cobaltstrike | 6412482e0591934510b5697f27fe468399ac9957dc52567c875e3c3166316ed4

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

2a94cf09232cc6cedde3b0ecec351e36
SHA1

7dbccda6efeed0f3e62824499de482f21d0e3265
SHA256

6412482e0591934510b5697f27fe468399ac9957dc52567c875e3c3166316ed4
SHA512

8e0b0e6e316a7486b3e8590d9377c23293caec9ed5dbd3a9c3d446d90ce741bfe9fadd46df7da84d52bae9a0a6eb3098e09b571710722d6359fc72c3662829c7
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUc:Q+856utgpPF8u/7c

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c0000000122e0-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016a47-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c3d-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c58-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ca2-32.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001650a-37.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cfe-59.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173fb-70.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d0b-80.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e4-85.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173aa-60.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd3-44.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018678-120.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001747b-135.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018690-139.dat	cobalt_reflective_dll
behavioral1/files/0x001500000001866d-116.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001748f-107.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017409-106.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174ac-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017403-93.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001752f-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2024-0-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/files/0x000c0000000122e0-3.dat	xmrig
behavioral1/memory/2024-6-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/files/0x0007000000016a47-8.dat	xmrig
behavioral1/memory/2476-14-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/files/0x0008000000016c3d-10.dat	xmrig
behavioral1/memory/2084-20-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/files/0x0007000000016c58-22.dat	xmrig
behavioral1/memory/2680-27-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2748-33-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016ca2-32.dat	xmrig
behavioral1/memory/2024-34-0x000000013F2C0000-0x000000013F614000-memory.dmp	xmrig
behavioral1/files/0x000900000001650a-37.dat	xmrig
behavioral1/files/0x0008000000016cfe-59.dat	xmrig
behavioral1/memory/2804-64-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/files/0x00060000000173fb-70.dat	xmrig
behavioral1/memory/2832-73-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d0b-80.dat	xmrig
behavioral1/files/0x00060000000173e4-85.dat	xmrig
behavioral1/memory/2808-69-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2592-86-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2564-83-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2680-82-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2084-81-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/memory/592-78-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2024-76-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2024-65-0x0000000002350000-0x00000000026A4000-memory.dmp	xmrig
behavioral1/memory/2964-61-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/files/0x00060000000173aa-60.dat	xmrig
behavioral1/memory/2024-56-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/2024-50-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2836-40-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/files/0x0007000000016cd3-44.dat	xmrig
behavioral1/memory/2748-88-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2024-89-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/files/0x0009000000018678-120.dat	xmrig
behavioral1/files/0x000600000001747b-135.dat	xmrig
behavioral1/files/0x0005000000018690-139.dat	xmrig
behavioral1/memory/2876-119-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/files/0x001500000001866d-116.dat	xmrig
behavioral1/files/0x000600000001748f-107.dat	xmrig
behavioral1/files/0x0006000000017409-106.dat	xmrig
behavioral1/files/0x00060000000174ac-105.dat	xmrig
behavioral1/files/0x0006000000017403-93.dat	xmrig
behavioral1/memory/2024-134-0x000000013FB50000-0x000000013FEA4000-memory.dmp	xmrig
behavioral1/memory/2024-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/files/0x000600000001752f-122.dat	xmrig
behavioral1/memory/2024-115-0x0000000002350000-0x00000000026A4000-memory.dmp	xmrig
behavioral1/memory/2804-98-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/592-141-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2564-142-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2592-146-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2876-148-0x000000013F550000-0x000000013F8A4000-memory.dmp	xmrig
behavioral1/memory/2024-150-0x000000013FA70000-0x000000013FDC4000-memory.dmp	xmrig
behavioral1/memory/2836-152-0x000000013FEE0000-0x0000000140234000-memory.dmp	xmrig
behavioral1/memory/2476-153-0x000000013FFB0000-0x0000000140304000-memory.dmp	xmrig
behavioral1/memory/2084-154-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/memory/2748-156-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/memory/2680-155-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2808-157-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2964-158-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2804-160-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2832-159-0x000000013FE30000-0x0000000140184000-memory.dmp	xmrig
behavioral1/memory/592-161-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2836	vhoIrDj.exe
2476	IFpMWXx.exe
2084	mVFcgYy.exe
2680	ZlCAvPx.exe
2748	aTspIDz.exe
2808	rxvCjqF.exe
2964	gCQsbCe.exe
2832	zaDAlrc.exe
2804	HziEGiK.exe
592	MaSoBcp.exe
2564	qCQqSvD.exe
2592	UWWZkTw.exe
2876	RRdIRDF.exe
588	NcWyKIq.exe
2784	xfmSkYp.exe
2600	lSBQnNx.exe
2848	avNBWtZ.exe
820	vsDkTtP.exe
1232	IjVaLCL.exe
1992	cyltPFF.exe
1688	vYKJKgg.exe

