cobaltstrike | 14e0dff34fa1c258b721ab3fec53bf77eaf1183ae9439b0484a31167b2bff7c6

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e06ed1816f5aed4097ef2e054d2a234a
SHA1

04bb501f92a709a00b4bed09555391843a4a6c0b
SHA256

14e0dff34fa1c258b721ab3fec53bf77eaf1183ae9439b0484a31167b2bff7c6
SHA512

69f74f9bd79742edcd4cf9b6a44c426ca3bfdb4584f639a521e0acdc2a67f5cf9806a797475202f4569f50ed0f878f4ddf20ca5b682bc102946f054502fcd95d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUl

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012117-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016890-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016b86-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ca0-33.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c89-38.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d68-63.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4c-61.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cf0-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d22-54.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000164de-32.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018706-80.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018697-77.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870c-94.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018683-88.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871c-111.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018745-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018be7-119.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018fdf-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019056-141.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d83-131.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d7b-126.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/2280-16-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2300-67-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/3032-69-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1460-68-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2468-45-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2468-42-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2468-51-0x00000000023F0000-0x0000000002741000-memory.dmp	xmrig
behavioral1/memory/2188-50-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2968-102-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2532-105-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2624-98-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2468-90-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2948-89-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/1276-106-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2468-108-0x00000000023F0000-0x0000000002741000-memory.dmp	xmrig
behavioral1/memory/2880-122-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2340-144-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2700-149-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/2468-146-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2620-159-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2468-158-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2548-164-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/3000-167-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/1080-170-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/1224-169-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2316-168-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2984-166-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1656-171-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2468-172-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2188-220-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2280-222-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2300-232-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/3032-234-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1460-236-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2880-238-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2948-240-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2700-246-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/1276-249-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2624-252-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2340-251-0x000000013FFD0000-0x0000000140321000-memory.dmp	xmrig
behavioral1/memory/2532-254-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2620-256-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2968-258-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2280	VHTRKtf.exe
2188	nmOzuoZ.exe
2300	BRVTWnc.exe
1460	cPWyvhX.exe
3032	tISRsGW.exe
2948	fhyrJsK.exe
1276	oQkLFks.exe
2880	dMFJdvB.exe
2340	BwYVgUH.exe
2700	FBfvoKu.exe
2624	zVhVQOJ.exe
2532	blSuYhv.exe
2620	ClnCknz.exe
2968	YvAbDIG.exe
2548	oTWldgC.exe
2984	ndIWApB.exe
3000	PUnNHIX.exe
2316	avcepgg.exe
1224	DaCQXdd.exe
1080	PCtBLNJ.exe
1656	xWFdqsU.exe

