cobaltstrike | 85591d0f8567eadafdf51cb881ef28b93a06265f89573555a5c9843a713b4f9c

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

e727c9b5becd56c434ce1d7d4247f8d4
SHA1

0a5e86323da25deb53d0227bb296aedf81be0884
SHA256

85591d0f8567eadafdf51cb881ef28b93a06265f89573555a5c9843a713b4f9c
SHA512

f42ed876d2b8c6d4af72e68667d29adc9d23a30647e8819e7dfc2aa128bcbd77e0f75d9db3ea572e5cab7cd6d1c83f15e5ab8d087f06c8b5f76b5b5dc2834091
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lT:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00070000000186ee-11.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018784-40.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001878f-42.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001873d-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018728-29.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000186fd-15.dat	cobalt_reflective_dll
behavioral1/files/0x000a00000001227e-6.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000187a5-50.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018683-54.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001925e-57.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c5-72.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960b-87.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960d-93.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960f-97.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019611-102.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019613-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961b-117.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961d-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019619-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019617-109.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019609-81.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2220-39-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/1072-37-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2888-36-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2432-31-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/2404-49-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2824-53-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2624-71-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2548-70-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2760-68-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2892-82-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2404-83-0x0000000002320000-0x0000000002671000-memory.dmp	xmrig
behavioral1/memory/2716-134-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2404-75-0x0000000002320000-0x0000000002671000-memory.dmp	xmrig
behavioral1/memory/2952-67-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/3044-136-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2404-135-0x0000000002320000-0x0000000002671000-memory.dmp	xmrig
behavioral1/memory/2404-137-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1504-145-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/1344-146-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/1780-160-0x000000013F1B0000-0x000000013F501000-memory.dmp	xmrig
behavioral1/memory/1756-159-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/1520-158-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/1512-157-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2420-156-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1732-155-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/1516-154-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2404-162-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2548-215-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1072-217-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2432-219-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/2888-221-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2220-223-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2824-233-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2892-232-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2760-239-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2624-238-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2952-235-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/3044-249-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/1344-251-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2716-256-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/1504-258-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2548	VefncNt.exe
1072	GeaMlTc.exe
2432	xASLqTq.exe
2220	EHPcAjI.exe
2888	atjsmYU.exe
2892	GAVtOQv.exe
2824	GTXTIUE.exe
2624	XfBMtab.exe
2952	LLrQkEo.exe
2760	qobjzod.exe
2716	PuuDapm.exe
3044	cTSFFGV.exe
1504	KfJXvYA.exe
1344	SlnGbNi.exe
1516	fdtdtaY.exe
1732	PLKBQkl.exe
2420	liYEpys.exe
1512	uZtvJwf.exe
1520	ODJoZYm.exe
1756	nKaZvlP.exe
1780	xkpbEZI.exe