Loads dropped DLL 21 IoCs

pid	Process
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-0-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/files/0x000c0000000122e0-3.dat	upx
behavioral1/memory/2024-6-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/files/0x0007000000016a47-8.dat	upx
behavioral1/memory/2476-14-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/files/0x0008000000016c3d-10.dat	upx
behavioral1/memory/2084-20-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
behavioral1/files/0x0007000000016c58-22.dat	upx
behavioral1/memory/2680-27-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2748-33-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0007000000016ca2-32.dat	upx
behavioral1/memory/2024-34-0x000000013F2C0000-0x000000013F614000-memory.dmp	upx
behavioral1/files/0x000900000001650a-37.dat	upx
behavioral1/files/0x0008000000016cfe-59.dat	upx
behavioral1/memory/2804-64-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/files/0x00060000000173fb-70.dat	upx
behavioral1/memory/2832-73-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/files/0x0008000000016d0b-80.dat	upx
behavioral1/files/0x00060000000173e4-85.dat	upx
behavioral1/memory/2808-69-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2592-86-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2564-83-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2680-82-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2084-81-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
behavioral1/memory/592-78-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2964-61-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/files/0x00060000000173aa-60.dat	upx
behavioral1/memory/2836-40-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/files/0x0007000000016cd3-44.dat	upx
behavioral1/memory/2748-88-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0009000000018678-120.dat	upx
behavioral1/files/0x000600000001747b-135.dat	upx
behavioral1/files/0x0005000000018690-139.dat	upx
behavioral1/memory/2876-119-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/files/0x001500000001866d-116.dat	upx
behavioral1/files/0x000600000001748f-107.dat	upx
behavioral1/files/0x0006000000017409-106.dat	upx
behavioral1/files/0x00060000000174ac-105.dat	upx
behavioral1/files/0x0006000000017403-93.dat	upx
behavioral1/files/0x000600000001752f-122.dat	upx
behavioral1/memory/2804-98-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/592-141-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2564-142-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2592-146-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2876-148-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx
behavioral1/memory/2836-152-0x000000013FEE0000-0x0000000140234000-memory.dmp	upx
behavioral1/memory/2476-153-0x000000013FFB0000-0x0000000140304000-memory.dmp	upx
behavioral1/memory/2084-154-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
behavioral1/memory/2748-156-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/memory/2680-155-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2808-157-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2964-158-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2804-160-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2832-159-0x000000013FE30000-0x0000000140184000-memory.dmp	upx
behavioral1/memory/592-161-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2564-162-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2592-163-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2876-164-0x000000013F550000-0x000000013F8A4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mVFcgYy.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lSBQnNx.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UWWZkTw.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MaSoBcp.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zaDAlrc.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HziEGiK.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NcWyKIq.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xfmSkYp.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cyltPFF.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\avNBWtZ.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZlCAvPx.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RRdIRDF.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aTspIDz.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCQsbCe.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rxvCjqF.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCQqSvD.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vsDkTtP.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IjVaLCL.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vhoIrDj.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IFpMWXx.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vYKJKgg.exe	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2836	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2024 wrote to memory of 2836	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2024 wrote to memory of 2836	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2024 wrote to memory of 2476	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2024 wrote to memory of 2476	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2024 wrote to memory of 2476	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2024 wrote to memory of 2084	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2024 wrote to memory of 2084	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2024 wrote to memory of 2084	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2024 wrote to memory of 2680	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2024 wrote to memory of 2680	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2024 wrote to memory of 2680	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2024 wrote to memory of 2748	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2024 wrote to memory of 2748	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2024 wrote to memory of 2748	