cobaltstrike | 4a8e69ca6d5ac5d38b003c9529bcb6c5f9800b14231a5f56efa82765d15ff7cf

Analysis

max time kernel
135s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

0415c36f700130d3928d7866df40f02a
SHA1

5ea74f98358c11153cae671e7508303dc6e20146
SHA256

4a8e69ca6d5ac5d38b003c9529bcb6c5f9800b14231a5f56efa82765d15ff7cf
SHA512

680f2ddd6c02861a35eff74846c9eda470d1bdd279b3da0b7e4409465e1562815eebfc501b2c593f2359c19257db108195d4c2dfb4539e9514ca80f182703260
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUn:Q+u56utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d0000000141df-3.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186f2-10.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186f8-9.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018731-16.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000193a4-35.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193ac-40.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001942c-45.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019438-50.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ef-85.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957e-103.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001952f-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019506-95.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194fc-90.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d0-80.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ad-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019496-70.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019467-65.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001945c-60.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019456-55.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018742-26.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018781-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/2364-0-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/files/0x000d0000000141df-3.dat	xmrig
behavioral1/files/0x00060000000186f2-10.dat	xmrig
behavioral1/memory/2320-11-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/files/0x00060000000186f8-9.dat	xmrig
behavioral1/files/0x0006000000018731-16.dat	xmrig
behavioral1/files/0x00060000000193a4-35.dat	xmrig
behavioral1/files/0x00050000000193ac-40.dat	xmrig
behavioral1/files/0x000500000001942c-45.dat	xmrig
behavioral1/files/0x0005000000019438-50.dat	xmrig
behavioral1/files/0x00050000000194ef-85.dat	xmrig
behavioral1/files/0x000500000001957e-103.dat	xmrig
behavioral1/files/0x000500000001952f-100.dat	xmrig
behavioral1/files/0x0005000000019506-95.dat	xmrig
behavioral1/files/0x00050000000194fc-90.dat	xmrig
behavioral1/files/0x00050000000194d0-80.dat	xmrig
behavioral1/files/0x00050000000194ad-75.dat	xmrig
behavioral1/files/0x0005000000019496-70.dat	xmrig
behavioral1/files/0x0005000000019467-65.dat	xmrig
behavioral1/files/0x000500000001945c-60.dat	xmrig
behavioral1/files/0x0005000000019456-55.dat	xmrig
behavioral1/files/0x0008000000018742-26.dat	xmrig
behavioral1/files/0x0008000000018781-30.dat	xmrig
behavioral1/memory/2892-110-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2764-112-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/1848-114-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2768-115-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2856-117-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/memory/2852-118-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2364-111-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/2488-108-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2364-119-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2704-120-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2848-121-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2824-126-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2592-128-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/memory/2836-124-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2600-123-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2364-130-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2320-131-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig
behavioral1/memory/2488-134-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/2764-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	xmrig
behavioral1/memory/1848-137-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2892-135-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/memory/2768-138-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2856-139-0x000000013FD80000-0x00000001400D4000-memory.dmp	xmrig
behavioral1/memory/2852-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2704-141-0x000000013F200000-0x000000013F554000-memory.dmp	xmrig
behavioral1/memory/2848-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp	xmrig
behavioral1/memory/2600-143-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2824-145-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2592-146-0x000000013FEF0000-0x0000000140244000-memory.dmp	xmrig
behavioral1/memory/2836-144-0x000000013F690000-0x000000013F9E4000-memory.dmp	xmrig
behavioral1/memory/2320-147-0x000000013FB90000-0x000000013FEE4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2320	yqGRmTK.exe
2488	ThDerCw.exe
2892	nWPeIaL.exe
2764	OQigWfZ.exe
1848	qCkxmJL.exe
2768	rZQhNCy.exe
2856	bEaDZZW.exe
2852	FMojOKG.exe
2704	iRKfxZT.exe
2848	FVAZcoU.exe
2600	nWmwRBm.exe
2836	PFQNlLg.exe
2824	BIVTjIu.exe
2592	xBMvPtE.exe
2192	xflRAPs.exe
2408	EnamIOG.exe
1996	pqCzmEc.exe
820	YkaezBQ.exe
2896	bYHiVEu.exe
2540	jcOKUzt.exe
2820	AUYVNaT.exe

