cobaltstrike | f23db5e1324925fdabb1c2f0d4f80edd5f6864055dc522d055de465429d540d9

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

acd2123db09fc7f4e221c6cfae4d1e65
SHA1

1120caab303834be53fc38a0b3b095259dd8aa19
SHA256

f23db5e1324925fdabb1c2f0d4f80edd5f6864055dc522d055de465429d540d9
SHA512

84046dc511faf50088071af6a1911261f4734840a63d1d1a57867f6fb0f94fcbff8796f749b1daf6d42e0403bb069997b7d244f5f6750e7c458172ab5bd9dd43
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUu:Q+856utgpPF8u/7u

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\XwwmErX.exe	cobalt_reflective_dll
C:\Windows\System\MLJtEmf.exe	cobalt_reflective_dll
C:\Windows\System\LJSUWJe.exe	cobalt_reflective_dll
C:\Windows\System\ocZPHol.exe	cobalt_reflective_dll
C:\Windows\System\TVkfMbl.exe	cobalt_reflective_dll
C:\Windows\System\nVymQWL.exe	cobalt_reflective_dll
C:\Windows\System\KXNglDg.exe	cobalt_reflective_dll
C:\Windows\System\oprNBfY.exe	cobalt_reflective_dll
C:\Windows\System\LkhTreQ.exe	cobalt_reflective_dll
C:\Windows\System\kAHbDCO.exe	cobalt_reflective_dll
C:\Windows\System\xRneixo.exe	cobalt_reflective_dll
C:\Windows\System\ThjjAdP.exe	cobalt_reflective_dll
C:\Windows\System\NQMAygA.exe	cobalt_reflective_dll
C:\Windows\System\gCHvdLW.exe	cobalt_reflective_dll
C:\Windows\System\wFgAGFH.exe	cobalt_reflective_dll
C:\Windows\System\HUSUApP.exe	cobalt_reflective_dll
C:\Windows\System\dHxiwLb.exe	cobalt_reflective_dll
C:\Windows\System\TZmpdwL.exe	cobalt_reflective_dll
C:\Windows\System\ejrMyEa.exe	cobalt_reflective_dll
C:\Windows\System\naokwSe.exe	cobalt_reflective_dll
C:\Windows\System\OMKoKoW.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4484-0-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp	xmrig
C:\Windows\System\XwwmErX.exe	xmrig
behavioral2/memory/2636-7-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	xmrig
C:\Windows\System\MLJtEmf.exe	xmrig
C:\Windows\System\LJSUWJe.exe	xmrig
behavioral2/memory/2748-14-0x00007FF714540000-0x00007FF714894000-memory.dmp	xmrig
behavioral2/memory/5040-23-0x00007FF726D00000-0x00007FF727054000-memory.dmp	xmrig
C:\Windows\System\ocZPHol.exe	xmrig
behavioral2/memory/4648-27-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	xmrig
C:\Windows\System\TVkfMbl.exe	xmrig
behavioral2/memory/4628-30-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	xmrig
C:\Windows\System\nVymQWL.exe	xmrig
C:\Windows\System\KXNglDg.exe	xmrig
behavioral2/memory/3900-44-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	xmrig
C:\Windows\System\oprNBfY.exe	xmrig
behavioral2/memory/4300-56-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp	xmrig
C:\Windows\System\LkhTreQ.exe	xmrig
C:\Windows\System\kAHbDCO.exe	xmrig
behavioral2/memory/4484-68-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp	xmrig
behavioral2/memory/1612-72-0x00007FF714950000-0x00007FF714CA4000-memory.dmp	xmrig
C:\Windows\System\xRneixo.exe	xmrig
behavioral2/memory/2444-73-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp	xmrig
behavioral2/memory/4060-69-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp	xmrig
C:\Windows\System\ThjjAdP.exe	xmrig
behavioral2/memory/4992-48-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	xmrig
behavioral2/memory/1212-38-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp	xmrig
behavioral2/memory/4200-85-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp	xmrig
C:\Windows\System\NQMAygA.exe	xmrig
behavioral2/memory/4648-94-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	xmrig
behavioral2/memory/988-95-0x00007FF647160000-0x00007FF6474B4000-memory.dmp	xmrig
C:\Windows\System\gCHvdLW.exe	xmrig
C:\Windows\System\wFgAGFH.exe	xmrig
behavioral2/memory/4028-86-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp	xmrig
behavioral2/memory/2636-80-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	xmrig
behavioral2/memory/556-112-0x00007FF65E770000-0x00007FF65EAC4000-memory.dmp	xmrig
behavioral2/memory/3900-110-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	xmrig
C:\Windows\System\HUSUApP.exe	xmrig
C:\Windows\System\dHxiwLb.exe	xmrig
behavioral2/memory/1124-113-0x00007FF630F30000-0x00007FF631284000-memory.dmp	xmrig
behavioral2/memory/4628-107-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	xmrig
C:\Windows\System\TZmpdwL.exe	xmrig
behavioral2/memory/3644-103-0x00007FF7B1550000-0x00007FF7B18A4000-memory.dmp	xmrig
C:\Windows\System\ejrMyEa.exe	xmrig
behavioral2/memory/384-121-0x00007FF6052B0000-0x00007FF605604000-memory.dmp	xmrig
C:\Windows\System\naokwSe.exe	xmrig
behavioral2/memory/4592-132-0x00007FF79ADA0000-0x00007FF79B0F4000-memory.dmp	xmrig
C:\Windows\System\OMKoKoW.exe	xmrig
behavioral2/memory/4992-127-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	xmrig
behavioral2/memory/820-133-0x00007FF772D90000-0x00007FF7730E4000-memory.dmp	xmrig
behavioral2/memory/4200-136-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp	xmrig
behavioral2/memory/2444-135-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp	xmrig
behavioral2/memory/1612-134-0x00007FF714950000-0x00007FF714CA4000-memory.dmp	xmrig
behavioral2/memory/4028-137-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp	xmrig
behavioral2/memory/1124-138-0x00007FF630F30000-0x00007FF631284000-memory.dmp	xmrig
behavioral2/memory/2636-139-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	xmrig
behavioral2/memory/2748-140-0x00007FF714540000-0x00007FF714894000-memory.dmp	xmrig
behavioral2/memory/5040-141-0x00007FF726D00000-0x00007FF727054000-memory.dmp	xmrig
behavioral2/memory/4648-142-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	xmrig
behavioral2/memory/4628-143-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	xmrig
behavioral2/memory/1212-144-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp	xmrig
behavioral2/memory/4300-145-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp	xmrig
behavioral2/memory/3900-146-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	xmrig
behavioral2/memory/4992-147-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	xmrig
behavioral2/memory/4060-148-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

