cobaltstrike | 87397cce545ab0011e7da945cd1a3f5480560a131fb1168ed6019d6b8741ef5c

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/11/2024, 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

05186e131231f48647f6301375c4c298
SHA1

5f8524a790874c1bd0b38f1fc97cbbf0a6a97222
SHA256

87397cce545ab0011e7da945cd1a3f5480560a131fb1168ed6019d6b8741ef5c
SHA512

5cdb7a42b0f436cece640bcd9261151ad38d3934e75c82a60429592576db8130881587437a88546f8d0776c9db9551d344becb6bb7f098dd4f3085df2c67a675
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lUV

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0063000000011c27-6.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001878d-8.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000190c6-12.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019217-20.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019220-24.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019238-47.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019240-52.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a434-101.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42f-93.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42b-86.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a301-79.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a067-72.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a07b-70.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019fb9-62.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a46a-112.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a431-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42d-110.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a345-109.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a0a1-108.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001925d-57.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000191f3-16.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2716-61-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2832-81-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2716-125-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2716-120-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/540-134-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2716-46-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2388-135-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2704-42-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2604-41-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2932-40-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2824-33-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2860-28-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2832-27-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/1112-137-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/1992-138-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/1728-139-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2716-140-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2716-150-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2804-158-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2716-164-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2772-163-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2776-161-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/840-160-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2424-159-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/1404-157-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/1956-156-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/2548-155-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/1056-154-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2920-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2716-165-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2832-217-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2824-220-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2860-221-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2932-223-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2604-225-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2704-235-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/1992-248-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/540-247-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2388-245-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/1728-252-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/1112-250-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2832	AGIejkh.exe
2860	PhxQGZk.exe
2824	XKulrTI.exe
2932	lgORIWY.exe
2604	rYNtmfJ.exe
2704	piFLndg.exe
540	RhDTOsl.exe
2388	BZorLFV.exe
1112	mMwglsY.exe
1992	orcxFPq.exe
1728	egfubtR.exe
2548	RfVPTyF.exe
1404	ZDOaWvX.exe
2424	lQqCCxp.exe
2776	iXOUUAA.exe
2772	TnMqBfs.exe
1056	JsEWFyx.exe
1956	gTTFbJC.exe
2804	kaBkrXZ.exe
840	tWQjxET.exe
2920	OPYlrwt.exe

