cobaltstrike | f9d108f1589450d66292e1c007311ffcb855474078bbb5cf0d0243fb6a9f9f8f

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

40616a25f9de64bbf242f3f85a7b3ec7
SHA1

f5a09d4c30869eb359b2b84e8c8d8b7e102a61a9
SHA256

f9d108f1589450d66292e1c007311ffcb855474078bbb5cf0d0243fb6a9f9f8f
SHA512

3529ac120f5bbde9a77b998884e79b2624127a6c8a4330591738a4a35cb072d203349b7fb1001781011df50a92442e00dea66cd03279d423dfa3309533b50418
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUg:E+b56utgpPF8u/7g

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012280-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d81-17.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d59-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ec4-33.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dea-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df3-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ecf-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016de8-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9f-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d77-105.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d67-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6b-78.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-72.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d54-69.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d43-61.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d2a-51.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f25-40.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6f-89.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-58.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f7b-48.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d79-23.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/1736-0-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/files/0x000b000000012280-3.dat	xmrig
behavioral1/memory/2172-9-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d81-17.dat	xmrig
behavioral1/files/0x0008000000015d59-10.dat	xmrig
behavioral1/memory/2848-29-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015ec4-33.dat	xmrig
behavioral1/memory/2792-37-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2140-42-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2848-95-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2664-102-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016dea-117.dat	xmrig
behavioral1/files/0x0006000000016df3-121.dat	xmrig
behavioral1/files/0x0006000000016ecf-125.dat	xmrig
behavioral1/memory/2140-139-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/files/0x0006000000016de8-114.dat	xmrig
behavioral1/files/0x0006000000016d9f-109.dat	xmrig
behavioral1/files/0x0006000000016d77-105.dat	xmrig
behavioral1/memory/2244-141-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/3032-101-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/1260-100-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d67-83.dat	xmrig
behavioral1/memory/1736-80-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2828-143-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/1736-142-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d6b-78.dat	xmrig
behavioral1/memory/1736-73-0x00000000024E0000-0x0000000002834000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d4b-72.dat	xmrig
behavioral1/files/0x0006000000016d54-69.dat	xmrig
behavioral1/files/0x0006000000016d43-61.dat	xmrig
behavioral1/memory/2132-54-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d2a-51.dat	xmrig
behavioral1/memory/2420-94-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2708-92-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/files/0x0007000000015f25-40.dat	xmrig
behavioral1/memory/2708-146-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d6f-89.dat	xmrig
behavioral1/memory/1736-88-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2828-87-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2104-77-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2420-147-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig
behavioral1/memory/2244-68-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2524-67-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d3a-58.dat	xmrig
behavioral1/memory/2664-150-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/3032-149-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/1260-148-0x000000013F940000-0x000000013FC94000-memory.dmp	xmrig
behavioral1/memory/1736-50-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/files/0x0007000000015f7b-48.dat	xmrig
behavioral1/memory/1736-26-0x00000000024E0000-0x0000000002834000-memory.dmp	xmrig
behavioral1/memory/2104-25-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d79-23.dat	xmrig
behavioral1/memory/2524-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2172-151-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2524-152-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2104-153-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2792-154-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2848-155-0x000000013F050000-0x000000013F3A4000-memory.dmp	xmrig
behavioral1/memory/2140-156-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2132-157-0x000000013F180000-0x000000013F4D4000-memory.dmp	xmrig
behavioral1/memory/2244-158-0x000000013F7E0000-0x000000013FB34000-memory.dmp	xmrig
behavioral1/memory/2828-159-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2708-161-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2420-160-0x000000013FC40000-0x000000013FF94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2172	kKvihkh.exe
2524	NMXMUHK.exe
2104	feJaqfS.exe
2848	aBFkfKm.exe
2792	lONIjFt.exe
2140	HnfWAze.exe
2132	lxnmROe.exe
2244	DLtDQWo.exe
2828	YjDPEwv.exe
2708	EtGyYTW.exe
2420	PiXbVjs.exe
1260	WBheYnB.exe
3032	PHFfOtP.exe
2664	limhWtn.exe
1784	NVUgmvA.exe
2892	HtTBSFY.exe
3004	sypUeXQ.exe
484	TZfYrZP.exe
552	AoIGQWI.exe
3024	cLekQrW.exe
1676	kvCrfiI.exe