Loads dropped DLL 21 IoCs

pid	Process
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2364-0-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/files/0x000d0000000141df-3.dat	upx
behavioral1/files/0x00060000000186f2-10.dat	upx
behavioral1/memory/2320-11-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/files/0x00060000000186f8-9.dat	upx
behavioral1/files/0x0006000000018731-16.dat	upx
behavioral1/files/0x00060000000193a4-35.dat	upx
behavioral1/files/0x00050000000193ac-40.dat	upx
behavioral1/files/0x000500000001942c-45.dat	upx
behavioral1/files/0x0005000000019438-50.dat	upx
behavioral1/files/0x00050000000194ef-85.dat	upx
behavioral1/files/0x000500000001957e-103.dat	upx
behavioral1/files/0x000500000001952f-100.dat	upx
behavioral1/files/0x0005000000019506-95.dat	upx
behavioral1/files/0x00050000000194fc-90.dat	upx
behavioral1/files/0x00050000000194d0-80.dat	upx
behavioral1/files/0x00050000000194ad-75.dat	upx
behavioral1/files/0x0005000000019496-70.dat	upx
behavioral1/files/0x0005000000019467-65.dat	upx
behavioral1/files/0x000500000001945c-60.dat	upx
behavioral1/files/0x0005000000019456-55.dat	upx
behavioral1/files/0x0008000000018742-26.dat	upx
behavioral1/files/0x0008000000018781-30.dat	upx
behavioral1/memory/2892-110-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2764-112-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/1848-114-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2768-115-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2856-117-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/memory/2852-118-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2488-108-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2704-120-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/2848-121-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2824-126-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2592-128-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/memory/2836-124-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2600-123-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2364-130-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2320-131-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx
behavioral1/memory/2488-134-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2764-136-0x000000013FDD0000-0x0000000140124000-memory.dmp	upx
behavioral1/memory/1848-137-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2892-135-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/memory/2768-138-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2856-139-0x000000013FD80000-0x00000001400D4000-memory.dmp	upx
behavioral1/memory/2852-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2704-141-0x000000013F200000-0x000000013F554000-memory.dmp	upx
behavioral1/memory/2848-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp	upx
behavioral1/memory/2600-143-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2824-145-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2592-146-0x000000013FEF0000-0x0000000140244000-memory.dmp	upx
behavioral1/memory/2836-144-0x000000013F690000-0x000000013F9E4000-memory.dmp	upx
behavioral1/memory/2320-147-0x000000013FB90000-0x000000013FEE4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jcOKUzt.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ThDerCw.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rZQhNCy.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEaDZZW.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRKfxZT.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PFQNlLg.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yqGRmTK.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FMojOKG.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWmwRBm.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pqCzmEc.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YkaezBQ.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xBMvPtE.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xflRAPs.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EnamIOG.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYHiVEu.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUYVNaT.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nWPeIaL.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OQigWfZ.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCkxmJL.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FVAZcoU.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BIVTjIu.exe	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2320	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 2320	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 2320	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2364 wrote to memory of 2488	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 2488	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 2488	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2364 wrote to memory of 2892	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2892	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2892	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2364 wrote to memory of 2764	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 2764	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 2764	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2364 wrote to memory of 1848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 1848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 1848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2364 wrote to memory of 2768	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2768	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2768	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2364 wrote to memory of 2856	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2856	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2856	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2364 wrote to memory of 2852	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2852	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2852	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2364 wrote to memory of 2704	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2704	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2704	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2364 wrote to memory of 2848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2848	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2364 wrote to memory of 2600	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 2600	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 2600	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2364 wrote to memory of 2836	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 2836	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 2836	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2364 wrote to memory of 2824	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 2824	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 2824	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2364 wrote to memory of 2592	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 2592	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 2592	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2364 wrote to memory of 2192	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 2192	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 2192	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2364 wrote to memory of 2408	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 2408	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 2408	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2364 wrote to memory of 1996	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 1996	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 1996	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2364 wrote to memory of 820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2364 wrote to memory of 2896	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 2896	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 2896	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2364 wrote to memory of 2540	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2364 wrote to memory of 2540	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2364 wrote to memory of 2540	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2364 wrote to memory of 2820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	53
PID 2364 wrote to memory of 2820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	53
PID 2364 wrote to memory of 2820	2364	2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe	53

