cobaltstrike | b870887edf730f6cebac8d51dc5b3736134a3da20122de9338daf5fb936d3846

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8726882b7c0bcac8a0d5a85f95ab8e80
SHA1

2509ffc945702365ab7ec8d55501635bbb258167
SHA256

b870887edf730f6cebac8d51dc5b3736134a3da20122de9338daf5fb936d3846
SHA512

1b9f6abfc2c6f4bc31467bdc229254ddd8d72bb727b3a2f76f0d2d4c9447bd0a6df6d655bdd11aedac22bda74c92edfea7ce6465810baa7ed761cc86a3040dbc
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001225a-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d75-7.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d7f-14.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e25-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015e47-22.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000160ae-30.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d68-37.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019030-41.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001920f-49.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925c-63.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019346-85.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001933e-81.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001932a-77.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192f0-73.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019273-69.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019241-61.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019234-57.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019228-53.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001903d-45.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016c89-33.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f1b-25.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/3036-112-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2580-92-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2308-91-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2092-90-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2308-131-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2308-132-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/320-138-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2756-141-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2832-140-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2760-139-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/540-137-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1724-136-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2604-148-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2880-143-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1160-153-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/1800-152-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2792-151-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/1808-150-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2636-149-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2772-147-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2840-146-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2904-145-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2764-144-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/3048-142-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2308-154-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2092-224-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/3036-222-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2580-225-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/540-227-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1724-229-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2880-235-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/3048-243-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2764-247-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2832-252-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2840-254-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/320-238-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2904-240-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2756-231-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2760-233-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3036	nEjVXIp.exe
2092	DUtKJKb.exe
2580	oKTgfhj.exe
1724	ymnHJWH.exe
540	rKlybrg.exe
320	JjTgxyi.exe
2760	HavFgnm.exe
2832	fpKCvOb.exe
2756	lJZPYQp.exe
3048	WtviSja.exe
2880	mEMXyyl.exe
2764	EzzrSrw.exe
2904	FaOjbYi.exe
2840	KgqTCXa.exe
2772	cstakvt.exe
2604	kcaifNr.exe
2636	nOrdPiR.exe
1808	JaEZLTn.exe
2792	NCQkVRa.exe
1800	CKdtCPi.exe
1160	SmoRwWC.exe