Loads dropped DLL 21 IoCs

pid	Process
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-0-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/files/0x0063000000011c27-6.dat	upx
behavioral1/files/0x000700000001878d-8.dat	upx
behavioral1/files/0x00080000000190c6-12.dat	upx
behavioral1/files/0x0006000000019217-20.dat	upx
behavioral1/files/0x0006000000019220-24.dat	upx
behavioral1/files/0x0006000000019238-47.dat	upx
behavioral1/memory/540-48-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/files/0x0008000000019240-52.dat	upx
behavioral1/memory/2388-54-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2716-61-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/1992-74-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/files/0x000500000001a434-101.dat	upx
behavioral1/files/0x000500000001a42f-93.dat	upx
behavioral1/files/0x000500000001a42b-86.dat	upx
behavioral1/memory/2832-81-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/files/0x000500000001a301-79.dat	upx
behavioral1/memory/1728-75-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/files/0x000500000001a067-72.dat	upx
behavioral1/files/0x000500000001a07b-70.dat	upx
behavioral1/files/0x0005000000019fb9-62.dat	upx
behavioral1/files/0x000500000001a46a-112.dat	upx
behavioral1/files/0x000500000001a431-111.dat	upx
behavioral1/files/0x000500000001a42d-110.dat	upx
behavioral1/files/0x000500000001a345-109.dat	upx
behavioral1/files/0x000500000001a0a1-108.dat	upx
behavioral1/memory/540-134-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/1112-60-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/files/0x000700000001925d-57.dat	upx
behavioral1/memory/2388-135-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2704-42-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2604-41-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2932-40-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2824-33-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/files/0x00070000000191f3-16.dat	upx
behavioral1/memory/2860-28-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2832-27-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/1112-137-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/1992-138-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/1728-139-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2716-140-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2804-158-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2772-163-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2776-161-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/840-160-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2424-159-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/1404-157-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/1956-156-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/2548-155-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/1056-154-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2920-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2716-165-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2832-217-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2824-220-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2860-221-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2932-223-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2604-225-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2704-235-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/1992-248-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/540-247-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2388-245-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/1728-252-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/1112-250-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZDOaWvX.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lQqCCxp.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iXOUUAA.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BZorLFV.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\piFLndg.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mMwglsY.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RfVPTyF.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTTFbJC.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kaBkrXZ.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OPYlrwt.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgORIWY.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XKulrTI.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYNtmfJ.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\orcxFPq.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\egfubtR.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsEWFyx.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AGIejkh.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RhDTOsl.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWQjxET.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TnMqBfs.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PhxQGZk.exe	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2832	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2716 wrote to memory of 2832	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2716 wrote to memory of 2832	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2716 wrote to memory of 2860	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2716 wrote to memory of 2860	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2716 wrote to memory of 2860	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2716 wrote to memory of 2824	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2716 wrote to memory of 2824	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2716 wrote to memory of 2824	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2716 wrote to memory of 2604	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2716 wrote to memory of 2604	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2716 wrote to memory of 2604	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2716 wrote to memory of 2932	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2716 wrote to memory of 2932	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2716 wrote to memory of 2932	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2716 wrote to memory of 2704	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2716 wrote to memory of 2704	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2716 wrote to memory of 2704	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2716 wrote to memory of 540	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2716 wrote to memory of 540	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2716 wrote to memory of 540	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2716 wrote to memory of 2388	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2716 wrote to memory of 2388	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2716 wrote to memory of 2388	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2716 wrote to memory of 1112	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2716 wrote to memory of 1112	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2716 wrote to memory of 1112	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2716 wrote to memory of 1992	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2716 wrote to memory of 1992	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2716 wrote to memory of 1992	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2716 wrote to memory of 1728	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2716 wrote to memory of 1728	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2716 wrote to memory of 1728	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2716 wrote to memory of 1056	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2716 wrote to memory of 1056	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2716 wrote to memory of 1056	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2716 wrote to memory of 2548	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2716 wrote to memory of 2548	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2716 wrote to memory of 2548	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2716 wrote to memory of 1956	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2716 wrote to memory of 1956	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2716 wrote to memory of 1956	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2716 wrote to memory of 1404	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2716 wrote to memory of 1404	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2716 wrote to memory of 1404	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2716 wrote to memory of 2804	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2716 wrote to memory of 2804	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2716 wrote to memory of 2804	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2716 wrote to memory of 2424	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2716 wrote to memory of 2424	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2716 wrote to memory of 2424	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2716 wrote to memory of 840	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2716 wrote to memory of 840	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2716 wrote to memory of 840	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2716 wrote to memory of 2776	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2716 wrote to memory of 2776	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2716 wrote to memory of 2776	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2716 wrote to memory of 2920	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2716 wrote to memory of 2920	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2716 wrote to memory of 2920	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2716 wrote to memory of 2772	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2716 wrote to memory of 2772	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2716 wrote to memory of 2772	2716	2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_05186e131231f48647f6301375c4c298_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System\AGIejkh.exe
  C:\Windows\System\AGIejkh.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\PhxQGZk.exe
  C:\Windows\System\PhxQGZk.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\XKulrTI.exe
  C:\Windows\System\XKulrTI.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\rYNtmfJ.exe
  C:\Windows\System\rYNtmfJ.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\lgORIWY.exe
  C:\Windows\System\lgORIWY.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\piFLndg.exe
  C:\Windows\System\piFLndg.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\RhDTOsl.exe
  C:\Windows\System\RhDTOsl.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\BZorLFV.exe
  C:\Windows\System\BZorLFV.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\mMwglsY.exe
  C:\Windows\System\mMwglsY.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\orcxFPq.exe
  C:\Windows\System\orcxFPq.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\egfubtR.exe
  C:\Windows\System\egfubtR.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\JsEWFyx.exe
  C:\Windows\System\JsEWFyx.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\RfVPTyF.exe
  C:\Windows\System\RfVPTyF.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\gTTFbJC.exe
  C:\Windows\System\gTTFbJC.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\ZDOaWvX.exe
  C:\Windows\System\ZDOaWvX.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\kaBkrXZ.exe
  C:\Windows\System\kaBkrXZ.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\lQqCCxp.exe
  C:\Windows\System\lQqCCxp.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\tWQjxET.exe
  C:\Windows\System\tWQjxET.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\iXOUUAA.exe
  C:\Windows\System\iXOUUAA.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\OPYlrwt.exe
  C:\Windows\System\OPYlrwt.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\TnMqBfs.exe
  C:\Windows\System\TnMqBfs.exe
  2⤵
  - Executes dropped EXE
  PID:2772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AGIejkh.exe

