cobaltstrike | 398edf7ec3ed8691b5d8a930706b87b18d5da1b50a0457164647acfe1fc1f204

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ad10e3a08a8f10d7a6ceaea9881fa24e
SHA1

b703df52275e6a6f9de6fdf6e06f0c6fc43ec7df
SHA256

398edf7ec3ed8691b5d8a930706b87b18d5da1b50a0457164647acfe1fc1f204
SHA512

b40cc323251eaa6b99be104390dc3ffdab9193d6bac5dad8444e23040252afcae80650f14d478c84eea41be5319b79016b4f00069bbb6876ce6ef3b786b369dc
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibd56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b64-5.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b68-10.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6b-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6a-33.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6c-39.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6f-52.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b71-61.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b70-66.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023b65-71.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6e-50.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b6d-42.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b69-27.dat	cobalt_reflective_dll
behavioral2/files/0x0031000000023b72-78.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022dc9-84.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022dcd-91.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023a32-116.dat	cobalt_reflective_dll
behavioral2/files/0x0014000000023a30-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b74-128.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b75-126.dat	cobalt_reflective_dll
behavioral2/files/0x000e000000023a2b-115.dat	cobalt_reflective_dll
behavioral2/files/0x0011000000023a15-107.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3180-73-0x00007FF741390000-0x00007FF7416E1000-memory.dmp	xmrig
behavioral2/memory/2548-74-0x00007FF74B800000-0x00007FF74BB51000-memory.dmp	xmrig
behavioral2/memory/3888-19-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	xmrig
behavioral2/memory/3668-117-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp	xmrig
behavioral2/memory/2360-104-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp	xmrig
behavioral2/memory/3576-99-0x00007FF60D640000-0x00007FF60D991000-memory.dmp	xmrig
behavioral2/memory/3612-98-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp	xmrig
behavioral2/memory/4596-92-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp	xmrig
behavioral2/memory/3888-86-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	xmrig
behavioral2/memory/1520-85-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp	xmrig
behavioral2/memory/1308-83-0x00007FF795490000-0x00007FF7957E1000-memory.dmp	xmrig
behavioral2/memory/4912-80-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	xmrig
behavioral2/memory/4912-132-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	xmrig
behavioral2/memory/4664-144-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp	xmrig
behavioral2/memory/552-142-0x00007FF612060000-0x00007FF6123B1000-memory.dmp	xmrig
behavioral2/memory/388-140-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp	xmrig
behavioral2/memory/1796-139-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	xmrig
behavioral2/memory/3000-145-0x00007FF6BACC0000-0x00007FF6BB011000-memory.dmp	xmrig
behavioral2/memory/2324-147-0x00007FF6C7AE0000-0x00007FF6C7E31000-memory.dmp	xmrig
behavioral2/memory/2104-146-0x00007FF6763F0000-0x00007FF676741000-memory.dmp	xmrig
behavioral2/memory/3316-153-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp	xmrig
behavioral2/memory/4376-151-0x00007FF664C20000-0x00007FF664F71000-memory.dmp	xmrig
behavioral2/memory/4556-152-0x00007FF730860000-0x00007FF730BB1000-memory.dmp	xmrig
behavioral2/memory/3612-150-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp	xmrig
behavioral2/memory/2172-149-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp	xmrig
behavioral2/memory/4912-157-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	xmrig
behavioral2/memory/1520-210-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp	xmrig
behavioral2/memory/3888-212-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	xmrig
behavioral2/memory/4596-214-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp	xmrig
behavioral2/memory/2360-216-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp	xmrig
behavioral2/memory/3576-218-0x00007FF60D640000-0x00007FF60D991000-memory.dmp	xmrig
behavioral2/memory/3668-225-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp	xmrig
behavioral2/memory/1796-227-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	xmrig
behavioral2/memory/388-229-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp	xmrig
behavioral2/memory/3180-231-0x00007FF741390000-0x00007FF7416E1000-memory.dmp	xmrig
behavioral2/memory/552-233-0x00007FF612060000-0x00007FF6123B1000-memory.dmp	xmrig
behavioral2/memory/2548-235-0x00007FF74B800000-0x00007FF74BB51000-memory.dmp	xmrig
behavioral2/memory/4664-237-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp	xmrig
behavioral2/memory/1308-245-0x00007FF795490000-0x00007FF7957E1000-memory.dmp	xmrig
behavioral2/memory/3612-247-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp	xmrig
behavioral2/memory/2172-249-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp	xmrig
behavioral2/memory/4376-254-0x00007FF664C20000-0x00007FF664F71000-memory.dmp	xmrig
behavioral2/memory/4556-258-0x00007FF730860000-0x00007FF730BB1000-memory.dmp	xmrig
behavioral2/memory/2324-260-0x00007FF6C7AE0000-0x00007FF6C7E31000-memory.dmp	xmrig
behavioral2/memory/3000-262-0x00007FF6BACC0000-0x00007FF6BB011000-memory.dmp	xmrig
behavioral2/memory/2104-256-0x00007FF6763F0000-0x00007FF676741000-memory.dmp	xmrig
behavioral2/memory/3316-264-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pSXbetk.exeMQIInLz.exetEFHFty.exeDjhUhCS.exeEeAEqtl.exehGJlFGr.exefcnkCtu.exeaGAUXTH.exemtkxcdP.exevLYwRFy.exeqHBcmOg.exePqkbXJT.exeLxDHWeW.exeSxZXwyO.exesEJCBxn.exespUtPYz.exeQQqVFwO.exeCmYftwl.exemgUnXSQ.exesIQgeDB.exeJQABloI.exe

