cobaltstrike | 5a3aa2d791d05e1f7be8b711bf653a19207dbd1489ad7db57a78206c83424263

Analysis

max time kernel
144s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15/11/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

561edea81eab81f7d6ede4dd19ed409c
SHA1

372ca19783c85af3b87718288d8a12fac5f94f7b
SHA256

5a3aa2d791d05e1f7be8b711bf653a19207dbd1489ad7db57a78206c83424263
SHA512

c4998ea800284ebce6d7de7b037f2e6e618288e3eadb13b4ad08983001915bbec5ca64a4302e1a8ebdc7fb1bc010d23660031dad27c5f286f124954a8e6959b7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0003000000012000-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c3a-16.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016a66-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c51-19.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cec-37.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d29-53.dat	cobalt_reflective_dll
behavioral1/files/0x0036000000016560-66.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173a7-72.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173a9-79.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017492-97.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018683-118.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186e4-123.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ee-134.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186fd-137.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ea-128.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018676-113.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174cc-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017488-87.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d06-51.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000171a8-59.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cc8-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

resource	yara_rule
behavioral1/memory/2880-25-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2748-27-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/3068-26-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2560-36-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/2092-78-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2380-94-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/3068-110-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1976-109-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/3068-108-0x00000000022F0000-0x0000000002641000-memory.dmp	xmrig
behavioral1/memory/1508-102-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1236-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2352-100-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/376-93-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/3068-92-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2996-91-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/3068-143-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2596-76-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/3068-68-0x00000000022F0000-0x0000000002641000-memory.dmp	xmrig
behavioral1/memory/3068-54-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/3068-144-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2812-33-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2796-31-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2348-161-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1352-160-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/832-159-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/808-162-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1740-165-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/3068-166-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1988-164-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/400-163-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/3068-167-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2748-218-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2880-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2796-221-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2812-224-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2560-226-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/2596-236-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2996-238-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2380-242-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2352-241-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/1976-244-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2092-246-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/376-248-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1236-256-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1508-260-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2748	OicvTzG.exe
2796	soYXxHa.exe
2880	yaqlPrK.exe
2812	XaydlZP.exe
2560	jRdHRNb.exe
2596	JToYeNb.exe
2996	FnIfXoq.exe
2380	LlTeebG.exe
2352	hYBUVaw.exe
1976	bpISVeP.exe
2092	oDzbAro.exe
1236	UcPkfRm.exe
376	ZdZgfIZ.exe
1508	iPPPdcQ.exe
832	FYiJFpr.exe
1352	rfkoxKS.exe
2348	rgydDTA.exe
808	saeVCAU.exe
400	NoPDUFP.exe
1988	knZaYsR.exe
1740	xIheIpV.exe