Filesize
5.2MB

MD5
b9c819d567dae3af6f667683b0253900

SHA1
bd10a8c2a91a13815bf6d6817269ef6ed6e8663b

SHA256
38023aa9c26a4d5120c05788fae273f7c0b9e801dac232342f854f5c4ee83931

SHA512
84d8d88ce2b369ec04ca9e4b4a55ea563d747f88df5ba8528826512259df040384aac353cd60f134685d161ea21457d6020f8e744bee3b4dabf515e6e53f2baf

Download Submit
C:\Windows\system\BZorLFV.exe

Filesize
5.2MB

MD5
7b60013ce4fd48bd6a84f432c11967b0

SHA1
450af8243f7a27d4b59aca497c4f607494bb28ee

SHA256
aff093b15e8f5c8ec293d9442700a01140a2aabc83e0099d2eaa09fc65da29dc

SHA512
371a16d9588f7f04c120a4399eeaf64115ea1caaf5ff3c09254cb0f0e5bc489b553608e05c839ee39fdcdad9e3b14e9ab491d6db995475ba578a7483bc7bdf4f

Download Submit
C:\Windows\system\RfVPTyF.exe

Filesize
5.2MB

MD5
8a5f555e27fb30b171600ccfa6c5d893

SHA1
a6b51e5353b7a0ea1acebb2ef65b2a0b9141b222

SHA256
60250d4ad3ac64a8cc53d80d3991a57f9ae9d796349f5b99ab1d31c1a4a538a3

SHA512
fa280e4b9ee070c8954affe2e75ff190ed046028d44a1b8dcd0892f48a0b75280a64e8b00210bd1df0e07fd933458ebdf65f5bfc66394d2373f369c81e3c639b

Download Submit
C:\Windows\system\RhDTOsl.exe

Filesize
5.2MB

MD5
a97a7f7009692f1d4d80de5131348682

SHA1
fe9bf4d0891199443e43f5958ff2f7370632d9a5

SHA256
d2d41ad386438766cb192fa5ba3c886057d26e2a9332e44e7ef314b9fcd6719c

SHA512
244f04916196a72b502532758eb64ebabeb3df59c5f91a85fc8aec5d1bd2abdaf5e2853bbb90fbd79fc64ff34357ba6f9a587e194b7cdfc77e99843521705550

Download Submit
C:\Windows\system\TnMqBfs.exe

Filesize
5.2MB

MD5
f453fff2353628b0ad648b0fcb6d61a7

SHA1
05ae415c21190cd91c5f948f374d967491eb909d

SHA256
4147628fdd5aeb994885bec4206b02d410dda0329ff8ef605429ad2fcb65efff

SHA512
255aefa1117a4587ba0bf33eaf9d0e021425e6bc222896cde037466f4836f4fbf2cff3581b090e473bab9c166ab5242a90d73b6ec0d81e0fae3222c0163f51e2

Download Submit
C:\Windows\system\ZDOaWvX.exe

Filesize
5.2MB

MD5
055f6a062997b404464d23817c126fca

SHA1
53184350a9d4ad077c8eae58cbc5ca8f42d24929

SHA256
d0bd81fd9cb9c38f4ff9aa74d7bf932fed01e63290aefd70fdde1177e76afc44

SHA512
13af9bf6336892ceeef5b99a087dc96c8d9fc1e893c36a0c7266ad225b7cfca515842a3d045a047dd0fdede10be16710bcbe34aad5be81c96ccc56ef7c48b515

Download Submit
C:\Windows\system\egfubtR.exe

Filesize
5.2MB

MD5
c9e823d15b445c89dc618ac9938ecf51

SHA1
e39469961979c1e48a5ce92e20d5ea276b889d9f

SHA256
cd66b7024c0c46f5c905a89f5bc0838d81d5a7f9334e948aa60f30ff3c306aa3

SHA512
6769c6080e139ff3caa2d473c8b932206f3e74816a03a304e390d8dbb0565ebb37d5e768f4e66be91adcd70d0567e664a23c51d634054b58c35e8ff215e2f7d7