Loads dropped DLL 21 IoCs

pid	Process
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/files/0x000b00000001225a-6.dat	upx
behavioral1/files/0x0008000000015d75-7.dat	upx
behavioral1/files/0x0008000000015d7f-14.dat	upx
behavioral1/files/0x0007000000015e25-18.dat	upx
behavioral1/files/0x0007000000015e47-22.dat	upx
behavioral1/files/0x00090000000160ae-30.dat	upx
behavioral1/files/0x0006000000018d68-37.dat	upx
behavioral1/files/0x0006000000019030-41.dat	upx
behavioral1/files/0x000500000001920f-49.dat	upx
behavioral1/files/0x000500000001925c-63.dat	upx
behavioral1/files/0x0005000000019346-85.dat	upx
behavioral1/files/0x000500000001933e-81.dat	upx
behavioral1/files/0x000500000001932a-77.dat	upx
behavioral1/files/0x00050000000192f0-73.dat	upx
behavioral1/memory/2840-110-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/3036-112-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2904-108-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2764-107-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2880-105-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2756-102-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2832-100-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2760-98-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/320-97-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/540-95-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1724-94-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2580-92-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2092-90-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/files/0x0005000000019273-69.dat	upx
behavioral1/files/0x0005000000019241-61.dat	upx
behavioral1/files/0x0005000000019234-57.dat	upx
behavioral1/files/0x0005000000019228-53.dat	upx
behavioral1/files/0x000600000001903d-45.dat	upx
behavioral1/files/0x0009000000016c89-33.dat	upx
behavioral1/files/0x0007000000015f1b-25.dat	upx
behavioral1/memory/2308-131-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2308-132-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/320-138-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/2756-141-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2832-140-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2760-139-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/540-137-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1724-136-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2604-148-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2880-143-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/1160-153-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/1800-152-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2792-151-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/1808-150-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2636-149-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2772-147-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2840-146-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2904-145-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2764-144-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/3048-142-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2308-154-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2092-224-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/3036-222-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2580-225-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/540-227-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1724-229-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2880-235-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/3048-243-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2764-247-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mEMXyyl.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcaifNr.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CKdtCPi.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nEjVXIp.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oKTgfhj.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HavFgnm.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JaEZLTn.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUtKJKb.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fpKCvOb.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EzzrSrw.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lJZPYQp.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WtviSja.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FaOjbYi.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KgqTCXa.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cstakvt.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ymnHJWH.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rKlybrg.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JjTgxyi.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nOrdPiR.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCQkVRa.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SmoRwWC.exe	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3036	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 3036	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 3036	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 2092	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2092	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2092	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2580	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 2580	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 2580	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 1724	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 1724	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 1724	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 540	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 540	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 540	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 320	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 320	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 320	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 2760	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 2760	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 2760	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 2832	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2832	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2832	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2756	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 2756	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 2756	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 3048	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 3048	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 3048	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 2880	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 2880	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 2880	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 2764	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 2764	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 2764	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 2904	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 2904	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 2904	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 2840	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 2840	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 2840	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 2772	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 2772	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 2772	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 2604	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 2604	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 2604	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 2636	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 2636	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 2636	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 1808	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 1808	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 1808	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 2792	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 2792	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 2792	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 1800	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 1800	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 1800	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 1160	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2308 wrote to memory of 1160	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2308 wrote to memory of 1160	2308	2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_8726882b7c0bcac8a0d5a85f95ab8e80_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System\nEjVXIp.exe
  C:\Windows\System\nEjVXIp.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\DUtKJKb.exe
  C:\Windows\System\DUtKJKb.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\oKTgfhj.exe
  C:\Windows\System\oKTgfhj.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\ymnHJWH.exe
  C:\Windows\System\ymnHJWH.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\rKlybrg.exe
  C:\Windows\System\rKlybrg.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\JjTgxyi.exe
  C:\Windows\System\JjTgxyi.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\HavFgnm.exe
  C:\Windows\System\HavFgnm.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\fpKCvOb.exe
  C:\Windows\System\fpKCvOb.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\lJZPYQp.exe
  C:\Windows\System\lJZPYQp.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\WtviSja.exe
  C:\Windows\System\WtviSja.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\mEMXyyl.exe
  C:\Windows\System\mEMXyyl.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\EzzrSrw.exe
  C:\Windows\System\EzzrSrw.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\FaOjbYi.exe
  C:\Windows\System\FaOjbYi.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\KgqTCXa.exe
  C:\Windows\System\KgqTCXa.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\cstakvt.exe
  C:\Windows\System\cstakvt.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\kcaifNr.exe
  C:\Windows\System\kcaifNr.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\nOrdPiR.exe
  C:\Windows\System\nOrdPiR.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\JaEZLTn.exe
  C:\Windows\System\JaEZLTn.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\NCQkVRa.exe
  C:\Windows\System\NCQkVRa.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\CKdtCPi.exe
  C:\Windows\System\CKdtCPi.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\SmoRwWC.exe
  C:\Windows\System\SmoRwWC.exe
  2⤵
  - Executes dropped EXE
  PID:1160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CKdtCPi.exe

Filesize
5.2MB

MD5
c2b80fdf7627c32e7c0ea9325f2eedd1

SHA1
8bcd39a32da9149c3f1ccbeb1c240e200041ea4c

SHA256
9be8d19c444cf38cee1a1a0a8a97743183d462330fc14bcd99ec43dfc3f0cd7f

SHA512
e7a4d09e9ed80e6fdcde60fd4831ce10f6703cb7492694f725d3dad9e5536b299a0e3fd8ed8b2510a73cf29f972104f03f5caaa1ebc6cc1bd5244aa45c6e5d30

