:\Windows\System\IDjlWPK.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\System\qLYjdyY.exe
C:\Windows\System\qLYjdyY.exe
2⤵
- Executes dropped EXE
PID:4804

C:\Windows\System\mWpRNbF.exe
C:\Windows\System\mWpRNbF.exe
2⤵
- Executes dropped EXE
PID:2092

C:\Windows\System\uOEPQNV.exe
C:\Windows\System\uOEPQNV.exe
2⤵
- Executes dropped EXE
PID:1936

C:\Windows\System\EcIUEpr.exe
C:\Windows\System\EcIUEpr.exe
2⤵
- Executes dropped EXE
PID:852

C:\Windows\System\JBSNeDv.exe
C:\Windows\System\JBSNeDv.exe
2⤵
- Executes dropped EXE
PID:3672

C:\Windows\System\BxtJtHy.exe
C:\Windows\System\BxtJtHy.exe
2⤵
- Executes dropped EXE
PID:684

C:\Windows\System\xbKyDNM.exe
C:\Windows\System\xbKyDNM.exe
2⤵
- Executes dropped EXE
PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BxtJtHy.exe
Filesize
5.9MB

MD5
dce428eb10f06dca23ff514a02b81d21

SHA1
af84974a137d1042230fcd962cfe8ea30285022b

SHA256
eb9597ae1a7cd40c7f65d95f0d1aee27d9c13cad7b5d89f4df171f79e25a5d61

SHA512
778177c73ccbec763d20fbdb6b734808009fa9d56326a8c4eadb76224992958c230714c3c221cc17a21368bff9dd41746ef0237508b008fbe477782090264517

Download Submit
C:\Windows\System\CfZNQnK.exe
Filesize
5.9MB

MD5
746425482d0f6f1dac4144e8907344aa

SHA1
beab0915691e5ff7ca3dd8fd78c4cf166958307b

SHA256
4fee7a17e99f56702983c1130d10d7b497887c57b7197e953c197806664f91ae

SHA512
daa47f0f0128b7a7572602aaab575d1cdbdf32fdc54640b5f7336a7b3efa670859048584f3dbffed12d8152592884392c9381a9fccdc8b56b2283c9906375525

Download Submit
C:\Windows\System\DIxvFTe.exe
Filesize
5.9MB

MD5
64ff37cc6fdfd132ba60d9c10f1725d8

SHA1
342cf2c46a81459bb57c77dbfef890899763504c

SHA256
b26183b3ee0845351f77be3f76a4ef9e86ee51eaec8b83cc7f567893a14bc9d6

SHA512
3b2005c4a8a20ce2875fd28f2064ef860ecf209f206ec59b70b34a3038a57ad24f02a8a65e10404f6938da8439f486e53ea603c46de1297f7a3dbbd5c8d5d7c0

Download Submit
C:\Windows\System\EcIUEpr.exe
Filesize
5.9MB

MD5
ac1a8b03921cbfc1adeae62b33459a0f

SHA1
99e12a35fafb7a08a6af7cc0efd8ac7741f11828

SHA256
bb8f3723e6c85bf4b163350f03a6a31235fb35d1622fd20563480fe6948655d5

SHA512
66c93acd34836ab33e2cacf9e37a406e4e99266c944412437ab65539fd8325bb962a214d1e71595137903192665b155a59f61195d9569b4beee69f92fd4ed5ab

Download Submit
C:\Windows\System\HkzGvtb.exe
Filesize
5.9MB

MD5
08c1139f923abedf05bbe2fccf2d9a9d

SHA1
cc1a2bd5dd35b92931f48a028a7f3fe5f3a0ba0f

SHA256
48bd0c6a7aa2b44889b8ac599a77d8bd9bbd7b98686d34b5699d531366f27777

SHA512
e507205bbf4b52d159e94de70390c024574b7f7bcc63a386781bb6279e6ac48fd13ee92492418700a6e530819596fe65efea09adb29aeb4e090c03d887dcce20

Download Submit
C:\Windows\System\IDjlWPK.exe
Filesize
5.9MB

MD5
690813710b3b38659a56e2a6e8a63cd2

SHA1
7ffa5b6f7b87c3d76703e191a2d37bc5b1ef7083

SHA256
c6525db779992fec3ce2924d1892521b1c7a41846a4b979d8b52b6f67da76044

SHA512
d40c940fcac98e763e6613404f9930b667ae42ebb28a1498efd0fd1170ab3505351eb09130b51c552a153c633d860cb27fc2bad1a4d6c6fb06cfc218ffe6faf7

