cobaltstrike | dc4378994fa084346aed82ad5f75ae2ee8e1131d67daf86bf3b83d35a0c3b063

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 14:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a8906e6b789ed395a4bde3f0d7e06590
SHA1

f0825df64b10e57a0d438deb170b186061d07e62
SHA256

dc4378994fa084346aed82ad5f75ae2ee8e1131d67daf86bf3b83d35a0c3b063
SHA512

81b77f7227b84aaca6084f2467500ee6821184fcaefa4659324d58905172339ac3832a263f788a3282b267ca1801dd7d6cc59f54e85993b1a1912df58d73c539
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibf56utgpPFotBER/mQ32lUX

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012286-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015e4e-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f37-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f4d-21.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000160d9-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015fa5-25.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000162e3-37.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dbd-96.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016de2-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df2-124.dat	cobalt_reflective_dll
behavioral1/files/0x0033000000015d87-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df7-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dec-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dd8-113.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dcf-104.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d92-80.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016da7-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d72-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d76-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6e-53.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016140-40.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2824-27-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/568-77-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/3016-137-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2180-97-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2824-92-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2428-91-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2180-90-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/1920-67-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/1840-66-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2596-59-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2180-58-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2708-57-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/2696-55-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2856-52-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2936-50-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2940-32-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2448-138-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2692-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2180-141-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/340-157-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2180-163-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/1824-161-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/768-160-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/3008-159-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1624-158-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/1168-156-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2036-162-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2180-164-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2824-224-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2940-227-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2936-228-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2856-232-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2696-231-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2596-234-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2708-236-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/1840-238-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/3016-244-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/1920-242-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/568-240-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2428-246-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2448-254-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2692-258-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2824	xUBNVDa.exe
2940	KuiPwdb.exe
2936	vZCxthD.exe
2856	cavOukh.exe
2696	kcdFXAj.exe
2708	HbKfLhv.exe
2596	QRDYVTo.exe
1840	JHlcIam.exe
1920	vLwKAAh.exe
3016	iifQGOG.exe
568	hHaVXqq.exe
2448	XsFIkMJ.exe
2428	AVFqxCV.exe
2692	XCPGcRo.exe
1168	HCQEhDT.exe
1624	hvWxmyL.exe
340	GcFqLKc.exe
768	tEXaVXT.exe
2036	nhsOWoT.exe
3008	JsxrKzS.exe
1824	lrBgatz.exe