pid	Process
1520	pSXbetk.exe
3888	MQIInLz.exe
4596	tEFHFty.exe
2360	DjhUhCS.exe
3576	EeAEqtl.exe
3668	hGJlFGr.exe
1796	fcnkCtu.exe
388	aGAUXTH.exe
3180	mtkxcdP.exe
552	vLYwRFy.exe
2548	qHBcmOg.exe
4664	PqkbXJT.exe
1308	LxDHWeW.exe
2172	SxZXwyO.exe
3612	sEJCBxn.exe
4376	spUtPYz.exe
4556	QQqVFwO.exe
3316	CmYftwl.exe
2104	mgUnXSQ.exe
2324	sIQgeDB.exe
3000	JQABloI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4912-0-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	upx
behavioral2/files/0x000b000000023b64-5.dat	upx
behavioral2/files/0x000a000000023b68-10.dat	upx
behavioral2/files/0x000a000000023b6b-23.dat	upx
behavioral2/files/0x000a000000023b6a-33.dat	upx
behavioral2/files/0x000a000000023b6c-39.dat	upx
behavioral2/files/0x000a000000023b6f-52.dat	upx
behavioral2/files/0x0031000000023b71-61.dat	upx
behavioral2/files/0x0031000000023b70-66.dat	upx
behavioral2/memory/3180-73-0x00007FF741390000-0x00007FF7416E1000-memory.dmp	upx
behavioral2/memory/2548-74-0x00007FF74B800000-0x00007FF74BB51000-memory.dmp	upx
behavioral2/files/0x000b000000023b65-71.dat	upx
behavioral2/memory/4664-68-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp	upx
behavioral2/memory/552-63-0x00007FF612060000-0x00007FF6123B1000-memory.dmp	upx
behavioral2/memory/388-55-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp	upx
behavioral2/memory/1796-45-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	upx
behavioral2/files/0x000a000000023b6e-50.dat	upx
behavioral2/files/0x000a000000023b6d-42.dat	upx
behavioral2/memory/3668-35-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp	upx
behavioral2/memory/2360-31-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp	upx
behavioral2/memory/3576-26-0x00007FF60D640000-0x00007FF60D991000-memory.dmp	upx
behavioral2/memory/4596-24-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b69-27.dat	upx
behavioral2/memory/3888-19-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	upx
behavioral2/memory/1520-6-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp	upx
behavioral2/files/0x0031000000023b72-78.dat	upx
behavioral2/files/0x0002000000022dc9-84.dat	upx
behavioral2/memory/2172-90-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp	upx
behavioral2/files/0x0002000000022dcd-91.dat	upx
behavioral2/memory/4376-110-0x00007FF664C20000-0x00007FF664F71000-memory.dmp	upx
behavioral2/files/0x000e000000023a32-116.dat	upx
behavioral2/files/0x0014000000023a30-119.dat	upx
behavioral2/files/0x000a000000023b74-128.dat	upx
behavioral2/files/0x000a000000023b75-126.dat	upx
behavioral2/memory/3668-117-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp	upx
behavioral2/files/0x000e000000023a2b-115.dat	upx
behavioral2/memory/4556-113-0x00007FF730860000-0x00007FF730BB1000-memory.dmp	upx
behavioral2/files/0x0011000000023a15-107.dat	upx
behavioral2/memory/2360-104-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp	upx
behavioral2/memory/3576-99-0x00007FF60D640000-0x00007FF60D991000-memory.dmp	upx
behavioral2/memory/3612-98-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp	upx
behavioral2/memory/4596-92-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp	upx
behavioral2/memory/3888-86-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	upx
behavioral2/memory/1520-85-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp	upx
behavioral2/memory/1308-83-0x00007FF795490000-0x00007FF7957E1000-memory.dmp	upx
behavioral2/memory/4912-80-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	upx
behavioral2/memory/3316-131-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp	upx
behavioral2/memory/4912-132-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	upx
behavioral2/memory/4664-144-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp	upx
behavioral2/memory/552-142-0x00007FF612060000-0x00007FF6123B1000-memory.dmp	upx
behavioral2/memory/388-140-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp	upx
behavioral2/memory/1796-139-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp	upx
behavioral2/memory/3000-145-0x00007FF6BACC0000-0x00007FF6BB011000-memory.dmp	upx
behavioral2/memory/2324-147-0x00007FF6C7AE0000-0x00007FF6C7E31000-memory.dmp	upx
behavioral2/memory/2104-146-0x00007FF6763F0000-0x00007FF676741000-memory.dmp	upx
behavioral2/memory/3316-153-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp	upx
behavioral2/memory/4376-151-0x00007FF664C20000-0x00007FF664F71000-memory.dmp	upx
behavioral2/memory/4556-152-0x00007FF730860000-0x00007FF730BB1000-memory.dmp	upx
behavioral2/memory/3612-150-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp	upx
behavioral2/memory/2172-149-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp	upx
behavioral2/memory/4912-157-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp	upx
behavioral2/memory/1520-210-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp	upx
