cobaltstrike | 7df55db767d4431ede8e8cb48702514a0a66d79cbab0c9efddcfb1f71c943639

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ff96732e7fe0d9c889c7752a069a5d1b
SHA1

f92cdc2782da4fa8a14952ebe5931d4bae873aeb
SHA256

7df55db767d4431ede8e8cb48702514a0a66d79cbab0c9efddcfb1f71c943639
SHA512

dcf32944fcf203b5650bb8d603889d7aaf890880c4d60892cd7fcd97afa9cf4960e2f35920db92c39e3b168af05fd2c03283f4304ed55ee859755e4d2ee215f6
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral1/files/0x000b000000012270-6.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000174b4-11.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000175f1-26.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000175f7-32.dat	cobalt_reflective_dll
behavioral1/files/0x0011000000018683-34.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193f9-109.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193d0-99.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001938e-89.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001939f-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019354-83.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019358-80.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000192a1-72.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019426-114.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001927a-64.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193dc-107.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193cc-97.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019299-70.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019274-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019261-53.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018697-45.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017570-10.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2176-19-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2072-92-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2072-90-0x00000000023A0000-0x00000000026F1000-memory.dmp	xmrig
behavioral1/memory/2616-137-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/2408-136-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2336-67-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2556-138-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2072-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1616-151-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2068-149-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/3032-148-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2820-147-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2000-163-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/1268-162-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/972-161-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/768-160-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2656-159-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/784-158-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/664-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/1428-155-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2224-154-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2572-60-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2072-59-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/3028-40-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/1644-21-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2572-17-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2072-165-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2572-215-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/1644-217-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2176-219-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/3028-230-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2336-229-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/3032-242-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/1428-248-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/1616-250-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2556-246-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2408-244-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2820-255-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2068-257-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2616-259-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xjgqBsX.exegyYWCoX.exeFtRIGtY.exeefYkkrg.exekBTgjMS.exeuyTqLts.exeQZHnbPq.exejtcekME.exeknCCDjN.exeCuuyEFF.exeVvNLyer.exebKddkUo.exeoMZFODJ.exeWPTulXD.exepmxGHri.exeZGhxOfw.exeAwDrlhh.exeLdqCVvY.exexlJdIHE.exexGCBGjt.exeeBGdxZx.exe

pid	Process
2572	xjgqBsX.exe
2176	gyYWCoX.exe
1644	FtRIGtY.exe
2336	efYkkrg.exe
3028	kBTgjMS.exe
3032	uyTqLts.exe
2820	QZHnbPq.exe
2068	jtcekME.exe
2408	knCCDjN.exe
2616	CuuyEFF.exe
2556	VvNLyer.exe
1428	bKddkUo.exe
1616	oMZFODJ.exe
2656	WPTulXD.exe
972	pmxGHri.exe
2000	ZGhxOfw.exe
2224	AwDrlhh.exe
664	LdqCVvY.exe
784	xlJdIHE.exe
768	xGCBGjt.exe
1268	eBGdxZx.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

