cobaltstrike | 01e1c33d380a47326bcfb9e6ebc1d56e0c344691da7aa40c82cd9ba4fff9668b

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

51408545cb7a2f1ca02b0c0a81aac8db
SHA1

c5e01bb25724faa16e45c73faa4261d3c25fb459
SHA256

01e1c33d380a47326bcfb9e6ebc1d56e0c344691da7aa40c82cd9ba4fff9668b
SHA512

adc1e705915ab2c57be15909b42d1e25f22b0cf22695658080b35c3ebc429a46cbf4e3c178fe7b01f731ebbc0daf0d3c71bb135d0197f0fc7e7bfc087e014d95
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ls:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral1/files/0x000b0000000120f6-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014b47-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014bb1-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000014bf3-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014f3e-36.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000150bf-42.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000014e80-31.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000153fc-49.dat	cobalt_reflective_dll
behavioral1/files/0x0031000000014737-58.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015442-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d41-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d59-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d79-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015e48-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015f71-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016101-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016241-108.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ff5-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015ec9-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d81-86.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000015d2a-70.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2188-13-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2612-21-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1344-41-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2452-48-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2684-52-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2108-61-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2612-62-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1344-63-0x00000000022D0000-0x0000000002621000-memory.dmp	xmrig
behavioral1/memory/668-119-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2592-124-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2832-132-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2636-133-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/1344-134-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2452-142-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2108-144-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/1344-145-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2580-143-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/484-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2924-151-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/1628-156-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2004-155-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2968-153-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2948-152-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1060-148-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/1568-154-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2804-150-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/592-146-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/1792-157-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/1344-158-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2188-211-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2684-213-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2612-215-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2592-217-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2832-220-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2636-221-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2452-223-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2580-227-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2108-229-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/484-243-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/668-246-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/592-251-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/1060-254-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2804-255-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

dYwcISc.exebnsSfLp.exeVWcxXdo.exeOjrFPTJ.exefyxUOtd.exeofIFkga.exeGnWiylI.exefKUMXdS.exeSlVFiIp.exexUapLNJ.exeIDGbubR.exeJqeiWXo.exemZvlxtv.exeZAsOiby.exewbWEgbH.exePNTWGnD.exeZODiTDB.exeWemzCBQ.exeRURCXhx.exewXgDbnv.exewVMBpOj.exe

pid	Process
2188	dYwcISc.exe
2684	bnsSfLp.exe
2612	VWcxXdo.exe
2592	OjrFPTJ.exe
2832	fyxUOtd.exe
2636	ofIFkga.exe
2452	GnWiylI.exe
2580	fKUMXdS.exe
2108	SlVFiIp.exe
592	xUapLNJ.exe
484	IDGbubR.exe
1060	JqeiWXo.exe
668	mZvlxtv.exe
2804	ZAsOiby.exe
2924	wbWEgbH.exe
2948	PNTWGnD.exe
2968	ZODiTDB.exe
1568	WemzCBQ.exe
2004	RURCXhx.exe
1628	wXgDbnv.exe
1792	wVMBpOj.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

