cobaltstrike | b61a33b8f3ba131b49e008cc6d23958e78b656107cb52513a6511de7ab05ab3e

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

d5f9ed32a40cf96ebb6f8198bcef48d6
SHA1

1eb9ddc149c046652f465bf3c7335c2d560f4250
SHA256

b61a33b8f3ba131b49e008cc6d23958e78b656107cb52513a6511de7ab05ab3e
SHA512

d711f70f68c350ef2416cce88b6f5f6cd9a41614759efe0a8e4e2021d91a13dfbaeccd30944ca4867af93639eee9416e788c0d1cd091e58624e31423c2607f9a
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l4:RWWBibd56utgpPFotBER/mQ32lUU

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\vBerted.exe	cobalt_reflective_dll
C:\Windows\System\kSlfnEp.exe	cobalt_reflective_dll
C:\Windows\System\gzgpKUa.exe	cobalt_reflective_dll
C:\Windows\System\XfLdzrm.exe	cobalt_reflective_dll
C:\Windows\System\hJZnwKk.exe	cobalt_reflective_dll
C:\Windows\System\NYdTTXa.exe	cobalt_reflective_dll
C:\Windows\System\BXkohfv.exe	cobalt_reflective_dll
C:\Windows\System\mgNWcWj.exe	cobalt_reflective_dll
C:\Windows\System\LYdkzQn.exe	cobalt_reflective_dll
C:\Windows\System\QKnUFDm.exe	cobalt_reflective_dll
C:\Windows\System\MSIghxO.exe	cobalt_reflective_dll
C:\Windows\System\XHboCMy.exe	cobalt_reflective_dll
C:\Windows\System\lVEygZH.exe	cobalt_reflective_dll
C:\Windows\System\RcOrsox.exe	cobalt_reflective_dll
C:\Windows\System\OkShhPa.exe	cobalt_reflective_dll
C:\Windows\System\MrYyBPe.exe	cobalt_reflective_dll
C:\Windows\System\zKAFJdq.exe	cobalt_reflective_dll
C:\Windows\System\MTHjaRQ.exe	cobalt_reflective_dll
C:\Windows\System\lZydIRh.exe	cobalt_reflective_dll
C:\Windows\System\tcUtBYk.exe	cobalt_reflective_dll
C:\Windows\System\tNabMAf.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3132-39-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp	xmrig
behavioral2/memory/4364-50-0x00007FF647A40000-0x00007FF647D91000-memory.dmp	xmrig
behavioral2/memory/1528-49-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp	xmrig
behavioral2/memory/4000-46-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp	xmrig
behavioral2/memory/4948-42-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp	xmrig
behavioral2/memory/4644-81-0x00007FF760DD0000-0x00007FF761121000-memory.dmp	xmrig
behavioral2/memory/4952-72-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	xmrig
behavioral2/memory/4952-121-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	xmrig
behavioral2/memory/1200-123-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp	xmrig
behavioral2/memory/1480-124-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp	xmrig
behavioral2/memory/2900-139-0x00007FF691610000-0x00007FF691961000-memory.dmp	xmrig
behavioral2/memory/3268-142-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/116-141-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	xmrig
behavioral2/memory/1912-140-0x00007FF7AC880000-0x00007FF7ACBD1000-memory.dmp	xmrig
behavioral2/memory/1844-138-0x00007FF6682D0000-0x00007FF668621000-memory.dmp	xmrig
behavioral2/memory/2780-137-0x00007FF61BDA0000-0x00007FF61C0F1000-memory.dmp	xmrig
behavioral2/memory/2108-136-0x00007FF6029F0000-0x00007FF602D41000-memory.dmp	xmrig
behavioral2/memory/3668-135-0x00007FF6139F0000-0x00007FF613D41000-memory.dmp	xmrig
behavioral2/memory/2144-133-0x00007FF701C30000-0x00007FF701F81000-memory.dmp	xmrig
behavioral2/memory/3412-132-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp	xmrig
behavioral2/memory/3604-131-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp	xmrig
behavioral2/memory/2200-134-0x00007FF622770000-0x00007FF622AC1000-memory.dmp	xmrig
behavioral2/memory/452-130-0x00007FF737980000-0x00007FF737CD1000-memory.dmp	xmrig
behavioral2/memory/4952-143-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	xmrig
behavioral2/memory/4644-197-0x00007FF760DD0000-0x00007FF761121000-memory.dmp	xmrig
behavioral2/memory/1200-199-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp	xmrig
behavioral2/memory/4000-202-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp	xmrig
behavioral2/memory/1480-203-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp	xmrig
behavioral2/memory/4948-210-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp	xmrig
behavioral2/memory/4364-208-0x00007FF647A40000-0x00007FF647D91000-memory.dmp	xmrig
behavioral2/memory/1528-212-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp	xmrig
behavioral2/memory/3132-211-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp	xmrig
behavioral2/memory/452-218-0x00007FF737980000-0x00007FF737CD1000-memory.dmp	xmrig
behavioral2/memory/3604-220-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp	xmrig
behavioral2/memory/3412-222-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp	xmrig
behavioral2/memory/2144-232-0x00007FF701C30000-0x00007FF701F81000-memory.dmp	xmrig
behavioral2/memory/2200-234-0x00007FF622770000-0x00007FF622AC1000-memory.dmp	xmrig
behavioral2/memory/3668-236-0x00007FF6139F0000-0x00007FF613D41000-memory.dmp	xmrig
behavioral2/memory/2108-238-0x00007FF6029F0000-0x00007FF602D41000-memory.dmp	xmrig
behavioral2/memory/2780-240-0x00007FF61BDA0000-0x00007FF61C0F1000-memory.dmp	xmrig
behavioral2/memory/2900-248-0x00007FF691610000-0x00007FF691961000-memory.dmp	xmrig
behavioral2/memory/1912-247-0x00007FF7AC880000-0x00007FF7ACBD1000-memory.dmp	xmrig
behavioral2/memory/3268-243-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	xmrig
behavioral2/memory/116-245-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	xmrig
behavioral2/memory/1844-250-0x00007FF6682D0000-0x00007FF668621000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