pid	Process
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2072-0-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x000b000000012270-6.dat	upx
behavioral1/files/0x00080000000174b4-11.dat	upx
behavioral1/memory/2176-19-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/files/0x00070000000175f1-26.dat	upx
behavioral1/files/0x00070000000175f7-32.dat	upx
behavioral1/files/0x0011000000018683-34.dat	upx
behavioral1/memory/3032-50-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2068-54-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/2408-61-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2616-66-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/files/0x00050000000193f9-109.dat	upx
behavioral1/memory/1428-101-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/files/0x00050000000193d0-99.dat	upx
behavioral1/files/0x000500000001938e-89.dat	upx
behavioral1/files/0x000500000001939f-87.dat	upx
behavioral1/files/0x0005000000019354-83.dat	upx
behavioral1/files/0x0005000000019358-80.dat	upx
behavioral1/files/0x00050000000192a1-72.dat	upx
behavioral1/files/0x0005000000019426-114.dat	upx
behavioral1/memory/2616-137-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/2408-136-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2336-67-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/files/0x000500000001927a-64.dat	upx
behavioral1/files/0x00050000000193dc-107.dat	upx
behavioral1/memory/1616-98-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/files/0x00050000000193cc-97.dat	upx
behavioral1/memory/2556-138-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2072-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2556-79-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/1616-151-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2068-149-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/3032-148-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2820-147-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2000-163-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/1268-162-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/972-161-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/768-160-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2656-159-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/784-158-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/664-156-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/1428-155-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2224-154-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/files/0x0005000000019299-70.dat	upx
behavioral1/memory/2572-60-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2072-59-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x0005000000019274-57.dat	upx
behavioral1/files/0x0006000000019261-53.dat	upx
behavioral1/memory/2820-51-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/files/0x0008000000018697-45.dat	upx
behavioral1/memory/3028-40-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2336-28-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/1644-21-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/files/0x0007000000017570-10.dat	upx
behavioral1/memory/2572-17-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2072-165-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2572-215-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/1644-217-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2176-219-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/3028-230-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2336-229-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/3032-242-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/1428-248-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/1616-250-0x000000013F340000-0x000000013F691000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\LdqCVvY.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmxGHri.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZGhxOfw.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xjgqBsX.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gyYWCoX.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AwDrlhh.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bKddkUo.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FtRIGtY.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\efYkkrg.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oMZFODJ.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WPTulXD.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xGCBGjt.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kBTgjMS.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QZHnbPq.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jtcekME.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\knCCDjN.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eBGdxZx.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uyTqLts.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuuyEFF.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VvNLyer.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xlJdIHE.exe	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 2072 wrote to memory of 2572	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2072 wrote to memory of 2572	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2072 wrote to memory of 2572	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2072 wrote to memory of 2176	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2072 wrote to memory of 2176	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2072 wrote to memory of 2176	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2072 wrote to memory of 1644	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2072 wrote to memory of 1644	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2072 wrote to memory of 1644	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2072 wrote to memory of 2336	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2072 wrote to memory of 2336	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2072 wrote to memory of 2336	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2072 wrote to memory of 3028	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2072 wrote to memory of 3028	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2072 wrote to memory of 3028	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2072 wrote to memory of 2820	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2072 wrote to memory of 2820	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2072 wrote to memory of 2820	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2072 wrote to memory of 3032	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2072 wrote to memory of 3032	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2072 wrote to memory of 3032	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2072 wrote to memory of 2068	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2072 wrote to memory of 2068	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2072 wrote to memory of 2068	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2072 wrote to memory of 2408	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2072 wrote to memory of 2408	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2072 wrote to memory of 2408	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2072 wrote to memory of 2616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2072 wrote to memory of 2616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2072 wrote to memory of 2616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2072 wrote to memory of 2556	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2072 wrote to memory of 2556	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2072 wrote to memory of 2556	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2072 wrote to memory of 2224	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2072 wrote to memory of 2224	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2072 wrote to memory of 2224	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2072 wrote to memory of 1428	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2072 wrote to memory of 1428	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2072 wrote to memory of 1428	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2072 wrote to memory of 664	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2072 wrote to memory of 664	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2072 wrote to memory of 664	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2072 wrote to memory of 1616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2072 wrote to memory of 1616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2072 wrote to memory of 1616	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2072 wrote to memory of 784	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2072 wrote to memory of 784	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2072 wrote to memory of 784	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2072 wrote to memory of 2656	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2072 wrote to memory of 2656	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2072 wrote to memory of 2656	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2072 wrote to memory of 768	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2072 wrote to memory of 768	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2072 wrote to memory of 768	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2072 wrote to memory of 972	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2072 wrote to memory of 972	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2072 wrote to memory of 972	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2072 wrote to memory of 1268	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2072 wrote to memory of 1268	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2072 wrote to memory of 1268	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2072 wrote to memory of 2000	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2072 wrote to memory of 2000	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2072 wrote to memory of 2000	2072	2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_ff96732e7fe0d9c889c7752a069a5d1b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System\xjgqBsX.exe
  C:\Windows\System\xjgqBsX.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\gyYWCoX.exe
  C:\Windows\System\gyYWCoX.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\FtRIGtY.exe
  C:\Windows\System\FtRIGtY.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\efYkkrg.exe
  C:\Windows\System\efYkkrg.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\kBTgjMS.exe
  C:\Windows\System\kBTgjMS.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\QZHnbPq.exe
  C:\Windows\System\QZHnbPq.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\uyTqLts.exe
  C:\Windows\System\uyTqLts.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\jtcekME.exe
  C:\Windows\System\jtcekME.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\knCCDjN.exe
  C:\Windows\System\knCCDjN.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\CuuyEFF.exe
  C:\Windows\System\CuuyEFF.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\VvNLyer.exe
  C:\Windows\System\VvNLyer.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\AwDrlhh.exe
  C:\Windows\System\AwDrlhh.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\bKddkUo.exe
  C:\Windows\System\bKddkUo.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Windows\System\LdqCVvY.exe
  C:\Windows\System\LdqCVvY.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\oMZFODJ.exe
  C:\Windows\System\oMZFODJ.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\xlJdIHE.exe
  C:\Windows\System\xlJdIHE.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\WPTulXD.exe
  C:\Windows\System\WPTulXD.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\xGCBGjt.exe
  C:\Windows\System\xGCBGjt.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\pmxGHri.exe
  C:\Windows\System\pmxGHri.exe
  2⤵
  - Executes dropped EXE
  PID:972
- C:\Windows\System\eBGdxZx.exe
  C:\Windows\System\eBGdxZx.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\ZGhxOfw.exe
  C:\Windows\System\ZGhxOfw.exe
  2⤵
  - Executes dropped EXE
  PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CuuyEFF.exe