Loads dropped DLL 21 IoCs

pid	Process
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2180-0-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/files/0x000a000000012286-6.dat	upx
behavioral1/files/0x0008000000015e4e-8.dat	upx
behavioral1/files/0x0007000000015f37-15.dat	upx
behavioral1/files/0x0007000000015f4d-21.dat	upx
behavioral1/memory/2824-27-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/files/0x00070000000160d9-29.dat	upx
behavioral1/files/0x0007000000015fa5-25.dat	upx
behavioral1/files/0x00080000000162e3-37.dat	upx
behavioral1/memory/3016-69-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/568-77-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2448-83-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/files/0x0006000000016dbd-96.dat	upx
behavioral1/files/0x0006000000016de2-133.dat	upx
behavioral1/files/0x0006000000016df2-124.dat	upx
behavioral1/files/0x0033000000015d87-119.dat	upx
behavioral1/files/0x0006000000016df7-130.dat	upx
behavioral1/files/0x0006000000016dec-122.dat	upx
behavioral1/memory/3016-137-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2692-98-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/files/0x0006000000016dd8-113.dat	upx
behavioral1/files/0x0006000000016dcf-104.dat	upx
behavioral1/memory/2824-92-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2428-91-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2180-90-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/files/0x0006000000016d92-80.dat	upx
behavioral1/files/0x0006000000016da7-86.dat	upx
behavioral1/files/0x0006000000016d72-68.dat	upx
behavioral1/memory/1920-67-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/1840-66-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2596-59-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2708-57-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/files/0x0006000000016d76-72.dat	upx
behavioral1/memory/2696-55-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/files/0x0006000000016d6e-53.dat	upx
behavioral1/memory/2856-52-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2936-50-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/files/0x0009000000016140-40.dat	upx
behavioral1/memory/2940-32-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2448-138-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2692-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2180-141-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/340-157-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/1824-161-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/768-160-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/3008-159-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/1624-158-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/1168-156-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2036-162-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2180-164-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/2824-224-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2940-227-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2936-228-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2856-232-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2696-231-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2596-234-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2708-236-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/1840-238-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/3016-244-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/1920-242-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/568-240-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2428-246-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2448-254-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2692-258-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xUBNVDa.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vZCxthD.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcdFXAj.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XsFIkMJ.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AVFqxCV.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsxrKzS.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KuiPwdb.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HbKfLhv.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HCQEhDT.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tEXaVXT.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hHaVXqq.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCPGcRo.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcFqLKc.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hvWxmyL.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lrBgatz.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cavOukh.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QRDYVTo.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vLwKAAh.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JHlcIam.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iifQGOG.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nhsOWoT.exe	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2180 wrote to memory of 2824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2180 wrote to memory of 2824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2180 wrote to memory of 2940	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2180 wrote to memory of 2940	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2180 wrote to memory of 2940	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2180 wrote to memory of 2936	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2180 wrote to memory of 2936	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2180 wrote to memory of 2936	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2180 wrote to memory of 2856	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2180 wrote to memory of 2856	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2180 wrote to memory of 2856	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2180 wrote to memory of 2696	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2180 wrote to memory of 2696	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2180 wrote to memory of 2696	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2180 wrote to memory of 2708	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2180 wrote to memory of 2708	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2180 wrote to memory of 2708	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2180 wrote to memory of 2596	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2180 wrote to memory of 2596	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2180 wrote to memory of 2596	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2180 wrote to memory of 1920	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2180 wrote to memory of 1920	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2180 wrote to memory of 1920	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2180 wrote to memory of 1840	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2180 wrote to memory of 1840	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2180 wrote to memory of 1840	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2180 wrote to memory of 3016	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2180 wrote to memory of 3016	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2180 wrote to memory of 3016	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2180 wrote to memory of 568	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2180 wrote to memory of 568	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2180 wrote to memory of 568	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2180 wrote to memory of 2448	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2180 wrote to memory of 2448	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2180 wrote to memory of 2448	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2180 wrote to memory of 2428	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2180 wrote to memory of 2428	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2180 wrote to memory of 2428	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2180 wrote to memory of 2692	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2180 wrote to memory of 2692	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2180 wrote to memory of 2692	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2180 wrote to memory of 1168	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2180 wrote to memory of 1168	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2180 wrote to memory of 1168	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2180 wrote to memory of 340	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2180 wrote to memory of 340	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2180 wrote to memory of 340	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2180 wrote to memory of 1624	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2180 wrote to memory of 1624	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2180 wrote to memory of 1624	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2180 wrote to memory of 3008	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2180 wrote to memory of 3008	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2180 wrote to memory of 3008	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2180 wrote to memory of 768	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2180 wrote to memory of 768	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2180 wrote to memory of 768	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2180 wrote to memory of 1824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2180 wrote to memory of 1824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2180 wrote to memory of 1824	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2180 wrote to memory of 2036	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2180 wrote to memory of 2036	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2180 wrote to memory of 2036	2180	2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_a8906e6b789ed395a4bde3f0d7e06590_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System\xUBNVDa.exe
  C:\Windows\System\xUBNVDa.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\KuiPwdb.exe
  C:\Windows\System\KuiPwdb.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\vZCxthD.exe
  C:\Windows\System\vZCxthD.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\cavOukh.exe
  C:\Windows\System\cavOukh.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\kcdFXAj.exe
  C:\Windows\System\kcdFXAj.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\HbKfLhv.exe
  C:\Windows\System\HbKfLhv.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\QRDYVTo.exe
  C:\Windows\System\QRDYVTo.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\vLwKAAh.exe
  C:\Windows\System\vLwKAAh.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\JHlcIam.exe
  C:\Windows\System\JHlcIam.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\iifQGOG.exe
  C:\Windows\System\iifQGOG.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\hHaVXqq.exe
  C:\Windows\System\hHaVXqq.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\XsFIkMJ.exe
  C:\Windows\System\XsFIkMJ.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\AVFqxCV.exe
  C:\Windows\System\AVFqxCV.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\XCPGcRo.exe
  C:\Windows\System\XCPGcRo.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\HCQEhDT.exe
  C:\Windows\System\HCQEhDT.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\GcFqLKc.exe
  C:\Windows\System\GcFqLKc.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\hvWxmyL.exe
  C:\Windows\System\hvWxmyL.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\JsxrKzS.exe
  C:\Windows\System\JsxrKzS.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\tEXaVXT.exe
  C:\Windows\System\tEXaVXT.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\lrBgatz.exe
  C:\Windows\System\lrBgatz.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\nhsOWoT.exe
  C:\Windows\System\nhsOWoT.exe
  2⤵
  - Executes dropped EXE
  PID:2036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AVFqxCV.exe