Loads dropped DLL 21 IoCs

pid	Process
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-0-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x0007000000012117-3.dat	upx
behavioral1/memory/2280-16-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2188-15-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x0008000000016890-12.dat	upx
behavioral1/memory/2468-9-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/files/0x0008000000016b86-8.dat	upx
behavioral1/files/0x0008000000016ca0-33.dat	upx
behavioral1/memory/3032-37-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/files/0x0008000000016c89-38.dat	upx
behavioral1/memory/2948-39-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/1460-36-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2300-34-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2880-55-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/files/0x0009000000016d68-63.dat	upx
behavioral1/memory/2300-67-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2700-70-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2340-62-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/files/0x0007000000016d4c-61.dat	upx
behavioral1/memory/3032-69-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1460-68-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/1276-47-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/files/0x0007000000016cf0-46.dat	upx
behavioral1/memory/2468-42-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x0007000000016d22-54.dat	upx
behavioral1/memory/2188-50-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x00080000000164de-32.dat	upx
behavioral1/files/0x0005000000018706-80.dat	upx
behavioral1/files/0x0005000000018697-77.dat	upx
behavioral1/memory/2968-102-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2532-105-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2620-101-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2624-98-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/files/0x000500000001870c-94.dat	upx
behavioral1/memory/2948-89-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/files/0x000d000000018683-88.dat	upx
behavioral1/memory/1276-106-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/files/0x000500000001871c-111.dat	upx
behavioral1/files/0x0005000000018745-115.dat	upx
behavioral1/files/0x0006000000018be7-119.dat	upx
behavioral1/memory/2880-122-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/files/0x0006000000018fdf-135.dat	upx
behavioral1/files/0x0006000000019056-141.dat	upx
behavioral1/files/0x0006000000018d83-131.dat	upx
behavioral1/files/0x0006000000018d7b-126.dat	upx
behavioral1/memory/2340-144-0x000000013FFD0000-0x0000000140321000-memory.dmp	upx
behavioral1/memory/2700-149-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2468-146-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2620-159-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2548-164-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/3000-167-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/1080-170-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/1224-169-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2316-168-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2984-166-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/1656-171-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2468-172-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2188-220-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2280-222-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2300-232-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/3032-234-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1460-236-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2880-238-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/2948-240-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\avcepgg.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRVTWnc.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oQkLFks.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dMFJdvB.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FBfvoKu.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVhVQOJ.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\blSuYhv.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvAbDIG.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oTWldgC.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmOzuoZ.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cPWyvhX.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwYVgUH.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xWFdqsU.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhyrJsK.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tISRsGW.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DaCQXdd.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUnNHIX.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PCtBLNJ.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHTRKtf.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ClnCknz.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ndIWApB.exe	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2280	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2468 wrote to memory of 2280	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2468 wrote to memory of 2280	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2468 wrote to memory of 2188	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2468 wrote to memory of 2188	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2468 wrote to memory of 2188	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2468 wrote to memory of 2300	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2468 wrote to memory of 2300	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2468 wrote to memory of 2300	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2468 wrote to memory of 1460	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2468 wrote to memory of 1460	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2468 wrote to memory of 1460	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2468 wrote to memory of 2948	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2468 wrote to memory of 2948	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2468 wrote to memory of 2948	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2468 wrote to memory of 3032	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2468 wrote to memory of 3032	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2468 wrote to memory of 3032	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2468 wrote to memory of 1276	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2468 wrote to memory of 1276	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2468 wrote to memory of 1276	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2468 wrote to memory of 2880	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2468 wrote to memory of 2880	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2468 wrote to memory of 2880	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2468 wrote to memory of 2340	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2468 wrote to memory of 2340	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2468 wrote to memory of 2340	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2468 wrote to memory of 2700	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2468 wrote to memory of 2700	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2468 wrote to memory of 2700	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2468 wrote to memory of 2624	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2468 wrote to memory of 2624	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2468 wrote to memory of 2624	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2468 wrote to memory of 2620	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2468 wrote to memory of 2620	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2468 wrote to memory of 2620	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2468 wrote to memory of 2532	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2468 wrote to memory of 2532	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2468 wrote to memory of 2532	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2468 wrote to memory of 2968	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2468 wrote to memory of 2968	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2468 wrote to memory of 2968	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2468 wrote to memory of 2548	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2468 wrote to memory of 2548	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2468 wrote to memory of 2548	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2468 wrote to memory of 2984	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2468 wrote to memory of 2984	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2468 wrote to memory of 2984	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2468 wrote to memory of 3000	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2468 wrote to memory of 3000	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2468 wrote to memory of 3000	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2468 wrote to memory of 2316	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2468 wrote to memory of 2316	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2468 wrote to memory of 2316	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2468 wrote to memory of 1224	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2468 wrote to memory of 1224	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2468 wrote to memory of 1224	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2468 wrote to memory of 1080	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2468 wrote to memory of 1080	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2468 wrote to memory of 1080	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2468 wrote to memory of 1656	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2468 wrote to memory of 1656	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2468 wrote to memory of 1656	2468	2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-23_e06ed1816f5aed4097ef2e054d2a234a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\System\VHTRKtf.exe
  C:\Windows\System\VHTRKtf.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\nmOzuoZ.exe
  C:\Windows\System\nmOzuoZ.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\BRVTWnc.exe
  C:\Windows\System\BRVTWnc.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\cPWyvhX.exe
  C:\Windows\System\cPWyvhX.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\fhyrJsK.exe
  C:\Windows\System\fhyrJsK.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\tISRsGW.exe
  C:\Windows\System\tISRsGW.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\oQkLFks.exe
  C:\Windows\System\oQkLFks.exe
  2⤵
  - Executes dropped EXE
  PID:1276
- C:\Windows\System\dMFJdvB.exe
  C:\Windows\System\dMFJdvB.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\BwYVgUH.exe
  C:\Windows\System\BwYVgUH.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\FBfvoKu.exe
  C:\Windows\System\FBfvoKu.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\zVhVQOJ.exe
  C:\Windows\System\zVhVQOJ.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\ClnCknz.exe
  C:\Windows\System\ClnCknz.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\blSuYhv.exe
  C:\Windows\System\blSuYhv.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\YvAbDIG.exe
  C:\Windows\System\YvAbDIG.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\oTWldgC.exe
  C:\Windows\System\oTWldgC.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\ndIWApB.exe
  C:\Windows\System\ndIWApB.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\PUnNHIX.exe
  C:\Windows\System\PUnNHIX.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\avcepgg.exe
  C:\Windows\System\avcepgg.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\DaCQXdd.exe
  C:\Windows\System\DaCQXdd.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\PCtBLNJ.exe
  C:\Windows\System\PCtBLNJ.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\xWFdqsU.exe
  C:\Windows\System\xWFdqsU.exe
  2⤵
  - Executes dropped EXE
  PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BRVTWnc.exe

