cobaltstrike | d46de897c3037a8d75b8d8edf0ac2c3646a68f948c2720b80fd07dc2c85581eb

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5899a7b8ae8d1dfd4b273989a82b8fbd
SHA1

83c943ef583811f61ee2c8c5de7a87537f88b31b
SHA256

d46de897c3037a8d75b8d8edf0ac2c3646a68f948c2720b80fd07dc2c85581eb
SHA512

13027c7cfcfaa588a37895a1a84237b485ffcaccb060f84a238b9f9ce0dae8dff8e7077741d6997983b7d6c24fd7cbd0758f6605d56d9723f248431abf524717
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l7:RWWBibf56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\xqCHPVy.exe	cobalt_reflective_dll
C:\Windows\system\XnmzhDV.exe	cobalt_reflective_dll
C:\Windows\system\bekhUUu.exe	cobalt_reflective_dll
\Windows\system\zFubbjP.exe	cobalt_reflective_dll
C:\Windows\system\jxIIpSm.exe	cobalt_reflective_dll
C:\Windows\system\aQJCKTH.exe	cobalt_reflective_dll
\Windows\system\nFfxNaX.exe	cobalt_reflective_dll
C:\Windows\system\MdBWpLC.exe	cobalt_reflective_dll
C:\Windows\system\nsvcOpA.exe	cobalt_reflective_dll
C:\Windows\system\RWdlypN.exe	cobalt_reflective_dll
C:\Windows\system\rXThNUI.exe	cobalt_reflective_dll
C:\Windows\system\hfREvnp.exe	cobalt_reflective_dll
C:\Windows\system\nzbBdRb.exe	cobalt_reflective_dll
C:\Windows\system\qpZJNeS.exe	cobalt_reflective_dll
C:\Windows\system\iVVkjuH.exe	cobalt_reflective_dll
C:\Windows\system\zFrMVyU.exe	cobalt_reflective_dll
C:\Windows\system\KNOQPmX.exe	cobalt_reflective_dll
C:\Windows\system\mHDBzSE.exe	cobalt_reflective_dll
C:\Windows\system\cwgmCBT.exe	cobalt_reflective_dll
C:\Windows\system\FxhCIVA.exe	cobalt_reflective_dll
C:\Windows\system\ANKYtrA.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2032-22-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2128-21-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1972-20-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2732-114-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2792-116-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2860-117-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/1984-118-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2204-120-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2728-124-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2032-123-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2960-122-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2604-128-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2032-127-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2664-129-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2704-126-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2032-125-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2032-131-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/1292-135-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/1728-133-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2820-150-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2940-151-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/1560-149-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/1572-148-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/1536-152-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2268-147-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2304-146-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/2032-153-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/2032-155-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/2128-222-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1728-226-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/1972-225-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2792-228-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2860-230-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2732-232-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1984-236-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2204-234-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2728-238-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2960-240-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2604-242-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2664-247-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2704-244-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/1292-255-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xqCHPVy.exeXnmzhDV.exebekhUUu.exeANKYtrA.exeFxhCIVA.execwgmCBT.exezFubbjP.exeKNOQPmX.exemHDBzSE.exeaQJCKTH.exejxIIpSm.exeqpZJNeS.exezFrMVyU.exenFfxNaX.exeiVVkjuH.exeMdBWpLC.exenzbBdRb.exerXThNUI.exehfREvnp.exensvcOpA.exeRWdlypN.exe