Download Submit
C:\Windows\System\IPLRPpk.exe
Filesize
5.9MB

MD5
c5cbeeefc2734c2e10a44ed1479a15c9

SHA1
ce2e3dadf548ad724113a58b159bba19666a8cbc

SHA256
130eb43a6cdda3ce7d5be72caf81519abd3f1289f11d8ee52329038165946868

SHA512
cebd9081fe3ba3c1ca7163109c132ec4fc9a9292b7d246b55326300e992e99e0fbf8a55659df63934f0880637dddff66e63720a9db5202713b446da2128e25fb

Download Submit
C:\Windows\System\JBSNeDv.exe
Filesize
5.9MB

MD5
18dadf48f67244adcbc9cea9244334cb

SHA1
2c8547d614251206d502a86e91efb0c317931d90

SHA256
4385338f440520ad8b92e8e618c534a739839637fe371f193ace438c5c1f89b5

SHA512
d560c1a3678ab46da888e6f51eb9385d94ea184654b82d60b4e0acc9f829f58cdd369e2ebd933152f6390f96af0f8ddb3d7df24039d67140f54dd7d25ce36d29

Download Submit
C:\Windows\System\PUyWFKD.exe
Filesize
5.9MB

MD5
c653ecab3dd9b61cb7203a1a03280991

SHA1
6185d15540a34c23dcd5228d015d32dc22ff10b8

SHA256
2158cf2341b344f5e9e5efd15392235db21ff165a416c5ec245dd09093667109

SHA512
926615ae01b1042aa496f24c63c40c06d2eb851ac1b86cd0fcb6c893daf8c7ef89822af55a34875fb6ee60ee89f788e6819d20ce8dfe9075ebe0130afc981c56

Download Submit
C:\Windows\System\QOOWzPV.exe
Filesize
5.9MB

MD5
715c76dfd6bbdfe2258147dbb60beee4

SHA1
3ac59cae8bb2f45333ea2e9a57513ad7760ce335

SHA256
d4c62a92588307f09b6e4b80e2d5b02c324955ce1b73d7cdd97331b666b9fa44

SHA512
b739fdfde3a66069222241c9b037a776a1e22bdf7f7ee4ac01630ba637c2199df2250c432a94462d3f0b4b77d4d4eb42e31b642a34892eb692af9a3c89b11f03

Download Submit
C:\Windows\System\UjCxQIb.exe
Filesize
5.9MB

MD5
877be9d28d652cf12ecfcba7585085da

SHA1
8cb358d29d4084ea4f1ad3e7c4e63a4291b3cba5

SHA256
c5c91ff5de6d3f5bc29293e10c09059757fe82401e763ac1f239bc27f921c328

SHA512
a1589eae517f9db82c88bea773da5f411ee70bd7be7a9883bfe2cef25d50027e58dbfb8af942d7bc1ba796b8a960d4ec39551f97c92bf01167e61d273fafc7cb

Download Submit
C:\Windows\System\bNwsSYY.exe
Filesize
5.9MB

MD5
64a15ab9a61862fd7a7753df08561e0b

SHA1
91d51a89e99f68bb8ad027f2af08035a22ea6865

SHA256
366517ab567c9e704b953f935a138b8feaa91f943011dbada938fa7827188220

SHA512
3896ef6584a6750fea22ddaf9318055747bbcc05b59b6c1bd857fb7159f97dd1a6e1a4eecc25c03dab68f618579c8c30d010a356e9ca8602c68fa1862b1717f5

Download Submit
C:\Windows\System\ibRxKGb.exe
Filesize
5.9MB

MD5
874ddb311bf0a8b40ba1e334db2f3caa

SHA1
ea62cfd81c162393355419997ae264e02579ca41

SHA256
72b02642352d087164cad5d87dabc0e107659d4d827f31aaab9b9b237af38e12

SHA512
b40897c09fc4d1c5122b539fba0dea192710b1a38f2d9941ba5c43e04ffec247e3c2a69412ce86efedd5eae0671c75192519b1ded5755fce0f4abda33828d995