Filesize
5.2MB

MD5
8bf42dd9b5643ae06a5b1269e519f6e0

SHA1
fff732fc13b501305ddd614191e3ceba5267084f

SHA256
1e41a26ae6d2d69bcb2d2aad199238fd65fe4b0352cfd58dd51ff6007b74552f

SHA512
bb2e210f684963390c7b1018a39408ad9da8aea3ad07be8d4e6666d5bc44e8e86c0191b231e8319dd9151ffe4390db99e05e755872991818ac1f84c4e19abf7e

Download Submit
C:\Windows\system\BwYVgUH.exe

Filesize
5.2MB

MD5
8d4d2d354e9ec772ea7c9335f0faec5c

SHA1
7336535e8dc834cb9d1f0907cadf231bdd7137ab

SHA256
79012def851aa307b5402e65531de13785f6ac768a2950b0d71226151a19d6be

SHA512
d85becb5f3659655daa23c01513ecc252fc1366005a28b24e770cabc94663d32f1d1e716ece88013eb0b788849dbad4279e5eb72f5343fa84f33a768fe24fd0d

Download Submit
C:\Windows\system\DaCQXdd.exe

Filesize
5.2MB

MD5
8602528ddb6e702d8d4b923f5846909a

SHA1
0d3889cdb2a62337c19e04149322a4655829866c

SHA256
e696bb50f124eacd897b0b5a475f441d1dbfa826eb6e4a2606a7f31f71da5f9e

SHA512
e8e79a54c603aa0c2e2c0da14317946ea701d522e4ee03f1589e9854d24fbdfe40bc7938c2d1897bd70f321af96152d631f11204fb24c75f9a410abdc6fa4de7

Download Submit
C:\Windows\system\PCtBLNJ.exe

Filesize
5.2MB

MD5
aea76bf321feef335edccb2b8c7865ca

SHA1
f976b178cb923d8c4c8f101e0336dd28dd26f43a

SHA256
c7a31d06855079e594946de4225d842b127bbf5cec9eeed66d04f06a5c39fc8a

SHA512
158fcfa098d12e639ba68c6987fd3435d7790299a25839a457b3ec75cee534381c65f01ebde4999f646ed4b018f3ecbafaf19acba49f4272941c7609492ecde3