pid	process
2128	xqCHPVy.exe
1728	XnmzhDV.exe
1972	bekhUUu.exe
1292	ANKYtrA.exe
2732	FxhCIVA.exe
2792	cwgmCBT.exe
2860	zFubbjP.exe
1984	KNOQPmX.exe
2204	mHDBzSE.exe
2960	aQJCKTH.exe
2728	jxIIpSm.exe
2704	qpZJNeS.exe
2604	zFrMVyU.exe
2664	nFfxNaX.exe
2304	iVVkjuH.exe
2268	MdBWpLC.exe
1572	nzbBdRb.exe
1560	rXThNUI.exe
2820	hfREvnp.exe
2940	nsvcOpA.exe
1536	RWdlypN.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2032-0-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
C:\Windows\system\xqCHPVy.exe	upx
C:\Windows\system\XnmzhDV.exe	upx
C:\Windows\system\bekhUUu.exe	upx
behavioral1/memory/1728-19-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2128-21-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/1972-20-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/1292-28-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
\Windows\system\zFubbjP.exe	upx
C:\Windows\system\jxIIpSm.exe	upx
C:\Windows\system\aQJCKTH.exe	upx
\Windows\system\nFfxNaX.exe	upx
C:\Windows\system\MdBWpLC.exe	upx
C:\Windows\system\nsvcOpA.exe	upx
C:\Windows\system\RWdlypN.exe	upx
C:\Windows\system\rXThNUI.exe	upx
C:\Windows\system\hfREvnp.exe	upx
C:\Windows\system\nzbBdRb.exe	upx
C:\Windows\system\qpZJNeS.exe	upx
C:\Windows\system\iVVkjuH.exe	upx
C:\Windows\system\zFrMVyU.exe	upx
C:\Windows\system\KNOQPmX.exe	upx
C:\Windows\system\mHDBzSE.exe	upx
C:\Windows\system\cwgmCBT.exe	upx
C:\Windows\system\FxhCIVA.exe	upx
C:\Windows\system\ANKYtrA.exe	upx
behavioral1/memory/2732-114-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2792-116-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2860-117-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/1984-118-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2204-120-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2728-124-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2960-122-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2604-128-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2664-129-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2704-126-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2032-131-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/1292-135-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/1728-133-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2820-150-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2940-151-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/1560-149-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/1572-148-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/1536-152-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2268-147-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/2304-146-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/memory/2032-153-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/2032-155-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/2128-222-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/1728-226-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/1972-225-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/memory/2792-228-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2860-230-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2732-232-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1984-236-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2204-234-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2728-238-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2960-240-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2604-242-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2664-247-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2704-244-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/1292-255-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\zFubbjP.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zFrMVyU.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nFfxNaX.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XnmzhDV.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cwgmCBT.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MdBWpLC.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nsvcOpA.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNOQPmX.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mHDBzSE.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hfREvnp.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWdlypN.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FxhCIVA.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rXThNUI.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ANKYtrA.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aQJCKTH.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxIIpSm.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qpZJNeS.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVVkjuH.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nzbBdRb.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xqCHPVy.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bekhUUu.exe	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2032 wrote to memory of 2128	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	xqCHPVy.exe
PID 2032 wrote to memory of 2128	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	xqCHPVy.exe
PID 2032 wrote to memory of 2128	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	xqCHPVy.exe
PID 2032 wrote to memory of 1728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	XnmzhDV.exe
PID 2032 wrote to memory of 1728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	XnmzhDV.exe
PID 2032 wrote to memory of 1728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	XnmzhDV.exe
PID 2032 wrote to memory of 1972	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	bekhUUu.exe
PID 2032 wrote to memory of 1972	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	bekhUUu.exe
PID 2032 wrote to memory of 1972	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	bekhUUu.exe
PID 2032 wrote to memory of 1292	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	ANKYtrA.exe
PID 2032 wrote to memory of 1292	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	ANKYtrA.exe
PID 2032 wrote to memory of 1292	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	ANKYtrA.exe
PID 2032 wrote to memory of 2732	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	FxhCIVA.exe
PID 2032 wrote to memory of 2732	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	FxhCIVA.exe
PID 2032 wrote to memory of 2732	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	FxhCIVA.exe
PID 2032 wrote to memory of 2792	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	cwgmCBT.exe
PID 2032 wrote to memory of 2792	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	cwgmCBT.exe
