cobaltstrike | 5f424e43ef0b5a411c0fee9be36cb2ec18d35e826f122a344ecafc4f0bcb256e

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/08/2024, 01:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

cf5f6f616b7eefcfc67b4abbcc76bb18
SHA1

56a092115100bfd01d322af3308160d3e3eb2ea9
SHA256

5f424e43ef0b5a411c0fee9be36cb2ec18d35e826f122a344ecafc4f0bcb256e
SHA512

dd2a58d7c3a234e546f2415efc4f4afdd22a0c913b927036ad2d1e6a454b6337ae6e1013cc6951516ca152a6bb18641836c65b4169a98713833ea453a7718a9d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00090000000120f9-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015dab-21.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015dbf-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e87-33.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001600d-38.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f8b-36.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001613b-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016db0-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ddb-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016eb4-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017406-90.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001747a-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017409-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017400-86.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e4-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017073-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ed2-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ddf-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dc7-58.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000161fd-50.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d9e-22.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/1108-130-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2832-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2404-128-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1424-126-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2760-125-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/3012-124-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2760-123-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2012-122-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/3060-121-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2628-118-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2568-116-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2760-132-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2740-27-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2676-12-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2936-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2820-136-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2860-135-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2760-137-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2612-159-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	xmrig
behavioral1/memory/1540-158-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/1844-157-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/1896-156-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2900-155-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/1732-153-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/1148-152-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2760-161-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2676-218-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2936-222-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2740-220-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2568-224-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2628-226-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/1108-259-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2012-253-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2832-250-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/1424-255-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2860-245-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2404-248-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/3060-243-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/3012-242-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2820-238-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2676	qBygKAo.exe
2740	IIscyMN.exe
2936	KHjMBzA.exe
2860	WtoIdEr.exe
2820	sYCLlFg.exe
2568	cjkCGda.exe
2628	XeNLUre.exe
2832	QpLmkhq.exe
3060	jNODBZw.exe
2012	WwwnoGf.exe
3012	mfrUVxM.exe
1424	TLjMEaH.exe
2404	fhqOZUp.exe
1108	bsnuqCj.exe
1148	QXlcKlz.exe
1732	hqczJcq.exe
2900	gHCxDvf.exe
1896	GcUJEwa.exe
1844	VoNURCS.exe
1540	fIWrpbS.exe
2612	bMHOBCS.exe