behavioral2/memory/3888-212-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp	upx
behavioral2/memory/4596-214-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\PqkbXJT.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LxDHWeW.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QQqVFwO.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CmYftwl.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EeAEqtl.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aGAUXTH.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mtkxcdP.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qHBcmOg.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sIQgeDB.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fcnkCtu.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vLYwRFy.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SxZXwyO.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\spUtPYz.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgUnXSQ.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSXbetk.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjhUhCS.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hGJlFGr.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JQABloI.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQIInLz.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tEFHFty.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sEJCBxn.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 4912 wrote to memory of 1520	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4912 wrote to memory of 1520	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4912 wrote to memory of 3888	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4912 wrote to memory of 3888	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4912 wrote to memory of 4596	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4912 wrote to memory of 4596	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4912 wrote to memory of 2360	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4912 wrote to memory of 2360	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4912 wrote to memory of 3576	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4912 wrote to memory of 3576	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4912 wrote to memory of 3668	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4912 wrote to memory of 3668	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4912 wrote to memory of 1796	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4912 wrote to memory of 1796	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4912 wrote to memory of 388	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4912 wrote to memory of 388	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4912 wrote to memory of 3180	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4912 wrote to memory of 3180	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4912 wrote to memory of 552	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4912 wrote to memory of 552	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4912 wrote to memory of 2548	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4912 wrote to memory of 2548	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4912 wrote to memory of 4664	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4912 wrote to memory of 4664	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4912 wrote to memory of 1308	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4912 wrote to memory of 1308	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4912 wrote to memory of 2172	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4912 wrote to memory of 2172	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4912 wrote to memory of 3612	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4912 wrote to memory of 3612	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4912 wrote to memory of 4376	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4912 wrote to memory of 4376	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4912 wrote to memory of 4556	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4912 wrote to memory of 4556	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4912 wrote to memory of 3316	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4912 wrote to memory of 3316	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 4912 wrote to memory of 2104	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4912 wrote to memory of 2104	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 4912 wrote to memory of 3000	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4912 wrote to memory of 3000	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 4912 wrote to memory of 2324	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 4912 wrote to memory of 2324	4912	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	109