Loads dropped DLL 21 IoCs

pid	Process
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-0-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x0003000000012000-3.dat	upx
behavioral1/files/0x0008000000016c3a-16.dat	upx
behavioral1/files/0x0008000000016a66-11.dat	upx
behavioral1/files/0x0008000000016c51-19.dat	upx
behavioral1/memory/2880-25-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2748-27-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2560-36-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/files/0x0007000000016cec-37.dat	upx
behavioral1/memory/2596-42-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/files/0x0008000000016d29-53.dat	upx
behavioral1/files/0x0036000000016560-66.dat	upx
behavioral1/files/0x00060000000173a7-72.dat	upx
behavioral1/memory/2092-78-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/files/0x00060000000173a9-79.dat	upx
behavioral1/memory/2380-94-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/files/0x0006000000017492-97.dat	upx
behavioral1/files/0x0005000000018683-118.dat	upx
behavioral1/files/0x00050000000186e4-123.dat	upx
behavioral1/files/0x00050000000186ee-134.dat	upx
behavioral1/files/0x00050000000186fd-137.dat	upx
behavioral1/files/0x00050000000186ea-128.dat	upx
behavioral1/files/0x000d000000018676-113.dat	upx
behavioral1/memory/1976-109-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/files/0x00060000000174cc-105.dat	upx
behavioral1/memory/1508-102-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1236-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2352-100-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/376-93-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2996-91-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/1236-84-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/files/0x0006000000017488-87.dat	upx
behavioral1/memory/2596-76-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/1976-69-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2380-55-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/3068-54-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2996-52-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x0007000000016d06-51.dat	upx
behavioral1/memory/2352-61-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/files/0x00070000000171a8-59.dat	upx
behavioral1/memory/3068-144-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2812-33-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/files/0x0007000000016cc8-32.dat	upx
behavioral1/memory/2796-31-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2348-161-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1352-160-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/832-159-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/808-162-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/1740-165-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1988-164-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/400-163-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/3068-167-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2748-218-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2880-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2796-221-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2812-224-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/2560-226-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/2596-236-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2996-238-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2380-242-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2352-241-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/1976-244-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/2092-246-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/376-248-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rgydDTA.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\saeVCAU.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JToYeNb.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LlTeebG.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iPPPdcQ.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZdZgfIZ.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfkoxKS.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OicvTzG.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\soYXxHa.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yaqlPrK.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYBUVaw.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oDzbAro.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NoPDUFP.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xIheIpV.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XaydlZP.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jRdHRNb.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FnIfXoq.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\knZaYsR.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpISVeP.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UcPkfRm.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYiJFpr.exe	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2748	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3068 wrote to memory of 2748	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3068 wrote to memory of 2748	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 3068 wrote to memory of 2796	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3068 wrote to memory of 2796	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3068 wrote to memory of 2796	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 3068 wrote to memory of 2880	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3068 wrote to memory of 2880	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3068 wrote to memory of 2880	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 3068 wrote to memory of 2812	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3068 wrote to memory of 2812	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3068 wrote to memory of 2812	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 3068 wrote to memory of 2560	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3068 wrote to memory of 2560	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3068 wrote to memory of 2560	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 3068 wrote to memory of 2596	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3068 wrote to memory of 2596	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3068 wrote to memory of 2596	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 3068 wrote to memory of 2996	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3068 wrote to memory of 2996	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3068 wrote to memory of 2996	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 3068 wrote to memory of 2380	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3068 wrote to memory of 2380	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3068 wrote to memory of 2380	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 3068 wrote to memory of 2352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3068 wrote to memory of 2352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3068 wrote to memory of 2352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 3068 wrote to memory of 1976	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3068 wrote to memory of 1976	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3068 wrote to memory of 1976	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 3068 wrote to memory of 2092	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3068 wrote to memory of 2092	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3068 wrote to memory of 2092	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 3068 wrote to memory of 1236	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3068 wrote to memory of 1236	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3068 wrote to memory of 1236	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 3068 wrote to memory of 376	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3068 wrote to memory of 376	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3068 wrote to memory of 376	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 3068 wrote to memory of 1508	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3068 wrote to memory of 1508	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3068 wrote to memory of 1508	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 3068 wrote to memory of 832	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3068 wrote to memory of 832	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3068 wrote to memory of 832	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 3068 wrote to memory of 1352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3068 wrote to memory of 1352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3068 wrote to memory of 1352	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 3068 wrote to memory of 2348	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3068 wrote to memory of 2348	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3068 wrote to memory of 2348	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 3068 wrote to memory of 808	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3068 wrote to memory of 808	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3068 wrote to memory of 808	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 3068 wrote to memory of 400	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3068 wrote to memory of 400	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3068 wrote to memory of 400	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 3068 wrote to memory of 1988	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3068 wrote to memory of 1988	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3068 wrote to memory of 1988	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 3068 wrote to memory of 1740	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 3068 wrote to memory of 1740	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 3068 wrote to memory of 1740	3068	2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-15_561edea81eab81f7d6ede4dd19ed409c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System\OicvTzG.exe
  C:\Windows\System\OicvTzG.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\soYXxHa.exe
  C:\Windows\System\soYXxHa.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\yaqlPrK.exe
  C:\Windows\System\yaqlPrK.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\XaydlZP.exe
  C:\Windows\System\XaydlZP.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\jRdHRNb.exe
  C:\Windows\System\jRdHRNb.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\JToYeNb.exe
  C:\Windows\System\JToYeNb.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\FnIfXoq.exe
  C:\Windows\System\FnIfXoq.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\LlTeebG.exe
  C:\Windows\System\LlTeebG.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\hYBUVaw.exe
  C:\Windows\System\hYBUVaw.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\bpISVeP.exe
  C:\Windows\System\bpISVeP.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\oDzbAro.exe
  C:\Windows\System\oDzbAro.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\UcPkfRm.exe
  C:\Windows\System\UcPkfRm.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\ZdZgfIZ.exe
  C:\Windows\System\ZdZgfIZ.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\iPPPdcQ.exe
  C:\Windows\System\iPPPdcQ.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\FYiJFpr.exe
  C:\Windows\System\FYiJFpr.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\rfkoxKS.exe
  C:\Windows\System\rfkoxKS.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\rgydDTA.exe
  C:\Windows\System\rgydDTA.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\saeVCAU.exe
  C:\Windows\System\saeVCAU.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\NoPDUFP.exe
  C:\Windows\System\NoPDUFP.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\knZaYsR.exe
  C:\Windows\System\knZaYsR.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\xIheIpV.exe
  C:\Windows\System\xIheIpV.exe
  2⤵
  - Executes dropped EXE
  PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FYiJFpr.exe