PID 2032 wrote to memory of 2792	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	cwgmCBT.exe
PID 2032 wrote to memory of 2860	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFubbjP.exe
PID 2032 wrote to memory of 2860	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFubbjP.exe
PID 2032 wrote to memory of 2860	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFubbjP.exe
PID 2032 wrote to memory of 1984	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	KNOQPmX.exe
PID 2032 wrote to memory of 1984	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	KNOQPmX.exe
PID 2032 wrote to memory of 1984	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	KNOQPmX.exe
PID 2032 wrote to memory of 2204	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	mHDBzSE.exe
PID 2032 wrote to memory of 2204	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	mHDBzSE.exe
PID 2032 wrote to memory of 2204	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	mHDBzSE.exe
PID 2032 wrote to memory of 2960	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	aQJCKTH.exe
PID 2032 wrote to memory of 2960	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	aQJCKTH.exe
PID 2032 wrote to memory of 2960	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	aQJCKTH.exe
PID 2032 wrote to memory of 2728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	jxIIpSm.exe
PID 2032 wrote to memory of 2728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	jxIIpSm.exe
PID 2032 wrote to memory of 2728	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	jxIIpSm.exe
PID 2032 wrote to memory of 2704	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	qpZJNeS.exe
PID 2032 wrote to memory of 2704	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	qpZJNeS.exe
PID 2032 wrote to memory of 2704	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	qpZJNeS.exe
PID 2032 wrote to memory of 2604	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFrMVyU.exe
PID 2032 wrote to memory of 2604	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFrMVyU.exe
PID 2032 wrote to memory of 2604	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	zFrMVyU.exe
PID 2032 wrote to memory of 2664	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nFfxNaX.exe
PID 2032 wrote to memory of 2664	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nFfxNaX.exe
PID 2032 wrote to memory of 2664	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nFfxNaX.exe
PID 2032 wrote to memory of 2304	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	iVVkjuH.exe
PID 2032 wrote to memory of 2304	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	iVVkjuH.exe
PID 2032 wrote to memory of 2304	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	iVVkjuH.exe
PID 2032 wrote to memory of 2268	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	MdBWpLC.exe
PID 2032 wrote to memory of 2268	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	MdBWpLC.exe
PID 2032 wrote to memory of 2268	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	MdBWpLC.exe
PID 2032 wrote to memory of 1572	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nzbBdRb.exe
PID 2032 wrote to memory of 1572	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nzbBdRb.exe
PID 2032 wrote to memory of 1572	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nzbBdRb.exe
PID 2032 wrote to memory of 1560	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	rXThNUI.exe
PID 2032 wrote to memory of 1560	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	rXThNUI.exe
PID 2032 wrote to memory of 1560	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	rXThNUI.exe
PID 2032 wrote to memory of 2820	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	hfREvnp.exe
PID 2032 wrote to memory of 2820	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	hfREvnp.exe
PID 2032 wrote to memory of 2820	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	hfREvnp.exe
PID 2032 wrote to memory of 2940	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nsvcOpA.exe
PID 2032 wrote to memory of 2940	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nsvcOpA.exe
PID 2032 wrote to memory of 2940	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	nsvcOpA.exe
PID 2032 wrote to memory of 1536	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	RWdlypN.exe
PID 2032 wrote to memory of 1536	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	RWdlypN.exe
PID 2032 wrote to memory of 1536	2032	2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe	RWdlypN.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_5899a7b8ae8d1dfd4b273989a82b8fbd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System\xqCHPVy.exe
  C:\Windows\System\xqCHPVy.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\XnmzhDV.exe
  C:\Windows\System\XnmzhDV.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\bekhUUu.exe
  C:\Windows\System\bekhUUu.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\ANKYtrA.exe
  C:\Windows\System\ANKYtrA.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System\FxhCIVA.exe
  C:\Windows\System\FxhCIVA.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\cwgmCBT.exe
  C:\Windows\System\cwgmCBT.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\zFubbjP.exe
  C:\Windows\System\zFubbjP.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\KNOQPmX.exe
  C:\Windows\System\KNOQPmX.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\mHDBzSE.exe
  C:\Windows\System\mHDBzSE.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\aQJCKTH.exe
  C:\Windows\System\aQJCKTH.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\jxIIpSm.exe
  C:\Windows\System\jxIIpSm.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\qpZJNeS.exe
  C:\Windows\System\qpZJNeS.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\zFrMVyU.exe
  C:\Windows\System\zFrMVyU.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\nFfxNaX.exe
  C:\Windows\System\nFfxNaX.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\iVVkjuH.exe
  C:\Windows\System\iVVkjuH.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\MdBWpLC.exe
  C:\Windows\System\MdBWpLC.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\nzbBdRb.exe
  C:\Windows\System\nzbBdRb.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\rXThNUI.exe
  C:\Windows\System\rXThNUI.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\hfREvnp.exe
  C:\Windows\System\hfREvnp.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\nsvcOpA.exe
  C:\Windows\System\nsvcOpA.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\RWdlypN.exe
  C:\Windows\System\RWdlypN.exe
  2⤵
  - Executes dropped EXE
  PID:1536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ANKYtrA.exe