C:\Users\Admin\AppData\Local\Temp\2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_0415c36f700130d3928d7866df40f02a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\System\yqGRmTK.exe
  C:\Windows\System\yqGRmTK.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\ThDerCw.exe
  C:\Windows\System\ThDerCw.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\nWPeIaL.exe
  C:\Windows\System\nWPeIaL.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\OQigWfZ.exe
  C:\Windows\System\OQigWfZ.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\qCkxmJL.exe
  C:\Windows\System\qCkxmJL.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\rZQhNCy.exe
  C:\Windows\System\rZQhNCy.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\bEaDZZW.exe
  C:\Windows\System\bEaDZZW.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\FMojOKG.exe
  C:\Windows\System\FMojOKG.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\iRKfxZT.exe
  C:\Windows\System\iRKfxZT.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\FVAZcoU.exe
  C:\Windows\System\FVAZcoU.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\nWmwRBm.exe
  C:\Windows\System\nWmwRBm.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\PFQNlLg.exe
  C:\Windows\System\PFQNlLg.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\BIVTjIu.exe
  C:\Windows\System\BIVTjIu.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\xBMvPtE.exe
  C:\Windows\System\xBMvPtE.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\xflRAPs.exe
  C:\Windows\System\xflRAPs.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\EnamIOG.exe
  C:\Windows\System\EnamIOG.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\pqCzmEc.exe
  C:\Windows\System\pqCzmEc.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\YkaezBQ.exe
  C:\Windows\System\YkaezBQ.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\bYHiVEu.exe
  C:\Windows\System\bYHiVEu.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\jcOKUzt.exe
  C:\Windows\System\jcOKUzt.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\AUYVNaT.exe
  C:\Windows\System\AUYVNaT.exe
  2⤵
  - Executes dropped EXE
  PID:2820

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BIVTjIu.exe

Filesize
5.9MB

MD5
b42bfbab13d6fccdcd85e679fbf37065

SHA1
2aeb0732b7e81cd828cc13341dbe979df52eb9e3

SHA256
e28d686f5aa78d9416c610826aa8fc8d3edc66bdca8f8051b8356f1ea8ddb598

SHA512
722308e8d28faa8ac139d36f836eee6146b38ad98726c937fb65bca627cd9c5a2d77a7970312db2fde426f82b6deed0247d95e65cac2482747f60a7114b89e5c

Download Submit
C:\Windows\system\EnamIOG.exe

Filesize
5.9MB

MD5
24a965c5ddfc62d720763657b008ba34

SHA1
b58be8c665a9356792b0c1371971fc989c1e966b

SHA256
7501de640f3d2547ab458126dc8323b5cf307b6904a8a5535b3299bdb3f39fec

SHA512
1e5c44617dadf3c3b5dffe0236ac0d33d51d8cb311dbebe901d23cf9058ba21a66da59b05ca777924a5f65de3a414ed094f522276fb2423411154662cde4c04a

Download Submit
C:\Windows\system\FMojOKG.exe

Filesize
5.9MB

MD5
f0e89326b37b2d1de450482fc977c6d4

SHA1
ffb3179cb45cc509f02d0613e88c91a6a48d147f

SHA256
de9987589c66535ddfe35e72a4a7b10df3b7ccfd2d41a47d083d87c9470d5404

SHA512
593e0464d53685fdde2cab980a9534db1a871d5e4e9ba38f6665ad528d8df8f5c7d5572f3d569a760edbb189d0892902fb453b0df908b3588efe8c8ad75c8bce