Filesize
5.2MB

MD5
1aa24b645c752d53b5541e2bf46db03c

SHA1
eaf19099f6b387bc1fd4e8c2551d97811ca07b29

SHA256
c68b6d1642e6a654b406579d196f16016dc213535d74561f878dfe46b317f31d

SHA512
cfdec3adcd0a322374ff7874feff1420ad7d345229ef4fdd78e4ec0bd6d57c44440a41484a6ba8ac856d2686eb554bd45ec95ce9e89ca2ee428a4fc52e564b74

Download Submit
C:\Windows\system\FnIfXoq.exe

Filesize
5.2MB

MD5
992c865973c18cdaaaf7a9e763df53d6

SHA1
1e4da05143e75245604c11a4bb33131e9af3eb31

SHA256
3322c52c353f3f7466ad68b6f4ef60bb2f863d68599d3d75ff01c8659497e826

SHA512
708d03b26649823a03523ae2f0d88d22fb6674fc35ea21c88d069ddfb33e3be38ac43d9a1897c7be1f068ce859730cd6cc0d9cee4baca22882f9bc5337635899

Download Submit
C:\Windows\system\LlTeebG.exe

Filesize
5.2MB

MD5
a75a2ea7f960fd23050c1bfb1289281a

SHA1
9f6b7319bfa0ea2a20f22d38a1d3d32efb5441f2

SHA256
85d6e64449d8785b18bbfdfe0564d9e8afcc7910cd419f2aa7dd15834b272ba7

SHA512
146d06d6e0661b8f6f5ef1c60273b019e6a6b011ae13b88aace63f5faa851b68903d877588a83f39784a524c43ca9e20ce2f2296f23cb7b626a48809ba62d4f7

Download Submit
C:\Windows\system\NoPDUFP.exe

Filesize
5.2MB

MD5
36a7cdfbda316b0b99445e5535420922

SHA1
778e75fcf882d54ac8ecbd83768717455b786504

SHA256
22ff4cebd38d81b8730359d5b3dd068b4737254913a117c821b9a819b3336512

SHA512
a47638f39b537698708fc11a85bc5cfc6c5f23f38feb6853fb1b0942cf10d6bbbaaf8a5bf207658a313c4e22c53273ddaedb68e91817a7277b4a9134531d049c

Download Submit
C:\Windows\system\ZdZgfIZ.exe

Filesize
5.2MB

MD5
5128216ea68308f609e99a9dcbf0a9d4

SHA1
0519a60e34ad2d95217a21018bec69992d117bc6

SHA256
24d6a498068360bdc841fcff9df031489b3c7bef0cb444c272a4c9db8c4f7d09

SHA512
cf16a450a87c94d045dca23fbec400a7031dad214a6420958e747fb9a2dc49cc4a76fe4a5c11dd70c2b21317e82c3e4627c218f3d8c171f50a72e386870647e7

Download Submit
C:\Windows\system\bpISVeP.exe

Filesize
5.2MB

MD5
3faf7d7bd371fa41d6fc6f8df751276e

SHA1
330d1eaacc11827d57dd6f2645062d88dfeed834

SHA256
9ea17cdd13c877a2ad0d2481d4a77dd4bd0c2dd7d0f6319de82d60beb35d657a

SHA512
0a3b8d1129793409e12898eddeaf47c1cbde947cbefb240d477dca12edfae60d2e80e455a3b87c2280af7ace5ca3d5549947df111247367fc37c45b64d2335b4

Download Submit
C:\Windows\system\hYBUVaw.exe

Filesize
5.2MB

MD5
6f05d494cb9b478c4d7436113654d006

SHA1
4a31d86f83f2c9ceb3b81539314de97b5b2381d3

SHA256
6d40e56485d2a243b48881e9072e919c147b1de3751a034a20622b4964bab84b

SHA512
6b4ad3291b53da033bc0467f934bb6a133c9172ee0a9a5091732504908f0c67b05452184f790b96efc71aaed7a42fe225f13c510db5fab826e34fb7b081c4e92

Download Submit
C:\Windows\system\iPPPdcQ.exe

Filesize
5.2MB

MD5
0745cf79a2adefa56be0edb88fa86501

SHA1
17811b45a04dd480b7e67402a63d022113d98547

SHA256
4f7b665227e2287f0f7488c440d2bc9093421cf193d9c5f5abef1cf2f699d55b

SHA512
20c2c72f96b149d402a81d78a260d0710076476c814675aa37fdf86b5a27b48a2824978cabd794cf4570931e4ed0a53ce9f76d035f4c979385bf3698a5669bad