Download Submit
C:\Windows\system\YvAbDIG.exe

Filesize
5.2MB

MD5
64b064184928b9a4b7df46b4d828a272

SHA1
caaa4e7a7eedd0d966f06be6159a32ab995f5501

SHA256
38b4cc63adfa5d0dfae7fc48a81ee54d8636dc8e9fdf79768059b5128486772a

SHA512
860f80602625040c8a1f7a6d9c3f4399cd53a0dd29c17740db49a1e7430005a9afe56802322aeaff2d2ec3edd6c8878ae0e5aae42758efda73a7b7555719a6b8

Download Submit
C:\Windows\system\avcepgg.exe

Filesize
5.2MB

MD5
14194ab9407be671e9f8ce369b2b9aa8

SHA1
afbe45831cb0cd7cd0f10be5d648809e25aa82b9

SHA256
b8dbe81ae039c85844bd53dac8548847748c9e4b94acd8cf45ab104707ca8fd2

SHA512
c7db77ec1df7156e6c67f38f742c75432664abdaf5bf405090fd5acf402a71d80a1906dd850e016c6bc479050f6b77bcef4eb6e9db417608f1532dfef9be8975

Download Submit
C:\Windows\system\cPWyvhX.exe

Filesize
5.2MB

MD5
93e50dd8643d988b18f1761d2d4c95cb

SHA1
753fccf12005ed5adc6e14024eb11b2b1e75ccaa

SHA256
912ce399cf1367828d6d55b38d2c2f313ad7e15dd6b68fb8919a901efe38d431

SHA512
59a128b81bbdb031049f5696150fc22577a948d94127d99476ae250abd0ccb7bcfeb218ff0e659477f84fe21e4422cf7a39d85b63807435d6c841997c707cd59

Download Submit
C:\Windows\system\dMFJdvB.exe

Filesize
5.2MB

MD5
82973467536a9f5999b776336a00da22

SHA1
eff5fa0623ca0ff5b042c7b4151bd4b54c727f6d

SHA256
f651d08a949c02ffa331a0e0fb4f3f1c1bd094125e36acc0dc9397bea6a45539

SHA512
f13598cae2f29b127975357d630a6e94886f8b1605f0476e1b808dd4acc0770fd7cf91823f3e7697844b2387e10adec351ff8d42520850e9a764787d277929df

Download Submit
C:\Windows\system\fhyrJsK.exe

Filesize
5.2MB

MD5
6fe67be3585485663dba4b6290c8194e

SHA1
da9fc3586f2ba29c5be2d3a2cfe8fd91dd3c7efe

SHA256
a127dcba0b58b3b90136aca331b448f716fa8ff966e3399c526ea120b3d4a847

SHA512
70d096687a50a6057d16dbb21c6c33547f30c91457ddca737d881d753c946c54c50a44cbefcc14f108cd11a187d1984557a790d9af6ffa4bfa37bc5dfcfda7f4

Download Submit
C:\Windows\system\ndIWApB.exe

Filesize
5.2MB

MD5
969bb23a14305e76374477e1e15b5edc

SHA1
9f80e2af74d26922db2f2cd9749570d7af0bb10c

SHA256
4e0a1d5466bd6e4d88a94d5133cab33db2a982c9989942bdc2ac08bf40a89357

SHA512
aa4019562c28eb56d23f155c62c6627798e1acb245e281ad692be325372e30be9ebabc13c7d0c8ed00b2581e17811da1dcf10e82eba395d016a38b5ebc32c051