XwwmErX.exeMLJtEmf.exeLJSUWJe.exeocZPHol.exeTVkfMbl.exenVymQWL.exeKXNglDg.exeThjjAdP.exeoprNBfY.exeLkhTreQ.exekAHbDCO.exexRneixo.exeNQMAygA.exewFgAGFH.exegCHvdLW.exeejrMyEa.exeTZmpdwL.exeHUSUApP.exedHxiwLb.exenaokwSe.exeOMKoKoW.exe

pid	process
2636	XwwmErX.exe
2748	MLJtEmf.exe
5040	LJSUWJe.exe
4648	ocZPHol.exe
4628	TVkfMbl.exe
1212	nVymQWL.exe
3900	KXNglDg.exe
4992	ThjjAdP.exe
4300	oprNBfY.exe
4060	LkhTreQ.exe
1612	kAHbDCO.exe
2444	xRneixo.exe
4200	NQMAygA.exe
4028	wFgAGFH.exe
988	gCHvdLW.exe
3644	ejrMyEa.exe
556	TZmpdwL.exe
1124	HUSUApP.exe
384	dHxiwLb.exe
4592	naokwSe.exe
820	OMKoKoW.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4484-0-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp	upx
C:\Windows\System\XwwmErX.exe	upx
behavioral2/memory/2636-7-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	upx
C:\Windows\System\MLJtEmf.exe	upx
C:\Windows\System\LJSUWJe.exe	upx
behavioral2/memory/2748-14-0x00007FF714540000-0x00007FF714894000-memory.dmp	upx
behavioral2/memory/5040-23-0x00007FF726D00000-0x00007FF727054000-memory.dmp	upx
C:\Windows\System\ocZPHol.exe	upx
behavioral2/memory/4648-27-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	upx
C:\Windows\System\TVkfMbl.exe	upx
behavioral2/memory/4628-30-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	upx
C:\Windows\System\nVymQWL.exe	upx
C:\Windows\System\KXNglDg.exe	upx
behavioral2/memory/3900-44-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	upx
C:\Windows\System\oprNBfY.exe	upx
behavioral2/memory/4300-56-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp	upx
C:\Windows\System\LkhTreQ.exe	upx
C:\Windows\System\kAHbDCO.exe	upx
behavioral2/memory/4484-68-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp	upx
behavioral2/memory/1612-72-0x00007FF714950000-0x00007FF714CA4000-memory.dmp	upx
C:\Windows\System\xRneixo.exe	upx
behavioral2/memory/2444-73-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp	upx
behavioral2/memory/4060-69-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp	upx
C:\Windows\System\ThjjAdP.exe	upx
behavioral2/memory/4992-48-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	upx
behavioral2/memory/1212-38-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp	upx
behavioral2/memory/4200-85-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp	upx
C:\Windows\System\NQMAygA.exe	upx
behavioral2/memory/4648-94-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	upx
behavioral2/memory/988-95-0x00007FF647160000-0x00007FF6474B4000-memory.dmp	upx
C:\Windows\System\gCHvdLW.exe	upx
C:\Windows\System\wFgAGFH.exe	upx
behavioral2/memory/4028-86-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp	upx
behavioral2/memory/2636-80-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	upx
behavioral2/memory/556-112-0x00007FF65E770000-0x00007FF65EAC4000-memory.dmp	upx
behavioral2/memory/3900-110-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	upx
C:\Windows\System\HUSUApP.exe	upx
C:\Windows\System\dHxiwLb.exe	upx
behavioral2/memory/1124-113-0x00007FF630F30000-0x00007FF631284000-memory.dmp	upx
behavioral2/memory/4628-107-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	upx
C:\Windows\System\TZmpdwL.exe	upx
behavioral2/memory/3644-103-0x00007FF7B1550000-0x00007FF7B18A4000-memory.dmp	upx
C:\Windows\System\ejrMyEa.exe	upx
behavioral2/memory/384-121-0x00007FF6052B0000-0x00007FF605604000-memory.dmp	upx
C:\Windows\System\naokwSe.exe	upx
behavioral2/memory/4592-132-0x00007FF79ADA0000-0x00007FF79B0F4000-memory.dmp	upx
C:\Windows\System\OMKoKoW.exe	upx
behavioral2/memory/4992-127-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	upx
behavioral2/memory/820-133-0x00007FF772D90000-0x00007FF7730E4000-memory.dmp	upx
behavioral2/memory/4200-136-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp	upx
behavioral2/memory/2444-135-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp	upx
behavioral2/memory/1612-134-0x00007FF714950000-0x00007FF714CA4000-memory.dmp	upx
behavioral2/memory/4028-137-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp	upx
behavioral2/memory/1124-138-0x00007FF630F30000-0x00007FF631284000-memory.dmp	upx
behavioral2/memory/2636-139-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp	upx
behavioral2/memory/2748-140-0x00007FF714540000-0x00007FF714894000-memory.dmp	upx
behavioral2/memory/5040-141-0x00007FF726D00000-0x00007FF727054000-memory.dmp	upx
behavioral2/memory/4648-142-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp	upx
behavioral2/memory/4628-143-0x00007FF712280000-0x00007FF7125D4000-memory.dmp	upx
behavioral2/memory/1212-144-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp	upx
behavioral2/memory/4300-145-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp	upx
behavioral2/memory/3900-146-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp	upx
behavioral2/memory/4992-147-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp	upx