vBerted.exemgNWcWj.exekSlfnEp.exegzgpKUa.exeXfLdzrm.exehJZnwKk.exeNYdTTXa.exeBXkohfv.exeLYdkzQn.exeQKnUFDm.exeMSIghxO.exetNabMAf.exeXHboCMy.exetcUtBYk.exelZydIRh.exeMTHjaRQ.exezKAFJdq.exeMrYyBPe.exelVEygZH.exeOkShhPa.exeRcOrsox.exe

pid	process
4644	vBerted.exe
1200	mgNWcWj.exe
1480	kSlfnEp.exe
4000	gzgpKUa.exe
3132	XfLdzrm.exe
4948	hJZnwKk.exe
1528	NYdTTXa.exe
4364	BXkohfv.exe
452	LYdkzQn.exe
3604	QKnUFDm.exe
3412	MSIghxO.exe
2144	tNabMAf.exe
2200	XHboCMy.exe
3668	tcUtBYk.exe
2108	lZydIRh.exe
2780	MTHjaRQ.exe
1844	zKAFJdq.exe
2900	MrYyBPe.exe
1912	lVEygZH.exe
116	OkShhPa.exe
3268	RcOrsox.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4952-0-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	upx
C:\Windows\System\vBerted.exe	upx
behavioral2/memory/4644-6-0x00007FF760DD0000-0x00007FF761121000-memory.dmp	upx
behavioral2/memory/1200-12-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp	upx
C:\Windows\System\kSlfnEp.exe	upx
C:\Windows\System\gzgpKUa.exe	upx
C:\Windows\System\XfLdzrm.exe	upx
C:\Windows\System\hJZnwKk.exe	upx
C:\Windows\System\NYdTTXa.exe	upx
behavioral2/memory/3132-39-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp	upx
C:\Windows\System\BXkohfv.exe	upx
behavioral2/memory/4364-50-0x00007FF647A40000-0x00007FF647D91000-memory.dmp	upx
behavioral2/memory/1528-49-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp	upx
behavioral2/memory/4000-46-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp	upx
behavioral2/memory/4948-42-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp	upx
behavioral2/memory/1480-35-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp	upx
C:\Windows\System\mgNWcWj.exe	upx
C:\Windows\System\LYdkzQn.exe	upx
C:\Windows\System\QKnUFDm.exe	upx
behavioral2/memory/3604-61-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp	upx
C:\Windows\System\MSIghxO.exe	upx
behavioral2/memory/3412-66-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp	upx
behavioral2/memory/452-54-0x00007FF737980000-0x00007FF737CD1000-memory.dmp	upx
C:\Windows\System\XHboCMy.exe	upx
C:\Windows\System\lVEygZH.exe	upx
C:\Windows\System\RcOrsox.exe	upx
C:\Windows\System\OkShhPa.exe	upx
C:\Windows\System\MrYyBPe.exe	upx
C:\Windows\System\zKAFJdq.exe	upx
C:\Windows\System\MTHjaRQ.exe	upx
C:\Windows\System\lZydIRh.exe	upx
C:\Windows\System\tcUtBYk.exe	upx
behavioral2/memory/4644-81-0x00007FF760DD0000-0x00007FF761121000-memory.dmp	upx
C:\Windows\System\tNabMAf.exe	upx
behavioral2/memory/2144-75-0x00007FF701C30000-0x00007FF701F81000-memory.dmp	upx
behavioral2/memory/4952-72-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	upx
behavioral2/memory/4952-121-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	upx
behavioral2/memory/1200-123-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp	upx
behavioral2/memory/1480-124-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp	upx
behavioral2/memory/2900-139-0x00007FF691610000-0x00007FF691961000-memory.dmp	upx
behavioral2/memory/3268-142-0x00007FF605190000-0x00007FF6054E1000-memory.dmp	upx
behavioral2/memory/116-141-0x00007FF774FF0000-0x00007FF775341000-memory.dmp	upx
behavioral2/memory/1912-140-0x00007FF7AC880000-0x00007FF7ACBD1000-memory.dmp	upx
behavioral2/memory/1844-138-0x00007FF6682D0000-0x00007FF668621000-memory.dmp	upx
behavioral2/memory/2780-137-0x00007FF61BDA0000-0x00007FF61C0F1000-memory.dmp	upx
behavioral2/memory/2108-136-0x00007FF6029F0000-0x00007FF602D41000-memory.dmp	upx
behavioral2/memory/3668-135-0x00007FF6139F0000-0x00007FF613D41000-memory.dmp	upx
behavioral2/memory/2144-133-0x00007FF701C30000-0x00007FF701F81000-memory.dmp	upx
behavioral2/memory/3412-132-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp	upx
behavioral2/memory/3604-131-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp	upx
behavioral2/memory/2200-134-0x00007FF622770000-0x00007FF622AC1000-memory.dmp	upx
behavioral2/memory/452-130-0x00007FF737980000-0x00007FF737CD1000-memory.dmp	upx
behavioral2/memory/4952-143-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp	upx
behavioral2/memory/4644-197-0x00007FF760DD0000-0x00007FF761121000-memory.dmp	upx
behavioral2/memory/1200-199-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp	upx