Loads dropped DLL 21 IoCs

pid	Process
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x000b000000012280-3.dat	upx
behavioral1/memory/2172-9-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/files/0x0008000000015d81-17.dat	upx
behavioral1/files/0x0008000000015d59-10.dat	upx
behavioral1/memory/2848-29-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/files/0x0007000000015ec4-33.dat	upx
behavioral1/memory/2792-37-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2140-42-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2848-95-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2664-102-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/files/0x0006000000016dea-117.dat	upx
behavioral1/files/0x0006000000016df3-121.dat	upx
behavioral1/files/0x0006000000016ecf-125.dat	upx
behavioral1/memory/2140-139-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/files/0x0006000000016de8-114.dat	upx
behavioral1/files/0x0006000000016d9f-109.dat	upx
behavioral1/files/0x0006000000016d77-105.dat	upx
behavioral1/memory/2244-141-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/3032-101-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1260-100-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/files/0x0006000000016d67-83.dat	upx
behavioral1/memory/1736-80-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2828-143-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/files/0x0006000000016d6b-78.dat	upx
behavioral1/files/0x0006000000016d4b-72.dat	upx
behavioral1/files/0x0006000000016d54-69.dat	upx
behavioral1/files/0x0006000000016d43-61.dat	upx
behavioral1/memory/2132-54-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/files/0x0008000000016d2a-51.dat	upx
behavioral1/memory/2420-94-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2708-92-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/files/0x0007000000015f25-40.dat	upx
behavioral1/memory/2708-146-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/files/0x0006000000016d6f-89.dat	upx
behavioral1/memory/2828-87-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2104-77-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2420-147-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2244-68-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2524-67-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/files/0x0006000000016d3a-58.dat	upx
behavioral1/memory/2664-150-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/3032-149-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1260-148-0x000000013F940000-0x000000013FC94000-memory.dmp	upx
behavioral1/memory/1736-50-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x0007000000015f7b-48.dat	upx
behavioral1/memory/2104-25-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/files/0x0008000000015d79-23.dat	upx
behavioral1/memory/2524-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2172-151-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2524-152-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2104-153-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2792-154-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2848-155-0x000000013F050000-0x000000013F3A4000-memory.dmp	upx
behavioral1/memory/2140-156-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2132-157-0x000000013F180000-0x000000013F4D4000-memory.dmp	upx
behavioral1/memory/2244-158-0x000000013F7E0000-0x000000013FB34000-memory.dmp	upx
behavioral1/memory/2828-159-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2708-161-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2420-160-0x000000013FC40000-0x000000013FF94000-memory.dmp	upx
behavioral1/memory/2664-164-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/3032-163-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/1260-162-0x000000013F940000-0x000000013FC94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WBheYnB.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DLtDQWo.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sypUeXQ.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZfYrZP.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lONIjFt.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHFfOtP.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YjDPEwv.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HtTBSFY.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kKvihkh.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AoIGQWI.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cLekQrW.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kvCrfiI.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lxnmROe.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\feJaqfS.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aBFkfKm.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HnfWAze.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\limhWtn.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EtGyYTW.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NVUgmvA.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PiXbVjs.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NMXMUHK.exe	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2172	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2172	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2172	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2524	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2524	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2524	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2104	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 2104	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 2104	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 2848	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 2848	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 2848	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 2792	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2792	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2792	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2140	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2140	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2140	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2132	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 2132	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 2132	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 1260	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 1260	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 1260	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 2244	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 2244	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 2244	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 3032	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 3032	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 3032	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 2828	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2828	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2828	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2664	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2664	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2664	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2708	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 2708	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 2708	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 1784	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 1784	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 1784	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 2420	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 2420	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 2420	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 2892	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 2892	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 2892	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 3004	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 3004	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 3004	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 484	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 484	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 484	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 552	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 552	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 552	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 3024	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 3024	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 3024	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 1676	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1736 wrote to memory of 1676	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1736 wrote to memory of 1676	1736	2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-12_40616a25f9de64bbf242f3f85a7b3ec7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System\kKvihkh.exe
  C:\Windows\System\kKvihkh.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\NMXMUHK.exe
  C:\Windows\System\NMXMUHK.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\feJaqfS.exe
  C:\Windows\System\feJaqfS.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\aBFkfKm.exe
  C:\Windows\System\aBFkfKm.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\lONIjFt.exe
  C:\Windows\System\lONIjFt.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\HnfWAze.exe
  C:\Windows\System\HnfWAze.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\lxnmROe.exe
  C:\Windows\System\lxnmROe.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\WBheYnB.exe
  C:\Windows\System\WBheYnB.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\DLtDQWo.exe
  C:\Windows\System\DLtDQWo.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\PHFfOtP.exe
  C:\Windows\System\PHFfOtP.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\YjDPEwv.exe
  C:\Windows\System\YjDPEwv.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\limhWtn.exe
  C:\Windows\System\limhWtn.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\EtGyYTW.exe
  C:\Windows\System\EtGyYTW.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\NVUgmvA.exe
  C:\Windows\System\NVUgmvA.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\PiXbVjs.exe
  C:\Windows\System\PiXbVjs.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\HtTBSFY.exe
  C:\Windows\System\HtTBSFY.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\sypUeXQ.exe
  C:\Windows\System\sypUeXQ.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\TZfYrZP.exe
  C:\Windows\System\TZfYrZP.exe
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\System\AoIGQWI.exe
  C:\Windows\System\AoIGQWI.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\cLekQrW.exe
  C:\Windows\System\cLekQrW.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\kvCrfiI.exe
  C:\Windows\System\kvCrfiI.exe
  2⤵
  - Executes dropped EXE
  PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AoIGQWI.exe

