cobaltstrike | e65ecae9528a8bde4c7815a8314f71b84c5bde85df58dbbff0505e5cd8858a0d

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bfae8c482ff1d8d77de46419fe777c1a
SHA1

d3ad1334fe96161cfeb9c10fd731df051df87539
SHA256

e65ecae9528a8bde4c7815a8314f71b84c5bde85df58dbbff0505e5cd8858a0d
SHA512

01f8cf7791b35370b9957e960c768b3d7a3cb017f9546b2ae56dc451788717595d1e2734ef1fc4b6ea00c61567e85d058d9f7863d42098cf8a0d2365043d5c5e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lf:RWWBibf56utgpPFotBER/mQ32lUD

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral1/files/0x0009000000012281-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd0-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016de8-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016eb8-20.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000173f3-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017400-35.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001904c-43.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-67.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001929a-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019278-83.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019275-79.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001926c-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019268-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019240-63.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-59.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f6-55.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d2-51.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190e1-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018f65-39.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001707c-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016edb-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1716-109-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/2996-110-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2600-125-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2648-126-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2920-142-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2848-138-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2300-133-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/1716-132-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2284-131-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/1252-130-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/1064-129-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/3060-127-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/1956-128-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2660-124-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/1804-123-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2804-122-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2208-120-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2992-119-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2864-117-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2736-116-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2356-115-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2788-114-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/1980-111-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/1716-144-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/1716-146-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/1716-168-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2996-214-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2284-217-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2788-218-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2208-224-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2804-226-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2848-222-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2736-220-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2300-232-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/1804-242-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2920-240-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2992-238-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2864-236-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2356-234-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/1980-249-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

dWcBwem.exefkyLdKS.exeYARsWwt.exegvfoodm.exeEFyNrnL.exexVZHCsb.exemDlTmmT.exerDdTBud.exewPwGorO.exeIdeqgOW.exeqdJVJJX.exeIVJLhyv.exeQWJsCZj.exeQtWyYTT.exeGzrZQVO.exeNKMfECh.exeRSkeiGg.exeoJluRtC.exeEaKyMFP.exeSXDYTMA.exegnOtvaz.exe

pid	Process
2996	dWcBwem.exe
1980	fkyLdKS.exe
2284	YARsWwt.exe
2300	gvfoodm.exe
2788	EFyNrnL.exe
2356	xVZHCsb.exe
2736	mDlTmmT.exe
2864	rDdTBud.exe
2848	wPwGorO.exe
2992	IdeqgOW.exe
2208	qdJVJJX.exe
2920	IVJLhyv.exe
2804	QWJsCZj.exe
1804	QtWyYTT.exe
2660	GzrZQVO.exe
2600	NKMfECh.exe
2648	RSkeiGg.exe
3060	oJluRtC.exe
1956	EaKyMFP.exe
1064	SXDYTMA.exe
1252	gnOtvaz.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