Filesize
5.2MB

MD5
4af296d47e2cebf4266e7b4b5e85bd21

SHA1
7590c38b02c37abfa7d6d3a7288fe772afe0ba8b

SHA256
ccc5631f83624482053952338fea47ee4f33c9856cd5e6ed2710fde50e897e6e

SHA512
b2f63a2f7c18a686c4b6da6c393029b6e5712aa6078f4a1ace74e82de1c33b22922da5c4c68123a70ec5a6f549b300fbbad2849aaad62b0038eda7c967b3db85

Download Submit
C:\Windows\system\FxhCIVA.exe

Filesize
5.2MB

MD5
ddf42744f0c920692642c970ddcd2433

SHA1
be89558c057b9bf9f0795f762b09d24fce1435ec

SHA256
43b71a293a06c4343cf794362de03b393cc401832a1bce77185d3f491d017d75

SHA512
47c09ee148fd1a3a6ef132511fa32eff17a87aeea8c065e2713db2cd11f6b34723ca63f38c3ff92229f6c145981e7cf12194cfbbe630ccc739aaee447058daad

Download Submit
C:\Windows\system\KNOQPmX.exe

Filesize
5.2MB

MD5
88aa78ab0038da9b5438d0c0082e5c62

SHA1
28b0a553acaf50f34475f62d7a0e211f6d2f980e

SHA256
73f294e395bdcfc5318d8236c21e18e45f638791267e422c1fecc343d4865251

SHA512
dc2798e9d113a76d4465d7fe075bfac9ec9392957de45c746a98c755c7974eaff57a9d71c13cd8429ef9fdba63ad4a979b5de00d752d4ac49b68ef579c4216a7

Download Submit
C:\Windows\system\MdBWpLC.exe

Filesize
5.2MB

MD5
8b10a0310a47963aaabb79c159d74476

SHA1
f9e2354a5a24ddc3f48e243e2bf8c55e3e814c7a

SHA256
16b66b5b86b5b48c54faed627b819dc0ce97b61f38cc8a9f0b0b51713481ec66

SHA512
5942cbfc54e3ab89cf735520d079ac81bc9b3faeccba32c7876224361e7fc28c3b18d67a88ba0f573190a5c71581d4430ea6885a594aefef8a6747e944d911e6

Download Submit
C:\Windows\system\RWdlypN.exe

Filesize
5.2MB

MD5
c2767c7dee9a05fc63ba413f08e6aa9d

SHA1
992b5e480665d7c54f414497e422c5df4bd2ae70

SHA256
5f9eb46cbea24e7d6e200b214f5cac697285b1ea01de26689f798ada4eecab71

SHA512
5696bbec26ac3bf2d2609d9e113173a6b1cb12734a668757d6b074bd4c229677409fb9248b2697883cb04872c7319eb507148367a401097e2d18a422f2ec7305

Download Submit
C:\Windows\system\XnmzhDV.exe

Filesize
5.2MB

MD5
7ba5735dea3f6ab532e1afed28e5b0b5

SHA1
a9780d1104500e34a4b2c119c2ff97116183dfd6

SHA256
1a9e823e624ecbae5bd29d9277a11274be697dc5553989c55dad221e267c1c06

SHA512
212058ccd94cd5fe505de4a0a3a0637a498abb16e4056456e0787189dfe28adb6f512e44366316163f8f544c7dd18ec7c0c13979199cd484aadfcb8ad1fc618f

Download Submit
C:\Windows\system\aQJCKTH.exe

Filesize
5.2MB

MD5
1229924ca8f9f0b51275101eb5b9ff37

SHA1
c006b751097aa51ff2f11d3f9772d5086e04a925

SHA256
dc774060c35d1110eca959eaf1a04be6546009486e0a1f54cc09af4a4687423e

SHA512
ed33cd0eda95c862d2e13b76c48ad42990e071cd5ce96ff2c18beacf1402f8ca0f927d94105641c52992b67261325147c767b3b83cfd402f74d1b7964b863ef2

Download Submit
C:\Windows\system\bekhUUu.exe

Filesize
5.2MB

MD5
2ea808308266c853571093e34551da95

SHA1
de038e5d5545df67f6baca9f6f103a5497bf17bf

SHA256
3c32eb2e46b869096428e090aaae46a76599dcf06390a4424df9d602e9ff7922

SHA512
6cc9287fb5fdbeac1577b865eb29a8d6c85d2c478070ac012ddb86b85e69bd6b35c64640053f18f5d33f372438e098a52d92d8825182cef0346772192a2994ba