Filesize
5.9MB

MD5
dc07d54c18d1ce0f784cdccd7ff03edf

SHA1
fc180885e626feacf173774a4c343ebbf54207e3

SHA256
22b2df97f29e90b2332a2f3f0e7d406dda552bdd4f65f84fe5abc482b0ed8f0e

SHA512
13c30dd33bab46ffaf5fba0c1fb43e6377e114645f71a7a1ac780ae6d93ce879051e4752d7d0a6bc87b8538a7a059c0e6774267322c666c5833c191024043f2e

Download Submit
C:\Windows\system\DLtDQWo.exe

Filesize
5.9MB

MD5
4a2dd76a6e8740047d293a372570ab5d

SHA1
2ca8e8c57d91bd3c9ac2a4001c9c20cbdde5a914

SHA256
6848718a056bc03b9c31a0f73618d96bc6c1638a0e4ecaf72edb69eff5a02c93

SHA512
983c1218ce0fb0609e15d20a3eb7cc27fe047ac58c4ac594e2dcf53917fc838fc2ab9c5015d18767bbc2c17e8c41ee87754d01e650ad19c9d0a3913a37ab8f16

Download Submit
C:\Windows\system\EtGyYTW.exe

Filesize
5.9MB

MD5
a3ae4472077e42c73ae1d41b4c968e11

SHA1
5c147f9c8f535dd802fcc03e5d1759a653ec6851

SHA256
29de0b7e460714421bb1330acfb1d9b0955bc3ab2a16722401ec867ee6ae3b46

SHA512
d8a2ab21a5f6bf0a8453c4df62196a6832a06fe59dc41573d51f6c10563b3bbe32d0e5be6ae98246d49270b70d96377716a6b4031ee346efd7c7c1a21336bb00