Loads dropped DLL 21 IoCs

pid	Process
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2760-0-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/files/0x00090000000120f9-6.dat	upx
behavioral1/files/0x0008000000015dab-21.dat	upx
behavioral1/files/0x0008000000015dbf-28.dat	upx
behavioral1/memory/2860-29-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/files/0x0007000000015e87-33.dat	upx
behavioral1/files/0x000700000001600d-38.dat	upx
behavioral1/files/0x0007000000015f8b-36.dat	upx
behavioral1/files/0x000900000001613b-47.dat	upx
behavioral1/files/0x0006000000016db0-54.dat	upx
behavioral1/files/0x0006000000016ddb-62.dat	upx
behavioral1/files/0x0006000000016eb4-70.dat	upx
behavioral1/files/0x0006000000017406-90.dat	upx
behavioral1/files/0x000600000001747a-98.dat	upx
behavioral1/memory/1108-130-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2832-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2404-128-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/1424-126-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/3012-124-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2012-122-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/3060-121-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2628-118-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2568-116-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/2820-99-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/files/0x0006000000017409-94.dat	upx
behavioral1/files/0x0006000000017400-86.dat	upx
behavioral1/memory/2760-132-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/files/0x00060000000173e4-82.dat	upx
behavioral1/files/0x0006000000017073-78.dat	upx
behavioral1/files/0x0006000000016ed2-74.dat	upx
behavioral1/files/0x0006000000016ddf-66.dat	upx
behavioral1/files/0x0006000000016dc7-58.dat	upx
behavioral1/files/0x00080000000161fd-50.dat	upx
behavioral1/memory/2740-27-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2936-25-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/files/0x0008000000015d9e-22.dat	upx
behavioral1/memory/2676-12-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2936-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2820-136-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2860-135-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2760-137-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2612-159-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	upx
behavioral1/memory/1540-158-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/1844-157-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/1896-156-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2900-155-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/1732-153-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/1148-152-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2760-161-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2676-218-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2936-222-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2740-220-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2568-224-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/2628-226-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/1108-259-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2012-253-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2832-250-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/1424-255-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2860-245-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2404-248-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/3060-243-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/3012-242-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2820-238-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KHjMBzA.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IIscyMN.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtoIdEr.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXlcKlz.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcUJEwa.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bMHOBCS.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TLjMEaH.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhqOZUp.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bsnuqCj.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gHCxDvf.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VoNURCS.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fIWrpbS.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sYCLlFg.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QpLmkhq.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNODBZw.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WwwnoGf.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hqczJcq.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBygKAo.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cjkCGda.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XeNLUre.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfrUVxM.exe	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2676	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2760 wrote to memory of 2676	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2760 wrote to memory of 2676	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2760 wrote to memory of 2936	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2760 wrote to memory of 2936	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2760 wrote to memory of 2936	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2760 wrote to memory of 2740	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2760 wrote to memory of 2740	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2760 wrote to memory of 2740	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2760 wrote to memory of 2860	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2760 wrote to memory of 2860	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2760 wrote to memory of 2860	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2760 wrote to memory of 2820	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2760 wrote to memory of 2820	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2760 wrote to memory of 2820	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2760 wrote to memory of 2568	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2760 wrote to memory of 2568	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2760 wrote to memory of 2568	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2760 wrote to memory of 2628	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2760 wrote to memory of 2628	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2760 wrote to memory of 2628	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2760 wrote to memory of 2832	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2760 wrote to memory of 2832	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2760 wrote to memory of 2832	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2760 wrote to memory of 3060	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2760 wrote to memory of 3060	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2760 wrote to memory of 3060	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2760 wrote to memory of 2012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2760 wrote to memory of 2012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2760 wrote to memory of 2012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2760 wrote to memory of 3012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2760 wrote to memory of 3012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2760 wrote to memory of 3012	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2760 wrote to memory of 1424	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2760 wrote to memory of 1424	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2760 wrote to memory of 1424	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2760 wrote to memory of 2404	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2760 wrote to memory of 2404	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2760 wrote to memory of 2404	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2760 wrote to memory of 1108	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2760 wrote to memory of 1108	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2760 wrote to memory of 1108	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2760 wrote to memory of 1148	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2760 wrote to memory of 1148	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2760 wrote to memory of 1148	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2760 wrote to memory of 1732	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2760 wrote to memory of 1732	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2760 wrote to memory of 1732	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2760 wrote to memory of 2900	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2760 wrote to memory of 2900	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2760 wrote to memory of 2900	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2760 wrote to memory of 1896	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2760 wrote to memory of 1896	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2760 wrote to memory of 1896	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2760 wrote to memory of 1844	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2760 wrote to memory of 1844	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2760 wrote to memory of 1844	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2760 wrote to memory of 1540	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2760 wrote to memory of 1540	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2760 wrote to memory of 1540	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2760 wrote to memory of 2612	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2760 wrote to memory of 2612	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2760 wrote to memory of 2612	2760	2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_cf5f6f616b7eefcfc67b4abbcc76bb18_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\System\qBygKAo.exe
  C:\Windows\System\qBygKAo.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\KHjMBzA.exe
  C:\Windows\System\KHjMBzA.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\IIscyMN.exe
  C:\Windows\System\IIscyMN.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\WtoIdEr.exe
  C:\Windows\System\WtoIdEr.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\sYCLlFg.exe
  C:\Windows\System\sYCLlFg.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\cjkCGda.exe
  C:\Windows\System\cjkCGda.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\XeNLUre.exe
  C:\Windows\System\XeNLUre.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\QpLmkhq.exe
  C:\Windows\System\QpLmkhq.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\jNODBZw.exe
  C:\Windows\System\jNODBZw.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\WwwnoGf.exe
  C:\Windows\System\WwwnoGf.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\mfrUVxM.exe
  C:\Windows\System\mfrUVxM.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\TLjMEaH.exe
  C:\Windows\System\TLjMEaH.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\fhqOZUp.exe
  C:\Windows\System\fhqOZUp.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\bsnuqCj.exe
  C:\Windows\System\bsnuqCj.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\QXlcKlz.exe
  C:\Windows\System\QXlcKlz.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\hqczJcq.exe
  C:\Windows\System\hqczJcq.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\gHCxDvf.exe
  C:\Windows\System\gHCxDvf.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\GcUJEwa.exe
  C:\Windows\System\GcUJEwa.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\VoNURCS.exe
  C:\Windows\System\VoNURCS.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\fIWrpbS.exe
  C:\Windows\System\fIWrpbS.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\bMHOBCS.exe
  C:\Windows\System\bMHOBCS.exe
  2⤵
  - Executes dropped EXE
  PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GcUJEwa.exe