behavioral2/memory/4000-202-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp	upx
behavioral2/memory/1480-203-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp	upx
behavioral2/memory/4948-210-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp	upx
behavioral2/memory/4364-208-0x00007FF647A40000-0x00007FF647D91000-memory.dmp	upx
behavioral2/memory/1528-212-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp	upx
behavioral2/memory/3132-211-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp	upx
behavioral2/memory/452-218-0x00007FF737980000-0x00007FF737CD1000-memory.dmp	upx
behavioral2/memory/3604-220-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp	upx
behavioral2/memory/3412-222-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\mgNWcWj.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfLdzrm.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNabMAf.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RcOrsox.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lZydIRh.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zKAFJdq.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJZnwKk.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BXkohfv.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QKnUFDm.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MSIghxO.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHboCMy.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tcUtBYk.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MrYyBPe.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gzgpKUa.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NYdTTXa.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYdkzQn.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OkShhPa.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vBerted.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kSlfnEp.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MTHjaRQ.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lVEygZH.exe	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4952 wrote to memory of 4644	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	vBerted.exe
PID 4952 wrote to memory of 4644	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	vBerted.exe
PID 4952 wrote to memory of 1200	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	mgNWcWj.exe
PID 4952 wrote to memory of 1200	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	mgNWcWj.exe
PID 4952 wrote to memory of 1480	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	kSlfnEp.exe
PID 4952 wrote to memory of 1480	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	kSlfnEp.exe
PID 4952 wrote to memory of 4000	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	gzgpKUa.exe
PID 4952 wrote to memory of 4000	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	gzgpKUa.exe
PID 4952 wrote to memory of 3132	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	XfLdzrm.exe
PID 4952 wrote to memory of 3132	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	XfLdzrm.exe
PID 4952 wrote to memory of 4948	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	hJZnwKk.exe
PID 4952 wrote to memory of 4948	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	hJZnwKk.exe
PID 4952 wrote to memory of 1528	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	NYdTTXa.exe
PID 4952 wrote to memory of 1528	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	NYdTTXa.exe
PID 4952 wrote to memory of 4364	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	BXkohfv.exe
PID 4952 wrote to memory of 4364	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	BXkohfv.exe
PID 4952 wrote to memory of 452	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	LYdkzQn.exe
PID 4952 wrote to memory of 452	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	LYdkzQn.exe
PID 4952 wrote to memory of 3604	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	QKnUFDm.exe
PID 4952 wrote to memory of 3604	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	QKnUFDm.exe
PID 4952 wrote to memory of 3412	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MSIghxO.exe
PID 4952 wrote to memory of 3412	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MSIghxO.exe