Download Submit
C:\Windows\system\FVAZcoU.exe

Filesize
5.9MB

MD5
084e6851f7c79a36d0424838a41f7ec2

SHA1
ed9d08e1e4b7edc68bb9bf80c1da5b1ebb439ce8

SHA256
5cf0b788bc79b018ce13a2780d2d904a514b37484db9a223f8b0e06eab0dea73

SHA512
02d47adc5b9fdbd102e75bed7bf2b727ca588cecce7eeb33efa8b8af9912b60ab5077568165805459341a2fd88808c34161955e09d5f731b7435d10abaa84a45

Download Submit
C:\Windows\system\PFQNlLg.exe

Filesize
5.9MB

MD5
6255e6a5a507365d0f53337e1c382798

SHA1
ee865a2f835a0bd52f742579c9c2265534cc5614

SHA256
0b89b6819f643d2b58178b8e8e1ed820a8f9ca8d0b92ac8de6f3d5c88d914617

SHA512
07785768e562c1dd6321708b082ac27d6bb8a4bc83bb5337cc441908e63671f2d71cd007e10b2767766f3a0f4b8f0e939ebc465b39e844b4d764d60338ae6236

Download Submit
C:\Windows\system\ThDerCw.exe

Filesize
5.9MB

MD5
262168b793b0dbdfaab2000b8297b0d4

SHA1
e1e2ec12ffe02acaf22db354760676c8b19ba63c

SHA256
49b589027c06f9b975a8d4b3bc08c53c9c546d5aa12b1862c2cef04261572cc4

SHA512
3619145b642db79d597afd19839f35d809e36e80ebf4f9686c9a7f683f2efe67f5e7b01a356fe8ff9e17d19d3ea70b77ef642ebc592f32ab6ffc981d22cf5683

Download Submit
C:\Windows\system\YkaezBQ.exe

Filesize
5.9MB

MD5
88a7923504074efebf56b09c4c7f873f

SHA1
7e1e1ca1d6ad2e3ed91e163db133aa46b7ff7151

SHA256
a28c2ab3ace65a594761c5fec6b296896f26620a68dabb47eacde5d1f77d5597

SHA512
d1209dac62df1fd54c53e1755a3fcf944d7a24b84e17df88b173f1ef8ba34a4be28ac8e4634fbc4e855c54d61e5ad87220924ab7491057ddb535b293218e846e

Download Submit
C:\Windows\system\bEaDZZW.exe

Filesize
5.9MB

MD5
ed6424164167749e7708b8363f43320f

SHA1
e2b52e210957aaad2e13b3423a7c5e6bb4e4067b

SHA256
0f88e9bb1f8ecda5ec5fd3c41fa3f34b9410fd7381182551342f7fe7695d7dd0

SHA512
9f8fe6889e728ce3f90ea9148c41c42ed3d222e55a14654cfd24248f983bd3ff2dcc53b6ba88b92b27cf574f2d5207c2effdca4967451777d7acb4910a67cf49

Download Submit
C:\Windows\system\bYHiVEu.exe

Filesize
5.9MB

MD5
583c13b82f1320104b738cac10b4fdb2

SHA1
9b0c3ce4c0a330d5473c93eff49ba847a895ca40

SHA256
4513d71a5c526d3f487d675eaf456167d4457da89b5ded010122f3f0ce10f608

SHA512
70c3ce0025dfc0e75ee16dd084cede82ae7a8d422dc8b3697714853b1926ab7b23289faa9f0f9b1822f581fa38388f9826b4952ffa6d1dfd88f008224f905382

Download Submit
C:\Windows\system\iRKfxZT.exe

Filesize
5.9MB

MD5
79df319b725232f53986586ff0613f92

SHA1
dc119804287596d1fde3bd9cba10f4c8df705da7

SHA256
0a26f87407aa998aa328501c84f5faa1591a78d98ab89c4f64597d0ed8e47afe

SHA512
8b842ab6cdd91fc18af6a771558b99b0ce0cc9b450b040a7c863202ed222f2c6112b49946a3806f5d49a58b4172290eaeeb5ff1dff575ff837e816a80e3ac9d0

