cobaltstrike | 9b45bab72bece536271556f53fc381f25ae2beee9cba2fe05a1e1a4523c3f6e7

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b0c258d05c152a721d67e8c37e8962bf
SHA1

d271a9f0b19c206b2f1d1d69f26780b11355fdee
SHA256

9b45bab72bece536271556f53fc381f25ae2beee9cba2fe05a1e1a4523c3f6e7
SHA512

34345143176824efd4aeccaf8398b936dc20d81977f07279f1204b97ce766bcd531f0ba998b1d356484bb35d519e5e5eed4eef6022090338550c22e41fadfb57
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lU:RWWBibd56utgpPFotBER/mQ32lUg

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fd-3.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001949e-10.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000193f7-7.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000194c4-23.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194d2-39.dat	cobalt_reflective_dll
behavioral1/files/0x003000000001939b-34.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194e3-53.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001958e-68.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a427-83.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a48d-119.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a9-134.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b1-142.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4af-139.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a499-125.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a49a-129.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a48b-114.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a46f-105.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42d-96.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41e-81.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000194e9-66.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194db-49.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral1/memory/2680-20-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/2532-40-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2336-42-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/1940-146-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2532-111-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/1820-147-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2664-106-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2532-102-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2588-97-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2532-94-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2532-93-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2772-78-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2144-148-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2532-63-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2852-62-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2724-87-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2532-149-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2532-70-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2956-69-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2452-154-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2532-150-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2412-54-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2532-158-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2132-159-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/3044-168-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2532-170-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2656-169-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2796-171-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/2100-175-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/1076-174-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2936-173-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2900-172-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2532-176-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2336-225-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2680-227-0x000000013FF10000-0x0000000140261000-memory.dmp	xmrig
behavioral1/memory/2412-229-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2852-234-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2956-236-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2772-244-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2724-246-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2588-248-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/1940-250-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2664-252-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1820-263-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2144-265-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2452-267-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2132-269-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2336	LRVBhMW.exe
2680	maLiiYO.exe
2412	LqMCtxH.exe
2852	XVXhboO.exe
2956	qvBYIsP.exe
2772	JzpssJL.exe
2724	FgyRyBD.exe
2588	dUcnceU.exe
2664	mYQFIyY.exe
1940	YjxspwL.exe
1820	ejOrvbP.exe
2144	CQsKPAe.exe
2452	EBDyYoK.exe
2132	TFnqGTY.exe
3044	sTaTnyn.exe
2656	LkcJqsg.exe
2796	ENZvGFC.exe
2900	OaurmeC.exe
2936	GwFDdHs.exe
1076	AgAYaAy.exe
2100	RWwOrAA.exe