Download Submit
C:\Windows\system\jRdHRNb.exe

Filesize
5.2MB

MD5
b69daa03786e2bfce21d560ac5a5feef

SHA1
c273d3dad99483c27f3f5f088b4cc768ab1a5385

SHA256
383846ea3045828b66aefb3107ed8c514f0fabea8fb9cc4589272cd92eee5a6e

SHA512
383c9f9cf6b0f9c4b8e0422c3d0bb661578d3b073f903e3f48c7072511d21263b2f904d87e3f6f80adcab45457ce455146aa4e2a4682af7e96e612fa248a81f8

Download Submit
C:\Windows\system\knZaYsR.exe

Filesize
5.2MB

MD5
4f3f53bfad985f1bfd84ec6a9c2ed89d

SHA1
d09ed21307bce373e10f04cd4a9aa63d39f1978a

SHA256
0d41ab27639c7013b8d333a869b43d0ff39bced5fbf5f1ec64e5da35951040b3

SHA512
479b27aa38864de8346c321c690c50bb160f545fbde6a6cad10ac12f77cd356c41ae5d52b8ee1365f810c677d4ad092b1893f564a5f93fabd47656fe568ea267

Download Submit
C:\Windows\system\oDzbAro.exe

Filesize
5.2MB

MD5
6ae4e698fbc0973de4339f231ac19daf

SHA1
174ad9b9846e2a1e2aaac61409865c7f057ff2d5

SHA256
f3ec2d928ef6dfa8a32082bf3854ba1a345d664ec5a1a48b0c0c9a0c5918e4aa

SHA512
e269662125a49eff91585d9d8048e2ef5660affbd72fadff468e9ee8267512264b190d2a931f90147d9f1635b4b80e98780a1cccff5113ee351ee35880678ddb

Download Submit
C:\Windows\system\rfkoxKS.exe

Filesize
5.2MB

MD5
86cb96dbe52a554ad0cc12ebdae21be3

SHA1
e07ce362d49ac6ad76df7c3d52ab1b76e5c79583

SHA256
0cf9488e8e6e0bd7200c3d8e305d1d232b1532b6cc1ec57d80496b5cbf8f103e

SHA512
6d663e5a71b1a9cd4ec84b0418e87acc0b8f726784ba8b4a6c5207e9660bcc52e69b570ffa5fe12d74c8e0bfbadcbfe05fd358924f4ae6327df08e8f0e08d063

Download Submit
C:\Windows\system\rgydDTA.exe

Filesize
5.2MB

MD5
30e4f3dc080873614474f7ed34355893

SHA1
678857d014d2ea3f00069c4a14b416aef512b9b2

SHA256
51607112d4055d4ea6c050f8892ac33f7be896e1c2bf6dc2baaf9ddfad38be42

SHA512
d35b1da09231f029e22ac9c71392c0b4b9f6b3fbde74e2b27ef95a1dddf68e6ef5172c84e485e2406a0b78ea8e27bc8351e2e76713401cf266502229d7083afc

Download Submit
C:\Windows\system\saeVCAU.exe

Filesize
5.2MB

MD5
5cdcdc8caf1de5c70903cfc72205682d

SHA1
e759076a33224b00197fff87a0598b91c7105498

SHA256
f23b081bfa220c6b06bb9457a8e7620128e908f4b3ba8dabc145265698bed718

SHA512
5de1ba64e056f808195776b7423297ee78458df80764e1070b6069da2b48d9b816a2e2e2f8dcf0f7f5d107bc390e1aa0ec92afc54d50adb26a3082ac24f44f4e

Download Submit
C:\Windows\system\soYXxHa.exe

Filesize
5.2MB

MD5
a5538b975c1601c03154c93b3d225300

SHA1
0a8804d4f3910c45fce24c893d373e9e92d47a3f

SHA256
d6f05c042ade18a03b03020cef0afe7531b4008618580fe3157993501d6ec5c4

SHA512
b865dbd835dc654f1dd9ec7680f6576c9adfe16eee1106853253f023b8b2ae2399e4f31aa5826474b5830e7cc105b58eda7ecbc122b36389bb5530daad26cbff