Download Submit
C:\Windows\system\jcOKUzt.exe

Filesize
5.9MB

MD5
6e1f1ebd7601e49efb97394e4b4d916c

SHA1
426bf2d1d23b3afcabc115e8ddcdfb34d8911fe9

SHA256
c1e578398bef69d23e93342989c02ef6eee01a7124250bdeb509b4472ebf26ac

SHA512
8f2d2789eeb7f2ee92b122c7f96dfcefd9bced35e2667edd57c871ffa75b6073fe7fedf7a402ff4f516ee54e096b2072b510f9fd1d6b9bd04ca56a53c47a68e5

Download Submit
C:\Windows\system\nWPeIaL.exe

Filesize
5.9MB

MD5
a6f9cffb9adee673b5ff9ce000b65bd4

SHA1
5a185b29aec30cb0f0cf03b2c1a24340935eb851

SHA256
1bd71cfca7ba772d47280db3c371d060d6d055d43c262ef3868abf91259171e9

SHA512
5452751beebd0fe5891ff9291435bb83ae3b1d62c152db6fab641e18c1508240dd6883deb27ee78b6c573d5106f606770dbcde306aaa9733da83755bd1f2d49f

Download Submit
C:\Windows\system\nWmwRBm.exe

Filesize
5.9MB

MD5
56e3a19f16bb7f34ebdbe217b685019d

SHA1
a5dc9fefe9f197ca8ef45fb78fe96106da5eadaf

SHA256
e14b1508bfe27cba6be7010916888bae651d8fef233e8abf6ebabdaf967ca3c0

SHA512
6c629d706af962fd02df606e8f76cb30fa4e772a8009a81005ed6e2bcb84e90ece91df10a1766735bcc36b0046ba31a302deb49e9c3c8d51f0249ace6c8733b0

Download Submit
C:\Windows\system\pqCzmEc.exe

Filesize
5.9MB

MD5
a7f5838374d59aedf697bd17efd1b699

SHA1
da385138c637f181484ecc1378f33a264b62256c

SHA256
7a9ed7f99cfa610cad2d4ede73ce2f687ee7f131e3024060bd0f771c37c295e1

SHA512
6c15e64517ae0de61e524bdd20abf807eccc23871cce835f5af5952ea3327309ce81e9a37a3619d6dc47305bac73f4d0bc6c30f1ee9ef72a2838b16e2dcd9b8a

Download Submit
C:\Windows\system\qCkxmJL.exe

Filesize
5.9MB

MD5
7f58f483e04cfa48058103a639dd42b4

SHA1
191dccd2f5f7b6c3ce20bb8295adf7d05203bcc8

SHA256
44b2b1ef8f2950b2fce85c538ca0ca168fa7fd6dcc1401419489d1f2392e76fd

SHA512
6d44bd3a4cbb7c690a63fc1d8270b76ea5fdbac620e8cb4e6a8ebeb753f52ec03183bcfbea651da640a59600d245fe4d387fee971fa68f369af494af0d30da6a

Download Submit
C:\Windows\system\rZQhNCy.exe

Filesize
5.9MB

MD5
34a819f17cad8b1c3d12a7798cca7e7e

SHA1
7c16bf114bd93eb784fb403b416a97312cbaa6d5

SHA256
6b18dba553fb44804221184fc10ed01e7c4735ab2eaf549e15a2f10a6f7545d3

SHA512
65ba9dd26efba5d9adde05b23eeef8cbd59aed6bce4a3ba7db078100737bde207e857834adb6c0970c232ade7701384f6622f755d0a545bf47139cef1a05fad1