Loads dropped DLL 21 IoCs

pid	Process
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-3.dat	upx
behavioral1/files/0x000600000001949e-10.dat	upx
behavioral1/files/0x00070000000193f7-7.dat	upx
behavioral1/memory/2412-21-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2680-20-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2336-13-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/files/0x00070000000194c4-23.dat	upx
behavioral1/memory/2852-28-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/files/0x00060000000194d2-39.dat	upx
behavioral1/memory/2772-41-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2532-40-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/files/0x003000000001939b-34.dat	upx
behavioral1/memory/2532-33-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2336-42-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/files/0x00060000000194e3-53.dat	upx
behavioral1/files/0x000700000001958e-68.dat	upx
behavioral1/memory/1940-74-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/files/0x000500000001a427-83.dat	upx
behavioral1/memory/2664-67-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/1820-82-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2132-107-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/files/0x000500000001a48d-119.dat	upx
behavioral1/files/0x000500000001a4a9-134.dat	upx
behavioral1/files/0x000500000001a4b1-142.dat	upx
behavioral1/files/0x000500000001a4af-139.dat	upx
behavioral1/memory/1940-146-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/files/0x000500000001a499-125.dat	upx
behavioral1/files/0x000500000001a49a-129.dat	upx
behavioral1/files/0x000500000001a48b-114.dat	upx
behavioral1/memory/1820-147-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2664-106-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/files/0x000500000001a46f-105.dat	upx
behavioral1/memory/2452-98-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2588-97-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/files/0x000500000001a42d-96.dat	upx
behavioral1/files/0x000500000001a41e-81.dat	upx
behavioral1/memory/2772-78-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2144-148-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2144-88-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/files/0x00080000000194e9-66.dat	upx
behavioral1/memory/2852-62-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2724-87-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2956-69-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2588-59-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2724-50-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2452-154-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2532-150-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/files/0x00060000000194db-49.dat	upx
behavioral1/memory/2412-54-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2132-159-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/3044-168-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2656-169-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2796-171-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/2100-175-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/1076-174-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2936-173-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2900-172-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2532-176-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2336-225-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2680-227-0x000000013FF10000-0x0000000140261000-memory.dmp	upx
behavioral1/memory/2412-229-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2852-234-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2956-236-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FgyRyBD.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjxspwL.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQsKPAe.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TFnqGTY.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\maLiiYO.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EBDyYoK.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GwFDdHs.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AgAYaAy.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dUcnceU.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OaurmeC.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LRVBhMW.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqMCtxH.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XVXhboO.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qvBYIsP.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LkcJqsg.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ENZvGFC.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RWwOrAA.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JzpssJL.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYQFIyY.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejOrvbP.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sTaTnyn.exe	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2336	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2532 wrote to memory of 2336	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2532 wrote to memory of 2336	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2532 wrote to memory of 2680	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2532 wrote to memory of 2680	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2532 wrote to memory of 2680	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2532 wrote to memory of 2412	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2532 wrote to memory of 2412	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2532 wrote to memory of 2412	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2532 wrote to memory of 2852	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2532 wrote to memory of 2852	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2532 wrote to memory of 2852	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2532 wrote to memory of 2956	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2532 wrote to memory of 2956	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2532 wrote to memory of 2956	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2532 wrote to memory of 2772	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2532 wrote to memory of 2772	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2532 wrote to memory of 2772	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2532 wrote to memory of 2724	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2532 wrote to memory of 2724	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2532 wrote to memory of 2724	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2532 wrote to memory of 2588	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2532 wrote to memory of 2588	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2532 wrote to memory of 2588	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2532 wrote to memory of 2664	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2532 wrote to memory of 2664	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2532 wrote to memory of 2664	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2532 wrote to memory of 1940	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2532 wrote to memory of 1940	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2532 wrote to memory of 1940	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2532 wrote to memory of 1820	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2532 wrote to memory of 1820	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2532 wrote to memory of 1820	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2532 wrote to memory of 2144	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2532 wrote to memory of 2144	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2532 wrote to memory of 2144	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2532 wrote to memory of 2452	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2532 wrote to memory of 2452	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2532 wrote to memory of 2452	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2532 wrote to memory of 2132	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2532 wrote to memory of 2132	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2532 wrote to memory of 2132	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2532 wrote to memory of 3044	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2532 wrote to memory of 3044	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2532 wrote to memory of 3044	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2532 wrote to memory of 2656	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2532 wrote to memory of 2656	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2532 wrote to memory of 2656	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2532 wrote to memory of 2796	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2532 wrote to memory of 2796	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2532 wrote to memory of 2796	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2532 wrote to memory of 2900	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2532 wrote to memory of 2900	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2532 wrote to memory of 2900	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2532 wrote to memory of 2936	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2532 wrote to memory of 2936	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2532 wrote to memory of 2936	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2532 wrote to memory of 1076	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2532 wrote to memory of 1076	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2532 wrote to memory of 1076	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2532 wrote to memory of 2100	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2532 wrote to memory of 2100	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2532 wrote to memory of 2100	2532	2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_b0c258d05c152a721d67e8c37e8962bf_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System\LRVBhMW.exe
  C:\Windows\System\LRVBhMW.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\maLiiYO.exe
  C:\Windows\System\maLiiYO.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\LqMCtxH.exe
  C:\Windows\System\LqMCtxH.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\XVXhboO.exe
  C:\Windows\System\XVXhboO.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\qvBYIsP.exe
  C:\Windows\System\qvBYIsP.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\JzpssJL.exe
  C:\Windows\System\JzpssJL.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\FgyRyBD.exe
  C:\Windows\System\FgyRyBD.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\dUcnceU.exe
  C:\Windows\System\dUcnceU.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\mYQFIyY.exe
  C:\Windows\System\mYQFIyY.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\YjxspwL.exe
  C:\Windows\System\YjxspwL.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\ejOrvbP.exe
  C:\Windows\System\ejOrvbP.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\CQsKPAe.exe
  C:\Windows\System\CQsKPAe.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\EBDyYoK.exe
  C:\Windows\System\EBDyYoK.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\TFnqGTY.exe
  C:\Windows\System\TFnqGTY.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\sTaTnyn.exe
  C:\Windows\System\sTaTnyn.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\LkcJqsg.exe
  C:\Windows\System\LkcJqsg.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\ENZvGFC.exe
  C:\Windows\System\ENZvGFC.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\OaurmeC.exe
  C:\Windows\System\OaurmeC.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\GwFDdHs.exe
  C:\Windows\System\GwFDdHs.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\AgAYaAy.exe
  C:\Windows\System\AgAYaAy.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System\RWwOrAA.exe
  C:\Windows\System\RWwOrAA.exe
  2⤵
  - Executes dropped EXE
  PID:2100