Filesize
5.2MB

MD5
8ff01a985bde2d7f5d158203516e8c42

SHA1
59ab32d8f5f145ab75b736bca742922fb701a04d

SHA256
f1254fa736c875f9db77e98bd4551c19c5d9258d045cfd0b28885488d2fb202c

SHA512
000c647734a07b2e079b7fca19b30aa4bba0f15b0dc4360ebe014159e64b222094ca5307a1b06111116e96ac9120a173f2dc649c46d427210714c44f81147d9d

Download Submit
C:\Windows\system\FtRIGtY.exe

Filesize
5.2MB

MD5
97b529c5df75d8300f10affdaa3a663b

SHA1
61f9a4df48165457b6e4f0e1944b412444c4a1b5

SHA256
f14d29189bec40a94deb1fda17680bde574c63808d05e23a19e3b05be55a1926

SHA512
2a9d66bc5c3e1864ad8332e603327d0a03662a7651e7b5cb21e2caebe67aad7726cf23dcf3167b61dbaef744194a407b00216e4bcd3304b30753dcc0f07afded

Download Submit
C:\Windows\system\VvNLyer.exe

Filesize
5.2MB

MD5
092f678e598c61d3cedf546752a2b4e1

SHA1
29efe9baaa50c506ff1318b09d8cc1fcd05177c1

SHA256
b49166bffd91c7c527afed27ddc7b8f69f1156a409a45448580678aeae8ac488

SHA512
6a51d65b271605d1961c1b4efedd4bd6774234abc8528c54783f4291b2bf49c9e4a6d192a3255faa989e9aeed85eee26b3edbd90fc142ea1a490ad419d343fe2

Download Submit
C:\Windows\system\WPTulXD.exe

Filesize
5.2MB

MD5
a8d7b1cbc35892f79f82f625e76a3fbe

SHA1
dbc4780b8dcec89559965714aa6d0c85175d5295

SHA256
a24ca48fee58061b37269d3395689ee212d676b8c304daf92bae609fb057ea25

SHA512
bc6780b8e1bcb665574626a8a92c3ecf7ed62eff19515169cb4f97fa19ce5b3a0d3bf467d327d5245d5092f2ab7758138c274a90fb2c93f8edb9be1166d9e004

Download Submit
C:\Windows\system\ZGhxOfw.exe

Filesize
5.2MB

MD5
89a9434e31441e9b3c98f0601e2b7587

SHA1
ba18cb4d72f18b9c6d45ed85edec1d5fc1fa46e1

SHA256
6ed993d4ea8c1e8a3e6f242d4fc43da2dadbb40eecd31ccb48d223d7e403ce06

SHA512
dad9c7d2cb90f67ac61c1b427e73c21344ad89f436939194fc2e795d888dc0206ab1b4b6521b6b670539c8114927a5395a36348d8e906b852b930ff3889437c8

Download Submit
C:\Windows\system\bKddkUo.exe

Filesize
5.2MB

MD5
11ecbd81c425b5c660049e6fb7e90523

SHA1
49ffb30506d3999ad177879863924128ee30feee

SHA256
007b68ae11b59068d9e303b5285756f7ace3f9ac1a6655e5c712fd67b147ae4e

SHA512
1d47173dc97537089858c6aab15ad2a51ecfabf7ec1216e0d5d394a329ef7e5e4f90a49b10c3fbc776e61bc062d0016c6b6a86ccf7619e0d75f0e65b04e2c83d

Download Submit
C:\Windows\system\efYkkrg.exe

Filesize
5.2MB

MD5
1f1b88047047ebe886cfde09a7f3146f

SHA1
72f1257e3e4ed7c2e99ab8a23f8fd4366241be32

SHA256
cb8f253b681821ead377e1cc9aab5671708e485b976b7310bca51814c2636522

SHA512
3e665696d4d52b1ae08103e36d5bc7c694b3ae8ffb0c439f5fb54f15553cc22418d7257148a52a8eca308d04765af2b14a205cea9314cbbf2a2f62bcf8a2e256