pid	Process
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1716-0-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/files/0x0009000000012281-3.dat	upx
behavioral1/memory/2996-10-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/files/0x0008000000016dd0-12.dat	upx
behavioral1/files/0x0007000000016de8-16.dat	upx
behavioral1/files/0x0007000000016eb8-20.dat	upx
behavioral1/files/0x00080000000173f3-32.dat	upx
behavioral1/files/0x0007000000017400-35.dat	upx
behavioral1/files/0x000600000001904c-43.dat	upx
behavioral1/files/0x0005000000019259-67.dat	upx
behavioral1/files/0x000500000001929a-87.dat	upx
behavioral1/files/0x0005000000019278-83.dat	upx
behavioral1/files/0x0005000000019275-79.dat	upx
behavioral1/files/0x000500000001926c-75.dat	upx
behavioral1/files/0x0005000000019268-71.dat	upx
behavioral1/files/0x0005000000019240-63.dat	upx
behavioral1/files/0x0005000000019217-59.dat	upx
behavioral1/files/0x00050000000191f6-55.dat	upx
behavioral1/files/0x00050000000191d2-51.dat	upx
behavioral1/files/0x00060000000190e1-47.dat	upx
behavioral1/files/0x0006000000018f65-39.dat	upx
behavioral1/files/0x000700000001707c-27.dat	upx
behavioral1/files/0x0007000000016edb-24.dat	upx
behavioral1/memory/1716-109-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2996-110-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/1980-107-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2600-125-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2648-126-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2920-142-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2848-138-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2300-133-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2284-131-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1252-130-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/1064-129-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/3060-127-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/1956-128-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2660-124-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/1804-123-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2804-122-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2208-120-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2992-119-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2864-117-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2736-116-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2356-115-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2788-114-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/1980-111-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/1716-144-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/1716-146-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2996-214-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2284-217-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2788-218-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2208-224-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2804-226-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2848-222-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2736-220-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2300-232-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/1804-242-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2920-240-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2992-238-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2864-236-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2356-234-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/1980-249-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\EFyNrnL.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wPwGorO.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QWJsCZj.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QtWyYTT.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oJluRtC.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzrZQVO.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NKMfECh.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RSkeiGg.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWcBwem.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gvfoodm.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDdTBud.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IdeqgOW.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qdJVJJX.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaKyMFP.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SXDYTMA.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gnOtvaz.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fkyLdKS.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YARsWwt.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xVZHCsb.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mDlTmmT.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IVJLhyv.exe	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 1716 wrote to memory of 2996	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1716 wrote to memory of 2996	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1716 wrote to memory of 2996	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1716 wrote to memory of 1980	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1716 wrote to memory of 1980	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1716 wrote to memory of 1980	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1716 wrote to memory of 2284	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1716 wrote to memory of 2284	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1716 wrote to memory of 2284	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1716 wrote to memory of 2300	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1716 wrote to memory of 2300	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1716 wrote to memory of 2300	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1716 wrote to memory of 2788	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1716 wrote to memory of 2788	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1716 wrote to memory of 2788	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1716 wrote to memory of 2356	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1716 wrote to memory of 2356	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1716 wrote to memory of 2356	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1716 wrote to memory of 2736	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1716 wrote to memory of 2736	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1716 wrote to memory of 2736	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1716 wrote to memory of 2864	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1716 wrote to memory of 2864	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1716 wrote to memory of 2864	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1716 wrote to memory of 2848	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1716 wrote to memory of 2848	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1716 wrote to memory of 2848	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1716 wrote to memory of 2992	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1716 wrote to memory of 2992	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1716 wrote to memory of 2992	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1716 wrote to memory of 2208	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1716 wrote to memory of 2208	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1716 wrote to memory of 2208	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1716 wrote to memory of 2920	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1716 wrote to memory of 2920	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1716 wrote to memory of 2920	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1716 wrote to memory of 2804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1716 wrote to memory of 2804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1716 wrote to memory of 2804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1716 wrote to memory of 1804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1716 wrote to memory of 1804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1716 wrote to memory of 1804	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1716 wrote to memory of 2660	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1716 wrote to memory of 2660	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1716 wrote to memory of 2660	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1716 wrote to memory of 2600	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1716 wrote to memory of 2600	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1716 wrote to memory of 2600	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1716 wrote to memory of 2648	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1716 wrote to memory of 2648	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1716 wrote to memory of 2648	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1716 wrote to memory of 3060	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1716 wrote to memory of 3060	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1716 wrote to memory of 3060	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1716 wrote to memory of 1956	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1716 wrote to memory of 1956	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1716 wrote to memory of 1956	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1716 wrote to memory of 1064	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1716 wrote to memory of 1064	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1716 wrote to memory of 1064	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1716 wrote to memory of 1252	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1716 wrote to memory of 1252	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1716 wrote to memory of 1252	1716	2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_bfae8c482ff1d8d77de46419fe777c1a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\System\dWcBwem.exe
  C:\Windows\System\dWcBwem.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\fkyLdKS.exe
  C:\Windows\System\fkyLdKS.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\YARsWwt.exe
  C:\Windows\System\YARsWwt.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\gvfoodm.exe
  C:\Windows\System\gvfoodm.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\EFyNrnL.exe
  C:\Windows\System\EFyNrnL.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\xVZHCsb.exe
  C:\Windows\System\xVZHCsb.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\mDlTmmT.exe
  C:\Windows\System\mDlTmmT.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\rDdTBud.exe
  C:\Windows\System\rDdTBud.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\wPwGorO.exe
  C:\Windows\System\wPwGorO.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\IdeqgOW.exe
  C:\Windows\System\IdeqgOW.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\qdJVJJX.exe
  C:\Windows\System\qdJVJJX.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\IVJLhyv.exe
  C:\Windows\System\IVJLhyv.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\QWJsCZj.exe
  C:\Windows\System\QWJsCZj.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\QtWyYTT.exe
  C:\Windows\System\QtWyYTT.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\GzrZQVO.exe
  C:\Windows\System\GzrZQVO.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\NKMfECh.exe
  C:\Windows\System\NKMfECh.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\RSkeiGg.exe
  C:\Windows\System\RSkeiGg.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\oJluRtC.exe
  C:\Windows\System\oJluRtC.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\EaKyMFP.exe
  C:\Windows\System\EaKyMFP.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\SXDYTMA.exe
  C:\Windows\System\SXDYTMA.exe
  2⤵
  - Executes dropped EXE
  PID:1064
- C:\Windows\System\gnOtvaz.exe
  C:\Windows\System\gnOtvaz.exe
  2⤵
  - Executes dropped EXE
  PID:1252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EFyNrnL.exe