Filesize
5.2MB

MD5
7bf977225e7d46c19f2c2a0b9ca79e7a

SHA1
3dee46166e0ac7682dfcdd0a8cf503d1116b4f74

SHA256
99290915992b5f091274011e7341fac36ede5c725b0317eb823d51595ff038e2

SHA512
e10b28abc497d8637c0303af2f70b27f912a5b698f3a9a7b8e027ad577dcf9936733035baeab95c20704b54fd66809b862ff7a6bb7aa393c0fa51e16d30f31b3

Download Submit
C:\Windows\system\GcFqLKc.exe

Filesize
5.2MB

MD5
14467592f79a77ee1217d3d9c29cc255

SHA1
1b922baa6a2c49a77cff9c32986b96d308f91bab

SHA256
54af10b0e9ae3544500141e36daa732cc1e443baa98d25b98ba618e161baa3b1

SHA512
7cc9351e64d1265199e59d0045dcc825b65e1972efa868ce38cdf85dcf7d142c3c7f72251cec4a4a6e7f2d6b1800e95ec4616723c1367509230b54e5774840cc

Download Submit
C:\Windows\system\HCQEhDT.exe

Filesize
5.2MB

MD5
ac4536b607a8b9b1af41e8b71b6162e5

SHA1
83e4a309f0981cb5dfb21dcd90906d13173e2eb9

SHA256
e01ef8b0d6bdc0632fa51d290a3fa712f9fbaf822b73879bac40b2a1a3ec69b7

SHA512
4a511f685458a1a913f7aaaf67d2c6b2c3f8af4ee00bb3a709f12ab7056d40a2a22ae1c0dd11d087c06e81afc2e946415329b4895f4157e11c0d2e0b03a3c689

Download Submit
C:\Windows\system\JHlcIam.exe

Filesize
5.2MB

MD5
2616ab68c5af5f87d4d575c8b85b20fc

SHA1
35416eccb7b473ce0ae885862de4683cd5eb032b

SHA256
255e5070723903b3a4bb48ac0143496430f141cc5754632b8ab45a035a310109

SHA512
f2dbabe4bfd5261262df1cf56eaf1b35438ac7fceb08b3b7eee0bba49c776347cfa94dbdaad8158978d339fbda7d62e592f3bd1237b7c6adf4ed3fe1e29cd9db

Download Submit
C:\Windows\system\JsxrKzS.exe

Filesize
5.2MB

MD5
afba854f945b4f6ddb71c7e43339f884

SHA1
1fda945410fb53b400e2c3087a25f95314a28a97

SHA256
01329d15c70b573cba610659af2b07e74b299cdeef01dcf81bdfe3f67cfb462a

SHA512
e75792cbc6b6671de625b1d6973efd5be2fc0049e4fb262d3bf540ddfb67101a74c2e8f44229cf2c1eb9a2b433b2b3428d9e72cd4a67d684769b626e39dd5dcd

Download Submit
C:\Windows\system\QRDYVTo.exe

Filesize
5.2MB

MD5
7082e78200f4153b08cbc3f420ed3574

SHA1
a40ae7900cc1f58bd16fd867dcc73f982159fb64

SHA256
7f2a1f4f24c5d660ae293ecdf88f6e18e35472a8c35bcf4f953f843c959a2025

SHA512
042beacf2c837a1c87df9ce5a7ceaad40a147418825da83f17b4168380e5c698dca8b7491626f0f0f4660b2848a00968d21041bcafa217fa33572ac7d9332af0

Download Submit
C:\Windows\system\XCPGcRo.exe

Filesize
5.2MB

MD5
2ea55b96e22e4f8d98a5a8584dac554f

SHA1
aecf5cc48d3ed4d0476589a4bb2d70822ed97ea9

SHA256
383c368746f897099629574f681c6d1b5c66f88997459f05e42d0d71ef7c3c45

SHA512
eb9ff618ca92ce5653efd8c912d39ec85c4dc5d2cdca21f9221f1d4aa1221c2bc64235a11b0fa37c96150fd029f986e01eadbe2f24a2503ad1444e9cc5f53d07