Loads dropped DLL 21 IoCs

pid	Process
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2404-0-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x00070000000186ee-11.dat	upx
behavioral1/memory/2548-20-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/files/0x0006000000018784-40.dat	upx
behavioral1/files/0x000600000001878f-42.dat	upx
behavioral1/memory/2892-41-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2220-39-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/1072-37-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2888-36-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2432-31-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/files/0x000600000001873d-30.dat	upx
behavioral1/files/0x0007000000018728-29.dat	upx
behavioral1/files/0x00070000000186fd-15.dat	upx
behavioral1/files/0x000a00000001227e-6.dat	upx
behavioral1/memory/2404-49-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x00060000000187a5-50.dat	upx
behavioral1/files/0x0008000000018683-54.dat	upx
behavioral1/files/0x000700000001925e-57.dat	upx
behavioral1/memory/2824-53-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2624-71-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2548-70-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2760-68-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/files/0x00050000000195c5-72.dat	upx
behavioral1/memory/2892-82-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/files/0x000500000001960b-87.dat	upx
behavioral1/files/0x000500000001960d-93.dat	upx
behavioral1/files/0x000500000001960f-97.dat	upx
behavioral1/files/0x0005000000019611-102.dat	upx
behavioral1/files/0x0005000000019613-106.dat	upx
behavioral1/files/0x000500000001961b-117.dat	upx
behavioral1/files/0x000500000001961d-119.dat	upx
behavioral1/files/0x0005000000019619-114.dat	upx
behavioral1/files/0x0005000000019617-109.dat	upx
behavioral1/memory/1344-94-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/1504-89-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/3044-84-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2716-77-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x0005000000019609-81.dat	upx
behavioral1/memory/2716-134-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/memory/2952-67-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/3044-136-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2404-137-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/1504-145-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/1344-146-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/1780-160-0x000000013F1B0000-0x000000013F501000-memory.dmp	upx
behavioral1/memory/1756-159-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/1520-158-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/1512-157-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2420-156-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1732-155-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/1516-154-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2404-162-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2548-215-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/1072-217-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2432-219-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/2888-221-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2220-223-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2824-233-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2892-232-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2760-239-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2624-238-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2952-235-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/3044-249-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/1344-251-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\GTXTIUE.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qobjzod.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KfJXvYA.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fdtdtaY.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKaZvlP.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xkpbEZI.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VefncNt.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\atjsmYU.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\liYEpys.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EHPcAjI.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfBMtab.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PuuDapm.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uZtvJwf.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xASLqTq.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLrQkEo.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cTSFFGV.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SlnGbNi.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PLKBQkl.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ODJoZYm.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GeaMlTc.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAVtOQv.exe	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2548	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2404 wrote to memory of 2548	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2404 wrote to memory of 2548	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2404 wrote to memory of 1072	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2404 wrote to memory of 1072	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2404 wrote to memory of 1072	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2404 wrote to memory of 2432	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2404 wrote to memory of 2432	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2404 wrote to memory of 2432	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2404 wrote to memory of 2220	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2404 wrote to memory of 2220	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2404 wrote to memory of 2220	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2404 wrote to memory of 2888	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2404 wrote to memory of 2888	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2404 wrote to memory of 2888	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2404 wrote to memory of 2892	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2404 wrote to memory of 2892	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2404 wrote to memory of 2892	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2404 wrote to memory of 2824	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2404 wrote to memory of 2824	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2404 wrote to memory of 2824	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2404 wrote to memory of 2952	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2404 wrote to memory of 2952	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2404 wrote to memory of 2952	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2404 wrote to memory of 2624	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2404 wrote to memory of 2624	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2404 wrote to memory of 2624	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2404 wrote to memory of 2760	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2404 wrote to memory of 2760	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2404 wrote to memory of 2760	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2404 wrote to memory of 2716	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2404 wrote to memory of 2716	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2404 wrote to memory of 2716	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2404 wrote to memory of 3044	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2404 wrote to memory of 3044	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2404 wrote to memory of 3044	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2404 wrote to memory of 1504	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2404 wrote to memory of 1504	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2404 wrote to memory of 1504	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2404 wrote to memory of 1344	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2404 wrote to memory of 1344	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2404 wrote to memory of 1344	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2404 wrote to memory of 1516	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2404 wrote to memory of 1516	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2404 wrote to memory of 1516	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2404 wrote to memory of 1732	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2404 wrote to memory of 1732	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2404 wrote to memory of 1732	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2404 wrote to memory of 2420	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2404 wrote to memory of 2420	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2404 wrote to memory of 2420	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2404 wrote to memory of 1512	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2404 wrote to memory of 1512	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2404 wrote to memory of 1512	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2404 wrote to memory of 1520	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2404 wrote to memory of 1520	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2404 wrote to memory of 1520	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2404 wrote to memory of 1756	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2404 wrote to memory of 1756	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2404 wrote to memory of 1756	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2404 wrote to memory of 1780	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2404 wrote to memory of 1780	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2404 wrote to memory of 1780	2404	2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_e727c9b5becd56c434ce1d7d4247f8d4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\System\VefncNt.exe
  C:\Windows\System\VefncNt.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\GeaMlTc.exe
  C:\Windows\System\GeaMlTc.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\xASLqTq.exe
  C:\Windows\System\xASLqTq.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\EHPcAjI.exe
  C:\Windows\System\EHPcAjI.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\atjsmYU.exe
  C:\Windows\System\atjsmYU.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\GAVtOQv.exe
  C:\Windows\System\GAVtOQv.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\GTXTIUE.exe
  C:\Windows\System\GTXTIUE.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\LLrQkEo.exe
  C:\Windows\System\LLrQkEo.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\XfBMtab.exe
  C:\Windows\System\XfBMtab.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\qobjzod.exe
  C:\Windows\System\qobjzod.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\PuuDapm.exe
  C:\Windows\System\PuuDapm.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\cTSFFGV.exe
  C:\Windows\System\cTSFFGV.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\KfJXvYA.exe
  C:\Windows\System\KfJXvYA.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\SlnGbNi.exe
  C:\Windows\System\SlnGbNi.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\fdtdtaY.exe
  C:\Windows\System\fdtdtaY.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\PLKBQkl.exe
  C:\Windows\System\PLKBQkl.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\liYEpys.exe
  C:\Windows\System\liYEpys.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\uZtvJwf.exe
  C:\Windows\System\uZtvJwf.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\ODJoZYm.exe
  C:\Windows\System\ODJoZYm.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\nKaZvlP.exe
  C:\Windows\System\nKaZvlP.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\xkpbEZI.exe
  C:\Windows\System\xkpbEZI.exe
  2⤵
  - Executes dropped EXE
  PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EHPcAjI.exe