Download Submit
C:\Windows\system\nmOzuoZ.exe

Filesize
5.2MB

MD5
8141f9bda0695bc12af0fafd2ec0e53b

SHA1
939530159b2f88644aeb6ddea2cac1a2c8326141

SHA256
e640556cd0ca3afba3c8e8c54b6a28707d83929ead64f0e3d01eccc5c2144476

SHA512
295358b87c7d07bc982de7a3258e80ae4ebbea6990dd4822334e11788118e3b10a64bf23272cc35bebdae12ab2d918098766d16f55962bd926d7c2ab54e46bbd

Download Submit
C:\Windows\system\oQkLFks.exe

Filesize
5.2MB

MD5
e294aa71df3a4c83073fed0c5b666ccd

SHA1
5b2c73cc2624e6f56d9872fc0b5ba78463b58b69

SHA256
c55e2c249e14cab5bb374d80f21d5506cd50947c14ad24371d27b3c2af44d52f

SHA512
60db27b3dc36dda2e877c5d1d3954ecae3e47da3e70031b79ddf150f7c8a891af1feeb583bc55e4f3688d447578deb165e1d5f0d1cbf86a6f80f451cc662220a

Download Submit
C:\Windows\system\oTWldgC.exe

Filesize
5.2MB

MD5
cb96fcf9c698541b3fb924abd8b9f931

SHA1
7ef87e0655d49362977634395497b1ae9184fa95

SHA256
4c8da72fdfc8e8fd6002b82bbc5392722aec678e4dc7146810b590f3d8a1967b

SHA512
336a604c893c5dc0358d6d2bcc16a77554624fa8e2f200d8010cce6be979734546f5b46f2ab3e1c5ebec8a3f17292543bc8beb2f0ef08586888a7dfeb9466f57

Download Submit
C:\Windows\system\tISRsGW.exe

Filesize
5.2MB

MD5
3771f2db0287e2e87d20adbd9a21dbca

SHA1
9da9249e0c4582a33177948b45d195d8195826a3

SHA256
60b1167b543f3096ce8deefa041d71b8e93449814595bd444933b57ca538a2d4

SHA512
e7d57baf12b4c5f6114c1d1f872dd64017ec444619406ce77207033a72df425a7ef1cbe1cb45d154664a634e757a5b41fa2e988b27ae998300ef1246988d7e95

Download Submit
C:\Windows\system\xWFdqsU.exe

Filesize
5.2MB

MD5
6d0f07c7a69c0061fe1eb7835eee7a4b

SHA1
d21733571ac56f2819824f14d2cabae6e2e2ac39

SHA256
efb56f0aa3c1e4e52391ac87c9384c8ae1d500632e56c1070067df3034e1ac9c

SHA512
40c39666098e373b411f8ec8991eedbd3d291e0c6888883ff4ac05de2976fa78f070edeb464194530779f46480e5cabb7e06a03d7ee61a87fa7d6d98d3758963

Download Submit
C:\Windows\system\zVhVQOJ.exe

Filesize
5.2MB

MD5
58b3e79559c049dbe05c774673052f8f

SHA1
d2095b70efe051a47bb3b143ced96741d6ee1e4d

SHA256
42147c1cc6c689a9de882cc190b21aacf6dfcb84507ef5894cc8533e81a68c75

SHA512
a843cd4c55b6dd6648c2143c5a1c2015af0b159b7938e1f66d0a3327d833b4838ff49affa762ea63b05e4e175ea43856ff9d36648618996b2a48d7422cf122ea

Download Submit
\Windows\system\ClnCknz.exe

Filesize
5.2MB

MD5
cf3d685f184283995e5824f12a388db2

SHA1
f225b1bde773c19a51eca398c9e93734733d0b7a

SHA256
f7cab8797918ee33a103816b9a307b7ee2ff90d4720ce7765d3c4fd41f324a39

SHA512
3777546af58a6b05ed9632673ec3ec31bfe5452f6605deff09d1d3a039bddd2cfdf924ffb2e63649432d3a83dba4be32041c37d51f522a0be9062ac2f0395a5b