Download Submit
C:\Windows\system\xBMvPtE.exe

Filesize
5.9MB

MD5
67173fd43df3d40b0e90ad9bbfe3217c

SHA1
f469dae0b12c4fe21e510785e1faeee250a8582c

SHA256
178c329ef89117cb46d7c03b757f7719cd0192346ce2cc9716a4ee03c9650cdb

SHA512
5e32c889221ecd15e01f4184a776e4fea0bfbb8f6f7970ec2f4d675fb1d4ae3e8ee8fcf954cf625f9402caa52cc599a72f2c2b726ac75ea0f1c42d6790d4d9af

Download Submit
C:\Windows\system\xflRAPs.exe

Filesize
5.9MB

MD5
3bffcac42cffc8e3963293eb18e465a9

SHA1
59d32d8cde37f543410e486502c2bb450b197c01

SHA256
a6313a106e689d34d94b397bf0e79920f90b7f34f230b7844a5d969af7fba83d

SHA512
cbbbb3a981b25370039f74518c7e730da7c8b2694ffc3d649a5e138fb7c15d3f4f53a385e2afb545f08b73649ee62f20b02a7e1333f67409960771ff033ba2c1

Download Submit
\Windows\system\AUYVNaT.exe

Filesize
5.9MB

MD5
bb237cfd6d404e79aa1e8dd2aabe5dd8

SHA1
3e8bd22e92ba6b62938e8acbb42394dc1e5ce858

SHA256
a54cc62b0a8d85ae562c5dc2ce70287a4656f5a9c5ca3ef2033ed88c8c42a054

SHA512
ae69a3758f7cd815f6d682a3e54cfc08d5d466631097e3f365a37a302252e4ee066465968115f1a2451859cdfd0ec31a867361788a1197ab8b651a5ac36d00ad

Download Submit
\Windows\system\OQigWfZ.exe

Filesize
5.9MB

MD5
faa11bb6806b7b659c5cf0e5173755f7

SHA1
3fd612c4a0b93cccf5a5c46d5467c653aa57d9b3

SHA256
b0d7410ec4f52c36c5c91d60ea092d2861945ff913a79479e4fa7f90a5fcb3b1

SHA512
d145407d3c1edb61c7ac4b19aafcd5405833e01fc49fbd704508e122ad15a7170c9e44fd05d90dbac10f37f231936b50d1b94c69bdd66c126e4ade9c1f422108

Download Submit
\Windows\system\yqGRmTK.exe

Filesize
5.9MB

MD5
437d172a4397e2af252375dccfb06906

SHA1
9c17137e2548091c1fdbe88bf009368ed79c4f5b

SHA256
68b716b98786fb7b15e92c80aa2ea122ab0135698854d1fae1cdc5f71762511f

SHA512
7327945184fef98ff7cbbde8077bf6e7151b0ef7bd3aa45df98b9bc0dc6564f9a6cca72313aff718e31e3501425d5b856aeafd86e6a2d005cc77b30bf3322a16

Download Submit
memory/1848-114-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-137-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-11-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-147-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2320-131-0x000000013FB90000-0x000000013FEE4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-111-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2364-119-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2364-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2364-132-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2364-116-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-113-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-0-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-127-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2364-109-0x0000000002450000-0x00000000027A4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-130-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2364-129-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2364-133-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2364-122-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2364-125-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2488-134-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2488-108-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/2592-128-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2592-146-0x000000013FEF0000-0x0000000140244000-memory.dmp

Filesize
3.3MB

Download
memory/2600-143-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2600-123-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2704-120-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2704-141-0x000000013F200000-0x000000013F554000-memory.dmp

Filesize
3.3MB

Download
memory/2764-136-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2764-112-0x000000013FDD0000-0x0000000140124000-memory.dmp

Filesize
3.3MB

Download
memory/2768-115-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2768-138-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2824-126-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2824-145-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2836-124-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2836-144-0x000000013F690000-0x000000013F9E4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-121-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2848-142-0x000000013FAB0000-0x000000013FE04000-memory.dmp

Filesize
3.3MB

Download
memory/2852-140-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-118-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-139-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2856-117-0x000000013FD80000-0x00000001400D4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-135-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/2892-110-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download