Filesize
5.2MB

MD5
82a51a62ad135eba3c435b4c6b16c353

SHA1
5e537d9ba801af52cd28151a3a0ca6411b5450da

SHA256
1b9e8164ac996fef3286f69dbf5e7f04fbe55a1a8d2e1a0ef7b0bc826392a6f7

SHA512
a786c3d1a862a1a489f53c63b24e03e434f3145129788b12e7eb73856e0c7b82afe80b4dcfdf95806ce03a0be10e12feba05f230e5e5b105e765b55631644a57

Download Submit
C:\Windows\system\EaKyMFP.exe

Filesize
5.2MB

MD5
2348ae7461585ace285ae8c5ab7c72e8

SHA1
de72123a6b1722f96706997ac16e9d1ccafc663e

SHA256
2553182850b4b529b3c29e265ef8e65d716252796407dfc6e01d19c426aae84c

SHA512
d34ab0088a589bad4d92c6a0df0a3460d0a3e63c1b5518afddec4162b0fb3b3f23aa2e6efa29c39ef3164a85811f2dd23e0dd0e8fab7f5b305fe48496bd1ecc6

Download Submit
C:\Windows\system\GzrZQVO.exe

Filesize
5.2MB

MD5
e3bb560bcc8e3eeba3645e26645f55dc

SHA1
3ff44b691bcaaa24b171062fc6b035cdd7e510e0

SHA256
d96cdd48271620437871ee9ccce4d5db6ba49558d67f05556cf249d924f75e35

SHA512
311273f848dfa3155a40a16acd9d1d464df01895d71e700a6126f795774289f2a8bfb1e979fb24a541e34c42ba2dcd14aa7be44c05eb5149fa6024f980a4a4c6

Download Submit
C:\Windows\system\IVJLhyv.exe

Filesize
5.2MB

MD5
03b7cf33c1be91a4e4d46d8475cd2644

SHA1
8574eefecf38b37e164cbd7fd897d6fc12609954

SHA256
48017522c881030fd3a26336e41af8ea8ab0e6bf2777d78345ebffd589c178ac

SHA512
aa900e58df326e74aa5e3e3650abdb722b650f70703e8357470b831a455f53c0b51df86cbe146d32d6a4dde190f38e18bfcdec5c18443bafaeab3e6081ee3bb3

Download Submit
C:\Windows\system\IdeqgOW.exe

Filesize
5.2MB

MD5
30f2ba387935aa8f06b8b623c20a8eba

SHA1
e84195c98a79fcc1cca13298fa5e48d02b189c64

SHA256
7c8d4b100731e187c686dc1bfa39c11d27b48264abbd8a9193f22414151cd5e5

SHA512
85fdb8950d20ad2de94a26a0e976410b2a995134fbc7b25f989732ab99f00583d3495874d4d4487947d2fe0fc679aecc99a54690585008b89d19de0808963cf6

Download Submit
C:\Windows\system\NKMfECh.exe

Filesize
5.2MB

MD5
c5db41b403e1ef2c99b539fa95bff744

SHA1
9c62ccad10eb48cf75cfeed4232535811c263704

SHA256
cec6d084375d12a7a1428e3b7998d20e6f449b720d650296c37f2d7726442631

SHA512
595d580c042a03bb61bf2544ba853921c655622a44e89eb697a870987d852b52eee8540cd07169e495e37a65455e2a1540db0274b5864e1a3f3af81a171fb8f7

Download Submit
C:\Windows\system\QWJsCZj.exe

Filesize
5.2MB

MD5
c15bea2f584833e875fbe815c7a9e8b0

SHA1
938bc6dee35e966627c56ef50665a27d1aa18994

SHA256
2699b76fae600437ce7f7f6be1ac19565fd3f1349a80ed66bddf5417e117b57d

SHA512
539f3a0f07b84ec185e10e5cf550b0a1dbcac1bb85b1abba120abe96c02aae588cfd42c526f845faf1c12db8487f0a328d92d3bc583d09d06d31158368f3d99e