behavioral2/memory/4060-148-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\nVymQWL.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXNglDg.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAHbDCO.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dHxiwLb.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OMKoKoW.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TVkfMbl.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkhTreQ.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xRneixo.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NQMAygA.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFgAGFH.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HUSUApP.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwwmErX.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCHvdLW.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejrMyEa.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\naokwSe.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MLJtEmf.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocZPHol.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ThjjAdP.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oprNBfY.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZmpdwL.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJSUWJe.exe	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4484 wrote to memory of 2636	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	XwwmErX.exe
PID 4484 wrote to memory of 2636	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	XwwmErX.exe
PID 4484 wrote to memory of 2748	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	MLJtEmf.exe
PID 4484 wrote to memory of 2748	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	MLJtEmf.exe
PID 4484 wrote to memory of 5040	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	LJSUWJe.exe
PID 4484 wrote to memory of 5040	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	LJSUWJe.exe
PID 4484 wrote to memory of 4648	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ocZPHol.exe
PID 4484 wrote to memory of 4648	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ocZPHol.exe
PID 4484 wrote to memory of 4628	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	TVkfMbl.exe
PID 4484 wrote to memory of 4628	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	TVkfMbl.exe
PID 4484 wrote to memory of 1212	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	nVymQWL.exe
PID 4484 wrote to memory of 1212	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	nVymQWL.exe
PID 4484 wrote to memory of 3900	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	KXNglDg.exe
PID 4484 wrote to memory of 3900	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	KXNglDg.exe
PID 4484 wrote to memory of 4992	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ThjjAdP.exe
PID 4484 wrote to memory of 4992	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ThjjAdP.exe
PID 4484 wrote to memory of 4300	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	oprNBfY.exe
PID 4484 wrote to memory of 4300	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	oprNBfY.exe
PID 4484 wrote to memory of 4060	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	LkhTreQ.exe
PID 4484 wrote to memory of 4060	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	LkhTreQ.exe
PID 4484 wrote to memory of 1612	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	kAHbDCO.exe
PID 4484 wrote to memory of 1612	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	kAHbDCO.exe
PID 4484 wrote to memory of 2444	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	xRneixo.exe
PID 4484 wrote to memory of 2444	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	xRneixo.exe
PID 4484 wrote to memory of 4200	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	NQMAygA.exe
PID 4484 wrote to memory of 4200	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	NQMAygA.exe
PID 4484 wrote to memory of 4028	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	wFgAGFH.exe
PID 4484 wrote to memory of 4028	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	wFgAGFH.exe
PID 4484 wrote to memory of 988	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	gCHvdLW.exe
PID 4484 wrote to memory of 988	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	gCHvdLW.exe
PID 4484 wrote to memory of 3644	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ejrMyEa.exe
PID 4484 wrote to memory of 3644	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	ejrMyEa.exe
PID 4484 wrote to memory of 556	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	TZmpdwL.exe
PID 4484 wrote to memory of 556	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	TZmpdwL.exe
PID 4484 wrote to memory of 1124	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	HUSUApP.exe
PID 4484 wrote to memory of 1124	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	HUSUApP.exe
PID 4484 wrote to memory of 384	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	dHxiwLb.exe
PID 4484 wrote to memory of 384	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	dHxiwLb.exe
PID 4484 wrote to memory of 4592	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	naokwSe.exe
PID 4484 wrote to memory of 4592	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	naokwSe.exe
PID 4484 wrote to memory of 820	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	OMKoKoW.exe
PID 4484 wrote to memory of 820	4484	2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe	OMKoKoW.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_acd2123db09fc7f4e221c6cfae4d1e65_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\System\XwwmErX.exe
C:\Windows\System\XwwmErX.exe
2⤵
- Executes dropped EXE
PID:2636