pid	Process
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1344-0-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/files/0x000b0000000120f6-6.dat	upx
behavioral1/files/0x0008000000014b47-12.dat	upx
behavioral1/memory/2684-14-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2188-13-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/files/0x0008000000014bb1-10.dat	upx
behavioral1/memory/2612-21-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/files/0x0008000000014bf3-22.dat	upx
behavioral1/memory/2592-26-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/files/0x0007000000014f3e-36.dat	upx
behavioral1/memory/2832-37-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/files/0x00070000000150bf-42.dat	upx
behavioral1/memory/1344-41-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2636-40-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2452-48-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/files/0x0007000000014e80-31.dat	upx
behavioral1/files/0x00070000000153fc-49.dat	upx
behavioral1/memory/2684-52-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2108-61-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2580-59-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2612-62-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/files/0x0031000000014737-58.dat	upx
behavioral1/files/0x0008000000015442-65.dat	upx
behavioral1/files/0x0006000000015d41-74.dat	upx
behavioral1/files/0x0006000000015d59-78.dat	upx
behavioral1/files/0x0006000000015d79-82.dat	upx
behavioral1/files/0x0006000000015e48-90.dat	upx
behavioral1/files/0x0006000000015f71-98.dat	upx
behavioral1/files/0x0006000000016101-106.dat	upx
behavioral1/files/0x0006000000016241-108.dat	upx
behavioral1/files/0x0006000000015ff5-102.dat	upx
behavioral1/files/0x0006000000015ec9-94.dat	upx
behavioral1/files/0x0006000000015d81-86.dat	upx
behavioral1/files/0x0006000000015d2a-70.dat	upx
behavioral1/memory/2804-123-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/668-119-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/1060-115-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/484-111-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2592-124-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/592-126-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2832-132-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2636-133-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/1344-134-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2452-142-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2108-144-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2580-143-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/484-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2924-151-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/1628-156-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2004-155-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2968-153-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2948-152-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/1060-148-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/1568-154-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2804-150-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/592-146-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/1792-157-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/1344-158-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2188-211-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2684-213-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2612-215-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2592-217-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/2832-220-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2636-221-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\WemzCBQ.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wVMBpOj.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VWcxXdo.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fKUMXdS.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JqeiWXo.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wbWEgbH.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXgDbnv.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dYwcISc.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyxUOtd.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IDGbubR.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RURCXhx.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mZvlxtv.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PNTWGnD.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OjrFPTJ.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ofIFkga.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GnWiylI.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUapLNJ.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bnsSfLp.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SlVFiIp.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZAsOiby.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZODiTDB.exe	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 1344 wrote to memory of 2188	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1344 wrote to memory of 2188	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1344 wrote to memory of 2188	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1344 wrote to memory of 2684	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1344 wrote to memory of 2684	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1344 wrote to memory of 2684	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1344 wrote to memory of 2612	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1344 wrote to memory of 2612	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1344 wrote to memory of 2612	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1344 wrote to memory of 2592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1344 wrote to memory of 2592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1344 wrote to memory of 2592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1344 wrote to memory of 2832	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1344 wrote to memory of 2832	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1344 wrote to memory of 2832	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1344 wrote to memory of 2636	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1344 wrote to memory of 2636	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1344 wrote to memory of 2636	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1344 wrote to memory of 2452	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1344 wrote to memory of 2452	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1344 wrote to memory of 2452	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1344 wrote to memory of 2580	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1344 wrote to memory of 2580	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1344 wrote to memory of 2580	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1344 wrote to memory of 2108	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1344 wrote to memory of 2108	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1344 wrote to memory of 2108	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1344 wrote to memory of 592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1344 wrote to memory of 592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1344 wrote to memory of 592	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1344 wrote to memory of 484	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1344 wrote to memory of 484	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1344 wrote to memory of 484	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1344 wrote to memory of 1060	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1344 wrote to memory of 1060	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1344 wrote to memory of 1060	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1344 wrote to memory of 668	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1344 wrote to memory of 668	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1344 wrote to memory of 668	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1344 wrote to memory of 2804	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1344 wrote to memory of 2804	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1344 wrote to memory of 2804	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1344 wrote to memory of 2924	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1344 wrote to memory of 2924	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1344 wrote to memory of 2924	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1344 wrote to memory of 2948	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1344 wrote to memory of 2948	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1344 wrote to memory of 2948	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1344 wrote to memory of 2968	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1344 wrote to memory of 2968	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1344 wrote to memory of 2968	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1344 wrote to memory of 1568	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1344 wrote to memory of 1568	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1344 wrote to memory of 1568	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1344 wrote to memory of 2004	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1344 wrote to memory of 2004	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1344 wrote to memory of 2004	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1344 wrote to memory of 1628	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1344 wrote to memory of 1628	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1344 wrote to memory of 1628	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1344 wrote to memory of 1792	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1344 wrote to memory of 1792	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1344 wrote to memory of 1792	1344	2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_51408545cb7a2f1ca02b0c0a81aac8db_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\System\dYwcISc.exe
  C:\Windows\System\dYwcISc.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\bnsSfLp.exe
  C:\Windows\System\bnsSfLp.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\VWcxXdo.exe
  C:\Windows\System\VWcxXdo.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\OjrFPTJ.exe
  C:\Windows\System\OjrFPTJ.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\fyxUOtd.exe
  C:\Windows\System\fyxUOtd.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\ofIFkga.exe
  C:\Windows\System\ofIFkga.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\GnWiylI.exe
  C:\Windows\System\GnWiylI.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\fKUMXdS.exe
  C:\Windows\System\fKUMXdS.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\SlVFiIp.exe
  C:\Windows\System\SlVFiIp.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\xUapLNJ.exe
  C:\Windows\System\xUapLNJ.exe
  2⤵
  - Executes dropped EXE
  PID:592
- C:\Windows\System\IDGbubR.exe
  C:\Windows\System\IDGbubR.exe
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\System\JqeiWXo.exe
  C:\Windows\System\JqeiWXo.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\mZvlxtv.exe
  C:\Windows\System\mZvlxtv.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\ZAsOiby.exe
  C:\Windows\System\ZAsOiby.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\wbWEgbH.exe
  C:\Windows\System\wbWEgbH.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\PNTWGnD.exe
  C:\Windows\System\PNTWGnD.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\ZODiTDB.exe
  C:\Windows\System\ZODiTDB.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\WemzCBQ.exe
  C:\Windows\System\WemzCBQ.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\RURCXhx.exe
  C:\Windows\System\RURCXhx.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\wXgDbnv.exe
  C:\Windows\System\wXgDbnv.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\wVMBpOj.exe
  C:\Windows\System\wVMBpOj.exe
  2⤵
  - Executes dropped EXE
  PID:1792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\IDGbubR.exe