Download Submit
C:\Windows\system\QtWyYTT.exe

Filesize
5.2MB

MD5
f8a32790e5209d519addf704be797929

SHA1
35c8b791bdee1ec31cbcd5a28bb065f7f7789008

SHA256
abb3c2879f3c35e8b38b326e637c0954ec28cc0bce05224d0b5743adef845bb0

SHA512
e1e09c29d0cb740f520f70fe21f937edc2ac59fb12b5252279bf12c023138864b74f51cff775b8df295eaa5a944c32c101c1d3354b9b9602b85d7772e21f5ebc

Download Submit
C:\Windows\system\RSkeiGg.exe

Filesize
5.2MB

MD5
aafbeda7621841d8ed28f9f353bf08b8

SHA1
765dcca45656d667ae2437171d735bb360a0388c

SHA256
d6978d151a98619c8838c30cc6d6ab4241ac10028751faa9c74b5f5d814fdd8d

SHA512
7221c0b2f51bfdd6de614b85f7ec4a08f3da268e1f42add98f0b63320a219f79751ae5b750352213b4d1ec0ad4c449c3acbe473ef85047058a854a4ea436ec69

Download Submit
C:\Windows\system\SXDYTMA.exe

Filesize
5.2MB

MD5
af5191116687d3b0cbab1ada3b8cd440

SHA1
c4ec2e98d8bf173e97f05d2ecb471335075b15fe

SHA256
d07fe46e6af3be3aad6b422eac15f1f626b6d2c550c9dc20d8bcda919b914c91

SHA512
e1470a588c80a47843a898bfb3e87e6a4b5279f633f99c0f17b4e6a8b294e9b47cff5e30c6853ae3fdb0a406ec13212684e76f9cab9c41d182c3ed04e7f9ed54

Download Submit
C:\Windows\system\YARsWwt.exe

Filesize
5.2MB

MD5
f7d154964e34a02b9e2596cf0827c814

SHA1
afc438097cd91fd40bf4d0cdcb91f41697c75e0e

SHA256
7ab90c3e6df650b50d922658c83e713bfe6121b8de95261556efc9e50808ca85

SHA512
b2159df63cf52fc5f84079eb9ea6cda78cfdaddb899436ecf5304faa6ca3efc9ff207bd75fad5cd6fae1801f0c4dd73acaec78a8c893d0f57cf802af950c9015

Download Submit
C:\Windows\system\fkyLdKS.exe

Filesize
5.2MB

MD5
dcc425d2e879c00d99a345c705aa0014

SHA1
edbbaf4e325f1473c03b5f9f7841ce9c3cb53043

SHA256
6a60e7c4960178e08a0b014d21f6dd98e44eab0bb35e39e05a01003976146b91

SHA512
52a0fe97b3df910662a84c35fada62f766d9cc8de2efeabf1e1ce42b38df4aaefbea9b026825c2a374c65a84a72226a9b8b5549045d5dba7bbe8c64fc37dd81a

Download Submit
C:\Windows\system\gnOtvaz.exe

Filesize
5.2MB

MD5
6b9bff9cd50f8b01359ff36b0e88f8ab

SHA1
1d99988da86145a35871eef28fe21e8e021f5c9f

SHA256
0b7e77d838dc74e920f78d6c5a4fe73b57cc0e6c68c5d6dfc55115d48b56fa7d

SHA512
8b63dba7612808ee06e01b29f38450a8d3f58947f1ca18b0df443d9f967c5703bbcd52768ca34677c9dc839649d4ccd34af6236bf9a084755158ce6c1194424b

Download Submit
C:\Windows\system\gvfoodm.exe

Filesize
5.2MB

MD5
b04ce59a5228318f5ea3ecd382988316

SHA1
cdd9da2fe0aa04ae54c527fa696a6208ce148b6a

SHA256
57779d00f8b26f3692ec56b4f829ef2533d72e1efef110f153ed5cd1faab9662

SHA512
78b78a883e5d62d3bf89a5b4fd09f65d2f658fd587fa4db4cfb89cb15672e90cc0e92332e5371b8a4e480f72a99c09d2b78174dbbaaf40d7c88d2cbab1a429d2

Download Submit
C:\Windows\system\mDlTmmT.exe

Filesize
5.2MB

MD5
d839c2409b7e9685dbc166afdd42e0c9

SHA1
1483a64fc3cc01e30b54307d1e87b6b99981d5df

SHA256
e27b80cf831261de465ba098e629471ed3cd70267ab687b51ff9763d27501f22

SHA512
28326dd1b87d981dae9aba109f8b0efde29f65693c1211853724b420b6367387fe689d15fd0b9cccb8c32876303f208fbd90863388e183ecba2c85baa58b8537