Download Submit
\Windows\system\FBfvoKu.exe

Filesize
5.2MB

MD5
9a92aefd1f515fc7c122f1d2663f0260

SHA1
ac160b6598d555b73789334cc99405333e4eafe4

SHA256
416d429de1e730578ff722e048fc6145e00936e1c8e1d778798fd75a31495a04

SHA512
f4821454251bfe71fb07d099552f08085bdb677c5513d57054fc90a2db50bfeeacee4467d5d6b41dc227c2fce870adb7dc2f267a78a5ac0ec8cf821c86bfe47a

Download Submit
\Windows\system\PUnNHIX.exe

Filesize
5.2MB

MD5
3de702c8720e4106e6cd0491ba155762

SHA1
07a58486ea9ff9dadea9cbb76f9054fce58d8531

SHA256
e73d642e48213f3da300a8e9b5b6a190b672f179b027960480ff0582bc8ca2b3

SHA512
d6004e965d9296b90354122afa505e72be61c8f0cf507ef86b95cfcd0459fefbe7c42a6a8409642c1988ba025fcfffc82e37201e081050ee1a3a7a4c6a9f945a

Download Submit
\Windows\system\VHTRKtf.exe

Filesize
5.2MB

MD5
2ac502bd4fddd77b4fc7500577afaee9

SHA1
0daa4f930955e7d35b3e32012cac7620a46423a7

SHA256
150907c74a0e3fbf35bb9b9658452eb0bbc6eb2bec8a3a50e85435722f6b4115

SHA512
2f674ab52e1db7a9ac61fed2ba81bade4d02e052eaf2b7966b92ab05af63989c97d4f07a552e86a4b9a33a6e3f87dc19547871adedfcd264b2f2f320873f73f2

Download Submit
\Windows\system\blSuYhv.exe

Filesize
5.2MB

MD5
d49b5d4362a0a0dd49a6af373b1430e9

SHA1
871bbc892e0e795c846bc51afd243bb8dea194c5

SHA256
215cf968b4439f202afb9d03398c4ddf87374f20f14669a4f2b601d8e3ec755a

SHA512
a91d9d83bcd2fd4569825de5b89faaf09d41c339bc3623a5776bd90bb3722733f25ee2ed064e88ce61d2cf9117a2b47223a80cdfc93d58d8895c322cb632005f

Download Submit
memory/1080-170-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/1224-169-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1276-106-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1276-47-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1276-249-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1460-236-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1460-68-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1460-36-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/1656-171-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2188-50-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2188-15-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2188-220-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2280-222-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2280-16-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2300-232-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2300-67-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2300-34-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2316-168-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2340-144-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2340-62-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2340-251-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2468-95-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-158-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2468-0-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2468-90-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2468-10-0x00000000023F0000-0x0000000002741000-memory.dmp

Filesize
3.3MB

Download
memory/2468-103-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2468-104-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2468-112-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2468-9-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2468-108-0x00000000023F0000-0x0000000002741000-memory.dmp

Filesize
3.3MB

Download
memory/2468-30-0x00000000023F0000-0x0000000002741000-memory.dmp

Filesize
3.3MB

Download
memory/2468-96-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-26-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2468-51-0x00000000023F0000-0x0000000002741000-memory.dmp

Filesize
3.3MB

Download
memory/2468-42-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-45-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2468-64-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2468-172-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-145-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2468-58-0x000000013FFD0000-0x0000000140321000-memory.dmp

Filesize
3.3MB

Download
memory/2468-146-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-165-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2532-254-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-105-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-164-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2620-159-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-256-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-101-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-252-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2624-98-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2700-70-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2700-149-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2700-246-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2880-55-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2880-122-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2880-238-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2948-89-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2948-240-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2948-39-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2968-102-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2968-258-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2984-166-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/3000-167-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-234-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/3032-37-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/3032-69-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download