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AgAYaAy.exe

Filesize
5.2MB

MD5
773dbd3685f65c87edc9aa03e125574d

SHA1
d89164cce6a84d43eaec15012c6af25930e316a3

SHA256
e427726308e16b3ddc396ea89f7f16892ce73c0c1cf88932a698ac2ccb0f4f01

SHA512
b2e948a44f189b02315a16a89d38d439bad8a10bba8ddba58de1e92c4e0e797d23f555d366dca7b19b6c2e9e66f5d75d7fa13412a733efc101e82ed85fa8b2c5

Download Submit
C:\Windows\system\EBDyYoK.exe

Filesize
5.2MB

MD5
2bdb4029d41a6771567a82bf150adab7

SHA1
4bd5ede8230cd385b5ffd4f0338a66f51b1fc135

SHA256
4a60c9098aeb8d8b3590176f8049c3481a12253405c116eca206e6491224e4bf

SHA512
2ef37b1530f5b9ace1ab6dbe8243b99d18f49f5393307d9d80674b626e152d32fa41b394fecb0c88c19a212a1cbfd1f90afe73fec89832757743643fc6e562ba

Download Submit
C:\Windows\system\ENZvGFC.exe

Filesize
5.2MB

MD5
e716bd795f9eef18807998d38e4c929d

SHA1
2fbd8bb35d5bcfc04f9181cf221de835b8fdede2

SHA256
7d0e018d19c6476e1095fe376aa3b1445921468d6527b23605f3ec7690808aa7

SHA512
40a054823490512c29e0d53d7d91683c009d6139de05f253999a093bb05971434b6fc022b6bd1b54296bd927149d489d1f9def6685628301f0c141dd49a0294d

Download Submit
C:\Windows\system\FgyRyBD.exe

Filesize
5.2MB

MD5
3ba3caebccc527a76aee47a12bed7d0a

SHA1
b1ba1d4cdfdc1c83df3fca675207406cd7a61c87

SHA256
12cdc02265955154cae24c1a04e402e75f620366565b7f61b79d6d1af04e0c12

SHA512
68a6af6279fbe5fe9672c5a2caf1d389d9fe51961e1505f8f0748c97eb53d47c231ae54611e16e4bea8f327374265a4a007df84dbb5951e323104b3564b49b7d

Download Submit
C:\Windows\system\GwFDdHs.exe

Filesize
5.2MB

MD5
a0b84dcdbdc12f11bbe4a36477af6796

SHA1
0404eb1656bf88b2e6fc4bd511ab6b2ef1198d5d

SHA256
e2dfe4663099e9fbf14df875eb55962456b4692c449994f262990693772fc7eb

SHA512
8a0288eb0c322998419b83fdb25776f42f203603dae38d135785220fae35612377e79a479fa4d4317d343657bd36dff560d38603e99a3289b07514ab4313f278

Download Submit
C:\Windows\system\JzpssJL.exe

Filesize
5.2MB

MD5
3f81554305139adf1eb128f0017405c3

SHA1
25c344ff2968c5859f440a0edb628bae393ae0dc

SHA256
2159a5c14f503f2a13937521a48ef5fe19fbbd6efaac18f034c919275fc1b3ad

SHA512
7dc28a7e5cea6b8e9994cefe4595ec214f2b4a8ee3f6b35d6bd0138bc8992caf7a1c513549c30475db5dba8ce37d15b5a3e8aaca647015ca5eaa45b4d0411f77

Download Submit
C:\Windows\system\LkcJqsg.exe

Filesize
5.2MB

MD5
d5b571b652dacb3a85650aafa394a34a

SHA1
f811e9d28cc3e4f3a3a2b25fc23607d1fb36cbdf

SHA256
3671afcc1fd155aeee969fea23abba0bb86ffe8c29e64bec6439725fed7c1e81

SHA512
22a5a0dd10e9ecf735c595ac0a99dbb504df97a6d1c8bb002079afe1924adbbb872483612a91c66da6763bcb7cef86c9759213beb31d483fcc498a7d0baa6a7d