C:\Windows\System\MLJtEmf.exe
C:\Windows\System\MLJtEmf.exe
2⤵
- Executes dropped EXE
PID:2748

C:\Windows\System\LJSUWJe.exe
C:\Windows\System\LJSUWJe.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Windows\System\ocZPHol.exe
C:\Windows\System\ocZPHol.exe
2⤵
- Executes dropped EXE
PID:4648

C:\Windows\System\TVkfMbl.exe
C:\Windows\System\TVkfMbl.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Windows\System\nVymQWL.exe
C:\Windows\System\nVymQWL.exe
2⤵
- Executes dropped EXE
PID:1212

C:\Windows\System\KXNglDg.exe
C:\Windows\System\KXNglDg.exe
2⤵
- Executes dropped EXE
PID:3900

C:\Windows\System\ThjjAdP.exe
C:\Windows\System\ThjjAdP.exe
2⤵
- Executes dropped EXE
PID:4992

C:\Windows\System\oprNBfY.exe
C:\Windows\System\oprNBfY.exe
2⤵
- Executes dropped EXE
PID:4300

C:\Windows\System\LkhTreQ.exe
C:\Windows\System\LkhTreQ.exe
2⤵
- Executes dropped EXE
PID:4060

C:\Windows\System\kAHbDCO.exe
C:\Windows\System\kAHbDCO.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\xRneixo.exe
C:\Windows\System\xRneixo.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\NQMAygA.exe
C:\Windows\System\NQMAygA.exe
2⤵
- Executes dropped EXE
PID:4200

C:\Windows\System\wFgAGFH.exe
C:\Windows\System\wFgAGFH.exe
2⤵
- Executes dropped EXE
PID:4028

C:\Windows\System\gCHvdLW.exe
C:\Windows\System\gCHvdLW.exe
2⤵
- Executes dropped EXE
PID:988