C:\Users\Admin\AppData\Local\Temp\2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Windows\System\pSXbetk.exe
  C:\Windows\System\pSXbetk.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\MQIInLz.exe
  C:\Windows\System\MQIInLz.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\tEFHFty.exe
  C:\Windows\System\tEFHFty.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\DjhUhCS.exe
  C:\Windows\System\DjhUhCS.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\EeAEqtl.exe
  C:\Windows\System\EeAEqtl.exe
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Windows\System\hGJlFGr.exe
  C:\Windows\System\hGJlFGr.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\fcnkCtu.exe
  C:\Windows\System\fcnkCtu.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\aGAUXTH.exe
  C:\Windows\System\aGAUXTH.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\mtkxcdP.exe
  C:\Windows\System\mtkxcdP.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\vLYwRFy.exe
  C:\Windows\System\vLYwRFy.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\qHBcmOg.exe
  C:\Windows\System\qHBcmOg.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\PqkbXJT.exe
  C:\Windows\System\PqkbXJT.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\LxDHWeW.exe
  C:\Windows\System\LxDHWeW.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\SxZXwyO.exe
  C:\Windows\System\SxZXwyO.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\sEJCBxn.exe
  C:\Windows\System\sEJCBxn.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\spUtPYz.exe
  C:\Windows\System\spUtPYz.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\QQqVFwO.exe
  C:\Windows\System\QQqVFwO.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\CmYftwl.exe
  C:\Windows\System\CmYftwl.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\mgUnXSQ.exe
  C:\Windows\System\mgUnXSQ.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\JQABloI.exe
  C:\Windows\System\JQABloI.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\sIQgeDB.exe
  C:\Windows\System\sIQgeDB.exe
  2⤵
  - Executes dropped EXE
  PID:2324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CmYftwl.exe