PID 4952 wrote to memory of 2144	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	tNabMAf.exe
PID 4952 wrote to memory of 2144	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	tNabMAf.exe
PID 4952 wrote to memory of 2200	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	XHboCMy.exe
PID 4952 wrote to memory of 2200	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	XHboCMy.exe
PID 4952 wrote to memory of 3668	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	tcUtBYk.exe
PID 4952 wrote to memory of 3668	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	tcUtBYk.exe
PID 4952 wrote to memory of 2108	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	lZydIRh.exe
PID 4952 wrote to memory of 2108	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	lZydIRh.exe
PID 4952 wrote to memory of 2780	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MTHjaRQ.exe
PID 4952 wrote to memory of 2780	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MTHjaRQ.exe
PID 4952 wrote to memory of 1844	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	zKAFJdq.exe
PID 4952 wrote to memory of 1844	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	zKAFJdq.exe
PID 4952 wrote to memory of 2900	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MrYyBPe.exe
PID 4952 wrote to memory of 2900	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	MrYyBPe.exe
PID 4952 wrote to memory of 1912	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	lVEygZH.exe
PID 4952 wrote to memory of 1912	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	lVEygZH.exe
PID 4952 wrote to memory of 116	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	OkShhPa.exe
PID 4952 wrote to memory of 116	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	OkShhPa.exe
PID 4952 wrote to memory of 3268	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	RcOrsox.exe
PID 4952 wrote to memory of 3268	4952	2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe	RcOrsox.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_d5f9ed32a40cf96ebb6f8198bcef48d6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\System\vBerted.exe
  C:\Windows\System\vBerted.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\mgNWcWj.exe
  C:\Windows\System\mgNWcWj.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\kSlfnEp.exe
  C:\Windows\System\kSlfnEp.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\gzgpKUa.exe
  C:\Windows\System\gzgpKUa.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\XfLdzrm.exe
  C:\Windows\System\XfLdzrm.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\hJZnwKk.exe
  C:\Windows\System\hJZnwKk.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\NYdTTXa.exe
  C:\Windows\System\NYdTTXa.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\BXkohfv.exe
  C:\Windows\System\BXkohfv.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\LYdkzQn.exe
  C:\Windows\System\LYdkzQn.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\QKnUFDm.exe
  C:\Windows\System\QKnUFDm.exe
  2⤵
  - Executes dropped EXE
  PID:3604
- C:\Windows\System\MSIghxO.exe
  C:\Windows\System\MSIghxO.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\tNabMAf.exe
  C:\Windows\System\tNabMAf.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\XHboCMy.exe
  C:\Windows\System\XHboCMy.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\tcUtBYk.exe
  C:\Windows\System\tcUtBYk.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\lZydIRh.exe
  C:\Windows\System\lZydIRh.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\MTHjaRQ.exe
  C:\Windows\System\MTHjaRQ.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\zKAFJdq.exe
  C:\Windows\System\zKAFJdq.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\MrYyBPe.exe
  C:\Windows\System\MrYyBPe.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\lVEygZH.exe
  C:\Windows\System\lVEygZH.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\OkShhPa.exe
  C:\Windows\System\OkShhPa.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\RcOrsox.exe
  C:\Windows\System\RcOrsox.exe
  2⤵
  - Executes dropped EXE
  PID:3268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BXkohfv.exe