C:\Windows\System\ejrMyEa.exe
C:\Windows\System\ejrMyEa.exe
2⤵
- Executes dropped EXE
PID:3644

C:\Windows\System\TZmpdwL.exe
C:\Windows\System\TZmpdwL.exe
2⤵
- Executes dropped EXE
PID:556

C:\Windows\System\HUSUApP.exe
C:\Windows\System\HUSUApP.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\System\dHxiwLb.exe
C:\Windows\System\dHxiwLb.exe
2⤵
- Executes dropped EXE
PID:384

C:\Windows\System\naokwSe.exe
C:\Windows\System\naokwSe.exe
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\System\OMKoKoW.exe
C:\Windows\System\OMKoKoW.exe
2⤵
- Executes dropped EXE
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1288,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4028 /prefetch:8
1⤵
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HUSUApP.exe
Filesize
5.9MB

MD5
137591d176b53b9cd2b54bb3082711a9

SHA1
0cf23636b19ee624cfc07e6686a5604010f3af6e

SHA256
44be7d7586dd2ed325f72cccadfa91422409d8d302d4565967742695a98f6bd1

SHA512
c74ad14efaebbbca3cd08ec00fb31d8178dfc93a220ad62a7cf6330b30adf57f927fb065c4338cd880b61d9230d69e1790e72a8903ffe69c2656345062a44ee5

Download Submit
C:\Windows\System\KXNglDg.exe
Filesize
5.9MB

MD5
f3d558dab16334b9109e38e949ef32b3

SHA1
698367a02e6d2c24e99711ea5436a8151d71752d

SHA256
e8e183550ada999d48c100c7605b65ad87f9bd35af4b966682f7f636ff8538a3

SHA512
2cc5bb826904836a9f213a456c7b66468bd4269835bb71b37ee3f9380ce9d6e2c21b1c73004eb0502dbe7db447c75a89675aa99fada330db5f4a66112195370d

Download Submit
C:\Windows\System\LJSUWJe.exe
Filesize
5.9MB

MD5
a2b5258cb9c1b99ad1e1f34e06260bbd

SHA1
26e4c641a12366c34406fd7acd235d32d3fddf3a

SHA256
2a391c9b7ec19c989e12add365c0baed3e78816e46af75dd0c3a71462d08f661

SHA512
b5e6354ca2ef5e209244aa8e831c6b1804f36383c0d0f10bed88796db64fecb415d89a289d1e5aac2b4036c6899b6faf352b704ff80d3c274fe7a2f04f3bad84

Download Submit
C:\Windows\System\LkhTreQ.exe
Filesize
5.9MB

MD5
0e155caa4fda5fe333b493e90382be15

SHA1
0ebb1c8c1493634b1bc4cce15550ba76dabc5f7a

SHA256
45d02011e9d37721764a687d9d5c89293d7639d30275bae1ce23385a3a91420c

SHA512
6f2151e3191697741d6071dc1cf9fada5b41cc2abbc66301245626fd6975a1065c8320881b47bd0d60579a291f38c0dd631b26e52b4d38eda220778e3c97a059

Download Submit
C:\Windows\System\MLJtEmf.exe
Filesize
5.9MB

MD5
53864f665e6c1b3a0e437669d4697eab

SHA1
075055eba6ec23a4ff05049ce4cfa59bddf6ed43

SHA256
40d3af7ef5b5880f94712969aedd0cfad9e940b9ad46a028024742fa2d864c18

SHA512
69bf6c8323555252fbc1b0ca002adbf1fe1805771e5d71bcc452d2acbb84ddd16dca9cce62cf62563a983e214d0bafb0ad9e10a61a6a0496d46d0f2379434520

Download Submit
C:\Windows\System\NQMAygA.exe
Filesize
5.9MB

MD5
59d8c342098a25b3f0239e0e3954f3ba

SHA1
687df1eb6f7f398cbd589bdd1e24797ad3a4f3d2

SHA256
973cbd4c712efe6078e93fbc942a806e0045d23e384521a5addf65171abe6d18

SHA512
f688a863fb82dd942e02838f726e92ef56c717f03ab4fb1c43a7856b452a1d2e5188cf2fe7111ea92e59da0503da7a68f0efa5d1e0060fda7fbe0c9523844c1d