Filesize
5.2MB

MD5
09ee08e4ea48cb5441c9550fc5c408bf

SHA1
5c870d7085b11ff584c9ceb6782021e4294afb8d

SHA256
91cac819881e0204d73a5eb7dcbcc1bb3c8d2bc6f7016bb48efcb816e0353e8b

SHA512
9ab163dd5a2455ae55b9a3b2e653b718a853c3c208e82a89157d39c060e83bbdece4200d3b880637f7b2ab66df78e5f82a66c7ed85cd09d3573d9603bb1e6063

Download Submit
C:\Windows\System\DjhUhCS.exe

Filesize
5.2MB

MD5
9ff5c387e85e06e791884c1ee554f6be

SHA1
4ba54dd8faef43365cd5ce4f5bf66235398cb90a

SHA256
edda8a9dd1181b975a1a4d3119d81b4a23c6cb824f32fd38b38fa95309b5ad11

SHA512
d9d02df8905e98fa3518d536a4b04e8b4ada3fb6be4ca49117381d6a990e3b098d8973646cca6ccb4f131863181ccaa356484475f3746733591cf21521ef3e59

Download Submit
C:\Windows\System\EeAEqtl.exe

Filesize
5.2MB

MD5
a3d152f48bf5ede566c6a9c1b332ed97

SHA1
7a141fe897b5536189185a2ab7ed96134a3f5833

SHA256
df345df7c8cb3c83ae2accc23c63910664c938ace923a73c20c989e420e1f96c

SHA512
880e9777cb0afd1c9de0e17b5fa9dbe4cf35ce009a484135a6cd17ed0d8bc84653f717df7495a675bee573ba76657d25314b736d44ed6f73d172aa15a5814ac1

Download Submit
C:\Windows\System\JQABloI.exe

Filesize
5.2MB

MD5
5ba6561d26f9ac6786bfd0827ecbf20e

SHA1
18b0331f73b524def56ea6186d07f0be205c59ae

SHA256
95c4485a07a8a4e26cbb177626740f901f1b12b78aacf6312f668a81d92e3778

SHA512
98d19f76db9fdc4ee374f295d7c53353ec5414db0f51344d1eb7de2eb42e1a0698d9cdf69fdeeb1f0e955aae960a8d70c6a8e9fceb3e493f732d4e4a3d62f2f3

Download Submit
C:\Windows\System\LxDHWeW.exe

Filesize
5.2MB

MD5
2123fc1d8e6050c1ab1082263dfe1ff3

SHA1
818b144e76fb5d619dc267191e66e43a18b27cb7

SHA256
f6d60527e09b56550d5369b4097797c338d53c5987aaf7fb52684af27522bbfb

SHA512
95c7b73aa7f99007d435a0ba2f054c423759aa76ac0ae275d24a6b8bd33494f021a08d2288daa100a66d06992869c038b1862c6727db51006f35e768a5faa1fc

Download Submit
C:\Windows\System\MQIInLz.exe

Filesize
5.2MB

MD5
01c8e10da7153d9b95f24cd3c62483e5

SHA1
3b3978043462ea9605be879ab8244ee38a4e1cd9

SHA256
97c8138d4521b5fc95898fb9166e8e7a7314d543572c2f59113c212b971d7b76

SHA512
6671528231e7cc47e87c97b66be62420ad7d42f52f0d2c6f08ecae98d3cc1e781df55702b60e7f6b3e5b65744fd4d3b1c3f86843547806a6dbbfffb3020fee57

Download Submit
C:\Windows\System\PqkbXJT.exe

Filesize
5.2MB

MD5
664774fac9eab571761fc5bb0367e5aa

SHA1
4dccb845f6c4e6a0046e979f76d5a22ebf01afa4

SHA256
9caf31f8f8546f2de9ebcca8c0b4889399a754ecc583434697e6580d650f82c5

SHA512
dcb74cddff805745ec26f22f1a62253f3c800a582e88642a49651c55fa4d265b42ca2a60e25b29133e63c60ebfb31d8d665d7fb74be24e2683cc69530e9b25b6

Download Submit
C:\Windows\System\QQqVFwO.exe

Filesize
5.2MB

MD5
5007811b0998623632d468b7f0a30d06

SHA1
dfaedf6bff67855abd3e6f1ed6139ebab3c90663

SHA256
4c7f6a65292b8c0526f198bd292efe49f5c6682795fa1feda1a8d88e9ce3a278

SHA512
04ce33c8bc12d3e286228d45383308311346a19385b7046a8f0f8d73a382a37e29db0f07c117ce9f84fc6191b0ed75170c5f8203d846875cb758f648696998ad

Download Submit
C:\Windows\System\SxZXwyO.exe

Filesize
5.2MB

MD5
990f742b7ada4bb0224b9ca0044e1398

SHA1
fec8af7aa079f5551301073f6a720e8269f018fe

SHA256
43bd415cbbdb13b59090a8e0158ae13dae7b4059d81fe040263fa37d4b86e997

SHA512
48a82fdd2283a7ae61d2b18e06c7cd92c9bf5e9d1053d6fac1ada5244afa410034255f5117161ab46cf3130acbee80348b57ded39772bba7c6d7949f218fde8e