Download Submit
C:\Windows\system\cwgmCBT.exe

Filesize
5.2MB

MD5
d1dbba7d417d3ef78e2bba0d69875bf4

SHA1
7fa56a7eb1fe54ec8a7d058721ad8ba23be6487d

SHA256
006d9aa5d2d875a2b24d97166ef5959c5c084c81a1afb5eb0a242a573af9de61

SHA512
b20ff71b3c3852eec91dc571101cdad288e39bd54df6f39761b20cb182cf935ab94c0c93c184c98e3d5e4bec9087bba70d17f2e9fbb08b705da881ea09d81657

Download Submit
C:\Windows\system\hfREvnp.exe

Filesize
5.2MB

MD5
22f4d81b6a0978332ee979389939bfd4

SHA1
cc7b6ba02faaf930fcf3667c2775d610f1e6c7d4

SHA256
c661875e393b71b4afe0f09346d1a1408517a9fb35fac5a4d6a3c0e1ecd89117

SHA512
bc519be5fa99fd8daad2d8de289485cacbd24109e37a8ebbfddf9430c199d3a9f63691fbf015f2b12e5fdabca83b7494febbf2f12026dca1d790a3e92e27482f

Download Submit
C:\Windows\system\iVVkjuH.exe

Filesize
5.2MB

MD5
58986ec003bd3331674d7811a96f074e

SHA1
7f38e48729f451b5359641f7847bba355791f02f

SHA256
b781829535a14aa3567bb490082e9907827f9710124615799b32dfe0ada7fe3a

SHA512
70ab45881119c5500f64023d7b128c73401c1f9b21b13c1f674d48a5aac79da79394c3dd9b401eef569fd871c4c5e26d6940494dd489ae2857884e7aa410ace4

Download Submit
C:\Windows\system\jxIIpSm.exe

Filesize
5.2MB

MD5
e2ba4de9cd0d47a5389d747dd0a44e8d

SHA1
a5d3f734d8f66b2f9d567e12ea58be3dfe137837

SHA256
88e9353380c25c8cf891706eadaa997f29d37f6b41e4eb4f6987640a35802acd

SHA512
3e7815c4ae10775cdc3f15cdae61a52d6315488697ef3641957724a3992868833c7f6197f70cbdeb461a8e51846b6d2064214ca1cb9c1a531d4b8bca0c098d3f

Download Submit
C:\Windows\system\mHDBzSE.exe

Filesize
5.2MB

MD5
64a2be84b2d70c71b772f94909ee47e4

SHA1
229133d99b4593b8d881121885506ab9d7b7ad91

SHA256
6867b6cfdb79c7c22200f7d3c8967c3005197f7309e4a519d55899c098d6a24d

SHA512
79b9a2acfe6d773d5a10c392f4685c2148e743c619093564955fb2f60e9d4540a5e1ac517ececc52c33bbcd21bab52a289498e656b5f14699308278779e107b4

Download Submit
C:\Windows\system\nsvcOpA.exe

Filesize
5.2MB

MD5
b98ff29886d2db34f8fe89a197cbfabc

SHA1
f02e686e830c2f4a15eabbfd48ddacd7297e26db

SHA256
c1c5ceab9377fd58bdc04fac3b4af5d9389fbf4e4c83a4c9bbb4571cd7268cdf

SHA512
6af5fb89adfc18c77db4ac0d24abd08d925d7e6de6481e1a8a93c16cd227bf03a9aaeadebe2f5942adff892bb065c4a82ea4b9bb9ce83bcff8c87d7df2d88442

Download Submit
C:\Windows\system\nzbBdRb.exe

Filesize
5.2MB

MD5
a570e240cf5192259cd61a48d03cc87e

SHA1
40060c03a8f24982d70271545eb8a6c57f2416ae

SHA256
3f93579b92e1aa5475b51d4c612d19632e72e761cf1a6c17797ba5c3afb5fe0f

SHA512
e83f67ab501ae54d9f98bd0da9f52ffb6535664e864aa1f0a12807a85b69abada611ec8428b7d10c1b5aefe6e630b395ca472d1763b706690483b2f591d0f2ea