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2024 wrote to memory of 2964	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2024 wrote to memory of 2964	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2024 wrote to memory of 2964	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2024 wrote to memory of 2808	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2024 wrote to memory of 2808	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2024 wrote to memory of 2808	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2024 wrote to memory of 2832	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2024 wrote to memory of 2832	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2024 wrote to memory of 2832	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2024 wrote to memory of 2564	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2024 wrote to memory of 2564	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2024 wrote to memory of 2564	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2024 wrote to memory of 2804	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2024 wrote to memory of 2804	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2024 wrote to memory of 2804	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2024 wrote to memory of 2592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2024 wrote to memory of 2592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2024 wrote to memory of 2592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2024 wrote to memory of 592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2024 wrote to memory of 592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2024 wrote to memory of 592	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2024 wrote to memory of 2876	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2024 wrote to memory of 2876	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2024 wrote to memory of 2876	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2024 wrote to memory of 588	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2024 wrote to memory of 588	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2024 wrote to memory of 588	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2024 wrote to memory of 820	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2024 wrote to memory of 820	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2024 wrote to memory of 820	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2024 wrote to memory of 2784	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2024 wrote to memory of 2784	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2024 wrote to memory of 2784	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2024 wrote to memory of 1232	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2024 wrote to memory of 1232	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2024 wrote to memory of 1232	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2024 wrote to memory of 2600	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2024 wrote to memory of 2600	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2024 wrote to memory of 2600	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2024 wrote to memory of 1992	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2024 wrote to memory of 1992	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2024 wrote to memory of 1992	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2024 wrote to memory of 2848	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2024 wrote to memory of 2848	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2024 wrote to memory of 2848	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2024 wrote to memory of 1688	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2024 wrote to memory of 1688	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2024 wrote to memory of 1688	2024	2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_2a94cf09232cc6cedde3b0ecec351e36_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\System\vhoIrDj.exe
  C:\Windows\System\vhoIrDj.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\IFpMWXx.exe
  C:\Windows\System\IFpMWXx.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\mVFcgYy.exe
  C:\Windows\System\mVFcgYy.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\ZlCAvPx.exe
  C:\Windows\System\ZlCAvPx.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\aTspIDz.exe
  C:\Windows\System\aTspIDz.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\gCQsbCe.exe
  C:\Windows\System\gCQsbCe.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\rxvCjqF.exe
  C:\Windows\System\rxvCjqF.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\zaDAlrc.exe
  C:\Windows\System\zaDAlrc.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\qCQqSvD.exe
  C:\Windows\System\qCQqSvD.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\HziEGiK.exe
  C:\Windows\System\HziEGiK.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\UWWZkTw.exe
  C:\Windows\System\UWWZkTw.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\MaSoBcp.exe
  C:\Windows\System\MaSoBcp.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\RRdIRDF.exe
  C:\Windows\System\RRdIRDF.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\NcWyKIq.exe
  C:\Windows\System\NcWyKIq.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\vsDkTtP.exe
  C:\Windows\System\vsDkTtP.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\xfmSkYp.exe
  C:\Windows\System\xfmSkYp.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\IjVaLCL.exe
  C:\Windows\System\IjVaLCL.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\lSBQnNx.exe
  C:\Windows\System\lSBQnNx.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\cyltPFF.exe
  C:\Windows\System\cyltPFF.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\avNBWtZ.exe
  C:\Windows\System\avNBWtZ.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\vYKJKgg.exe
  C:\Windows\System\vYKJKgg.exe
  2⤵
  - Executes dropped EXE
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HziEGiK.exe