Download Submit
C:\Windows\System\aGAUXTH.exe

Filesize
5.2MB

MD5
ede36485a6e96d5a68552d73b75ac9f2

SHA1
b87a7d37696a425d6c737eac3a8e59ee3d42c5dc

SHA256
d2541a07df9fe3da61220c623f5294533fed02f849e327186fa4a57ef487782b

SHA512
2095d576debb02dc89e6aff11588271e632a49ed98cfb20a5028804e2dd35059a6d8d2dc967d0d4e876f15daaa35a50ac4c300bcbd1eda3a46c95b34f6e36062

Download Submit
C:\Windows\System\fcnkCtu.exe

Filesize
5.2MB

MD5
448ee1a07b965e66803d6e8039a7e3df

SHA1
3db536f562c2a4c5b71c706c7f688dc113406587

SHA256
09995f8573c64f85003a03218af55322b8d731f6e41a04ec7ae462564d03b4da

SHA512
bf7ec280da72a05e04dfd6fb57535de6acb3b3fcceeaab6dc78ddcd1c4bfba828c6a2b30e259cf95eaa102f72e6d437a048e0db20487cebbad99a8694b695dd1

Download Submit
C:\Windows\System\hGJlFGr.exe

Filesize
5.2MB

MD5
0ba554423505951230873b7394e8a420

SHA1
12eafc595bd06c97f83036212a83d7b23cd8b2f2

SHA256
12555cf77e06952ce185f6e2376e3361ccdc71e24742b734300e523873904ff8

SHA512
19ea37d5803bee123401bd6641fe20abe28ad98c0708d061cfe8987886d9d17c19e80460cf1788dc66175b29fb3536586595f47810335e928acbaa3326e4b891

Download Submit
C:\Windows\System\mgUnXSQ.exe

Filesize
5.2MB

MD5
312913953662989d5bc0ca9ff68fd096

SHA1
719b06df08a55b73145f23dbf6c7e45d39019d78

SHA256
b06b8789cb3af29a4f7dd877ef3597648b4978ebfe55d54c02e554a141ced02b

SHA512
017ac7b96e47eef113d6d21be6481709668c145e0da67b04b42cb541f77613800b34ab1960d74c90aa0bbe8b0b17244a5a74efc08c0930b8741b3a3203982ee8

Download Submit
C:\Windows\System\mtkxcdP.exe

Filesize
5.2MB

MD5
66cb68398917870e414dd09ef010abc4

SHA1
1223b461554681111683453211f5403c21eb0ed0

SHA256
1fda8c4971d2fbef7a3865f896893ab40def9a39baff507ff77a22cdccf7265e

SHA512
8677843a9d305affcb9ba83709a4bfafdd78956ee8f1e7db560673fed72eba193504d10f6190cd7478196b20cf8669a828bce465ad08b5cb67c19b98a0dc965b

Download Submit
C:\Windows\System\pSXbetk.exe

Filesize
5.2MB

MD5
ed03dc903654767f9c707e581ce0c150

SHA1
20c9425e70169724266207c8ac9d1ee064efb9d4

SHA256
8b848cbdddb38d93e0821b07f58ba0120b734e722e48678ecd6b40cc93796495

SHA512
8abc8d2e0652e69fe9e83f2bf7a5389ee2443cf8a8032720f593f48fa1b37b0f825d4ee26a7cdefba5b9ca970dddf61bfcda7dbac012572a565d385ba7e2ad00

Download Submit
C:\Windows\System\qHBcmOg.exe

Filesize
5.2MB

MD5
c46d003ab8940d4c8643fb7be1cf391f

SHA1
ac6f1e9c5246aaa29be27d19ae349f40228c173a

SHA256
65d7e1066b69fb9aa525e6771443435bcc9cf5962a5197fc271e48fc978b25dd

SHA512
635e66b824a0e320632b82ed5ae284919103826b99d16ec95770b319d75558f49207523fb38b4e46c4bf58317f2ae78846ebd7c4d7993a42d3b1bd6e38ab28a0