Download Submit
C:\Windows\system\qpZJNeS.exe

Filesize
5.2MB

MD5
81b3ce62dfe509f957a0ff0f3047d45e

SHA1
e8cf8e50b47f3a9fb1b8069d77045ff62ee541f5

SHA256
98a15a29799a0d22322dc45834834c28b52be58ac9880c70a4b1a97c083caf28

SHA512
c30bba32a77d7a94ba890bd11ef813002d2335f276bf4981e5a1fd8dfc92d32b0151bf174673a548fb98a83d00c442f40aab6000ced587bdb8aa2f09e9c7af83

Download Submit
C:\Windows\system\rXThNUI.exe

Filesize
5.2MB

MD5
7042c4ca3ad2d21be608a22608d0968d

SHA1
36faddf9d7be0b3bca552159f7c6324eb6e665af

SHA256
29b961131183fc42e59448a48d65f2dc0e689136b4eefaf9715483320d933bc5

SHA512
71a6dea1e5d9250292c97912b3de2fa524ffd4a46ccf54d2618b5e0ad8a64ed81e2898a88fed9abcf092d4f6e4f991dd8199fac36254e9b50acc6eb7858a16c8

Download Submit
C:\Windows\system\xqCHPVy.exe

Filesize
5.2MB

MD5
7e49d34b38d0db1f7710d8e44e9b54c6

SHA1
534974c92b55c8c8ff1d003b07cf86921e971b7b

SHA256
96aa8605a7fecd60219b25ea611c457c33403f7dfb98723a28346b4ebc52555d

SHA512
dbab9649cd8c9b896f3b946d717e48d569a27b49a7d7d5f8cc64e3941846cbd74f69c796c84e921405b2262fb862533f82e1c428c6310abf85ca22c419875af0

Download Submit
C:\Windows\system\zFrMVyU.exe

Filesize
5.2MB

MD5
06bf48b440138ee0d21324ff12499839

SHA1
89267de3beb4b63b9a65e5fa331044ab450b9cd3

SHA256
ee31150beea92147d0a079504d6c42e24ef8d1a3869dde21471c8629530ddb89

SHA512
4061f7d2dbf65ea67bbbd1b8160cf1f7bfdbb294d73bc5cd8c0630a50963d61f58397b2593a825868fea276165e80338ca51488445ed69bc92a3f78f6d00bd27

Download Submit
\Windows\system\nFfxNaX.exe

Filesize
5.2MB

MD5
5b4a950d72e5a4e2d1fe8c6d621b3e9c

SHA1
e03344de2c6df332200b78d4b37008f23e070103

SHA256
a082c68fc06716cc107fbf133578afafc30827e0c8294491587b24d6f867b0a0

SHA512
84437ba87f596c1a9e41c01654429f2549ad55899e675f09daac19299640cbeb8d978a5c1d902409dbc276fd9ae306a7bfb7eabed5ba6c65c4ba27c708ab3ea5

Download Submit
\Windows\system\zFubbjP.exe

Filesize
5.2MB

MD5
e1aa937eb1a5a8e0b3c7c6b065711aad

SHA1
dd0868deaed0d215cf6f147e8d12d7aa4c239ea1

SHA256
f59c7cc7daef33b5e0e4b5b847e4a206e55ab8079d6466dd468f2cc7e598be74

SHA512
2ff9aa7a7e852d1a28389c9904f31c1ca28b6f7e527da6d9ad913130ac94bbbe72edd5f5cd7034f8e335caf3b974d17ae03c3633a292bad5ea8a3568bc328c4c

Download Submit
memory/1292-28-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1292-135-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1292-255-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1536-152-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/1560-149-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/1572-148-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-226-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1728-133-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1728-19-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/1972-20-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/1972-225-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/1984-118-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/1984-236-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2032-123-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2032-153-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2032-121-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2032-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2032-155-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2032-115-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2032-154-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2032-119-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2032-127-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2032-130-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-10-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-0-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2032-125-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-131-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2032-22-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2032-27-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2128-222-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-21-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-120-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2204-234-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2268-147-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2304-146-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2604-128-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2604-242-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2664-129-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-247-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-244-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-126-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2728-124-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2728-238-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2732-114-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-232-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-228-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-116-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-150-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2860-230-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-117-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-151-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2960-240-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2960-122-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download