Filesize
5.2MB

MD5
4b75f4f116e034e7b6eb22c84737310f

SHA1
d2498b0e269074208a59d7608d85c7a3ab16553f

SHA256
844d38d6968ed127685a5ab3836d621871a6e8682589daa352b42b5c7ebc7603

SHA512
c603e99609814fe39c3400fe4dd2eefe299fc55ba569b3cdb95fe0f826cae894951dbb686ad16f6e2c1a7f897010332072f1708170f3b5fd606d45c05bded30f

Download Submit
C:\Windows\system\IIscyMN.exe

Filesize
5.2MB

MD5
5aabfbed76268f99707482ba17e630e8

SHA1
67c966409a1abf493de33291ac5e5f857a1ba7d1

SHA256
a0ddbabb861dc54e88e8700e7145c344225ae18541e56ff46b9ca947690dae83

SHA512
4b7814c21b69e11e260bd3183f619d8cf0829f25693e0b937d9aefbbc12dd482e5a5d60345ea508dcf35745801d46a6d43a978aaea31326ca15671c715905029

Download Submit
C:\Windows\system\KHjMBzA.exe

Filesize
5.2MB

MD5
9e0ca5596d290c97c21709c6c19afdd9

SHA1
327e68d99f4b6bb69af1e1a0bcc855697279a3bb

SHA256
811d4cda975be526effe64a6db6ffbcdfac46b0783af837383faf1ed974d3788

SHA512
409530ced610e4d1d95f7517d5914ade218484280cb4ea4fdbb89e0f30abe5e8e974824919135c1de3f37082516a877b847f93c70dd21d386eca7f9d4d20cd1e

Download Submit
C:\Windows\system\QXlcKlz.exe

Filesize
5.2MB

MD5
beaf9362dc4ed34bfa14964335883d19

SHA1
b6616e837601df3dcf4b94bf21291b5ad557dc45

SHA256
0a89e3058976b0c09e8108465d6ba74a9df4d5052b18fed7ce7dc4fed54bc00b

SHA512
7b14551d3de48227ef75a244ad6bdd81af5a38d22bc0cc121d2f3560ed971ab18233589de1b8815953300ddf04ab24b1c99eacdc49ff5adfc5c20e08354118aa

Download Submit
C:\Windows\system\QpLmkhq.exe

Filesize
5.2MB

MD5
4bf44bdbd09a07d6de633a5d40290c6d

SHA1
bf6164562094553c9f1ce46f7c12d026a4793416

SHA256
af65f86a756038bf28a08bc9b8e0d48e4deb00a779d8df32553ca40cc09db48f

SHA512
ebfeb7b8138e99fc7e09cf843f8e3093d970b4ffe9096346b2301cf82264b62cb3dfabd6ecc1d2f51ae6e0c46660b9b7d68ba5ec3eb2f8f20d28d7ea9f041e97

Download Submit
C:\Windows\system\TLjMEaH.exe

Filesize
5.2MB

MD5
f7ff9342e60269d87c3d9a19e6234032

SHA1
d07b793ecba868db7db0bd4d55e36864a825fafa

SHA256
6cb5968706c79206a787860f53f1fe662620638b2e89dc9b226c643ca21283f1

SHA512
9bd511115a467203b553557ac2a898043f76c06a8552949242f13576da15401e2e8d712d39c97e761b5989ae55ad885d6531d7f1244a15abebe4d4944b4f4e71

Download Submit
C:\Windows\system\VoNURCS.exe

Filesize
5.2MB

MD5
528d6ff1a178f38a448581833905686b

SHA1
7ca8bd5decf3f3a0ec6f602b1194caba21a53de5

SHA256
1b1566b610821280f52b7ff62f04100294af56309b68dcfdb6f5e8a424ee7318

SHA512
ec65f506f78b9f172752d3889d44603f120601a2312c1f5d5a176512196452df631b805dfcbbe25678baa9d5e451f25cc77f1c27caf4537ba62f9d3c85613c22