Filesize
5.2MB

MD5
d02be193138add26202a50d8d8c2ee2c

SHA1
cf3a0a7b2b145c6546afc3174949000c3f11e014

SHA256
aad91a1b5d08ca28344782bc8c01147738d81cba220edc06afb64a326e7d227d

SHA512
256d770b421ea09956ff3c4b2f6819deac91ba07db3a8dbeb4162b958d1f59410b22c9302f968174bd085b412fbba21e40ae95f3479218f14ca3a7841cf01110

Download Submit
C:\Windows\system\GAVtOQv.exe

Filesize
5.2MB

MD5
5cd5c2bad45ba6651619fa9bb46b8bba

SHA1
fd40c69c225cf95667f3dc19bd39067f78d9dec8

SHA256
8f3e4c3a389902f763ce191268e0e484fc594613db62fc3f117c13053dd0df57

SHA512
8c3a6fe537abb7c20fd16691ebf6a71333effd1099b178e403a0c549efc01e9058ed3cac1969a5f76bdf3e2d8d6bbc723076ad5960498b0bed657d4693bbfd7d

Download Submit
C:\Windows\system\GeaMlTc.exe

Filesize
5.2MB

MD5
3677d8f214c348f46453c8f2e22dc334

SHA1
f86577e6ecc0dec5b19984ce226c34b150eeb39a

SHA256
44f25e98042a36f990246644cb718eeee652d3e481fed0b36f1e641f3abb5efb

SHA512
6214c775b1b73d3037bade9bd415214e81722b2837a2bdde7b4acc6379db80ffe5c3aa3821c361fba59883326de05a3de3d90074e2323f3081885b185494da82

Download Submit
C:\Windows\system\KfJXvYA.exe

Filesize
5.2MB

MD5
b86f4d98350d1a6ec0d0a4a9a8eb7bcb

SHA1
024c5208fd29291afed1e838cb9fb8323606a133

SHA256
1dec4e4365568377dc9a194a7fea90a6e30d964736c858ec5d7d71248025b321

SHA512
15e2734ee938450989165956ea9b2063665cfc74e358fe4598531abfff99645a6c7f13a0b0e4908e00175445acaccf74b1e474795796d21e39e3d67e7f8639b6

Download Submit
C:\Windows\system\ODJoZYm.exe

Filesize
5.2MB

MD5
512387337770119fe9d3cb277495b719

SHA1
c7cfe2cdafaca9ad3c12794de76066d0fb69383d

SHA256
87e6095df1b28f3f11a169c709f32c13326e6f8b40298067a51623fe1072a352

SHA512
40637de43f6955782c373e3204c7e16b481c741dec10eff54c3cd298026238a38595628354feb731a20cac3d3df745f8d95b50734737bf5dd59e368d239b2447

Download Submit
C:\Windows\system\PLKBQkl.exe

Filesize
5.2MB

MD5
d22c54c46fe8f5e46556242649ebf296

SHA1
e414bf257927d17c6e9e2a9aa85307cea2317f65

SHA256
f8d34e56d3ea485ceb67646d1b0f69d4108a9eb1622f0ed3e622f91690970e5b

SHA512
3c8f4a051b300844cc31204c700058a8f6ae87e559b860aa09945fb112252d81c13da05c8aca5cc77f92dc7ae3706fc5ce32086b57bba16014ea202e52a03401

Download Submit
C:\Windows\system\SlnGbNi.exe

Filesize
5.2MB

MD5
3cfa25526d0e5f6ac80cac4571d47e96

SHA1
d4732f42b5590e8b2af2531e6a6cd439c2f14817

SHA256
dbe3cf5bf4da0ca8ce024b5aa69a429334137ffa0af29fcea3e4060ea9548c08

SHA512
3eb87a516efd726f02726fc621eb46c7eeb12d0121e846671815c1d03a0340249a314c2ccbb6dddd5c24ca32bae8a421869cf877da48b56fc383560170a6b540