Filesize
5.9MB

MD5
602e9b72acd207d4036fc5ea08512492

SHA1
a31096a7a2d7591e7ddefac6b23e1da4578d83d8

SHA256
0f0b43f8d24a4ae9f0ed29120169b1fedde661febf0222ebe1224b95af451d46

SHA512
6baee1671c49d6feffd6e84dfc39dfe54e86d1f7eee72b3522a2a82a9b15dbf1ad782162f81703094c23e65e456b5f9d575cbf96734968421ec3e9e34b941222

Download Submit
C:\Windows\system\NcWyKIq.exe

Filesize
5.9MB

MD5
00a4622bc874da67bbea728b1e09b607

SHA1
6f685c80603c1f20e914fa2e35e9a4b8758ee6af

SHA256
15dcb47ca6e5eaf422fc2b448eb59824c64904bc645f31df38ce6eaa8918e8bc

SHA512
5ef570313417206849a9dcd26f52eed126886ca9cf93c77fe31f4c29428554b14911d74424328ca55c58d058dac6712a6aeccf09052e0787afd8d0d1fd46fc0f

Download Submit
C:\Windows\system\RRdIRDF.exe

Filesize
5.9MB

MD5
cfb2dd9505c4f5331df2eb5dfb4971ad

SHA1
8ec20c2078ce47d69f222d8f2ee56b6f225490e2

SHA256
9f889159dfc058ad71943ded8fc0ca9b0d03228b4dec6e1e8a5acf60b4d38d26

SHA512
ff6d90dce96fcd29a072d5995a0c21b77ebb7d96181ae515597645fb6f5c474c488c2b32e3fd88455fafd870f5748389fced45174023f9a5ab127fe16e753b00

Download Submit
C:\Windows\system\UWWZkTw.exe

Filesize
5.9MB

MD5
fcb92f39f325ac508fc48e0dfb8e718e

SHA1
03d3550f8b31d0c2de842aeadf6119fc60c1a28a

SHA256
62503be81b9ff8d7da97a08ed22d68ffdd6616581b947fede64b2b9b4ebe0316

SHA512
9789485f6a2ae743dc6b34ce193876616224bd31935372b21e6f143cf8f7152e53defdb9567af5b256f15e1ce946350032ca1b8e1441f925d4d352cf533d88ed

Download Submit
C:\Windows\system\aTspIDz.exe

Filesize
5.9MB

MD5
258f1019b5934ab45ab3b4f1e8840108

SHA1
124e0d9ae03e580b7ba27c9682a993d51b603009

SHA256
58be93633977cc067071af290a89df7b4eee19def0748ce1669094686c52b7d3

SHA512
2cab2e38cdba880686ed228753263543da477f65c0c2d459fd9055e1222bb2d64f7f9cb47064ca2eb1389a5c79863d07a46b3723851007c01efd13076cb8f02f

Download Submit
C:\Windows\system\lSBQnNx.exe

Filesize
5.9MB

MD5
0431a3ce8ba4d924baca48f3d5961c3a

SHA1
d0efa91fd5c66c7ee0583498ae6dd8669b04a487

SHA256
b61811da69993eef2fb31c5d353d4122d39c4ef07ac477b952d8fafdd8d0f14f

SHA512
67ce872bbfcbce1a046cf28f09e6d280a26256b38344e346ea8beabb9c21b2d59f436efe704b8d1325633f23118fe53db68de89fb8686a8e2f69069c384abdd0

Download Submit
C:\Windows\system\mVFcgYy.exe

Filesize
5.9MB

MD5
20316ba229be26bbbb0b28ad3a8310e1

SHA1
7bc92a10ad747f9c9dc5c98a01ca557e9f2838c5

SHA256
a632ae45f4fbaae9faaaa075374f65072442cafe479df122abe8b7cdf2832502

SHA512
f735e57cf7ae06c0f7c0d19c91b856cfec3912a66a9da6047561b718115e4ca37631d330a92253149098952a45d6ce7998fd88c89622764958283d7565082879

Download Submit
C:\Windows\system\qCQqSvD.exe

Filesize
5.9MB

MD5
1831d08bbe04a62a25f6464fb35d7fb2

SHA1
63ee3450e979dd2c69c1a8dd4218eefe7ccd4356

SHA256
798b9c04d7f8c034b79eab769475aff968288aeb397e58fb5e5e3a92b8bbd67d

SHA512
81cb6ae9e3c693ae9bad07bb249ab0b9fb93f3ba3db1ee44e2269d68c36f9374eb43cd968d9dda7ff4d2ae0da833f45e09b8366313a1af46ff164a52bdb4ca34

Download Submit
C:\Windows\system\rxvCjqF.exe

Filesize
5.9MB

MD5
89674864ec07525859672d8373538ac3

SHA1
6e9be6e3f82278e5c226cf224ee756d9e42ab689

SHA256
84cac63b2902b12a138d4a32678152c4232bb4a4dd056d6b49e99b3b7aacc92c

SHA512
d8a9fa069d08efbee2e6cd05ec2a7b670bdd3fc46501b6cfe35f7f81f58e0c31b4dc61581e6e215002fa1c6155ad0fd0745ac36477028bef9bcb3efc6e00c3a2