Download Submit
C:\Windows\system\WtoIdEr.exe

Filesize
5.2MB

MD5
8a3eecb1c3ce547e1db854e7ac98d543

SHA1
b8c8d86037b4c2b7d923f948ee57a19194f6f109

SHA256
c098ecb3e519558104d23cd50b697a389c85258b77ab3bd6fa3b6fd51c76c8fc

SHA512
dad7dcd7c529421930eb3545e325c8525870fe837b2086a09a603b8561ec9afb1758ce891aab6a71a156fc93d9fa1172ea951056b88b85791bb12b69909be0fc

Download Submit
C:\Windows\system\WwwnoGf.exe

Filesize
5.2MB

MD5
43b74ed2f08d1457ce4625535be1e0b8

SHA1
17fdf48b300665afc8fda60cf12a971acce34378

SHA256
67219951ba40b54abf388955ebb9944f3a580fa2bd7faae377cab70c691f0c1a

SHA512
7616aaa99a689ab8458143ae551bb1bfed58d09a4df6662f4b336bf540789819ced56087e6c49d09cbecd8016e6f4a35bb8c36ea19ae4208e2c1376f4e0afa29

Download Submit
C:\Windows\system\bMHOBCS.exe

Filesize
5.2MB

MD5
1d2aa8960d34715d0c969892cb7ac0de

SHA1
bb57c39beab4003009d160849ccca2bd0eb6b9f3

SHA256
c889688312e36a346751e0ed0acbf6c4828a70b6d8e2b49ded871a6a0bdfdeff

SHA512
962c392aeb8fd3d8526f4866a74100037df9f640b3959d34d3b0bf1764cc183d8508d3559f4d965c27a3fe558d6989e29f83882e1652e17d4e67599fa668d4e8

Download Submit
C:\Windows\system\bsnuqCj.exe

Filesize
5.2MB

MD5
52275b6dc2ead13b4c14b59217729288

SHA1
d4c38bf33dfcf73a7b7ff0ee5d4d2256d23f706d

SHA256
4ff79bd5f23b74ac49c9c8168d4a99d55d5dc75a2c80111043eb4843206e7148

SHA512
378ece4f80f514fea62b73425c8069686555d73356353d3c0bdc27f03620d64edf18195083d8762b0311a611c240af730aa0f54c803aff3557a2a93d8b87b6b3

Download Submit
C:\Windows\system\cjkCGda.exe

Filesize
5.2MB

MD5
add9cbf8da2d060e351037defecff6a2

SHA1
83a924c3f474f9b633c1ff8a0660577ffd40bb20

SHA256
f50d0109413b244c8541df2b91475874ee52ca4ceda01dd398c28c06c21f9452

SHA512
16195243ab4d4f8b7528eb402cb9914657ecdc08b9759f579691f3ce6b080ac5c2ac515e0f5288a6b93854185e92e4af2656770abd689d982451c053a68000aa

Download Submit
C:\Windows\system\fIWrpbS.exe

Filesize
5.2MB

MD5
ab4295fddf1083a290ff15e27208b761

SHA1
303a25e55f44d098a31eab3d97260c5b18f810f6

SHA256
1635b265028e33760d8e2a1ff6377dbf1f8bc08a0d63de0161078dabe08fbdb9

SHA512
7a2d1d26f66995a368d4a5addd25059dba6a34b0c062c932f50b8f473def8324b25fe288f64afe4ce6e40ecd5cbebe55f5af49c32a91fec6699d34bec954b8f1

Download Submit
C:\Windows\system\fhqOZUp.exe

Filesize
5.2MB

MD5
06106e6798adf529c18fd74bcd90d3e0

SHA1
89d9cc1cb29c1ed936ca236cd958141fa7cd9935

SHA256
c2b747f4525c98ea3315480f5a658ed583f0d9052beb89023027bc77ca8ffb5e

SHA512
2424132132c818f7d4ec4b43d57a95237a743eb846497231d0d6493f49f7984416e4e647b180e9bcd4cdeb9a0e94759964ad72661713bd168ac1e87279261af1

Download Submit
C:\Windows\system\gHCxDvf.exe

Filesize
5.2MB

MD5
583a72bf6f09daeda9b2c4c1f086ad04

SHA1
4e445c431e54b17d78430f0d5b17a3dec595891f

SHA256
cc617c079c0447d0052921efcbb3c64261e8e4a88e4578729be0ba21d4542d31

SHA512
4e5f8e016bc0e5feb7b9f7a4177aeb87accc93a1f8b7312d4a0b6e79b848a23446a4f868ed5dd95d3dbcd1d688b326fe9f41d74d6024b5fbcd66043d8e17b86a