Download Submit
C:\Windows\System\OMKoKoW.exe
Filesize
5.9MB

MD5
5b3f383df2c126a705341bca6d708f26

SHA1
69b2fe2d77afc09ffc1781acaad49854f0a9dccb

SHA256
a6bdd6cb137362cd4d8c9999b547c9294c77487d14726942fe550844f7c0f37e

SHA512
d1e37dd72c83b9ef5ba8c7daa9cfd5153a9aa12731ccb5f0dc38de849465b1f67e3601ddb7104fdd37da94ad3dcbf70727fd72f659896d41349cce41459bf92f

Download Submit
C:\Windows\System\TVkfMbl.exe
Filesize
5.9MB

MD5
67a158aaa338fcbc6b520bce8c3f8cab

SHA1
baeb460cbfaac2dbdcda2099c4dc3c5a140117f8

SHA256
ccb31a00ef5c549bb9abddfa0345a4da016c36dbcf79c1d2d57c3877d0709df4

SHA512
ae9124e05efeb9954d82e7417bc990356a39603bca85a086d0b09db4b836ddd2a143623b0591819d78e02ad21dd3bee96f20867032488d6e384e37c0c6ff399a

Download Submit
C:\Windows\System\TZmpdwL.exe
Filesize
5.9MB

MD5
88cde8c25f4668e082f1f4a8a93062e4

SHA1
ec6df06eec76c5fe040f85166d16c39f726ac92b

SHA256
01ae35c740902b956d67bd2651328704689ecc1bb89bcd15cee2103cbf05726c

SHA512
d23a43687d0bf3f696a873ca74b070260fd0504550f96eea46214a2485824964067af339d8f4fde71b7161dd7d086f0c9fb028dc7458a0ee5c270b807b0e8aea

Download Submit
C:\Windows\System\ThjjAdP.exe
Filesize
5.9MB

MD5
b4811c30160b23d7077697f3482e3c3a

SHA1
9c6ae72ec3b6603e1e3ac2b9f8badce570e5683c

SHA256
a02b7d184add8b95f6fecdedb23acbdea263bcb67781939d28417440c5356724

SHA512
1f03cad93628d28e6832917117049488ddb78d3ea59b2b4a03190f792d8711ca8f71e136a107cced76bf001892600a15b0b13235fd8905206163ad102633f856

Download Submit
C:\Windows\System\XwwmErX.exe
Filesize
5.9MB

MD5
0d6cbc88cb38747a5b425f0c865d2ce9

SHA1
edf22cb00bfe04641171e0ed7987de3018476f1e

SHA256
fba59ce5fc3bd41db5158d6f2708b8467b1454cc14d3d25005079936d62deb09

SHA512
8291f4b1280d8c349205fc766a22cb0206b9e3ab4121978660c300ee8a2117a750758c15d67bf857283030e16ef13639f420c43238352e49202959aa682ee5a8

Download Submit
C:\Windows\System\dHxiwLb.exe
Filesize
5.9MB

MD5
8d29f3f2479d486d16a55977f3acc9ad

SHA1
a65e0ba86abe8d348eecb4f2e7c516144b22dad0

SHA256
69586babb4d68fed77b08060c799df7cabae17ebdc1739497575a1283357f558

SHA512
c05cfbddd540164f0f44dca2ce0a26fea13da4f473e00e488096ede45654affb82a9c4652fdd6d88ab551ad669b26991dbf0fcc9b7fcd8e687b7d5bf6e158f55

Download Submit
C:\Windows\System\ejrMyEa.exe
Filesize
5.9MB

MD5
61dff6a428f3b07c820cf18660787709

SHA1
2491936b3ee246c1e9e3d2a58e4158aaff0cbf8b

SHA256
b765afe25f3024e72558c332829530e99aab190520ff0596de45c90319fa2fb2

SHA512
bf6b2113dcd0085cd70a258da567e025c55dfb26eef7d629046b209cc1ea86c630a846ad9806f536e1b636d63eead0970e58cc5fc1c275fb2536694cfbe1ad14

Download Submit
C:\Windows\System\gCHvdLW.exe
Filesize
5.9MB

MD5
d9b4d736792068f62e5876733ce11331

SHA1
13c49eb17013d4ed1e8ca4f9e6d4736cedb7cc22

SHA256
bc290123927b5d64fe87586ce0c44b0c979f867288abb999b8196d3777d883e2

SHA512
c49cebbcdd9822a48619b564c493190a757fef09329db45bdfbcc807f80d21d22e0f5de97f8e59e117ae99b35487b2d26763b82f9059bd7a21a8e58cf6f2fa86