Download Submit
C:\Windows\system\vYKJKgg.exe

Filesize
5.9MB

MD5
22682665e58649b36fff59c3df889fd8

SHA1
684bb3ff6a176753c5cffad9a5cc6dd7913d14e2

SHA256
2474fbc99a9f0e38bb705c5d3148ed4d1c5d6a3394d919851d920cb68cc18b63

SHA512
eefea3c694279767945a725fa17937430f5a980807cf8fec641253bb8550a04f45666ce268c07ef8b573025e99c3a15b346c3220b583527676f11ccf43551a34

Download Submit
C:\Windows\system\vsDkTtP.exe

Filesize
5.9MB

MD5
c819c7df268be8edacba861955cfee98

SHA1
14079eca772360993c481f01967eaca0429ec58f

SHA256
9843f8994bca6df60dc7393a01d8c96c3ddd99989f6214e2935d7ecfb44e8a32

SHA512
52e77df7b135218a8359c70254e507adafa745cb3ba26b533413075980626aa556e997cc20c2ce0f35d02cf0a5e90de68360f64afd88fc068e67706ebe28527e

Download Submit
C:\Windows\system\xfmSkYp.exe

Filesize
5.9MB

MD5
a73605fc3c13d668cc5184134f7bc98b

SHA1
b4c1d8bf317160b73aac4ccc6eb5274e8cb7bad3

SHA256
5541cc6924f1c82bec0ad56f2c7a807cb63519b839ce8e0874c3e8497c14cfe1

SHA512
03d1eea5ffd9807b01673d4cba0a8fb0c50b11c784031198b43a2ea43dcc277676445c828f803748108fa51d2b7c0c633712b32618f30f74bba024160dbe7f7d

Download Submit
C:\Windows\system\zaDAlrc.exe

Filesize
5.9MB

MD5
f5fedf0b836ddcc2a2f6cb406d32672c

SHA1
9461f4d9e4143ff8d41621106fc61a1c858556f8

SHA256
da4400c4df8cdb709b74e1793dc0e542ccdb6571498d823dd6b07745c9b9cacc

SHA512
87bb3489ac3b7a32cb3cd17e7e712b359c358bc04d58e4ecc6e55d1f3742da1d7964e0f4fab26a8df8367b2d36381ea564e9d645387e5579b533b541a9afd4f0

Download Submit
\Windows\system\IFpMWXx.exe

Filesize
5.9MB

MD5
d4498644804e1b79d197fbb4d5555ad4

SHA1
cbaf4c4c95c8400115944e8341211061b803963b

SHA256
6cffca7e0b2f9041021bc9d95805bfd9ed4f2469abe77f55df7cafa652b64c27

SHA512
d595598eeba2c96a29dcaa60e8060ddb1f308ea101839b636bbc0c85dbabee3c5c4740a6d986c7ea2885cad24fbb7f07d7825b9fece1563d63281e1e9cc451fb

Download Submit
\Windows\system\IjVaLCL.exe

Filesize
5.9MB

MD5
dbde8f5cbf468223b046027b8dc3a8be

SHA1
ed50871dbf34f29ef876e4cd8e38d130b76e791a

SHA256
6b7615c92a30c0f9f062aadd07322456e75e8d6d4977935d69d0d70b02f28b75

SHA512
1f58432566a317e087b80407c6507fd639a955407976b51b6d0a021dcc5e90dd95b9ebb1ebb0b2f03a6e78bb5b4e4e95eb896e309cdc39492d450a28e637e016

Download Submit
\Windows\system\MaSoBcp.exe

Filesize
5.9MB

MD5
1c0b32009aa467eb95772bb706c54432

SHA1
127327521e0a5889a51ad4c8bb1277934cdad346

SHA256
335df916f98cbcbfe6798aca4ff37fa05d7f560a9036f00341fc2cdb7732e54a

SHA512
b6e650bbe776cc2b7c47f60ca1046fffa142d55e4c65e87d4cf0970b69582002bac5a064dd855a0f2eb01897b7d84c6c26dea93c963ca93148c8f35b89cb6599