Download Submit
C:\Windows\system\VefncNt.exe

Filesize
5.2MB

MD5
dab5b1bc008e967d9fedd41833403491

SHA1
6089c8c93e5ed71219180a315283e86f184583e4

SHA256
653ba3145b44b4ef808d455e80b027358417d0521fe5ba217c4251a2c6974912

SHA512
92755d062853799de596ba68a3bbb8786f3debfa42f5b658e5d12955334611709e6fd0ecce0641ba1c6a88f887d0884b9703f5cb5b8acd12d559d6ad87a86319

Download Submit
C:\Windows\system\atjsmYU.exe

Filesize
5.2MB

MD5
92eab969863b6e23c40c55717f5bef0b

SHA1
5e1db085b8c67cbc534b27c9735aa2c62d425f3c

SHA256
130ab4750e81fd60ea80abc049b31cb10484f27232948a7c9a62a2a3c3c5a017

SHA512
ce0ddf4862dd68f9c8c832809081340d66dc87932336555a429750ae58270214c2a2689b7f16b0f4141a1e55674681c3e3d95b923cd70593500e8869076b4258

Download Submit
C:\Windows\system\cTSFFGV.exe

Filesize
5.2MB

MD5
ce40f3696cb61c3318e36252f92d1b4e

SHA1
c1c157eca6221c0b34670f07845e49a9e93a8fc1

SHA256
b0f49e7f506f425bd2513af24a3c4bc70a4f96cc033265b172a254e93e327576

SHA512
608b48333459e4a8d922977716f11f12523e37b13e15775897a843234ca307122076ba8cb637f0186832eb3164d84af8e90fcbc4d793d7d6bb334f2fe388ab19

Download Submit
C:\Windows\system\fdtdtaY.exe

Filesize
5.2MB

MD5
82f8dc7127d05d730ffd08412472c2a8

SHA1
e3a8a4514e3a22b0e5b3ba2dda1279ca5003a5d6

SHA256
82cd836188d4a2dfce54de9e6d27c4e252272e84418bf92b3566579954b93959

SHA512
149e5ef3433a4983a150de7ad21bc216ac53a0bef023f89a28e5942ade4702cfd30256bb2b236717c0ed53ceea122c351ee507c8472f76edaeae41e5992c571a

Download Submit
C:\Windows\system\liYEpys.exe

Filesize
5.2MB

MD5
4c10d920c238f5d0a831d6f86d4fb4c9

SHA1
1a855218315b717339a3587c5d2a3e068d0bf7da

SHA256
5a2c5b3eec9631da29bed67bfbc1331c716821d4b863216ec250edd83a72bb6a

SHA512
afacceaa00e75725af363641c36739940cf46e4bba558644b2a17b7bca659d9bacb41884d45ee2d8316f23d611d2366283794b8f75135487d737ae0d7f8967e5

Download Submit
C:\Windows\system\nKaZvlP.exe

Filesize
5.2MB

MD5
5121483a95a88af9ddef501cafc2bc2e

SHA1
5d1a4036111c1ac403f0c38773ba7f0249f9e9bf

SHA256
21fe761bc909cef9dcb2fef23e0d2e1eb7f055a065d9eea707b880b14def1d38

SHA512
74e0ca061d2db822e5971bd33e763f4dacb433b567e364713ff251f551ecaad41cc5670d2309e464e9910e390373e11b8c9a7a485d6e59d77a8457b8b3c06845

Download Submit
C:\Windows\system\uZtvJwf.exe

Filesize
5.2MB

MD5
3c223a4abb328db491d42d6e6ea31c85

SHA1
30c2b65f485313e18f8d345d4e3826eee4c1ec69

SHA256
123f6639540dec5b716a866efbc7d9252a19051e77fdc345b538557ec25805c1

SHA512
d025787f1d71c10b4358ebac6b66190a4d80154967285a0ddae3e3b8d6aeb13e00d13d95df73ce34dcb351f1404dce2b80227054c318a0e1bdf32d8fad49c20f

Download Submit
C:\Windows\system\xASLqTq.exe

Filesize
5.2MB

MD5
b294c542f6c2ff163b1f0ac1916e3d0e

SHA1
59964ef80940674f54e330043ab93d4750aeda4f

SHA256
6912aa3696900387e13a506a7a30743b8962fc76d7e19b950098f9e05a438ee2

SHA512
210fe0c91a2b14e4f82255305d0614de61b43c0eda299dbb1f44cd975d3a8df8ad3a3d973adbb5f2ea9def46d3ad646f8373a0b97595966f2fa8c1acde5e9ef1