Download Submit
C:\Windows\System\sEJCBxn.exe

Filesize
5.2MB

MD5
b0b27b18b2905ff966293fe3a785032a

SHA1
3cbf7e6bd87abcc26b456b315d3d5fded5f6da3e

SHA256
0fe50d60ee4ae88be49e31e4c3957925ecaf43fce99f1eb25b88a4a5a1ffff91

SHA512
508d57e3074ac2fd827811c2fec3432fc814cd28cb98a56555609309998f56ded888d18ebbd7c6540b7d7599beffdb602000bd1bc3460ead0e2290350ef9853c

Download Submit
C:\Windows\System\sIQgeDB.exe

Filesize
5.2MB

MD5
8011a5ad8ab06c3e97aaef61d8a5f443

SHA1
7199c8f91864b0a6cc2492c4e82e5160e84034f4

SHA256
e01da5f0068a8fd1d1d34e8656d589849dec0b5ae30b17aa3d0abf6111fadc15

SHA512
d2dbd402c1411815e6bb712c1f602e0097756900ce669333aedcf8b0f1fc446ff54439571dfac75cf9a4b90da69bdb9ab52a46734dcdd50412c75335fa95c6c1

Download Submit
C:\Windows\System\spUtPYz.exe

Filesize
5.2MB

MD5
13e50d8c3bfa51504a8733423a2ea9e8

SHA1
8411ae165cfab95c7cb9dd862f0e7c846f6a63b8

SHA256
86b6b11087a3d00879c1c7b5aa94650e6b087d9d44eca87173f6842adbfad458

SHA512
114bd82cdc6a790d085367f76d9f01976ff9d09b9bceed037ce1447ea4b93f0b837841cb24274b538f267329db8971e3bbc4ed47d59a5d507073ca2414555b8b

Download Submit
C:\Windows\System\tEFHFty.exe

Filesize
5.2MB

MD5
d9f02005bb618ac3c822d24d8f15ff0e

SHA1
0ec96011734967ed1f90e4cfd7002f4bdcbe5711

SHA256
f8d249dd38751587dd5c915ba28a1c58f84fc57a1e78db336bffdde386002241

SHA512
e59407a8e65fe1e6604d4b02bcb447e4f098d4eeb8152530a081713656fbaed00293908372d228db0af4c56abac69cc7358aeccd0d02269572df623caf202519

Download Submit
C:\Windows\System\vLYwRFy.exe

Filesize
5.2MB

MD5
8fcd3f7045e94a4cc1cbd64d965a6d09

SHA1
cbb31d7c02071c9c3836e02507ff3bb74427f4f7

SHA256
bdc2e48486c00b0fbe5d9624f8c88bee99cec0d2d673b870ded1d70ee000d8e6

SHA512
7c8b6fb0d991c3febc4b03fb1f6dfa70cf68f6d6696128e9011c90afd7cc5b6dd5da6e044117beadf370e099c9bf5cadf2826c43f0daf2fb53295da4b04c5ccc

Download Submit
memory/388-229-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp

Filesize
3.3MB

Download
memory/388-140-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp

Filesize
3.3MB

Download
memory/388-55-0x00007FF6E5920000-0x00007FF6E5C71000-memory.dmp

Filesize
3.3MB

Download
memory/552-63-0x00007FF612060000-0x00007FF6123B1000-memory.dmp

Filesize
3.3MB

Download
memory/552-142-0x00007FF612060000-0x00007FF6123B1000-memory.dmp

Filesize
3.3MB

Download
memory/552-233-0x00007FF612060000-0x00007FF6123B1000-memory.dmp

Filesize
3.3MB

Download
memory/1308-245-0x00007FF795490000-0x00007FF7957E1000-memory.dmp

Filesize
3.3MB

Download
memory/1308-83-0x00007FF795490000-0x00007FF7957E1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-85-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-6-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1520-210-0x00007FF6B4A90000-0x00007FF6B4DE1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-139-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-45-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-227-0x00007FF6A2070000-0x00007FF6A23C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-256-0x00007FF6763F0000-0x00007FF676741000-memory.dmp