Filesize
5.2MB

MD5
24b0783a3b31e18335a3f4eed7bc5b99

SHA1
9fc4ee8579a41be10cbfe7bac0d301cf4eb35da4

SHA256
84bb1b6e18d499101ee3bb1593004d1980c23a849c3d9d7a52d4dde0c2ae53f5

SHA512
15e1fac45dfa26f9c89dccb46bfdbb711a9badccd273fba51312fc5d1711ed8b69db2411bad8f59b27b103a70b67324b139cc24ff669b5c0689b09fc79e29eb2

Download Submit
C:\Windows\System\LYdkzQn.exe

Filesize
5.2MB

MD5
ad27ce7333ad92a14ba61fe4da5e025a

SHA1
410ad67a236299f93d1894f0cd94e89b7f855dd9

SHA256
43fcd21e549950366cab4427ef76ac264e8611e40ecd5923e233f7ca059ef6b1

SHA512
b4cedf4385fc2f7139c5a54b3af0f9dd12b984274544db6237837492ad7de49e9478afb5f993c157ed8c74e06135e3d43b52c11fe02836de277fd527f5354791

Download Submit
C:\Windows\System\MSIghxO.exe

Filesize
5.2MB

MD5
52262319f7887f8d46bc189b0e6ea0bc

SHA1
4aa4317ac8f7247ea241483d7b1132b964680b54

SHA256
f2a94d9d1793736e7998215df6f3470ee4f57dc60de1ab6c15135252370878cd

SHA512
d19d8978e3ee8c54c84b1a9b5e5a0cc19d0a25eaba81a9ee9cb1ddf0218212e9dafade10f3aeee2eadb55d149d6a5c536985bd8726782ecc2af77613dd379bfd

Download Submit
C:\Windows\System\MTHjaRQ.exe

Filesize
5.2MB

MD5
a5f74491a00cd6c211a421669b9d901b

SHA1
2d09d91c8032038f86e4d06aac255ff0855ef20e

SHA256
b335a5cdda926446926c90388fa7fd83417f3fe9e2d2746e096f8d7a84aa317d

SHA512
3a64ff5481e5f9f7142e0a8bc25cf437a358a7ebd41b6d8f8f839435d500ae11624e7866d7ee6b98ff36afadec49f8d5de136d91ad1aca720d1ee7a9f40db9b5

Download Submit
C:\Windows\System\MrYyBPe.exe

Filesize
5.2MB

MD5
c7bc47187e3d6e084edb664a8db86fce

SHA1
58d10900ee34e4bdde91790676c539d42972e433

SHA256
deef3a76ef9f33d0c0794127a22b08c78c9e04eb660fb517abdec92536bdcbca

SHA512
90f85a24a169eab512b6dc319755137cadad8957b4b41d8227c0eda94579a22fd789d913e2f98376c45d8bf200f8ace5e8153f13a9e96f9d4a7fb465221840a9

Download Submit
C:\Windows\System\NYdTTXa.exe

Filesize
5.2MB

MD5
96e380040d51936bba7532fc5929cb7c

SHA1
70a33f0cfbf7bfe417e9896734a1fe7114eaf3f2

SHA256
94a1fc49524ccc49bb78f70a68d8966b94f3fa2796ceceeac04f7a812c92b6f9

SHA512
37dd8a71e9ccbaf3f707cf51a0b25cd9149a343b9218d85630ee8f0f2b490c6c492cf96fb37f328c0684bfa0c517c0b80088c127d481dab496d210f39aed64b0

Download Submit
C:\Windows\System\OkShhPa.exe

Filesize
5.2MB

MD5
b3975413a6c6c38983ca77e229dd82ce

SHA1
c17c599b1a2e1cb43195a7339414dce15311ec7b

SHA256
8cf932338b0da34d4ffe0a38c29607881c09959ed5a72855267a7303a9d04a8f

SHA512
92d0880016ed1ac51bd306e6a72ec45c11ba67aa332f8d52d39902c1456856995f2c6567a0d61d4768cd2bc56a0a6827b1cf0e2ffaf5098b9cedfc06fd4fce21