Download Submit
C:\Windows\system\OaurmeC.exe

Filesize
5.2MB

MD5
ede3e385fa8bbb5852961fd83a544bbb

SHA1
ae1cac6866e0d72566d21c7a0084319943805806

SHA256
35b6137ae879ebc96889c49b916fff06002d15db2cc460ff68cccd71919f3d5a

SHA512
3738da5d6fe4e2d2fac59910a932fc63f25ff453edfd27551675e8271a7b68a54d296ae4daccc76ecf3614b816206ab1c72fceab1ccc4f7722bd24e2487cf88d

Download Submit
C:\Windows\system\TFnqGTY.exe

Filesize
5.2MB

MD5
541ffa945c3fc0b4456deaab4ae76bab

SHA1
242f85e2f0bfb141bdaee8b975e222ad6ae6725f

SHA256
8dd0a862c02506abc7240483a0732d9c9e72c859c8b7643f132b0bf37cc19d9f

SHA512
dcdbd27414c9639aa947124e15ca6ffd1d37efaf7d795534a1bb48807662ca9e22143a8a4ed5ff2ea15726f9dcd6e6357b99934f32817d5c48d0f82f5e67b7c5

Download Submit
C:\Windows\system\ejOrvbP.exe

Filesize
5.2MB

MD5
b0f9440cfc3099e74bcbb889b1241174

SHA1
336f7f7e6ce2f31b7b3acf2e0240ba5ac4b36d0c

SHA256
b32df736a263e2d28a5e9f2c91cc09025ac4e61f410a304f7d3947fe18bd61ec

SHA512
32a074ca2901d6b14343ac4e141552a8f93a2443bd61c4ead2ee2c82949a843947ed9469ad68f43c9d29424385254c501b7cc5145ef7efd60b5fa1be25465523

Download Submit
C:\Windows\system\mYQFIyY.exe

Filesize
5.2MB

MD5
9ca692e6446ec17de8e23c71243e925b

SHA1
b26fa9c7b1093083f5e1ffb5b25756dddd17c171

SHA256
59d6d0aad08a17c7f56ba61ade3e160424cfc9b12bdae8584cf821ffcbedf8b5

SHA512
43a483a7bdac0a641de952abdc23d0ac09746aa54e0b1356b75b4bd71b654cd90123bea9ae74d459e94dd37f4e67025dc836246c52970e46dd5b989214259495

Download Submit
C:\Windows\system\qvBYIsP.exe

Filesize
5.2MB

MD5
1e1e895f334888e65a8ee97329e0188f

SHA1
4d00a7656a4ae3a132bb999033a8c3a48e96a948

SHA256
79602d20ddb9672e316873708bce8c484db550bd6a036fcd72d4206a050f4f93

SHA512
cfff974084276d0f861d8797c93400a3a0fa2c1853dcfbf5b8e81055a9335ac44d439fc2ae0ebb56ad0ce802c9f0a5e284665c8ea0fe21a128c87b99edc5dbb1

Download Submit
C:\Windows\system\sTaTnyn.exe

Filesize
5.2MB

MD5
e565a5de9846eb0212d2f7889983ca88

SHA1
47c677547a61b18a11f099f764edfa8bcd2a1755

SHA256
218578dc73b7827fff5c8b74b4954efabc0d92008256ebe5a4deb8a9312890e7

SHA512
f721e1192c58a7609733e513360d4e88e2b45a829ab08a666e8b3f57725f54e91c72ee923893806d574b4e5b6edf330a148bd97cb456cb6bb3d9f4eccb7b11d6

Download Submit
\Windows\system\CQsKPAe.exe

Filesize
5.2MB

MD5
8b80ef7cc135272dc49329a7a48951a1

SHA1
49815da9490e28021048cd2caf98568b8be13329

SHA256
96c293aef9cbd4d6802d9128d75adf5068aa52f204f03a210f312740eab1111c

SHA512
d153326f099893a8adc6edde64d08744b1ff5130b4f310e178acda319bcf08765227fd04254f6be6fce54c423d3e0cdbc4cf28ce67d63a032348377cc104541d

Download Submit
\Windows\system\LRVBhMW.exe

Filesize
5.2MB

MD5
b08bccfa4b9393c68f88fc20ab04a7fb

SHA1
6d4841dcc155c2ad39a32d3a09b79bcdc295ea08

SHA256
58109eb94b743c80a47500622ffefb1dfed6144f444d0a67894bff85d6e569b0

SHA512
750488ea5131ac3bca7ddd6acc6a56528d06dece46d9c69f498a53b5317d0374345c916222147dcad7180a36146d434cc7769f1f34be0e9c9094e1f9421fa0fb