Download Submit
C:\Windows\system\hqczJcq.exe

Filesize
5.2MB

MD5
eaed49026975c5fd6aa8cba4b39f68cd

SHA1
3bd3d91710a522a809627b055bfe7301fd9a1769

SHA256
953135eac9dbc3d96158ab8ef012e33d65059a7c92304b44e5d271c1ac045074

SHA512
d2b36f683d54fa5f1617b13e1a6468125b1542a0521c475cfd907bf28ce98150f4f34ae056c44f06e02d50801d9b8e5949251770a2f236fd459a08fb9e7bed9c

Download Submit
C:\Windows\system\jNODBZw.exe

Filesize
5.2MB

MD5
5c7ec80632e5a1d709d7f9ec14f01d12

SHA1
fa9a8f3daa4c10a573179168967224f370305abf

SHA256
d641bd8cc96254954d370ddb1403e38f2fb07547eda8be5de0029b81406700fc

SHA512
48ca85b1991429efdd9faa5e7f576f21f850d0319cface5e13ed5f03a1e6969866101dd4ea6ae261715ba4f55ded8920bd170c7f2218eb68fa7c78925791477e

Download Submit
C:\Windows\system\mfrUVxM.exe

Filesize
5.2MB

MD5
382528a8911ca65ba914d594973fb56f

SHA1
21aead5c8dc9d254941284aae0cab83217c0ce08

SHA256
714cfd58390a2917aa683881a2bb6b01cac115f0c27421aad2fb4a2b33c6dcf0

SHA512
f2dda531599bb27eaef0d7b6e93783216e8c2e0abee9b5f158a33ac7d9716bfdb4703a316f36b36f5e2a6d27d47fcc8eaee926966cf03b03e465432e7d19ad57

Download Submit
C:\Windows\system\qBygKAo.exe

Filesize
5.2MB

MD5
774ae02d07a5c5ffaf5c223df317acbe

SHA1
da09e1f7644fad694d7a83ab5bb3661d1e5999e8

SHA256
933b3c3d99a99424457671ea5a45b8a29e6b5aec89707b783a1c7479a5e214ad

SHA512
2afc93996021d968729f29aa06a96fa461dd06ac13ec0950054f59752d052868e4eb345d7445f2df34b8e5bdb560ebab0d432d941b0f46e04c5f876a4c684cf6

Download Submit
C:\Windows\system\sYCLlFg.exe

Filesize
5.2MB

MD5
e15acc7dafd5f3376516809318815477

SHA1
5be7e71dbbd511bb4dde0958abb3845f5217e712

SHA256
b0ae5f97600eb32d49fa91cfcb35b957dabbff00590a4d934b7e952f21780116

SHA512
285b2ebfd02516d6b2f0bfbaf8471a2633b25f1f997837e663fc68a861946ea213608b3b687cf6a682102c7d20e307d04445bffc69ba83b1070782b5cd2add9d

Download Submit
\Windows\system\XeNLUre.exe

Filesize
5.2MB

MD5
e84a69ebd3029415b0e23ef96eab5c14

SHA1
5e26e7eda841d772595b2ec1fef30b87c6292e86

SHA256
53d75398c3ecc1b084f3f6b53bd744d78b559067e99eb7ab088951acb4fb82d1

SHA512
9b75e3e7b2f08d1356f8dea6e1752229b62f134acb8abe817a6ddc2b08e13e3fb1d38842856cf487104d1386fb0eab7a0aed100c9ea632bb042eef418847ab95

Download Submit
memory/1108-130-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-259-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1148-152-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1424-126-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1424-255-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1540-158-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/1732-153-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-157-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/1896-156-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-122-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2012-253-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-248-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2404-128-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2568-224-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2568-116-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2612-159-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-226-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-118-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-218-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2676-12-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2740-27-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2740-220-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2760-137-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2760-129-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-119-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2760-24-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-1-0x0000000000190000-0x00000000001A0000-memory.dmp

Filesize
64KB

Download
memory/2760-20-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2760-127-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2760-117-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-8-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2760-16-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2760-120-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2760-160-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2760-125-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2760-100-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2760-0-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2760-132-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2760-123-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2760-154-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2760-161-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2820-99-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2820-136-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2820-238-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2832-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2832-250-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2860-135-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-29-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-245-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-155-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2936-222-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2936-134-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2936-25-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/3012-124-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/3012-242-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/3060-121-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3060-243-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download