Download Submit
C:\Windows\system\gyYWCoX.exe

Filesize
5.2MB

MD5
638f506116d41c304255fdf6fceaa744

SHA1
cbd280efd4f1f7f576cc72bb5259d020e05e2c6c

SHA256
e9f84616f97cf02506fa0681cf11f4fd4f9b02c41371b1287b759aacdeecbc01

SHA512
e443a7a6e2a3321c4ff1976ea743d33d4278f8a69a4f666b814961d9c96f69eb84b959ea202f8cbfc6a19ae5b0d5ac096dcd95e8648a4cce6ec38b05b47de5b1

Download Submit
C:\Windows\system\jtcekME.exe

Filesize
5.2MB

MD5
d733a0c9ce317ae043fd8e919e1010f8

SHA1
d6f9d6ee965971da93ac49f22a8b9cb2e6611dc6

SHA256
2a932444ba016c4bc61090f194055826e4906f4034458629efc707410bd121ec

SHA512
15a3120906838029c7de8bdcc9123b04908e58047ca1cfc7b009eaedd99df0324a0bb3ed215a20ec2a3d3d7aa5b4d90e36c4524de82ed6011456e8b8a4674de7

Download Submit
C:\Windows\system\kBTgjMS.exe

Filesize
5.2MB

MD5
d2b5a1a0dc94c3d52e0a50e32d57c16c

SHA1
39456539051006ee7bc925cf695f11b64bf8e594

SHA256
031801403be15649fee5db88f7766c7fc965a702ece48cdfa83cb76ad07c5ddb

SHA512
7c72530b1cd1557b8940496d7b8f5540ff7c61cf3a897bdeeff5c52f70c56e67c2f0fbbdabcaf98099d1acd22dbe8260475ad6e2a7533c767e53a79a2ab130ae

Download Submit
C:\Windows\system\knCCDjN.exe

Filesize
5.2MB

MD5
1d5412fcd822b8144ed42a6f4bd60d90

SHA1
9a7d89517a4f7f4cf7d3d94afa8a6647a9b89bf1

SHA256
b9c4b4b4856d0d3d8e1187065559db537c6f52345233c37fe9a021c24e05873c

SHA512
673898d00e012e174352ac929084d9e03d5a6c5bd44a462c52d9e3874040f618d5e5fbc384cb2c93de6cb0b067c5a7fd93dc7a6fca74ca0c4e746c4a838ce15f

Download Submit
C:\Windows\system\oMZFODJ.exe

Filesize
5.2MB

MD5
a4bc05ebacbdc9cdf8ea0b091f688aa5

SHA1
a6fedda682a84a7d48874f54ea818faef9a7df65

SHA256
e5f3b5ac8a05c68bbbb25e01bf47fdb95c15932f88421c56ddc7e139fb743f58

SHA512
5c89351bb827dad98ed252ab68c0cb98ca51594c9efc0d9344b57a37f64ffc5a5aad32a57087fd588660f2b64be15f8b530cbbbd8fab268b2d351af605449356

Download Submit
C:\Windows\system\pmxGHri.exe

Filesize
5.2MB

MD5
3f16fc3b1727388af4a0f6dad0f186e3

SHA1
becf1f988d2aea8203e646dac46e5c2e3e98d757

SHA256
fe3894479cf7886bc3134d090d50ccfbf52acf25a5ee59cbb3d9fab9ee8bdf07

SHA512
5c3c1c5d67912cffe2489570451c63f84bef9000ed0cd0cb3b030fa18382f3836d6cacbbec98a97f9f51f561760e00ded2057852f72fdb1a3b9cf58902b01e86

Download Submit
C:\Windows\system\uyTqLts.exe

Filesize
5.2MB

MD5
a8cd9061eb58a50180cd701b808be529

SHA1
5636df0e8b782b8d5f41da94ec830e2969b0fc2c

SHA256
dacb6b6f5bf762a2ae9cfeda57bf042b80d7ec35430b2a5a1fec334fecd737f9

SHA512
fe3ee67f6f9c2028bcebad320fe4a1cdc797d3a684f4952c51da0c2eefac965fc4bf5d1cbabbaf75d972427844c1adbc91ae60edaa547034906913699b595864

Download Submit
C:\Windows\system\xjgqBsX.exe

Filesize
5.2MB

MD5
258fce5fde65d9a923c3876227fe9cbe

SHA1
ab687378909e9da0c28409c84cfbf25c0542c6d9

SHA256
6aa0bed8f355e03b147e2809fe38dd2a915b14507d3817940fd42c137d7ca5c9

SHA512
9ca7b5368879b273b54294ee2cdc72da18790fe6e90c6f1a30142dc1272bd4ea0f0c5acba942f1c9dc7970bffe7c5d6e0ec16d2f99cee7f26c382c49c900f644