Filesize
5.2MB

MD5
8468860b54651572346b5f5bb5687b1a

SHA1
8dd25345b3d21a20d45a842b13e822c27515cf06

SHA256
27a3999f2e793a9c4ccfe7f5331243b2cc53f068790a9488df825ed78158b6ca

SHA512
21d6d53a08f219aa551b90c059581f3f900d5f2f8a29ee18f4a6e64ac13551df6f653158b9860ebc06057a48787d599c1d86947f85b731827e603e06c08f98fa

Download Submit
C:\Windows\system\JqeiWXo.exe

Filesize
5.2MB

MD5
cbf26af60fdf7725e0d6c5d2ed4318df

SHA1
ce68bd7d4ea2df1c6cca351735d61cd1ba602058

SHA256
79c0259d7185713c49ba0d602c34cb0eb3bf263ebf5e67735cbe22e0be60039a

SHA512
41920c85e26303660875075eb9aca5db83d8b6758cb294de04fce5dff5886f9512baf3d4ee2036cf8d9ca3bcf5f154c49a9e32202d67efde36142fd367dd269b

Download Submit
C:\Windows\system\PNTWGnD.exe

Filesize
5.2MB

MD5
4e0509a93b5f48d8d65b00a51c5d5c60

SHA1
e484eb9a8b4f31441851af4f3bd4c3df6585d03b

SHA256
3e20c426abd44fe175af0e4cc4999da664e4c87e99826cd39a55d37fac54442c

SHA512
2927cd584b247d6bf8c8a382cccc5aa7a294b71f0d3912e7ab16eb28000f7bef05b9863d4dd672a47b34cae8fa23e8295ff2e356b4788945fd21ce3dfa818e49

Download Submit
C:\Windows\system\RURCXhx.exe

Filesize
5.2MB

MD5
826e3bd2f92ad01c3bb9e96a571db3ba

SHA1
7e29c9e8a6ac26c1e4cfaa30a5893665c3a93480

SHA256
a68e0ff2e8110fdf5af63db53e42b22a712324ca6e01c379e1ec3c25274953f0

SHA512
677de4c5110a7e6b48245f8a0b7647640ded5da4b413ecf54e2f64a9469056d0e3c9d53c6d6bc11490d928fdd254f5fcd94e7687f317599300f94a7b6e4c8651

Download Submit
C:\Windows\system\SlVFiIp.exe

Filesize
5.2MB

MD5
1852569e5b23714b6ecb3bdbfb820dea

SHA1
d09f61c6d092a401f0cb6c969b5ed1f6ed4d68d3

SHA256
83253ee7cc8243c4e524e6b445f9031e6c42ed27963ea76c188ce3c65a9d9af6

SHA512
f1bcb82a6871ac37368bca04bc2879a2b47a23bf9e8edffab28e1a861c471fa167bd652c2ff1e49e35f5e04a84714f12d6ebd905ea302e770f5b510231d532ac

Download Submit
C:\Windows\system\VWcxXdo.exe

Filesize
5.2MB

MD5
977af7dcfb46a71c2e11b6e998887933

SHA1
29b09df1f35448923c2466910cf919f4784af5f6

SHA256
4e9c35e19180f46e3c4cc99d0da2f5a96f89f012e3316093b77fdeef645c22ce

SHA512
5c2cec90b3f0d2a0dadfad6be939689f47eb9c3edc1b4a8e70737b81231a333a996b62012bc18724e601ec00adf03b285d65ffbd727e9a9e7becb69f0a7934dd

Download Submit
C:\Windows\system\WemzCBQ.exe

Filesize
5.2MB

MD5
e0f020f267c25c86c26744462f88fba4

SHA1
4fb8249c724fdf91dfc6714a9c0c5e674f711c59

SHA256
c654a9d2f484e4cc5cf435a30d334d673ba91c2f50ebae793dad9fccafcf27af

SHA512
03c41ccb71a0f66bd1b7780f6395ce057b424c6bad3102f3a3121ecd484cb76b60cd18367d926ab403791a0ff1eeb90db96af75e5cd19efb2c9a6a41aa3c5748