Download Submit
\Windows\system\LqMCtxH.exe

Filesize
5.2MB

MD5
a050e7be0e1bf8d2772960f13c5b4451

SHA1
19eeeb50a724781b1d7fd52e143f39c34fc84442

SHA256
86148564e07204216d6c47db170403281b9f1eb4738d8109e883522ca784354f

SHA512
492b1ba0aca0a5729f4e4ffeb1378b55443bbf36249a7921523c47936c77d84756af32c2821397a02754f67a4606767f7942ab465693bb03011b769ae501f6b0

Download Submit
\Windows\system\RWwOrAA.exe

Filesize
5.2MB

MD5
2bd21c0c8cc62bf245feb9cca867a51a

SHA1
1949c6f16a1ca817186a1f937cea296ddaa2dfa1

SHA256
507cbd1170b382fb02556170fd086b151d4707a11c18152deefe1e37b11aa1c7

SHA512
596755706f214d6994dce356cfc25ac51da15f9c03854e9e88eedf6d42488fcb9ff5f6f087e80124ea9dc301f9e3e31703b53565a5a21ee8cb4260950cc91274

Download Submit
\Windows\system\XVXhboO.exe

Filesize
5.2MB

MD5
2bea03e470c333c2284c58eff10baabc

SHA1
c0bb8e1807aacc54aa6837846e3343ecfe8553c6

SHA256
e68f4a066c9ac76c08bef3c31253093035559c3812ebfbea76e8d3778de86c3f

SHA512
36a10269fcb2cd45e39544defb4a6cec90b460905e145f0bed15f5437c71a23865ecbe3f728b5bc1f7bc123778fc62e1f0900811fcff36dc9b0d64fc2eb3a064

Download Submit
\Windows\system\YjxspwL.exe

Filesize
5.2MB

MD5
59ab3ab62a468794bec6e5c478c6e1c5

SHA1
1f99e1bf02b47fd330680f2ddd3295e7aaed7d58

SHA256
5f8f0b56d32b898d6c270c9fec474aa99ba34acc9fdadf89f536dbf770bcdc35

SHA512
47c703e32ae324f3d874a6ba7cdfe1cf78339c0bb147edc51de740e6ddf873f74df2aa5b6e313809af4eca1a417b8a952fff26f740586b9c2e97cdc24d61e6f6

Download Submit
\Windows\system\dUcnceU.exe

Filesize
5.2MB

MD5
193124f68c40b3bb34b9372a722b71bb

SHA1
3aef1b23a808965be6ab498ece41a4006292554e

SHA256
e60be5c5ab75b249753f4f8d12c6299407fd8ae0a1fcf4d5da696178bb51d29b

SHA512
155661b9b9686cca56487ce9cdde2b3d806c1912970b9e7591687b6da6a371ddf5b9af5bb27d427c71cb7e6401999912b03cdc6e518a93c2f134d71f206011a7

Download Submit
\Windows\system\maLiiYO.exe

Filesize
5.2MB

MD5
00a383a9435ab46a96bffb0b5f1f99ec

SHA1
d85fd5914297c4b25d76c739c6c25000c6a33925

SHA256
f3398afa1b4435a434217fa92f45ab93e1fdcd9f33a45af31b4eaef30fc47433

SHA512
498e8cd57f3295d5ece9378b66556631be638af121dcdec1429f0a134c485db5e3ba48e2533ac48ab99e739ec291e845df0196529405ddc66b966f9d21529a57

Download Submit
memory/1076-174-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-263-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1820-82-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1820-147-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/1940-146-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1940-74-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1940-250-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2100-175-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2132-107-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2132-159-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2132-269-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2144-148-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2144-88-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2144-265-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2336-13-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2336-42-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2336-225-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2412-21-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-229-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2412-54-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2452-154-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2452-267-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2452-98-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2532-94-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2532-33-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-0-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-93-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2532-102-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2532-103-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-17-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2532-111-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-63-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-15-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-24-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-149-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2532-84-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-70-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-176-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-40-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-37-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-112-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-150-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-170-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-46-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-55-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2532-44-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2532-158-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2588-59-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2588-97-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2588-248-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2656-169-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-106-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-67-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-252-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-227-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2680-20-0x000000013FF10000-0x0000000140261000-memory.dmp

Filesize
3.3MB

Download
memory/2724-87-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2724-50-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2724-246-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2772-244-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-41-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-78-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-171-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/2852-28-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-234-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-62-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-172-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2936-173-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-236-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-69-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-168-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download