Download Submit
C:\Windows\System\kAHbDCO.exe
Filesize
5.9MB

MD5
2e780a3b6034f2dfec502190e986618a

SHA1
ccc5ba51b0d27a3fbaa33bb00f70c46c1b363f50

SHA256
4837fbaedc5eeaf7c5e02d5de1bd54a783604083b70b5794e6e9383a254fd5cc

SHA512
8cb9519355f4dbc4b8cd6bfd55aeec93cba45c35da8d14dd3a9db5c0cf63af20834469dd1dbd6e887457a04f68187b58daf69c9c1a176f07a01b816fd779c389

Download Submit
C:\Windows\System\nVymQWL.exe
Filesize
5.9MB

MD5
124dc11fdc513511f7b757999e3ed3dc

SHA1
dbd28d1af5718baf82d1d6665020caf0e9f91514

SHA256
1533ece2a56ebf52cc52fff529da09c8f21649ff1ff1d5da34a679d509ccaa06

SHA512
f16fbc084c9c71dc2bc2d9eb2adf0433f695677ff849024ed09f1b6de057e1e7aa0e6a2133bdc7b06f092608cadf5bfc4a9243c4616b528bc9dec997295e6215

Download Submit
C:\Windows\System\naokwSe.exe
Filesize
5.9MB

MD5
68ebedda8a39606dde174bb4a3ef2f7d

SHA1
051d8cf18631fec35e8425e2fe8af4d647b61a04

SHA256
a499ebfc23dd43dd6d3fdfc3a5c62873a7ab79b50b7d4711ed44836a68eec87e

SHA512
60f1b55fd029867fd1c8bbf1742a5170f5eb06a4f3ffe747a719a0b12b83eafed2b8160a2136aa2ea5d467b54b459860208564357233644553bd1d0f1b26a5a6

Download Submit
C:\Windows\System\ocZPHol.exe
Filesize
5.9MB

MD5
88a2c693324690187ffe7f9c19faf3d5

SHA1
10c1e5b905565252beb3e951023ea46cfe33ac8d

SHA256
fa2ec71eebeef30c351d37b070772b4ef4f39785b28d9733277f67e9e1c89d23

SHA512
027325a51f625db8492038f653d29afe01bcc739256a6a32b72231dc1ff5ea5555d687f5b5ba0599f6c70ce04b5a39450c19b43591e7aefe868d673a264e6c2a

Download Submit
C:\Windows\System\oprNBfY.exe
Filesize
5.9MB

MD5
edf5f1f80f3f472e1f925d5f0be86ac8

SHA1
016d61021f500d2a1704ce67d0bd96c2f2cf5cbc

SHA256
295f73e9675f7c096156fd86ad348e042b77724ad69666d95fd128c1e7a5671f

SHA512
7c7761ec445d4c95a38f15822ea72ace1fdcb65d6a180ad29c44ee61a0e9d51e419801cccfb90e0beb6224e6ff749eac3293cf858ac8bf983d30122e855f985b

Download Submit
C:\Windows\System\wFgAGFH.exe
Filesize
5.9MB

MD5
eb40bcc00a0323a8117501d008ee445e

SHA1
4394b0f609dbcae149b1691d2d3a7b0731beb359

SHA256
490b8d46c3f3a2519f3a4361484a40f68815e8c231017452eacb80e7d23d2d3b

SHA512
eba4592ce9ff1f8299ddabf5e70d1dc3507d5d5746e00c0516559278c3392a0e57ca5485379b79c7c632ed03eeedeac13ce604c0f0b4051642f947819d63cff6

Download Submit
C:\Windows\System\xRneixo.exe
Filesize
5.9MB

MD5
25457721ba8119ae74514b51ea3464c0

SHA1
d1b96cf522c8070792de241518b8a89a05124cf8

SHA256
97de0b93bf8897409a219b65aab812efa784eff67797e535de135710249728df

SHA512
3f09f944d4512d89c08fbc0045ac4341340f31f5b6261536cb64d5f0007c2d54412cc2155e27f8fb62d553184fad29ae297142098bbc81cad3a745ba4da2296f