Download Submit
\Windows\system\AwDrlhh.exe

Filesize
5.2MB

MD5
15283a1078754f52b33d9dc5665794c9

SHA1
eaa009618b5d83271d28a98e54190327e52f18b0

SHA256
c637bbd7cf7bb5fb94a78d69df72dd7b3c4ead86b6cbb08648623e67b3bc3fd9

SHA512
fa1df79f56d62203743b053f18e803ff9a992b824fc101831192a2f597051e4f36b8c04e887420cf20e6cd7d5d4ded4151e499e8c45da26f1132a72f49f41ee2

Download Submit
\Windows\system\LdqCVvY.exe

Filesize
5.2MB

MD5
1cd2a3bd19e25986d856b20061396ee3

SHA1
7d813df15fa0382f586323d351cb3490aefa26a3

SHA256
e26051c61b41c1823d8a54038025997eb3c730d8f2b741db441f119b93f2ecd4

SHA512
6897d99ea2f4a06e713d869f6c938b85d36ce500a891e3fa431cccfe837752d4af481e5211300036e102334572ccdfbb47c08bf438077cf192290aca2ff79e5c

Download Submit
\Windows\system\QZHnbPq.exe

Filesize
5.2MB

MD5
34a400151ca88b2322b5e338b16a6f12

SHA1
371bf5dfe176fa9b905633b146186b6aa227445f

SHA256
1bc9452026688b8883c3b9ebe42e63b00738e271c32d435e29a65d4c7f3d28c5

SHA512
a30e9ace7edae9ffa53675ee396e124f7f3039582adce9c6860e2fdfe436d0a1e9795ebbb87f10aca703a621d2eb717dd3fd28e92491afb1a6e010a8be4d2675

Download Submit
\Windows\system\eBGdxZx.exe

Filesize
5.2MB

MD5
3c60c9dd604612dfbc5e55f988bc5da3

SHA1
54b6547c6fbeabd26418eea582af5f8c69acec10

SHA256
9be99a415a8beecd9211ad6e615074c4c0ea16b989727cabb7208ce96e3dcb13

SHA512
a14fe4c41642e34564aa4628f8e0c55040db1f3b99323356e5b9a991a174acab10bfca836a63b2ed8750d9535b0c177dc4262fa91715a9ff29963577bf93a7f5

Download Submit
\Windows\system\xGCBGjt.exe

Filesize
5.2MB

MD5
e659e86520b6319d088f3255ca15a81e

SHA1
660ae7fee5e0bd25e6d18a01de8c1fca769d3574

SHA256
c9465192ef4a1f26b38bf682ae358afd3523ef9c07a0e24387f54541d27b8d35

SHA512
5c92af937d16997dfc96fe539d906faa59fde647cda2f7a504b89fa2b0e8e4ba9d7c7a69d9d80af2ede11d67542a500f7a5d1d5c0eb0d6ec6a7502b666f830ed

Download Submit
\Windows\system\xlJdIHE.exe

Filesize
5.2MB

MD5
8fb9eb980c1129c842263ee3a021cc01

SHA1
b6f876c2ecf9474fd9d695ee61ca746ae094596c

SHA256
180326ece62d5fbd3bea0d5d4c7db8ea2e0ca1fea0cd8476075e56be0a43be1b

SHA512
d5a304155ed51e197f47dfb257720da8e2cede5d33c3baca504c1d85ce108c956325045888884d1777252f7bbdcec5dbd4abfc99f085168214c1e64cda50fdb2

Download Submit
memory/664-156-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/768-160-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/784-158-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/972-161-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/1268-162-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1428-155-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/1428-101-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/1428-248-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/1616-151-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1616-98-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1616-250-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/1644-21-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-217-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-163-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-149-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2068-257-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2068-54-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2072-22-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-59-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2072-39-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2072-96-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/2072-0-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2072-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2072-90-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-164-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2072-108-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2072-44-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-141-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-27-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2072-140-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2072-52-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-20-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-103-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2072-92-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2072-75-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2072-165-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2072-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2072-41-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2176-219-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2176-19-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2224-154-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2336-28-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2336-229-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2336-67-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2408-61-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-136-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-244-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-79-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2556-138-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2556-246-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2572-17-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2572-60-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2572-215-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2616-66-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2616-137-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2616-259-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-159-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-147-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2820-255-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2820-51-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/3028-230-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/3028-40-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/3032-242-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-148-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-50-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download