Download Submit
C:\Windows\System\lArFOfs.exe
Filesize
5.9MB

MD5
1be78a059d107e9416e0ddeb01011846

SHA1
b220409523da2a19328fd470850e0bf9760147f2

SHA256
86d607ecc5aa9183a47298c1c5a3a71a6bfcfed20ae08471bbe297b6e1f9bba4

SHA512
793f1bf2ab29eaef6520e2768e967c79c24663fe198d067377d2c8a8bc9629080106e0b2214d7c690cb204f917cfbc4443157d46f87875f697c0184d7db66f5a

Download Submit
C:\Windows\System\lgvuKXy.exe
Filesize
5.9MB

MD5
b33caf9da8ff13a160e83c51745899c9

SHA1
ca371fb8d595549142ec99f6dfadff7b9030b142

SHA256
da405aed8c88ab6cd430c66aa3610656d05940738074e5aac8233f2846832e92

SHA512
1a8ab02d0af928376f124030b3850f1f991bec630089342a67ce4fdbc491ff7cfdcfb715d9aea6a3ccc5edf17c882bf3a49db862c8d163ce7d509ab5b1a202f2

Download Submit
C:\Windows\System\lxxLlqG.exe
Filesize
5.9MB

MD5
40957319aff686235be5e4833a3ac793

SHA1
89460689d818c327ee21c2207ac23c29bdec8980

SHA256
c93f6b30fee28b1aa6bb31705752031b34aa6eaca62b97b443421e3c5d20fd7a

SHA512
41e24b7f2ff673c32f7120c36771be332430a1cc42491ae17bf902f1650287f2b44be40c6d1a6b64493c4495a692028c284e335da327fe783cc2c64f773fb50c

Download Submit
C:\Windows\System\mWpRNbF.exe
Filesize
5.9MB

MD5
ed4b752d1a2ee16c18d4b4edc749f3c9

SHA1
01ba2b4fddda7eb7b15cf9a73ab07822b1fe7a18

SHA256
e1e2957faba04163671679560b536cc1b834ea546318b6ffe4ed14b883e384e9

SHA512
305bf186acf8f83037fa1b5b2cffc5feb5c3dbad18c918430ba98d3ae80767d45583a0b6e52347915cdd97afa7e090d6966ebe9ecbb166ff17c05063097f4917

Download Submit
C:\Windows\System\qLYjdyY.exe
Filesize
5.9MB

MD5
faf729392db6bf3f2956ea7f477ae501

SHA1
6a73989b4d193e7287eb50207af7911a8fca65fa

SHA256
35b4aadfbc9def1847542b0255b9be0476f81320e87e73fa50a083895531f2b0

SHA512
2dfaf28a26f9ed3cfba954cd33c63d504cff1a1c4dbdec4e498d50b344d1fe41c5add107e5e7f46c1bacf10170aff252fc855a6d29b45ee1517e7b956eec2ad7

Download Submit
C:\Windows\System\uOEPQNV.exe
Filesize
5.9MB

MD5
17ea6540cb51948b148691f90be60cfc

SHA1
2f44bcef6a41ac3a388a9345014afe0f0ae78386

SHA256
5e7fb2467e0993a0f9fb6876c4cf78d3991d3b44027e8b3a880ec2ccfd2564ab

SHA512
9820fcc1fc04cc6ea122dd5cd43ebe3b792d27421c2903f8bcaca5808007c49dbd1f844298619499074c145ab613cab213c4ddd1e14b2487e3132ebbf0a047d6

Download Submit
C:\Windows\System\udpintH.exe
Filesize
5.9MB

MD5
fb7271750bf1c25cbcb23d3564bd5ba8

SHA1
e50a160eaf84073d432e5a100cb785c545704aa4

SHA256
f67a387ef520e7c57b4413ce45cb91c3d21c75d75f7f417056533f02b9a84c25

SHA512
e4cb1c2b62c115d0753ce6779d37fc21c8b9950bc44e3ef73398e894910797f6bec771bbb0d1f8b3f5a21cf6b8e5dec3ef4add4b796a819ffc2c223e95773b22