Filesize
3.3MB

Download
memory/2104-146-0x00007FF6763F0000-0x00007FF676741000-memory.dmp

Filesize
3.3MB

Download
memory/2172-249-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp

Filesize
3.3MB

Download
memory/2172-90-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp

Filesize
3.3MB

Download
memory/2172-149-0x00007FF73C9E0000-0x00007FF73CD31000-memory.dmp

Filesize
3.3MB

Download
memory/2324-147-0x00007FF6C7AE0000-0x00007FF6C7E31000-memory.dmp

Filesize
3.3MB

Download
memory/2324-260-0x00007FF6C7AE0000-0x00007FF6C7E31000-memory.dmp

Filesize
3.3MB

Download
memory/2360-104-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp

Filesize
3.3MB

Download
memory/2360-216-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp

Filesize
3.3MB

Download
memory/2360-31-0x00007FF7BACB0000-0x00007FF7BB001000-memory.dmp

Filesize
3.3MB

Download
memory/2548-235-0x00007FF74B800000-0x00007FF74BB51000-memory.dmp

Filesize
3.3MB

Download
memory/2548-74-0x00007FF74B800000-0x00007FF74BB51000-memory.dmp

Filesize
3.3MB

Download
memory/3000-262-0x00007FF6BACC0000-0x00007FF6BB011000-memory.dmp

Filesize
3.3MB

Download
memory/3000-145-0x00007FF6BACC0000-0x00007FF6BB011000-memory.dmp

Filesize
3.3MB

Download
memory/3180-231-0x00007FF741390000-0x00007FF7416E1000-memory.dmp

Filesize
3.3MB

Download
memory/3180-73-0x00007FF741390000-0x00007FF7416E1000-memory.dmp

Filesize
3.3MB

Download
memory/3316-264-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp

Filesize
3.3MB

Download
memory/3316-131-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp

Filesize
3.3MB

Download
memory/3316-153-0x00007FF7D15C0000-0x00007FF7D1911000-memory.dmp

Filesize
3.3MB

Download
memory/3576-99-0x00007FF60D640000-0x00007FF60D991000-memory.dmp

Filesize
3.3MB

Download
memory/3576-26-0x00007FF60D640000-0x00007FF60D991000-memory.dmp

Filesize
3.3MB

Download
memory/3576-218-0x00007FF60D640000-0x00007FF60D991000-memory.dmp

Filesize
3.3MB

Download
memory/3612-98-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp

Filesize
3.3MB

Download
memory/3612-247-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp

Filesize
3.3MB

Download
memory/3612-150-0x00007FF6D7420000-0x00007FF6D7771000-memory.dmp

Filesize
3.3MB

Download
memory/3668-225-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-35-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp

Filesize
3.3MB

Download
memory/3668-117-0x00007FF6772A0000-0x00007FF6775F1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-86-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-212-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/3888-19-0x00007FF79A390000-0x00007FF79A6E1000-memory.dmp

Filesize
3.3MB

Download
memory/4376-254-0x00007FF664C20000-0x00007FF664F71000-memory.dmp

Filesize
3.3MB

Download
memory/4376-151-0x00007FF664C20000-0x00007FF664F71000-memory.dmp

Filesize
3.3MB

Download
memory/4376-110-0x00007FF664C20000-0x00007FF664F71000-memory.dmp

Filesize
3.3MB

Download
memory/4556-258-0x00007FF730860000-0x00007FF730BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-152-0x00007FF730860000-0x00007FF730BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-113-0x00007FF730860000-0x00007FF730BB1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-24-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-92-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-214-0x00007FF745E80000-0x00007FF7461D1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-237-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-144-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4664-68-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4912-0-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp

Filesize
3.3MB

Download
memory/4912-157-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp

Filesize
3.3MB

Download
memory/4912-80-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp

Filesize
3.3MB

Download
memory/4912-132-0x00007FF7A1010000-0x00007FF7A1361000-memory.dmp

Filesize
3.3MB

Download
memory/4912-1-0x000001FEA8850000-0x000001FEA8860000-memory.dmp

Filesize
64KB

Download