Download Submit
C:\Windows\system\ZAsOiby.exe

Filesize
5.2MB

MD5
7cac7ccff0189c72bc982ce84e4da879

SHA1
f4d78cbbd36f8eeb1cba899da82b8156fe7f1e70

SHA256
782f4c4dcfeda55c33e138d8d0ee6545d8104a71866c866ce9984952b88b3cc4

SHA512
8758de6454aca89bac3bdc8937d62314281c9b5b8077318ab32b9bed714bca5a3bd8b12eb297d2b3f83ce23e4c8c56e8052082d12987e0b1da2ae2cf3266aff2

Download Submit
C:\Windows\system\ZODiTDB.exe

Filesize
5.2MB

MD5
716c8ba21630e46eb51bb10a5cdefe4d

SHA1
c9e77031f799710319153dd89a3187eae76d1eb3

SHA256
cfbad4729ac7008b26b71c01054bff65697bcaaf62cd228bb3926be32be793c7

SHA512
351a482242ce74f5cca5263ce8243391360d59e8b9c3e5c81a791131e41bdaa6b436ba545317d7ad20c26c18334b0137b5140f68261b7cc087d71e21a4de71cb

Download Submit
C:\Windows\system\bnsSfLp.exe

Filesize
5.2MB

MD5
64fc15f59b2eb643b13502e5c4bec75a

SHA1
af5f1e8463acbdeddcab7341bbe33dd44cea1ead

SHA256
184e57cfe6a114cde0f0f8bd464ba2cc1c5f00de1810f571df7633fd9544b3b6

SHA512
889415ad4a3b1c28d3ff49bebbaf6dfec53761b6e47e8fa0543c3209e296cd62a3c5b41504aac1a26dc4eba4bd2c3548ec8976f486b6555ce86fe09d72e911ec

Download Submit
C:\Windows\system\dYwcISc.exe

Filesize
5.2MB

MD5
75a715cb4b697b7aa83d4f84166963c8

SHA1
062dbf2078eda23c207d578fe899117d8e35ec67

SHA256
cda634d2ba063ae65fca1eebc6ece6a5be66f40e5aecc58d731b73a70a922ff7

SHA512
ab90a7023ecfd555be5e0820a4437d2e3c0b9488ca9bafeb13d6d7e95d1ca9c31a7486833a4666d60aea2942a3944a146faa5805ef359f92ce40ca5b5f858284

Download Submit
C:\Windows\system\fyxUOtd.exe

Filesize
5.2MB

MD5
07eb8813b80b897d6eeca49daf1ea997

SHA1
cc1e842721956a5ac5c351c7d200a603f30d3f01

SHA256
7a40750ea1f2da40aaf2ed5f7acf14e511ba81ba47304d5b131898ef42ab1fcb

SHA512
e90175d4f63c9a0afe2c28e1889c7815fc03575fa5773bfb221f14d23159cf9d50830d1898f5513938c00e866bffa100db0345958913fe677360232cd2f67ad6

Download Submit
C:\Windows\system\mZvlxtv.exe

Filesize
5.2MB

MD5
d17e6108a5d8a3ae7ce691e7bd9e1d2c

SHA1
dbba1f9f0485b2a19cf7499552b24dcdf1842e81

SHA256
97811fc7943806827c90337b2e4e79999419a4408d77912c859f47e1cd2602a6

SHA512
a46ed761c2f72d2b898577429e2411995623c8302213033209dd0d5216302eb23781ea43f1566526ea6d4cac9cb4273317604245b16dcc7cbd3db1be45c52e20

Download Submit
C:\Windows\system\ofIFkga.exe

Filesize
5.2MB

MD5
18d7c09c4079e11111526b9386adc787

SHA1
3040458bf91f2d667a7ba32d11cc17ee406ed342

SHA256
769db1f0186535032676104bbe9c96431a4d48735f25094e138ab5d887718232

SHA512
f7fd38cadb1142e0b832aac69dcccb073c2f74fff883a89031c2d8d894d5bdf2067628c947292502c54b5554d094e92c9cb6b665f23714472947163b023058c9

Download Submit
C:\Windows\system\wXgDbnv.exe

Filesize
5.2MB

MD5
60a8ae24b889e0398948f98e8bd77385

SHA1
3fd71d0ed6cdda437e2ca73e7dab2af378206735

SHA256
0e223a25037a7c74c7dc54362c5a8f1404605c5e5e1ed848fca2e0f8b3bda724

SHA512
f41828f0f0abe868562879c1a1df3e099a425860b11f9e81ad88b5e6288558011ce5e322584663a8a8607128867926b85eb495be8ca9f517c89a36256154becc