Download Submit
C:\Windows\system\EzzrSrw.exe

Filesize
5.2MB

MD5
2c60366042a768b3043e70584e5ff0ad

SHA1
7c1a7575d5bc6a053c6c905b709f4110bdc93b79

SHA256
5c158228de58de81b33ead60c56cff10d3d9ab48edfad22524c506ffe12849a4

SHA512
088906cd651745dd722c5f027de6a253e07eaf44f265e6f73f847483cd6360a6ec67124c512dc4add95648bb50fc3067b854387a83fa4a2e598c7548d6e20942

Download Submit
C:\Windows\system\FaOjbYi.exe

Filesize
5.2MB

MD5
7db5f11f74c785b85f8ffeab391e14a2

SHA1
4ff96f5bbbac8a495291ad9754a84b807997f169

SHA256
7909f559d42ad5efa731ab72375a703ddd4b2194a7c8e01ec04934d22db7d122

SHA512
a255773175b77d76dcd112b25958270520f22442c67cbbd1c4900513609e7a44990cec735559e26974f7f1a1f32fb0501adbe649404bf249784f3f1f17bc8232

Download Submit
C:\Windows\system\HavFgnm.exe

Filesize
5.2MB

MD5
6273a3b6ee51bf94829f1283f43fb2d1

SHA1
481dacb16e43fcfd27bc6dc0939839c1de34ef54

SHA256
35156384a668185353577fe3cc6a33c58e17eaf506fc9149f04a06447b738b9b

SHA512
40f0a0ed258ea87ac39c06d75734647dc4acdfcada77169a6407faf6a3debeb745af464786aa3cd2912700cb4075abc7f0fafa80a3dfa8e80fadf246b41c28d7

Download Submit
C:\Windows\system\JaEZLTn.exe

Filesize
5.2MB

MD5
9319ef03f62ac6dafcea889da3c90eb0

SHA1
6d1240e55030c8eb48347a26ef5fe872b4f586c8

SHA256
7a6c3b4122778a9c38efa1cc134a43f0ba2c0795e403c28ea1341dd6b125d486

SHA512
080e81300b120a2ddc0addcd6567d40dd57c79d6c96a37733632c29a468954db29bf7efb4aeec79ae4b1fcbeb5f845eaeb11e86be90bd141ab157cf05ce41b20

Download Submit
C:\Windows\system\JjTgxyi.exe

Filesize
5.2MB

MD5
cb1a8f41e57fe08654439a114b5184d5

SHA1
50d8bd793170fdb88ea471f1ec1aa27ab4dba8a8

SHA256
880bb10171d4a20b6f834778a424ff3db6d59b36a0c945ebe47a9bb36ab6fb17

SHA512
ebdfb59c7b020b6f200a101263efc0f702f82f04c4da55a100e09ee4ae6389184f8d50165f3aae2df89c098aca828a108a946f6c5b57082cc38a78b138368404

Download Submit
C:\Windows\system\KgqTCXa.exe

Filesize
5.2MB

MD5
e1f35ecebab9eb7b382452555f947540

SHA1
9536e57662d22c1b19828eca028eda48c5be73c7

SHA256
5088b58930e40c347d69895e29d2acab667f665f8df3d9fe57912f34152ccaff

SHA512
9b9cbb0ba837afbb650911e26a483c84c7e59dee6dc45b962db3f95a6b5356b686bcdf85c012fc208709d1d356febca5196522a541ca79c9d780d018e05f91a7

Download Submit
C:\Windows\system\NCQkVRa.exe

Filesize
5.2MB

MD5
1e2e98609d6a474b2a3261b0508fcebc

SHA1
1917f9425f95005a0fc2fb7627f272eec703adb2

SHA256
e306eba5ce36a551d5b9555624dc9b2b4cfe813296ef8252f70cae903e033b00

SHA512
b97848d1aaa68d492303c58df76cb06657ad6e5c6c1c604cd08af20bdb89f699cba6e4c8387ca3145294964553395323d4e09396b33ced742dd8050a9062d56b

Download Submit
C:\Windows\system\SmoRwWC.exe

Filesize
5.2MB

MD5
6da8dd22ee85c3c5bc72e999d829fb7d

SHA1
cf3d2014c684aff6bbf55b50b715dd367b5af7d8

SHA256
d5d19f79dfeec87d14016bb38dcd3ec6f1e1378a2debafde19fb93a968af77a9

SHA512
6d104abf5d0a80421bf06b0044c93ffaccd1290474a310fa0c1f163b1a96d116ed0b367b6a2599e42f5c1273702388c0512d883e4cf2590fb56851861a1ffee9