Download Submit
C:\Windows\system\HnfWAze.exe

Filesize
5.9MB

MD5
c9934ec963d267a116331eff279e4539

SHA1
6fb1558e37ecd3855f77b5e089c1344a02153b25

SHA256
c4b1b9b0d9220d03e8cee47c0e98d30481c7c8c39d5648afadadac00c42d43bd

SHA512
5c21716faf7f8d74cff0e09e568d07be77061e0f0d672c2b8daa74fcdc7219ae49e02768fc623f2f11657e5e89bae7105f8668c39f7bf9b0d70cd63b3db1e140

Download Submit
C:\Windows\system\HtTBSFY.exe

Filesize
5.9MB

MD5
b2aaa9e7c464eb21367d4d3ef459d244

SHA1
bc4d3ab13fbedc02b43c830f4f20e6e80f97476f

SHA256
2009570ecc453e960782e2b6ea2d88d8c94b5021b6123e1281b2193eedafb2bd

SHA512
7d642befce31921293131e3d56b2e1a4102eaca623ad7943cac067a31b9810edbf5544a0e7de31bc56216e42b4d66755ec07327849b495fcb5b1ee23eb211576

Download Submit
C:\Windows\system\PiXbVjs.exe

Filesize
5.9MB

MD5
d9e8e911badc599c09cb93c002632511

SHA1
d91f2077151d2b384ac88410c1999abc491e3d5f

SHA256
c68800a5d186f5ee393e82933713831ff441bb1a7420e2ded9e3d5c804dd3f0d

SHA512
773f65bd2387b4ffea3fe7fe408f09cfba168c337c73b69382d4070d1b79a558511635909cbdb6e0dc9442723b6fd9840f24806277cf1e3125f434fdd1e52a15

Download Submit
C:\Windows\system\TZfYrZP.exe

Filesize
5.9MB

MD5
ae85712a95ec05c03d353d4f677ffdc2

SHA1
5f4f0f319d1fd035bdc75d84b5e28cb3f08acd98

SHA256
18212babc0d19119857a41e3488a1bde35025968697aaa2ad9f96ff9b96c5209

SHA512
3cd1c02d0a93a836d2cd7c2b19d4e37cf78fdd76f809b2ab43b6f562948e8f95efcd52bf73ea5cd6cbe8700305761ea3e2074fc2441175080103cea3127cd654

Download Submit
C:\Windows\system\YjDPEwv.exe

Filesize
5.9MB

MD5
26888fa99c165b1132bc3aa87a648ab0

SHA1
744fbf45b778aa97615258c61f200b9dad8392d4

SHA256
1ec25a740026c7ba97f70a84e11b893f8f472581cef92260e9e1b36b8c602b7e

SHA512
a189b7162e8f65e8b3a1c7c4dadc4d48e77c000921dcd232c464fcee7af4776b9606c84dee967c61bda11ec42a5b8d51b8514e5c5a8e2fa8cf6278c426b5b589

Download Submit
C:\Windows\system\aBFkfKm.exe

Filesize
5.9MB

MD5
b04a5b02280514b507d432e3f9387fee

SHA1
833a2fde0cd40624c1ce9317a677683db211281f

SHA256
f6b7b8011645e1ad2a0b4f5d97ea23fbb4abcb6bbb754e3c99a602eb68f37510

SHA512
08a9725a2506085943e79812f1c5ead0a676768899afdb057e69e65af35a66d0b1682d3a758d3e102adf61f94ab8c31681b06f01c9c751550ef2cd2dd51b3778

Download Submit
C:\Windows\system\cLekQrW.exe

Filesize
5.9MB

MD5
a8b3f2b75503e4eebf57c0a9dd288ecb

SHA1
4dadea003d4cfbe1bf6647e2a09a7852f30e8e19

SHA256
3b51ad8a69790e35a4e6c71a4adddf00b8a0ea7c44ab5c8f4329839662e25761

SHA512
451065dbc2777119e7206ff22b411c4d394bd554e49a18ae6bd29d6eb5bba03fb07fb90991dc75dc2bac38ace742238f4623b2881c59192c7672be62204b636a