Download Submit
C:\Windows\system\XsFIkMJ.exe

Filesize
5.2MB

MD5
d5b928bc98521aaf71bbf3c51aa62171

SHA1
c0d1d76f80032c8bf776b24fbd6b1ed888af06dd

SHA256
7624303f036be299438b69b60d561a6246812d781e4c0403146b360a2ad6ff2b

SHA512
47e47d4963e3ed30d03b9732fbec9f7b046adf03036b854670622562a9cc5b831dc53e6455ebc0bd3bcf6b51d124c8204e6c22bafe5bfd419fe99302810e5da1

Download Submit
C:\Windows\system\cavOukh.exe

Filesize
5.2MB

MD5
209f4b919fdde025999c4c99074b4eb3

SHA1
0707fc1d49174601a3f78ff0ce76b54c435c1956

SHA256
d5555021f77a65b6aa3c8baaea811168de4863ec96e02ffa7a541a73e326c1d4

SHA512
b6da0c2d391b6f76b0b2c28e38e8b6d409f40b7673f476ed32ebbaf759aec045eff8859994dcd890fdabef1cec9f03aed53f8e44855a390fa679d214d7837776

Download Submit
C:\Windows\system\hHaVXqq.exe

Filesize
5.2MB

MD5
b0e76552bc0c426214ec2dae71ad0476

SHA1
7ef7280347032bee7448b2fb13f08c7fbbb228fd

SHA256
b3ca6e6ac59a3cfce8e4d0f4e79ebba7756343d3c8feb7528a0590e4d4f805dd

SHA512
79296a3bdcbc0c79b7e9789ba0607745bcf3172e63e2790839290b757d3bffcfbacd4c0c530808f83fcb09ce7a5051bb16a82ee41da480c083f59cb93fa02754

Download Submit
C:\Windows\system\hvWxmyL.exe

Filesize
5.2MB

MD5
d92fb4cac1df48520c155deb601b06b6

SHA1
92a54e497f629851ab925b7f3e131db84bb7eece

SHA256
0d44d125ceb0a837f7eb1d94f367fe9d96826f25d09ec2e70e698a039aae16f5

SHA512
0c394a4b9406e32c353491d77ce67feb794ca5a9de5bd4a94d2d0b20d2092180c9f0dd6641b8f9fbd30df72b3d98da69f82c791d45486f8b6943d9cb61a685e2

Download Submit
C:\Windows\system\iifQGOG.exe

Filesize
5.2MB

MD5
91a2d600c38aa09dddd0bf8a8adae359

SHA1
c3f65018639327f8cbc16ab4c86894b9e852317f

SHA256
b7b22ff89b48f590902af615b168b7893f26d57f56ee0bd49edb9b8ca6829cd2

SHA512
a2b676a11f9eb142067af0258adbe5e843405a7b9c394cd852eaeef74f1c31060b2a136128a1ac9cdee49599dc88fa94902f0947d27f291c1f7e602bcbd6137c

Download Submit
C:\Windows\system\kcdFXAj.exe

Filesize
5.2MB

MD5
169e5babfc6960bd572140c94c206e2a

SHA1
e4341a8b40e5e398844447a4f676b2a26932f17a

SHA256
405661f4692b55add6357b78218b9f1078083389d76c436c72753576f56f7f1c

SHA512
5e08b472c0d60e2fc387a1fc92a39a9e8f39c87ef621cff49be3f6e3fdf9f117d7a5154e7d246b426351f421980804d5896df7e7a220528e5ed08762156ddd05

Download Submit
C:\Windows\system\nhsOWoT.exe

Filesize
5.2MB

MD5
4ce0c09a999255ea0d5a34c3ad38c946

SHA1
d4bb375854602e3a0dae260c8704e927a7d65ac4

SHA256
087dfee813968d015e6f77c574389266244d72af3839459b4ad3e57b1f8533f5

SHA512
4df2809b115e68062faa50e3c6d970e6b4b51862691fd7ce57dcf657e6f8036f6e2820213e835e6fee5307d412d282254a9c681f6075e535c37e5f12778d246a

Download Submit
C:\Windows\system\tEXaVXT.exe

Filesize
5.2MB

MD5
726b318120563925750d8c0088b6e8b1

SHA1
a12c359caaedeaa744f9950a535eca31f0dc663b

SHA256
4db475d7d6231423c726b08bf5b1d23cf1e260c1adb5dcd2c6ad5e4674b2d7cb

SHA512
42c642bde94e6ea98ffe2d87b6edf35febf6b2ba695f3be08a3da6e7de29870a1fb7bd70bd5ecd4b729ab52c888e66630a0a3003e6325f27c145bd0129b9ddc9