Download Submit
C:\Windows\System\QKnUFDm.exe

Filesize
5.2MB

MD5
62e8888b987033f2826df3702909d749

SHA1
fa0946689f53c265c7500cba77f041a31758a2e3

SHA256
dd39eccca055083f83e53ae00a0606e2c7642ba53dd4dbc549606a965966d534

SHA512
3b3b7bbc393204a5fa9f63ea08c159fa749a445fdff67301e9a7e49dcc09f90631264d1e884cf868f6d018d990b0ecdc60b443d4b6083de066f168333ca751bd

Download Submit
C:\Windows\System\RcOrsox.exe

Filesize
5.2MB

MD5
fecd5c61a984b5c80132c2d14cd8f417

SHA1
bf14765b42d6299f0cec1bed6c30a3ad2eea9447

SHA256
b3726f0fbdb38397ed9b89a869dc4fba9ae6c25e4eec1032daa4a10eee5008de

SHA512
866c69fc937b1c1c9a02d90598cede9b685d3bf6688fdd46e8f12e5c430c7aea0787b9a08ba30054c3401304c6d4bb681a61956f692761b0c8c83674876a5059

Download Submit
C:\Windows\System\XHboCMy.exe

Filesize
5.2MB

MD5
e9e6e9846127d772d3c3f2d0c582a6dd

SHA1
874ee776fc928782f48e5c21d12594c83a6f262f

SHA256
dbd5b0b134a87f16c1a2cc9a58d45bf52c4ef31d28edbf8eb274d8890240bcd3

SHA512
4a15abf7c45fe799a8ec60a1a3d558d94e3fe1c29aebf43fe8c38840c44619e27c1c55e1ccc1385a097c6a34aae27cd30094df79ae5715a20b4248a4ff4ed998

Download Submit
C:\Windows\System\XfLdzrm.exe

Filesize
5.2MB

MD5
74addd34bd10bf47f3f79a9a3bf2645a

SHA1
5afbd453d5ad22faa67f8fd9d1fb2b607b688c69

SHA256
052136e6102be1e946cb5f3f9cb3afeba07b06b1d3d64847c6d093a59b57d2a9

SHA512
fc37f7485453790aa26d8f11da1fec6c53313e470e578dfd2b5a49e41810af654830622ca4fbccfdb4092ab8fd540cae5eecb9e6dbc23c91e1bdfa1e1685b337

Download Submit
C:\Windows\System\gzgpKUa.exe

Filesize
5.2MB

MD5
fe169b070d69e3c276ccb7e7fa978770

SHA1
f78ac7d40f8d3592a2198b5ef5659a571611dbb4

SHA256
8b5d119dc9ed7ff3076cc7bda3db28cae36a779f8c7201baceb2d2720947b277

SHA512
546d04447b02af364454a12690e0b3ab09ce03d96e6688ec90931798014fe2315f4890b228fc0b0ce32272c6ddf89766abf3da961507c248aae13c559c4f2792

Download Submit
C:\Windows\System\hJZnwKk.exe

Filesize
5.2MB

MD5
04d5e69814630f113eacb7c9fae087d8

SHA1
960fbdb978494093650b185b4990bf73431b968e

SHA256
7bc57a96886e29404247ded8e3ca78de08fc924b64bf226eed7e1ac8885f1fbf

SHA512
595a0c6fa92f7f27b5661052e92d5b64f9e7b763ec613d2e711a706de52b5f320c47235db634b6b521832265228690a7fd02dd86dfa74b314ece224f081f6f55

Download Submit
C:\Windows\System\kSlfnEp.exe

Filesize
5.2MB

MD5
5c33725c8cb09cac23a596438bcc1b84

SHA1
f89ae515989cbc628f4a5b7a6e596e76ca198d80

SHA256
b31459bb89ef5bc02d2ab6114048e84e8cbd6679dc5f22b470b0feb412536764

SHA512
7616c18bd397e2f136056014e0789ea736583f1ebfe396d18936fa1e2778348b12efea76638d4c531163ec73bc229ca3ace609d12361d46a01f0aff28be97c2d