Download Submit
C:\Windows\system\xIheIpV.exe

Filesize
5.2MB

MD5
222183c3da96604cf5ec0a72dd595586

SHA1
2f5048395eb947ff0d1ae6b3f1b5299ba36c277a

SHA256
9bacf6e5cee5d77d12da9c7dea7408bd6eedf9c613262819e2f6adc5f190ddba

SHA512
9374bb1f3b89e7f5ddf21ef6a88203a45f98ec07a44461c7abebd0c7c69f26e37e770f11f4949d419561c032b57f3deb2d37bb8b837ab452774b9b0ac03e78a3

Download Submit
C:\Windows\system\yaqlPrK.exe

Filesize
5.2MB

MD5
29221405e5b5b3809d1344114e5d1ddc

SHA1
9114969243ffe13a29ee5750c41e2147f9ad64ca

SHA256
cc8374292ea4201d0b0bc6e8192007596b399f45717f4d77718465fe24389db3

SHA512
59a58f6030e4c2d0153beca2bfa5cf68e09d2a479841a0c087882834f4d300875b3bc8f543d873a702b54825e9d424501ca86d5e84dbc11561e2c089f71ff267

Download Submit
\Windows\system\JToYeNb.exe

Filesize
5.2MB

MD5
bc6559155b481b69b1af1aa207a0d7ca

SHA1
20d382a517e9cbb839ae6214b61965f4d7bf2a8d

SHA256
362dd3ef326f27115146286280fbcea7914ba1241b73ddf93cc632fdadf10d4f

SHA512
557145d30ec0f0737bff558a70d87fe1a96f46991d4e9a55353a7d91497258a4552e7a1a7b9383a6913e5843ee5e46ae217553e34789e9c03dd94af4b1ce53e1

Download Submit
\Windows\system\OicvTzG.exe

Filesize
5.2MB

MD5
6b57586dd7fd462dd94fc49a9ce40d4e

SHA1
d6f954852610dd865bdb2b4ec84b1f32266ec1c5

SHA256
f660fd749f97bf98dee6b19890e41047651670ce9b3e316f370bbe0225b1b140

SHA512
612bd10c4b7d11f683ff28e3a8492a3ca301c7c770eb5f0d02e751641465ab671a3de36726b9ce6b97bb5a0c140cf0de041088b0d8d31ec30d241b663929bfa8

Download Submit
\Windows\system\UcPkfRm.exe

Filesize
5.2MB

MD5
a2d5f7f49ac80926a7779b7ab72adca0

SHA1
c0ec0c303d5458eb3be28c984e5d0015d1a27b35

SHA256
bdd779c5c8a7bfac0991008c688aea548d12e330bd33c8a605d11a3a485933c5

SHA512
22571841ac5f937de588fdea75601a1f5eebb06a78792bb839c786417933e01f02cdb25a77f89360a0b80e64aa51e087b3c1e1a64225363a39afdcb470d2aa12

Download Submit
\Windows\system\XaydlZP.exe

Filesize
5.2MB

MD5
2459d7f8770a9941065d89e2cf4e0433

SHA1
51013d4dd03da92acebb08aeda254a7a1989ac33

SHA256
f9f4bc37971cce40495e6b9fc125d645b67a3e104d9702f1fa29c6013c790240

SHA512
993a7878de76c2e905c7b7bb726469e0dc693de7862248dc9182a1fc2b58d82f99e6dbdce6d0dd592570fee83f5e690670c1d747dc74353d683c5cffe85c9aa2

Download Submit
memory/376-93-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/376-248-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/400-163-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/808-162-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/832-159-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1236-84-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-256-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1352-160-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1508-260-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1508-102-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1740-165-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1976-69-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-109-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1976-244-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-164-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2092-246-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2092-78-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2348-161-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2352-100-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2352-241-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2352-61-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2380-242-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2380-94-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2380-55-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2560-36-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2560-226-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2596-236-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-76-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-42-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-218-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-27-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-221-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-31-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-224-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-33-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-222-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-25-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-91-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-52-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-238-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-143-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3068-77-0x00000000022F0000-0x0000000002641000-memory.dmp

Filesize
3.3MB

Download
memory/3068-23-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-26-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-166-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3068-50-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-7-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-167-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/3068-54-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/3068-35-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/3068-0-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/3068-144-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/3068-68-0x00000000022F0000-0x0000000002641000-memory.dmp

Filesize
3.3MB

Download
memory/3068-83-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-40-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-92-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/3068-101-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/3068-141-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-108-0x00000000022F0000-0x0000000002641000-memory.dmp

Filesize
3.3MB

Download
memory/3068-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/3068-110-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/3068-140-0x00000000022F0000-0x0000000002641000-memory.dmp

Filesize
3.3MB

Download