Download Submit
C:\Windows\system\WtviSja.exe

Filesize
5.2MB

MD5
8d354aa2a0a5ea39901fa6a20d5023cf

SHA1
c0f0159e35fe6a5741edf84c89bc2404803ad4ff

SHA256
6708c222607030b72ef199e67fdf23d1436a8e4b2c589e134a773f320947e1bf

SHA512
c18b526460a289c2b3c307c8f69c6067a8f53dd3653b2633d3eb5e959240ee4524a9ee40b792f827a6e49887b7210b61b9a5327003d77ac3eb66c58ee044ad68

Download Submit
C:\Windows\system\cstakvt.exe

Filesize
5.2MB

MD5
060cfba4701b757bd59d2aa142d1ed25

SHA1
efdb8606d91c83fba3a1d8579e901d63436eb0f4

SHA256
df5d200f17d28e23190c1aab7555baff89648e75b0d48ecd674f7029b414c7e8

SHA512
723cc09364c7390150c17494fdce02d9e00ef90807edae5fa8a42f2071c54803ff341e11ea66dfcec7b110a0fc822cc7f6165f9121ac7296b09157c21fc88ceb

Download Submit
C:\Windows\system\fpKCvOb.exe

Filesize
5.2MB

MD5
b09b863dd72886c0e1ed588cbd4d178e

SHA1
55a32c88d1c376def53ea79a77ca9f9a5a9c847b

SHA256
5af9c9551cae1ad2f16174dee5aadcd55e0b39c1513ca48068ca323ffa4a760a

SHA512
e60b164f47ce257cbe4f2543b9555282acbd5957e6d97c58c8c24ebeed2a7355e7680c7745bb9e79e4cd386bbcaa521ae9a2712cdb56ed253b01e9cf90ac7737

Download Submit
C:\Windows\system\lJZPYQp.exe

Filesize
5.2MB

MD5
3ba31dbcc7af2ee4fca8cd1f3c933736

SHA1
90c4ee57765b2ffff06ade49bc32c08dde3455d6

SHA256
3a5f32c1c3b9ce86007d11fa856e5319eed0c32da323d6570ef8615e9a0627f8

SHA512
d3c41221e8452a64ef3578825ac5b2e96fb96908a3111f633f15987bcfc7bc8a126e9eb0c9b99ef4fc51099732ed214b8b267eae4ef52f1d179708e7955d951f

Download Submit
C:\Windows\system\mEMXyyl.exe

Filesize
5.2MB

MD5
3b360119349150476f70ef53b4a3bc70

SHA1
cc52715c11955e6b0dca96d14eb3ea43aed41b22

SHA256
1346367fd8ec13618e9d79fc9906986ab2d51c4ce69cdae077202808d6e06f89

SHA512
d7a8f2ab10e82f3a9f23caf39b9a710915bc20810f52252ef6e3094f3a92a948b386d0810a8a3a43963750050e9f55f94964b4a4377562f3b7ae4ae72441a78e

Download Submit
C:\Windows\system\nEjVXIp.exe

Filesize
5.2MB

MD5
7cdcc676e1269e5c06eb4316eb764582

SHA1
2e55489332be5f6bc0e4e7874ea13be5988cd073

SHA256
6ef864ef3dde4d108e0ca07c8aab315c8346fc38d642a3a4bd249d48ee55052a

SHA512
8f4c20f4e119c90474bcc007e8bdc627a402f3f052fa6941272374f4c165d8fce23d2b0c4c5b02e33ec8cbc9a050df1178232cac21244b45a44e144e24bfbe14

Download Submit
C:\Windows\system\nOrdPiR.exe

Filesize
5.2MB

MD5
10393b5e5819a38b16e5c2e6a5aeb7ab

SHA1
4991ce0b39d468d66ad635af5d152db706accbe7

SHA256
c91d6d759ebbeb72db746aac622bd9242824b8833b6521f872f0227b5f75b3bb

SHA512
4dc200c29f23ede505e5cea14cb29ddabac2264a198abbea459483ab2b4818cb0a50cff29cddc14f1fcb2d6e1c08584005db842f93b5e8d0413c2db9115ff957