Download Submit
C:\Windows\System\lVEygZH.exe

Filesize
5.2MB

MD5
63ba811db8abc78a89cb54174421fa45

SHA1
78930a9dc98e1338e0f0dba834fa8bf2f974811c

SHA256
6f20ff486be33c2f8db1b7818d120b68200158841798f4a7439b48331f7ae24f

SHA512
9105c15e7b190ed9242c6b8b4b619f248e92e09846810d2d99c1534d2e4c4e84a0606ef2a71d8a9662164c872449f764f79435510491d11a6e0ad7fef9e63838

Download Submit
C:\Windows\System\lZydIRh.exe

Filesize
5.2MB

MD5
78ae78af330ce8baa759a9ea9ce4ceed

SHA1
652cb54a9631916fd8d7e3ca89283bd940e71cc1

SHA256
70099a33029faf37897078f1c9d5871765df1fd55e0cdaf59c88a8b471a80e8d

SHA512
d4498e91cf31b0746c902e862e9e658398b55ce03d3fb672dc5f9d8e172c797f3257e3016e6dea9fe89faecc54675abf5041564eec9bbd1af2cc971a42d3f3f7

Download Submit
C:\Windows\System\mgNWcWj.exe

Filesize
5.2MB

MD5
40ae3d485069c36a187c636f9d158a60

SHA1
234fc37f425a7cffdf714f13be4b23bf8d5da4a3

SHA256
5c8e4c17f778ac28e171f03a40f8afa8393bdc967bd6a452e12696bd37fca558

SHA512
65d547ada11aa8c59435ef7e9708faf2255133c997dafbb25216541d036040b7ec91f502584670c518217555e10c8d6adc71cb49319791dfd109d60709b11820

Download Submit
C:\Windows\System\tNabMAf.exe

Filesize
5.2MB

MD5
489fb143c7bda71037b8ec21d9ff2ff3

SHA1
12d4a26bd42107c586a4cfb9f0a6002c79d75d46

SHA256
0eb8bcfdaca6767601b27e135247067b3568c8674837a8d1d0d8e74b4411b7ea

SHA512
0e652ea0a93e1a13f23a4a22d64bd5d5f59814e39cb0e5c76034416b40c612e026e6d5bdbd29d0d47c23d5f4776609d6975cd067e2aa5630a2715e040c6bbf6b

Download Submit
C:\Windows\System\tcUtBYk.exe

Filesize
5.2MB

MD5
2f0d5828ae1fefe3d61fc814484124d9

SHA1
1fff7edfda60685294960f4a5dee4217695deb60

SHA256
84020737849bbbe8b737fddec4f6a7a8096db5bd378e3250bbf196a485b1fa97

SHA512
bac870a227ccb6837f7acf00be319f2655d7bb285b29837085a1bc4cec7b022dc58959f0ba216ead2ce60f95bf4c981dc1ac7982973692957ac47810aa95ef9d

Download Submit
C:\Windows\System\vBerted.exe

Filesize
5.2MB

MD5
e37a11806dc44ea84529a0bbaec89529

SHA1
b194182fafdcccce1dadd7c4c0652c473d6b7807

SHA256
12766f91dd23620bc7592988d5c10bd817141b74c52fa3de1a6fe39508aa445b

SHA512
ac10f23da579b3b7ba7c891ee9eff46024e5075f197fa165b44dd59ea642d7f1b99b4c5312e7ce592cb7f6d7d805abc5d45382c3dcccc9c222e9e2fa7a0d1092

Download Submit
C:\Windows\System\zKAFJdq.exe

Filesize
5.2MB

MD5
5cc778eddf64cdf3b40ffd99863cbbf4

SHA1
5cd179f64aa2066e94714b2b8ed669a63995b1c1

SHA256
feacb7980560e190f0430e1e52c315ccffb682ccc59e8acd4f605dd9ee0fee53

SHA512
323fc9db93875654b92e159677b0a62921ca42545de95e05291a227d6c08089098e6d35d18a79dd44aeec10448024d66fbc0638b50d92b6168d69d9aeb6315b2

Download Submit
memory/116-141-0x00007FF774FF0000-0x00007FF775341000-memory.dmp

Filesize
3.3MB

Download
memory/116-245-0x00007FF774FF0000-0x00007FF775341000-memory.dmp

Filesize
3.3MB

Download
memory/452-54-0x00007FF737980000-0x00007FF737CD1000-memory.dmp

Filesize
3.3MB

Download
memory/452-130-0x00007FF737980000-0x00007FF737CD1000-memory.dmp

Filesize
3.3MB

Download
memory/452-218-0x00007FF737980000-0x00007FF737CD1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-199-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-123-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1200-12-0x00007FF789D50000-0x00007FF78A0A1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-35-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-203-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1480-124-0x00007FF799D90000-0x00007FF79A0E1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-212-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-49-0x00007FF7242A0000-0x00007FF7245F1000-memory.dmp