Download Submit
C:\Windows\system\iXOUUAA.exe

Filesize
5.2MB

MD5
92d0ec7f128bf5eda378c15cbccb7be5

SHA1
c7c271eff00d0f6df66a747a241e682ac074b305

SHA256
b685a64b9af09d0a470a8a3e0a095eab1850d7c375871aeac4137d02f250fec5

SHA512
3ad8fbc37a8c9fb1743183803c2a95d712e0eaf031819cb03eb25e5fdcff4e3f21c7fb31625236c87be2970127edd0deb6e3d9a5cd7495cbcc487c33c96aa847

Download Submit
C:\Windows\system\lQqCCxp.exe

Filesize
5.2MB

MD5
d1d19a4cc928c1963e6a227ad10c9795

SHA1
4d4c29d6ea0b0e48925a630a7a68bf8d45d05e52

SHA256
3d9c14cd63b645b48020c556025d30c7b6a6ada6d3813dfcdab9bf40e9f0f6fb

SHA512
617ad2f493e166f260123382d2c3a82d796426607a4b6ad742209c2d962a4b8de5fee338bcaffcf4e7097fabede4ebba04ced5d4cb7eb302386c4c4d741470d8

Download Submit
C:\Windows\system\mMwglsY.exe

Filesize
5.2MB

MD5
a364175b73ac7e4bb0e450eec11248b0

SHA1
327356c83606a4fd7472d76fa46e006bb066ac44

SHA256
bcd1bf775c7f5b4c54879f064568926f49bb0ed55c4b3fdc4a693034f7e9352c

SHA512
e4430792b93a0b779371d623897bab3e86671dcbc9273c0d669064d651673f479e21bf4e5b13db17c68b3358f5dfcc6a0311d0e5314d43a215a6d8e079357632

Download Submit
\Windows\system\JsEWFyx.exe

Filesize
5.2MB

MD5
156a9c35fd7438e1fe5f5c29084ed816

SHA1
6e0004defd3cdd7230a046c6f7c4d141da444366

SHA256
9e44ccc8aa416fdad13f6dc7a9510009755fb26e5e1a034eee753b29cd1be0ef

SHA512
9ac6f17678caad38ab0d748e23e6ba9b6b62ffcdc3722f2e131e9efed3a6ae542ac381ad11296d0235cf0ec154a9cb1d288f8a73fd6e34fe0f0e00512c44fc5d

Download Submit
\Windows\system\OPYlrwt.exe

Filesize
5.2MB

MD5
3b8b197a119f5fae1cc94f1d6bec6963

SHA1
235d5af126462f809a51af2612b98372209d6ca4

SHA256
579fe4e4843d327096806818d8b49cea3adacc139e2526006a485491b7ffcc16

SHA512
1635440f70d9ae90aab8f0a476f6805168405b442f8af62183cbf09e8136ea0baa2e92d1a762f72b5e0a09deee757c6cdb52f96abca48dd63195b8d107c6e160

Download Submit
\Windows\system\PhxQGZk.exe

Filesize
5.2MB

MD5
47275ccbc4d16968fb86a2662565e6df

SHA1
61eed0309cfdb3a070c52a91fc1b1f7456e2df93

SHA256
d5e74ff9cce9f21cfb058fcdc636cf6b5553e62028befed3b4ebb89f323f2055

SHA512
57ad3a2ce8e286f4c0319a97071e10a18c45a6d743fdafe9a68257e208d5e6a2e7cf281aa9b47f26a9137a736564647a8384de4324d926b9f07c71ac9ca12610

Download Submit
\Windows\system\XKulrTI.exe

Filesize
5.2MB

MD5
78c212c40eb473f054313adf509896cd

SHA1
198ffad70f57f981ebafcd779e7b212becb99094

SHA256
ee6f1dcd7e79d104074c5965a9be38acc2ffb51913b5c52368693d0fc6739455

SHA512
9ef2b564b0d1d58b24fad65831cc38edf6bea54b9b4c80409ced7b24b8e9ad126f7f6af72a0efe7035ea37d04b0bbf1f943e0369e70256a970d16dfc5c156a4c

Download Submit
\Windows\system\gTTFbJC.exe

Filesize
5.2MB

MD5
58909c0e0eb2ac0009dba38ad5d71729

SHA1
8743c46e13857181d1911a689a2775e3f277fe34

SHA256
15c036195debc13b27c3cc98d546e09f60220721836846394c036ba4d15eb0ce

SHA512
80566570d79519e1a309d6a4a6e8dd6c14aa20a8d3baf019040e06fc9ae42274c9e16c3b5763ce9b8540c1918d0f939fe18e7dd7cc30ad3ac6267880a236337c