Download Submit
C:\Windows\system\oKTgfhj.exe

Filesize
5.2MB

MD5
6351702060c76f50e907987f20a9a2de

SHA1
41f127720d35b0b1d2846a19a9781f5b7edf603e

SHA256
0d91c325b5a356bfdf09f529a7dbb49647d68e1e43ae913e0d5945aaace108b9

SHA512
c857b0fbf936f3a294f9747d490bfa635059fd116f7b141acbe780bf8b04d95a60cf5531b3291826ad1238f0cb788c33b6f02407a76106b72ec5bfb1ffa7e106

Download Submit
C:\Windows\system\rKlybrg.exe

Filesize
5.2MB

MD5
bb929f45e2b4763ea8aaf4ff1381563f

SHA1
39fdd09aa638c25eb3f4302f59e2cf41ba5b3e05

SHA256
15351014473b6360d832b4f893b94451f0c9401399d34c62b1c0e13e0719f2f7

SHA512
27d66eed912fd884489c2819a5c07614f01e595b209e95e6a4bd6ce9dca35d6aa608321bb95af424aa034d5e50dab45992dc855072ca51da324d959c4e2173f7

Download Submit
C:\Windows\system\ymnHJWH.exe

Filesize
5.2MB

MD5
60b7d6ebe7b07d322bfe3d45b948d92b

SHA1
3223dabd890ef03e4981d5e848d250f71b4e34f2

SHA256
8025851687a2150bbacbc06f28af49f86b859086bc3c692361c9ac080132f11a

SHA512
3b02d3658bd9e568e30a0f0c2fb85680dd731b06698e098709f923ba41229b48a3f7d7c55fb3c1d251eb99c5c1d4504e831cf2519e03ef96db93186657e8cc2a

Download Submit
\Windows\system\DUtKJKb.exe

Filesize
5.2MB

MD5
6b60c7185c692df67cded6481d988c95

SHA1
695865a354dad8fedf1862b09be78ac762776dea

SHA256
557177e09c4fe2352be9786c4f214f4db2d5028751d686ede120dd72a18391c2

SHA512
c95310423d23c20f77f0708dd2414f31ddadef0312b43017038d0e4c97d18028967688536f6c744734eaaa54e6a83c81e370dddb6ce8ff58a38a8cbf3221f32d

Download Submit
\Windows\system\kcaifNr.exe

Filesize
5.2MB

MD5
8d911972f5a60589d5e72cd79a1dcebe

SHA1
3a9555d7699bd646c3be079e050779e1bbcaa2b9

SHA256
dee6d6532b5bf4f9d0a48b6bd5ef2c3e9e2d8da94f7edc70aeee4cff8d672df6

SHA512
3acaca89718132c12a1110bd4c56c6b3c369854c5a1007f63e87d60c5dbfdec5304ac580e25da0452141814aa272071cdb461b060bed79694bbb18a539ee9580

Download Submit
memory/320-138-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/320-238-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/320-97-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/540-95-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/540-227-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/540-137-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1160-153-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/1724-229-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1724-136-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1724-94-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1800-152-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/1808-150-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2092-90-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2092-224-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-104-0x00000000023C0000-0x0000000002711000-memory.dmp

Filesize
3.3MB

Download
memory/2308-93-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2308-91-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2308-96-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2308-89-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-0-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-101-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2308-154-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2308-103-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2308-99-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2308-106-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2308-131-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-132-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-111-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2308-109-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2580-225-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2580-92-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2604-148-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2636-149-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-102-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2756-231-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2756-141-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2760-233-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-98-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-139-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-247-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2764-107-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2764-144-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2772-147-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/2792-151-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2832-100-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2832-140-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2832-252-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2840-146-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2840-110-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2840-254-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2880-235-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2880-105-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2880-143-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2904-108-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-145-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-240-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-112-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-222-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/3048-142-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/3048-243-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download