Filesize
3.3MB

Download
memory/1844-250-0x00007FF6682D0000-0x00007FF668621000-memory.dmp

Filesize
3.3MB

Download
memory/1844-138-0x00007FF6682D0000-0x00007FF668621000-memory.dmp

Filesize
3.3MB

Download
memory/1912-140-0x00007FF7AC880000-0x00007FF7ACBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1912-247-0x00007FF7AC880000-0x00007FF7ACBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-238-0x00007FF6029F0000-0x00007FF602D41000-memory.dmp

Filesize
3.3MB

Download
memory/2108-136-0x00007FF6029F0000-0x00007FF602D41000-memory.dmp

Filesize
3.3MB

Download
memory/2144-75-0x00007FF701C30000-0x00007FF701F81000-memory.dmp

Filesize
3.3MB

Download
memory/2144-133-0x00007FF701C30000-0x00007FF701F81000-memory.dmp

Filesize
3.3MB

Download
memory/2144-232-0x00007FF701C30000-0x00007FF701F81000-memory.dmp

Filesize
3.3MB

Download
memory/2200-134-0x00007FF622770000-0x00007FF622AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-234-0x00007FF622770000-0x00007FF622AC1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-137-0x00007FF61BDA0000-0x00007FF61C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-240-0x00007FF61BDA0000-0x00007FF61C0F1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-139-0x00007FF691610000-0x00007FF691961000-memory.dmp

Filesize
3.3MB

Download
memory/2900-248-0x00007FF691610000-0x00007FF691961000-memory.dmp

Filesize
3.3MB

Download
memory/3132-211-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp

Filesize
3.3MB

Download
memory/3132-39-0x00007FF7A44F0000-0x00007FF7A4841000-memory.dmp

Filesize
3.3MB

Download
memory/3268-142-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/3268-243-0x00007FF605190000-0x00007FF6054E1000-memory.dmp

Filesize
3.3MB

Download
memory/3412-222-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp

Filesize
3.3MB

Download
memory/3412-132-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp

Filesize
3.3MB

Download
memory/3412-66-0x00007FF764BD0000-0x00007FF764F21000-memory.dmp

Filesize
3.3MB

Download
memory/3604-220-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp

Filesize
3.3MB

Download
memory/3604-61-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp

Filesize
3.3MB

Download
memory/3604-131-0x00007FF7C4B40000-0x00007FF7C4E91000-memory.dmp

Filesize
3.3MB

Download
memory/3668-236-0x00007FF6139F0000-0x00007FF613D41000-memory.dmp

Filesize
3.3MB

Download
memory/3668-135-0x00007FF6139F0000-0x00007FF613D41000-memory.dmp

Filesize
3.3MB

Download
memory/4000-202-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp

Filesize
3.3MB

Download
memory/4000-46-0x00007FF6D5490000-0x00007FF6D57E1000-memory.dmp

Filesize
3.3MB

Download
memory/4364-208-0x00007FF647A40000-0x00007FF647D91000-memory.dmp

Filesize
3.3MB

Download
memory/4364-50-0x00007FF647A40000-0x00007FF647D91000-memory.dmp

Filesize
3.3MB

Download
memory/4644-197-0x00007FF760DD0000-0x00007FF761121000-memory.dmp

Filesize
3.3MB

Download
memory/4644-81-0x00007FF760DD0000-0x00007FF761121000-memory.dmp

Filesize
3.3MB

Download
memory/4644-6-0x00007FF760DD0000-0x00007FF761121000-memory.dmp

Filesize
3.3MB

Download
memory/4948-210-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4948-42-0x00007FF7BAC90000-0x00007FF7BAFE1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-0-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-143-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-121-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-72-0x00007FF7D9760000-0x00007FF7D9AB1000-memory.dmp

Filesize
3.3MB

Download
memory/4952-1-0x000001ECA1670000-0x000001ECA1680000-memory.dmp

Filesize
64KB

Download