Download Submit
C:\Windows\system\feJaqfS.exe

Filesize
5.9MB

MD5
0983deae1d32bc3d1d24b7c562c452b0

SHA1
09809725955f40131819c5c1ba38cd52a810ba4c

SHA256
f6bc3ab6790f820c53070230703cf986b89072e120b5273227cd34886735e6aa

SHA512
3cb121d0dbe9aefc092de90ecb9c86e9a1a4078d0adff5790403e6bf9608081995311c356b06ab9f6fddb1ad2649ae38a49d33c85d3513629a2b4cefdf299e8e

Download Submit
C:\Windows\system\kvCrfiI.exe

Filesize
5.9MB

MD5
abf9358113e33be4d6c009b589f8ae69

SHA1
3db402105d5b2176f6ba4f0b60480d4b914aaece

SHA256
12f686a0b3ea33db45c5703542a80aeba879d47431cb3185269ae075d5d3cec2

SHA512
cb4bcff425f5a3d357cd908fe9d024ebe2efb66d7833a0403bf2ce0e06ab951fec903710a0b453a1bd812539990d188b25432fdb63c2f61aabff5b4c608b3232

Download Submit
C:\Windows\system\lONIjFt.exe

Filesize
5.9MB

MD5
c42675cafc0a9eacb6717615ad01b450

SHA1
ef05157354a4b70ab3196f3de9f4cc868a6035cc

SHA256
61f323da19932aeac4487af1cc9d4b460b3997045964d45a169fb41dc03ea4d4

SHA512
db037d4e9f96b3b58bd5fbe29f22ac3639e27ba00487e348a7af9f1e6286280c12f86bd00ce08403ec1272bec315f5805199d4c9048bd3ae23e5db03d8cd5c19

Download Submit
C:\Windows\system\lxnmROe.exe

Filesize
5.9MB

MD5
5b3f00db340a98dee85465a799394043

SHA1
723fd6128be670f5ded4ea6ac3b0de5ef463b650

SHA256
0457a47797bae7c3302125a0b9061a6c4c5a845af1a9280271332de40991b540

SHA512
e88cb931edfdc57567d3a169089d5d94f12955fdca393125a0aee8098610f148d756a22510c38f0aefc4f631df8d58c9b0e24462ebd7cc381fb0bd36b16af19d

Download Submit
C:\Windows\system\sypUeXQ.exe

Filesize
5.9MB

MD5
811a9c3ce725d83d82909c6c29ec7af4

SHA1
1de47a6168a236c80b770ccf1c6798729382b39b

SHA256
af8d70443fdf90961304ec219b958d8d78803f969a6c6e92388594b4979f0401

SHA512
b9ef3c1a6c7939d9cedf57cc81c7cc8c729b80b39968643cd604993d8f7b5f1c37cb92157120c0a3b2468b2fc455e9fa62057b30713f8f463b9deb44737cec68

Download Submit
\Windows\system\NMXMUHK.exe

Filesize
5.9MB

MD5
0f36dcb536ee56cedac84d8f80cc53d3

SHA1
4c91dd2591973594a40a49aacefba0434a580420

SHA256
10dee26127b8d30a2a4a2fc52eb1a56a5c9e1cbc0f91d2244597b5a0fd56c4ae

SHA512
6ce67ce9044203c9746d77a097e9049dbb71978d489bf6411784b0bbe93afcbe6235f2cc62809c0c6185cf8d4635782e9143a1b495a8a8c19b6e0b814f4cd9a5

Download Submit
\Windows\system\NVUgmvA.exe

Filesize
5.9MB

MD5
375f62a119df0faa9e1cff7846fad0e1

SHA1
b8fce85fa88576fe341a532ecf7f0fcc08b98e54

SHA256
377836f800ea87237c6611c07efe39377e923c19efe66ee9f537ea1ff68c6b2e

SHA512
48aa3fc59e958201294d21824b2675312b7c0f154710908c10f36736f20f5c954abf1e55640011f462ea75ce89566f8ce18b9a78d734e905caae3c5ec79b311b