Download Submit
\Windows\system\GTXTIUE.exe

Filesize
5.2MB

MD5
62be475e791d6d5f03e847637f8d8a0d

SHA1
2115b4e498b64142ad266b705748442b9e7ee02e

SHA256
4cdb82c3239221e20cd0321eaf9ac5455e9c7e6a67836d5b80ed98f11c3a16dc

SHA512
c7148db471db01d929204a966ac5bfd164bbacdd29804bea5f34bee0dc0afc9ac5e9c4082965bc29a22c941f5a3c06d5ccd9b0890b263e8eb25c1a6dd282118f

Download Submit
\Windows\system\LLrQkEo.exe

Filesize
5.2MB

MD5
2bb2e55669ce18af99cd9a5eb7a3d333

SHA1
9b266e7981c1aa473a1687568c7a2a9b8d5f80fd

SHA256
03e83f1b08e3a09dfd1d54e8e0da4f1b32d54a2e9ed8b2c399e30d2160eaebf7

SHA512
2b0eddf7ddf5f832d4db273a436ff9f40e68307b6f35390bbc8e0e6b4003270791750bbf31e6abd0ac01ba3f5ee25d805464aca3ebff0937e8e896e37c056e0b

Download Submit
\Windows\system\PuuDapm.exe

Filesize
5.2MB

MD5
161c124e9818a778a3619938bbb9c623

SHA1
031ff498432437da1cd0c993054e2785a88402f0

SHA256
774d4d74c9b97f26871dfda02d022e034f5c269155ca369b5990cc0f54f118a0

SHA512
d69cf41a38d8c43c0b31a78dda417efa307e4ef3012d6b9fbb39eb0a72d70aae7161a67e6c24513900336d6150879ca0ecc6eda1ed2da7eeaccabfc9497d08eb

Download Submit
\Windows\system\XfBMtab.exe

Filesize
5.2MB

MD5
a1e78ce7343ae9f8b0e4cef3abde8ccc

SHA1
f099f2007ca7c744415cc5f3cda8c3a559b0abe6

SHA256
614bfe70ad519b2bda36c41451ddaa948171a789e94cf698cbd7a1dc9bb8684d

SHA512
0dbdd82b967d9ab576e882e3331ab62b6eb4747a659f1d73dcd932addff90084e1ed7f2360fa2ca2fe19ebdf32aac4914a0bd2a548550e239971c34f4e75a87a

Download Submit
\Windows\system\qobjzod.exe

Filesize
5.2MB

MD5
8a1a87a7f2641ae8ba3cadf131c0399f

SHA1
c47d9f43793be0269267747d0737057c8ac8b763

SHA256
72ef7c590e9ec49dad241b7230947da23638187dffd30f47575e05799637a972

SHA512
59ff5235fdef837d717de0c94c92f52c64878d009af0b558b82855a583592886603474d2cae2b2e6e66797ccfe5b5250896741cb27b4a7d7301615ec641ca17c

Download Submit
\Windows\system\xkpbEZI.exe

Filesize
5.2MB

MD5
75016d0391aabfbb638826bec978faee

SHA1
6a7ba3542ceb229521ca1482e1f9069fed3b620b

SHA256
68b5d8c1b670e9aa3fe9c9e02048c97e31a81d3ee0d4b2174a622bcee1d3d67a

SHA512
6a28ff41300323219cb1dd50f2c5b37ccccf8b4b5cce02c2aebd7e4714cdae1655da7256c8f6fe5c266406b2ac8dbd756328b6300157a1188c68b1a3295fe925

Download Submit
memory/1072-217-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1072-37-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-251-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-94-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-146-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1504-258-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1504-89-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1504-145-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1512-157-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-154-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/1520-158-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/1732-155-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1756-159-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1780-160-0x000000013F1B0000-0x000000013F501000-memory.dmp

Filesize
3.3MB

Download
memory/2220-39-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2220-223-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2404-75-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2404-34-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-28-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-133-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-38-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-0-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2404-83-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-161-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-43-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2404-35-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-69-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2404-162-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2404-66-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2404-49-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2404-135-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2404-137-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2420-156-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2432-31-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2432-219-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-70-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-20-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-215-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-71-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2624-238-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2716-256-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-134-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-77-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-239-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-68-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-233-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2824-53-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2888-221-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-36-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-232-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-41-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-82-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-67-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2952-235-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-84-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-136-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-249-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download