Download Submit
C:\Windows\system\vZCxthD.exe

Filesize
5.2MB

MD5
846037ee55d83ed56325b27a85579186

SHA1
fbf9ffeef0aa448bc287c6d14bf163f300358af2

SHA256
eb2b8104dede466c8bd75f9d58e2e38ff0ae514136b37ee2b9838372ac50b5c1

SHA512
7a3140d124fc0527ed3d88d424f6f3814b79c78e8b455ee7b98d4b64cc3101e340e9b1147e958d381d983549489f3907d3600da4a864675d2cea7ea0896c89c6

Download Submit
C:\Windows\system\xUBNVDa.exe

Filesize
5.2MB

MD5
17e748cea3598c3eee2949896a1b450e

SHA1
9a9e569f32476b7b1dd9d6cc1b3dac5ec516a993

SHA256
abb4e699f60fbc7388905bc159f0af1619daadaa7c19310d750606f431068df9

SHA512
1065ff293f1581ff861a75d50687ce2b7882a021651f0a68a6d678cdccba31bb8e3c438acd2f1583e7a0d078c98e4df69f4da0ac579a8e7a4a39c85fdab38833

Download Submit
\Windows\system\HbKfLhv.exe

Filesize
5.2MB

MD5
5bc16c3289aecc659524c055ab848e07

SHA1
9f660bbf1569bf266e50c08901561a1802d478f9

SHA256
faed0c3bb2e9d8379c747ec49b3cc297ff771432a37f5ec37860ab0ece34aef8

SHA512
91e76642d2927c1e5c9d808c2f5e8c4869fb34799697df445329add2a3b2825cbed788d8cea2a1129edeb9ffac340ec50271b269299a31c2c596adcc0bfe1a91

Download Submit
\Windows\system\KuiPwdb.exe

Filesize
5.2MB

MD5
c0110df6d3a90336c9bdba4ec9a00f38

SHA1
31a2044b31bb8f0ec87fe86cb8af2658179c24b6

SHA256
19a1e928795ea928446c44b99c98b2c868d1d31d1afb38c5a33fa7ae17dd1726

SHA512
d16ee6d47a2bdde311365a65c9f2dc640a34ac111d9dd20550563eb0668b8d26a232ee0a980fcecbe6662c9a0f02be4d9564a64a0f83c42ce154338b46b57913

Download Submit
\Windows\system\lrBgatz.exe

Filesize
5.2MB

MD5
9790b31235d87920b8e6fa73d4ebe704

SHA1
6e5f983608435aaece0b01f1f35d3d8239063db3

SHA256
180859249bcab631982ee298aab9b7e80b1e7c702f26f01c9575c48df4cca755

SHA512
1627973f82200d041ddb27f88d01653958b1e2437c1ccbf2f7471331abf248f5ba0cdd5e624c0ba54abed0a3a016977c31def111aadf92aa042c9363c14401b0

Download Submit
\Windows\system\vLwKAAh.exe

Filesize
5.2MB

MD5
4563ea8b72310a31b9f7063923a5fd9f

SHA1
b0d0d13ca26c4133b60786488d1e5d30fe9868c2

SHA256
4926eb0a464a4b11fe2d6af002eb826e9de9d21f2e1a2d1bd1e7184201ae86fe

SHA512
679ba9eeb3932e5297b92c533546dd9cb65abf806dd77d0fd2af361cbf8f7139e645bd53480264dda0c33d608a41ab7d48b4ea315fc99f0f57aabfd49e0e7c65

Download Submit
memory/340-157-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/568-240-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/568-77-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/768-160-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/1168-156-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/1624-158-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1824-161-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/1840-238-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-66-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1920-242-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/1920-67-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2036-162-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2180-100-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2180-90-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-99-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2180-163-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2180-64-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2180-63-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-62-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2180-60-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2180-141-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-58-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2180-76-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-82-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-0-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-54-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-105-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2180-51-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2180-139-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-41-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2180-97-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2180-164-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-246-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2428-91-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2448-138-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-83-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-254-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-234-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2596-59-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2692-140-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2692-258-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2692-98-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2696-231-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-55-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-57-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-236-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-92-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-224-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-27-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2856-52-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2856-232-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2936-50-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2936-228-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2940-227-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2940-32-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/3008-159-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/3016-244-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/3016-69-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/3016-137-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download