Download Submit
C:\Windows\system\wbWEgbH.exe

Filesize
5.2MB

MD5
8588b3adf8ee930c73c1b0caa083cb73

SHA1
802fdb9130ad354f4aeac47aeb9b123fe59f53cb

SHA256
e487405128978abde86e7f9a17d61aed88961f523bfd5fe9b2d9b8ef815ae60d

SHA512
daf42f596cdadd50b7f937950ce38a5249cba4e1fbf040569ff418b5f9f191e67717eb24de189302ecbd0cbc1cee14b95fa4f4c0e4191ddfd7a9df7282a3e8e5

Download Submit
C:\Windows\system\xUapLNJ.exe

Filesize
5.2MB

MD5
ef7597f600b9e1c7b1b469eecc96740d

SHA1
bc5f4e739bf3a785e6e74176b758c5a42aca5d34

SHA256
cce7247b7aa9cd875f923a11517358e8b4102d3ffc0a0507838cc180fa188026

SHA512
d8c96d5523350845bd45a21132883939a7204c46087bd1a58b8859a1e72d99893cbacfdfdb1889b3d89028243050e8c6b0e1c3125076cc75ab7d2ee42667c895

Download Submit
\Windows\system\GnWiylI.exe

Filesize
5.2MB

MD5
87acaeaab7da9f719e874c980b7895f8

SHA1
a73b2e2298bc196b078a0a4f5d7fe16141ea02d8

SHA256
0dc8ed239a19f3d4f07d80d61a0bada9cd49fdefec45a149a3096ba199fb8e51

SHA512
e5140cbefec5df1990e7ffdc4c7618e1c0c26d004835ae706a7a4b7a1f212c8c8974ebb72aa57dfbc9555bf6b45f6d5316fbb7ff4d131cec21b6b466e2fa3079

Download Submit
\Windows\system\OjrFPTJ.exe

Filesize
5.2MB

MD5
85f2449ce5a8428b6712b80926fc1cd2

SHA1
0991850982635cfe5ba654764b10a927b2d400ed

SHA256
29953a4a5c893bcc1e9026f21d132275727d1d811ca40489f3f9e85ad3c43e65

SHA512
1b6411d73c5ef15b7ca9d4ee1223a9aa0f8d00bef5c0f33a502060b293124419dfeb96e56be8d2da4361f824d81dc05d40e2c1dcb896ffae9954158b0c8c7dda

Download Submit
\Windows\system\fKUMXdS.exe

Filesize
5.2MB

MD5
5d2b4125e1ec0b62470cdca150bec775

SHA1
2643d0fa6314897f35fd99790785b297a34d1f5c

SHA256
7c49cf110fb128a013f00192f5115f48d43624f7e51dba85e8c3f5709c24e72e

SHA512
350441c3c2aa494499578b1e705040241b4786c5df53518bca3951ab3a498142e1f4e260b52050180e6e551ac8be50317bbfc9f54da367dc66988d1ba87eb188

Download Submit
\Windows\system\wVMBpOj.exe

Filesize
5.2MB

MD5
501aa509b5262cd6f97250bfcc293811

SHA1
2b48758a598e191759986a09b1f06a06b4d30c9c

SHA256
a5587bbeab01a2855c127af6759e1cb50951db2b27e4c5a5d24308bbe5b0fab7

SHA512
4eb43b3b7767f5a58d00e641795566c16f1cd028421ca10e3a0df90356a4206c3a28b79c27999079dbb8d1735ef87329b543a81dc65588b866fa84dffda56229

Download Submit
memory/484-243-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/484-111-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/484-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/592-146-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/592-126-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/592-251-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/668-119-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/668-246-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/1060-115-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1060-148-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1060-254-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1344-121-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-41-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1344-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1344-158-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1344-63-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/1344-145-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/1344-28-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/1344-9-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1344-0-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1344-46-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/1344-117-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/1344-134-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1344-113-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1568-154-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1628-156-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1792-157-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2004-155-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2108-144-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2108-61-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2108-229-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2188-13-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2188-211-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2452-142-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-48-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2452-223-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-143-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2580-227-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2580-59-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2592-217-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2592-26-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2592-124-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2612-215-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2612-62-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2612-21-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2636-221-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2636-40-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2636-133-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2684-213-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2684-52-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2684-14-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2804-123-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-150-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-255-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-37-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2832-220-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2832-132-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2924-151-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-152-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2968-153-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download