Download Submit
\Windows\system\kaBkrXZ.exe

Filesize
5.2MB

MD5
40a2bc8e3fb8aac86d664b952f0a451d

SHA1
5ae43aa0054316854873de69f96a99631b3aa4d3

SHA256
26952a20515c7711cfcd6114a4b07c0e33c5e7e8f6b787ffd6623c4a48587c9f

SHA512
e53ce5922201b9cc1920b876c9f0cca13ff1551f5efc13383ab33d916cdbda5539c0b71ea96c5b298c717412004d40b57232553093d077afc9579c33b5edcce0

Download Submit
\Windows\system\lgORIWY.exe

Filesize
5.2MB

MD5
dd00ef5e8e199bd9a367593e30269d9e

SHA1
76a4a1d48576c2469afd90270a1f552fa0c3009e

SHA256
e1004ce27ebc9e2368200fe37ed6dbe130cf566cb3e03179f5b9b94c3315f3f6

SHA512
f4e577c27dc343bc58d0e37a7ebad9b76384fdb0b589471b2a20650724aefd7e40746617cefb4a96930e31a8b2d7128754e16dea12c9f8b391d23e035b5be004

Download Submit
\Windows\system\orcxFPq.exe

Filesize
5.2MB

MD5
7639157031d528afba33251fc4c28c16

SHA1
0587b89d83ea6ecabb0f7c8bf4804e2073646fda

SHA256
20a9fe3fd0d16d424043003007f12ffd7a5efd299b3d5108e073964aabb3630f

SHA512
ae3c459e7514125e98d4d4c8dc0b660c49119cade15f36e6d8c677d6f564dc42d35ac22d58d82edb08ad246e10fc7c3c9dd0d7af118252193f4d915497696d11

Download Submit
\Windows\system\piFLndg.exe

Filesize
5.2MB

MD5
4769069330a58c38d4ba877f197af5a0

SHA1
cdf915a3d42cc70737259736fb382a9c5ffa3e3a

SHA256
e08d918589edd2c3565d33db77de61aa1f703ba6ec2188e9ccc8b8e74019ba93

SHA512
9ee262b50a10e8f980f2c30b90959d35d6463240a7c5ff4638cab3df456fe80547f06dbedca25976506e82b9470bd40486aa0b53f70aadcb9637da73ab2edc0a

Download Submit
\Windows\system\rYNtmfJ.exe

Filesize
5.2MB

MD5
409f668e8d4f440428b73285856bd3c9

SHA1
b58bb7b9653400faff96a07ad15706a78c08dac4

SHA256
c5be9d46e3e601ec2417f5dedc2aa404b97b193238484ab3648bfec78be2e52c

SHA512
161b62c5a0f88bb3486b9963dadf6af99ac6d1733c6a5b61dbd27f2c268141b62d9fcfabe71a4b7122919a28a589a9f0a2740a670497d041f62748a7bb568942

Download Submit
\Windows\system\tWQjxET.exe

Filesize
5.2MB

MD5
e886b2151e7190efec24fa0ffa16beac

SHA1
36b75d913559b23916adb51badf2fe2a7b93f167

SHA256
a22704041cca4cbb04d9eb190cae575e05f4e4730528ef12b2ac4faaf79feb09

SHA512
38d2ad1fc03f8b16560a76e4a7b9f4c907ff95634ebf153f40714c3817a8239e97a3952ba95fdb733d97d48e4da21f869d1d83d38b5d0a73ba336613e7d07bf0

Download Submit
memory/540-134-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/540-247-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/540-48-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/840-160-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/1056-154-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1112-137-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-250-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1112-60-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/1404-157-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/1728-75-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-139-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-252-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-156-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/1992-74-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/1992-248-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/1992-138-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2388-245-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2388-54-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2388-135-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2424-159-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2548-155-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2604-225-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-41-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-42-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2704-235-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2716-53-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2716-59-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2716-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2716-39-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2716-30-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2716-36-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-61-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2716-124-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2716-46-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2716-0-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2716-140-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2716-151-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2716-150-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-125-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2716-164-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2716-123-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2716-165-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2716-38-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2716-69-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2716-118-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-120-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-121-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2716-122-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2772-163-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2776-161-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-158-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2824-220-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2824-33-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2832-217-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2832-81-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2832-27-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2860-221-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2860-28-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2920-162-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-223-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2932-40-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download