Download Submit
memory/384-121-0x00007FF6052B0000-0x00007FF605604000-memory.dmp

Filesize
3.3MB

Download
memory/384-157-0x00007FF6052B0000-0x00007FF605604000-memory.dmp

Filesize
3.3MB

Download
memory/556-155-0x00007FF65E770000-0x00007FF65EAC4000-memory.dmp

Filesize
3.3MB

Download
memory/556-112-0x00007FF65E770000-0x00007FF65EAC4000-memory.dmp

Filesize
3.3MB

Download
memory/820-159-0x00007FF772D90000-0x00007FF7730E4000-memory.dmp

Filesize
3.3MB

Download
memory/820-133-0x00007FF772D90000-0x00007FF7730E4000-memory.dmp

Filesize
3.3MB

Download
memory/988-95-0x00007FF647160000-0x00007FF6474B4000-memory.dmp

Filesize
3.3MB

Download
memory/988-152-0x00007FF647160000-0x00007FF6474B4000-memory.dmp

Filesize
3.3MB

Download
memory/1124-113-0x00007FF630F30000-0x00007FF631284000-memory.dmp

Filesize
3.3MB

Download
memory/1124-156-0x00007FF630F30000-0x00007FF631284000-memory.dmp

Filesize
3.3MB

Download
memory/1124-138-0x00007FF630F30000-0x00007FF631284000-memory.dmp

Filesize
3.3MB

Download
memory/1212-38-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1212-144-0x00007FF70AC70000-0x00007FF70AFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-72-0x00007FF714950000-0x00007FF714CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-149-0x00007FF714950000-0x00007FF714CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-134-0x00007FF714950000-0x00007FF714CA4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-73-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-150-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2444-135-0x00007FF68B960000-0x00007FF68BCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2636-139-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp

Filesize
3.3MB

Download
memory/2636-80-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp

Filesize
3.3MB

Download
memory/2636-7-0x00007FF6BF8C0000-0x00007FF6BFC14000-memory.dmp

Filesize
3.3MB

Download
memory/2748-140-0x00007FF714540000-0x00007FF714894000-memory.dmp

Filesize
3.3MB

Download
memory/2748-14-0x00007FF714540000-0x00007FF714894000-memory.dmp

Filesize
3.3MB

Download
memory/3644-103-0x00007FF7B1550000-0x00007FF7B18A4000-memory.dmp

Filesize
3.3MB

Download
memory/3644-154-0x00007FF7B1550000-0x00007FF7B18A4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-110-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-146-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp

Filesize
3.3MB

Download
memory/3900-44-0x00007FF6A1160000-0x00007FF6A14B4000-memory.dmp

Filesize
3.3MB

Download
memory/4028-86-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp

Filesize
3.3MB

Download
memory/4028-137-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp

Filesize
3.3MB

Download
memory/4028-153-0x00007FF6EC8E0000-0x00007FF6ECC34000-memory.dmp

Filesize
3.3MB

Download
memory/4060-69-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp

Filesize
3.3MB

Download
memory/4060-148-0x00007FF69A1C0000-0x00007FF69A514000-memory.dmp

Filesize
3.3MB

Download
memory/4200-151-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp

Filesize
3.3MB

Download
memory/4200-136-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp

Filesize
3.3MB

Download
memory/4200-85-0x00007FF6C5D10000-0x00007FF6C6064000-memory.dmp

Filesize
3.3MB

Download
memory/4300-56-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp

Filesize
3.3MB

Download
memory/4300-145-0x00007FF6C4D90000-0x00007FF6C50E4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-0-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4484-1-0x00000226C26E0000-0x00000226C26F0000-memory.dmp

Filesize
64KB

Download
memory/4484-68-0x00007FF63ABA0000-0x00007FF63AEF4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-158-0x00007FF79ADA0000-0x00007FF79B0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4592-132-0x00007FF79ADA0000-0x00007FF79B0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-30-0x00007FF712280000-0x00007FF7125D4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-107-0x00007FF712280000-0x00007FF7125D4000-memory.dmp

Filesize
3.3MB

Download
memory/4628-143-0x00007FF712280000-0x00007FF7125D4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-142-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-94-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4648-27-0x00007FF766C70000-0x00007FF766FC4000-memory.dmp

Filesize
3.3MB

Download
memory/4992-127-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp

Filesize
3.3MB

Download
memory/4992-48-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp

Filesize
3.3MB

Download
memory/4992-147-0x00007FF7F18D0000-0x00007FF7F1C24000-memory.dmp

Filesize
3.3MB

Download
memory/5040-23-0x00007FF726D00000-0x00007FF727054000-memory.dmp

Filesize
3.3MB

Download
memory/5040-141-0x00007FF726D00000-0x00007FF727054000-memory.dmp

Filesize
3.3MB

Download