Download Submit
C:\Windows\system\oJluRtC.exe

Filesize
5.2MB

MD5
e075a877ff4a0b9900b028ca8aebd7cf

SHA1
d66c5380be99c744628e303377c10e2134ec1b13

SHA256
a97c31c1db0366a974acd3ebf5129399ec8f74f7daa06f6b70b72798c136121b

SHA512
3967374e21a516b0b9e060f01ae848e870480cca72ac39fb5bebae430560dbc5a374c8797734abdef72ff2337e87d574e30d2d513047bce61e274d2f4fe1f96c

Download Submit
C:\Windows\system\qdJVJJX.exe

Filesize
5.2MB

MD5
f28fe2f6f6aa08861ae694a840f2fd77

SHA1
0c28708d6221739de7ddbeac0bf06da4abb203da

SHA256
1ede65a86bdbde40893d963a9279f1a47d1589de33f10acc57b34391dbb448ab

SHA512
41ccd92fe3862ccd3550b79d0dbb48a9b92b3314c834eff4f26357d4362c0afc0c8f2382edffa1ee6a0a73c05f76942a7f959dd20c5375f328718f8e8a2b911a

Download Submit
C:\Windows\system\rDdTBud.exe

Filesize
5.2MB

MD5
515396e0cee2ecec7825eb45cfedb82b

SHA1
d03ba0757a95aa9ae096042ce47545464bfd942c

SHA256
47038fb56caad8246455eee682dd3c9ceb4e361c713ec5b0657a81d151e5154d

SHA512
e7376e1992a59dc96685f4a997f963643e68b7031130cfe4f42be4b219f723ec16e869c2f9e33d7c10b4cc20876f31247c7e1320668a1cecf5ef0ef4c6b4b445

Download Submit
C:\Windows\system\wPwGorO.exe

Filesize
5.2MB

MD5
5d0be493dd1477734da1440ee0bc0065

SHA1
bedd6307331428261a0a8285ffd8074d67e842c3

SHA256
ceff69df3b6f6d0db8b6b78ad711acfe73d58477198d03e8e57d472dcae90cc9

SHA512
d3e65b9165cc72bd89b9a9aac743e05f727db3db82de328a2453acbc9e5c14699ff3805901674bea3725f404fa3aad0c39866a78be525ea77324f6b5c8cac5dd

Download Submit
C:\Windows\system\xVZHCsb.exe

Filesize
5.2MB

MD5
533b69a3db1c91048d6beb14817d0ad7

SHA1
53d533de3ad03eb264fa2505f23686f8ced4b861

SHA256
096307539f245d9edfe2dd6b2fb54b1585a8cdd1097ae7969005bae3899464d5

SHA512
28ff1deffe870468628c556de8b0f628acc110761c5ca7eedbc2ea5e513f9bc6d20f86ae29a98be01357ca71d0f14786307ce58f4d6080f3540a6cb06b050616

Download Submit
\Windows\system\dWcBwem.exe

Filesize
5.2MB

MD5
79db13fc7e64ced2213bd9f990b21fcb

SHA1
6877f18611e380dd5497b7177531ad71b0b3b9c9

SHA256
8920a9dbcdb0e8fc8a6ac652d2c2def1f44b139fbb3c98d0f103c2c84cdb537a

SHA512
e2b8da1f036fc5b708cfdc2d764baec2ab6fc86fe80b7eb8d153732e3c0b6258d5d029c82636f95dc9fff77fc7d32a85689bce2a1bb860e9ea3db519b1b8fc2d

Download Submit
memory/1064-129-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1252-130-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-136-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-145-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/1716-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1716-109-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/1716-132-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1716-168-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/1716-143-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-146-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/1716-141-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1716-140-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-139-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/1716-144-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/1716-137-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/1716-0-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/1716-135-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/1716-134-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/1804-242-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/1804-123-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/1956-128-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1980-111-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/1980-107-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/1980-249-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2208-120-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-224-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2284-131-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2284-217-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2300-232-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2300-133-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2356-115-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2356-234-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2600-125-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2648-126-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2660-124-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2736-116-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2736-220-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2788-218-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2788-114-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2804-226-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-122-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-138-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2848-222-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2864-236-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2864-117-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-142-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2920-240-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2992-119-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2992-238-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2996-10-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2996-214-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2996-110-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/3060-127-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download