Download Submit
C:\Windows\System\xbKyDNM.exe
Filesize
5.9MB

MD5
a6135aab6a9e90f2d7d34d9e3dc4eb1c

SHA1
8b466218bab68b465b905d915888eb903b345638

SHA256
6180107b22b850b149f72dff61b630e37ce11d60c1f50d346830f7238b375de6

SHA512
62bf40910bcdb901b6040bfec3209f51a4fe788925875036665d9e3d0df92443609f44b180c246bf7b3655887dc67cf3af32b0862ddde573458664e207b59135

Download Submit
memory/8-78-0x00007FF728860000-0x00007FF728BB4000-memory.dmp

Filesize
3.3MB

Download
memory/8-149-0x00007FF728860000-0x00007FF728BB4000-memory.dmp

Filesize
3.3MB

Download
memory/216-14-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

Filesize
3.3MB

Download
memory/216-140-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

Filesize
3.3MB

Download
memory/216-87-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp

Filesize
3.3MB

Download
memory/684-132-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp

Filesize
3.3MB

Download
memory/684-158-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp

Filesize
3.3MB

Download
memory/696-134-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

Filesize
3.3MB

Download
memory/696-57-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

Filesize
3.3MB

Download
memory/696-148-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp

Filesize
3.3MB

Download
memory/852-138-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

Filesize
3.3MB

Download
memory/852-115-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

Filesize
3.3MB

Download
memory/852-156-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp

Filesize
3.3MB

Download
memory/1524-91-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp

Filesize
3.3MB

Download
memory/1524-151-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp

Filesize
3.3MB

Download
memory/1708-8-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

Filesize
3.3MB

Download
memory/1708-139-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

Filesize
3.3MB

Download
memory/1708-74-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp

Filesize
3.3MB

Download
memory/1800-144-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp

Filesize
3.3MB

Download
memory/1800-26-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp

Filesize
3.3MB

Download
memory/1856-0-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1856-1-0x00000220244D0000-0x00000220244E0000-memory.dmp

Filesize
64KB

Download
memory/1856-63-0x00007FF62B560000-0x00007FF62B8B4000-memory.dmp

Filesize
3.3MB

Download
memory/1936-108-0x00007FF750510000-0x00007FF750864000-memory.dmp

Filesize
3.3MB

Download
memory/1936-154-0x00007FF750510000-0x00007FF750864000-memory.dmp

Filesize
3.3MB

Download
memory/2092-137-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

Filesize
3.3MB

Download
memory/2092-155-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

Filesize
3.3MB

Download
memory/2092-102-0x00007FF647DB0000-0x00007FF648104000-memory.dmp

Filesize
3.3MB

Download
memory/2380-65-0x00007FF6804C0000-0x00007FF680814000-memory.dmp

Filesize
3.3MB

Download
memory/2380-147-0x00007FF6804C0000-0x00007FF680814000-memory.dmp

Filesize
3.3MB

Download
memory/2988-45-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp

Filesize
3.3MB

Download
memory/2988-145-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp

Filesize
3.3MB

Download
memory/3672-130-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp

Filesize
3.3MB

Download
memory/3672-157-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp

Filesize
3.3MB

Download
memory/3800-146-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

Filesize
3.3MB

Download
memory/3800-133-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

Filesize
3.3MB

Download
memory/3800-51-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp

Filesize
3.3MB

Download
memory/3828-150-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

Filesize
3.3MB

Download
memory/3828-79-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

Filesize
3.3MB

Download
memory/3828-135-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp

Filesize
3.3MB

Download
memory/4112-141-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4112-96-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4112-19-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-152-0x00007FF753080000-0x00007FF7533D4000-memory.dmp

Filesize
3.3MB

Download
memory/4244-92-0x00007FF753080000-0x00007FF7533D4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-35-0x00007FF696400000-0x00007FF696754000-memory.dmp

Filesize
3.3MB

Download
memory/4484-143-0x00007FF696400000-0x00007FF696754000-memory.dmp

Filesize
3.3MB

Download
memory/4804-101-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

Filesize
3.3MB

Download
memory/4804-153-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

Filesize
3.3MB

Download
memory/4804-136-0x00007FF65F420000-0x00007FF65F774000-memory.dmp

Filesize
3.3MB

Download
memory/4836-131-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp

Filesize
3.3MB

Download
memory/4836-159-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp

Filesize
3.3MB

Download
memory/4900-112-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-37-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

Filesize
3.3MB

Download
memory/4900-142-0x00007FF747360000-0x00007FF7476B4000-memory.dmp

Filesize
3.3MB

Download