Download Submit
\Windows\system\PHFfOtP.exe

Filesize
5.9MB

MD5
354e3566abb894524f3107906077b707

SHA1
fb34e9878bd7a9778d1ac192b0e581393565beff

SHA256
42f6b5f8cf0f2224a4fbf55fb2778ce781405a68cf0c7a0e800f09257594bb8b

SHA512
f856b259cf59a7626bce7030d9f93af99d384879a0caa3d0a4611c8a7a5177f6dd31364e5099cd92f8879b88933185883f48f42f0e49ecb415d54b5faa53be0c

Download Submit
\Windows\system\WBheYnB.exe

Filesize
5.9MB

MD5
1aecf3a7b3468a1060cd79c250518331

SHA1
95e1ca30e278b0b3fa914ef64a52224623372370

SHA256
c8c9ee673e6eca4ff54e51c52e4020c85a5ffa98dffc18158efc79194a37003b

SHA512
21edee5bd901449789acb606001edd764e909df43f00786d5b1c8df6d1a2fd15c26bca4dd02aa6280ace5312929df53688cdf2ab9a93671c9252efe5039237ee

Download Submit
\Windows\system\kKvihkh.exe

Filesize
5.9MB

MD5
8cca8df870ed6f1f2df51c50ebb6f03f

SHA1
09f3b8448bdfb38bfb217f1233e57da123196f3a

SHA256
d0f2e3e211b7fb70c97b6148f443d28edef022186c3d7240636a452b3806cd04

SHA512
f738b823d74b5126eb6f1e00a4178319cc1c3fbde97c5278a8a5b0b94ca2e6daf396e5d095f960ee5e00d253229d60817e6ecc95d96c9cd695cc5dbe4c1ca90d

Download Submit
\Windows\system\limhWtn.exe

Filesize
5.9MB

MD5
802348941f7c96011fd67090f1802076

SHA1
179a982c6f3d09b8d5d743ea0da7325581836e8e

SHA256
7c192a8ab024bea0487a246850ff45c685dec15d853150a00309b66964401a97

SHA512
dc8f6a16fb65f41a0834bb414789cc54f9e39f9cec7fa16ddc01e27f5e5412dd6472fb463ba572fff30c70845f239491b3a12e2c3d47f0c9483d2533f0ca3600

Download Submit
memory/1260-148-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1260-162-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1260-100-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-41-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/1736-80-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1736-142-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-36-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1736-73-0x00000000024E0000-0x0000000002834000-memory.dmp

Filesize
3.3MB

Download
memory/1736-8-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/1736-140-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-50-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1736-55-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/1736-26-0x00000000024E0000-0x0000000002834000-memory.dmp

Filesize
3.3MB

Download
memory/1736-14-0x00000000024E0000-0x0000000002834000-memory.dmp

Filesize
3.3MB

Download
memory/1736-60-0x000000013F940000-0x000000013FC94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-93-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1736-27-0x00000000024E0000-0x0000000002834000-memory.dmp

Filesize
3.3MB

Download
memory/1736-0-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/1736-88-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-90-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1736-145-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/1736-144-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1736-91-0x000000013FBE0000-0x000000013FF34000-memory.dmp

Filesize
3.3MB

Download
memory/2104-77-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-153-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2104-25-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-54-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2132-157-0x000000013F180000-0x000000013F4D4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-156-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2140-42-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2140-139-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2172-151-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2172-9-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2244-68-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2244-158-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2244-141-0x000000013F7E0000-0x000000013FB34000-memory.dmp

Filesize
3.3MB

Download
memory/2420-147-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2420-94-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2420-160-0x000000013FC40000-0x000000013FF94000-memory.dmp

Filesize
3.3MB

Download
memory/2524-67-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-20-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2524-152-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-164-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-150-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-102-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-92-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2708-161-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2708-146-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2792-37-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2792-154-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2828-87-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-159-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2828-143-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-155-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-95-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/2848-29-0x000000013F050000-0x000000013F3A4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-101-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-149-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-163-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download