Download Submit
\Windows\system\ZlCAvPx.exe

Filesize
5.9MB

MD5
e1c042b97c170ec759d052c703db7643

SHA1
04c4f82887436c1e8feebc4395f615af83590c8b

SHA256
5ee8c12c84b88de0dfee5e393ffb7ab248dcde9320a06270ea7b690cd279dfb7

SHA512
cd52299a1b7c1cd58ea927d9336446f7d332d46a29cfb45c54c52bc1785a24be3d56aacd55f2917ad98bf4f466f0d02a8d519d445d94b1dc37c02a4f64aa9048

Download Submit
\Windows\system\avNBWtZ.exe

Filesize
5.9MB

MD5
72b731b82b25671100e3eb0e28b457ce

SHA1
a891abc2aa8bb49e4a7f693bcb9c84056fb487f2

SHA256
0641d178b9d6ac49c0094c0a7ec3b8981693aa595ca0abfb83cf2ab5b6e05d7a

SHA512
495564106ca5ecb3bf5eda60f07eb49df0a7f3689963a836b7dab0605981028252574792e7f994cd95ee15bc525fadefd846a39172e10c79b466fc8efbb4368c

Download Submit
\Windows\system\cyltPFF.exe

Filesize
5.9MB

MD5
1b3d9c1ffc8246291623a0a6229ab7f2

SHA1
13dfd312c1e1119197945523322e0fa8e4bf3e4a

SHA256
d094b9a845424a3f58b1c5e9edac67791a9308b730e7659f9f1b3fb6ae2b91f6

SHA512
a9cfcb484ebd80304f7e710f98ad0ff508c51a45879a67a49952482d0e513dc4cf9f6bf4f5e2874527e2a609a98172d3eac77411abb8dc8c43c8c0decef808cd

Download Submit
\Windows\system\gCQsbCe.exe

Filesize
5.9MB

MD5
77b695151d30c4b681cca17c0b108831

SHA1
796a949412fa57f4721484e5db31ed1a7ea9e625

SHA256
10e29c14c56d26d38dffdf7a1a1f4a977388824a3c10b016ddc6b77ab01693bb

SHA512
8f303a68719f8d05014f2872c3c1df2b539d9e4c1bfcdc2611077022c016f9aff349ff9024b5a95ff3b1304f819b57d83dcd309ee5b246384022430ccab4575f

Download Submit
\Windows\system\vhoIrDj.exe

Filesize
5.9MB

MD5
2ecfd739cd27271603109327392cc6cb

SHA1
ba02ea2d038140559b6349fd7c0829169409ffd3

SHA256
00632ba5edd605d49507651ff4253c529ab4214be38041ef354dd6ba39e97a1f

SHA512
7b41c4865f0cea4492a2617605f7befbf6cb009bb2d5fe705dcf2e6491a9e97f12f8e84e5a4d72d3ed5b9737dd934a718aa96d0d62b3689a140b7cfedf9e2e9e

Download Submit
memory/592-78-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/592-141-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/592-161-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2024-89-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2024-151-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2024-150-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-149-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2024-147-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-76-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2024-72-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2024-71-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-65-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-6-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2024-77-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2024-56-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2024-50-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2024-115-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-15-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2024-124-0x0000000002350000-0x00000000026A4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-0-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2024-125-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2024-132-0x000000013FD30000-0x0000000140084000-memory.dmp

Filesize
3.3MB

Download
memory/2024-34-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2024-29-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-140-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2024-133-0x000000013FA70000-0x000000013FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-23-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2024-134-0x000000013FB50000-0x000000013FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-20-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2084-154-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2084-81-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2476-14-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2476-153-0x000000013FFB0000-0x0000000140304000-memory.dmp

Filesize
3.3MB

Download
memory/2564-83-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2564-162-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2564-142-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2592-86-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2592-146-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2592-163-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2680-27-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2680-155-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2680-82-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2748-156-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-33-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-88-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-160-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2804-98-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2804-64-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2808-157-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2808-69-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2832-73-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2832-159-0x000000013FE30000-0x0000000140184000-memory.dmp

Filesize
3.3MB

Download
memory/2836-152-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2836-40-0x000000013FEE0000-0x0000000140234000-memory.dmp

Filesize
3.3MB

Download
memory/2876-148-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-119-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2876-164-0x000000013F550000-0x000000013F8A4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-158-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2964-61-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download