cobaltstrike | 5d05f3b2dd429b8e4ecd0ec2e8c74364174bcdee9a14ab36307f8cf03c2e2b7c

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6ac16a1e63e1c4fd6319ea0cbb7855d6
SHA1

97ece21889d250d2224b78bd9c7fcb1ed71c788c
SHA256

5d05f3b2dd429b8e4ecd0ec2e8c74364174bcdee9a14ab36307f8cf03c2e2b7c
SHA512

ec6cc0c33613d31e199bb8b3ee88a452ae3867cb9bf736204ed5db415f8ea425c9466e9cb88a9780b27dbb31367f4349adb928fa3ffb1aee437c83c8ab65e5f7
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibd56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000018710-3.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019240-5.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019246-20.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001926b-22.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001932d-37.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194cd-45.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c57-59.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3e-55.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001930d-34.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cba-68.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cca-80.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018b68-94.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d8e-98.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dbf-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019f8a-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019f94-118.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a075-121.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a07e-134.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a09e-130.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a359-153.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a307-141.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2056-19-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2088-41-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/1988-57-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/1968-46-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/3008-72-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2080-64-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2632-75-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2752-77-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/2088-84-0x0000000002400000-0x0000000002751000-memory.dmp	xmrig
behavioral1/memory/824-83-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/3028-90-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2088-93-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2656-99-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2088-146-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2936-160-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2088-161-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/2236-162-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/1028-164-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/764-168-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/744-170-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2088-171-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/300-180-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/1976-184-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2252-183-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/340-182-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2004-181-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2824-185-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2088-193-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2056-234-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/1968-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2080-237-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1988-238-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/3008-240-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2632-242-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2752-244-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/824-246-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/3028-249-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2656-251-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2936-255-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2236-257-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/1028-261-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/764-263-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1968	oNGkIzA.exe
2056	OuFcERk.exe
1988	bzxQQqt.exe
2080	HWqXNdA.exe
3008	KCAndYl.exe
2632	XAAPAyf.exe
2752	YHCqygS.exe
824	aZECxBO.exe
3028	dnwCNVi.exe
2656	kcithsi.exe
2936	SAvpnZe.exe
2236	aLMBLpT.exe
1028	ohJeWOq.exe
764	iUzlGKz.exe
744	bTDVSaS.exe
300	EAAoLFG.exe
2004	KamnRYZ.exe
340	vqelqAm.exe
1976	ugDoAMY.exe
2252	ZUKlFqQ.exe
2824	NfHYCbw.exe

Loads dropped DLL 21 IoCs

pid	Process
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2088-0-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/files/0x0008000000018710-3.dat	upx
behavioral1/files/0x0006000000019240-5.dat	upx
behavioral1/memory/2088-6-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1988-21-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/files/0x0006000000019246-20.dat	upx
behavioral1/memory/2056-19-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1968-17-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/files/0x000600000001926b-22.dat	upx
behavioral1/memory/2080-29-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/files/0x000800000001932d-37.dat	upx
behavioral1/memory/2088-41-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/3008-35-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2632-42-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/files/0x00060000000194cd-45.dat	upx
behavioral1/memory/1988-57-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/824-58-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/files/0x0005000000019c57-59.dat	upx
behavioral1/memory/2752-50-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/1968-46-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/files/0x0005000000019c3e-55.dat	upx
behavioral1/files/0x000800000001930d-34.dat	upx
behavioral1/files/0x0005000000019cba-68.dat	upx
behavioral1/memory/3008-72-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/3028-65-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2080-64-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2656-73-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2632-75-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2752-77-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/files/0x0005000000019cca-80.dat	upx
behavioral1/memory/2936-88-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/824-83-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/3028-90-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/files/0x0009000000018b68-94.dat	upx
behavioral1/memory/2236-97-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/2656-99-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/files/0x0005000000019d8e-98.dat	upx
behavioral1/memory/1028-104-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/files/0x0005000000019dbf-105.dat	upx
behavioral1/memory/764-112-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/files/0x0005000000019f8a-113.dat	upx
behavioral1/files/0x0005000000019f94-118.dat	upx
behavioral1/files/0x000500000001a075-121.dat	upx
behavioral1/files/0x000500000001a07e-134.dat	upx
behavioral1/files/0x000500000001a09e-130.dat	upx
behavioral1/memory/2088-146-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/files/0x000500000001a359-153.dat	upx
behavioral1/files/0x000500000001a307-141.dat	upx
behavioral1/memory/2936-160-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2236-162-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/1028-164-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/764-168-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/744-170-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2088-171-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/300-180-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/1976-184-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2252-183-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/340-182-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2004-181-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2824-185-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2088-193-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/2056-234-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1968-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/2080-237-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dnwCNVi.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aLMBLpT.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KamnRYZ.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugDoAMY.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HWqXNdA.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YHCqygS.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aZECxBO.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iUzlGKz.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bTDVSaS.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZUKlFqQ.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OuFcERk.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzxQQqt.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAAPAyf.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vqelqAm.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oNGkIzA.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kcithsi.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SAvpnZe.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NfHYCbw.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCAndYl.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohJeWOq.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EAAoLFG.exe	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2056	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2088 wrote to memory of 2056	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2088 wrote to memory of 2056	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2088 wrote to memory of 1968	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2088 wrote to memory of 1968	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2088 wrote to memory of 1968	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2088 wrote to memory of 1988	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2088 wrote to memory of 1988	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2088 wrote to memory of 1988	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2088 wrote to memory of 2080	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2088 wrote to memory of 2080	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2088 wrote to memory of 2080	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2088 wrote to memory of 3008	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2088 wrote to memory of 3008	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2088 wrote to memory of 3008	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2088 wrote to memory of 2632	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2088 wrote to memory of 2632	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2088 wrote to memory of 2632	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2088 wrote to memory of 2752	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2088 wrote to memory of 2752	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2088 wrote to memory of 2752	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2088 wrote to memory of 824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2088 wrote to memory of 824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2088 wrote to memory of 824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2088 wrote to memory of 3028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2088 wrote to memory of 3028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2088 wrote to memory of 3028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2088 wrote to memory of 2656	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2088 wrote to memory of 2656	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2088 wrote to memory of 2656	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2088 wrote to memory of 2936	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2088 wrote to memory of 2936	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2088 wrote to memory of 2936	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2088 wrote to memory of 2236	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2088 wrote to memory of 2236	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2088 wrote to memory of 2236	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2088 wrote to memory of 1028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2088 wrote to memory of 1028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2088 wrote to memory of 1028	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2088 wrote to memory of 764	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2088 wrote to memory of 764	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2088 wrote to memory of 764	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2088 wrote to memory of 744	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2088 wrote to memory of 744	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2088 wrote to memory of 744	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2088 wrote to memory of 300	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2088 wrote to memory of 300	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2088 wrote to memory of 300	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2088 wrote to memory of 2004	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2088 wrote to memory of 2004	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2088 wrote to memory of 2004	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2088 wrote to memory of 340	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2088 wrote to memory of 340	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2088 wrote to memory of 340	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2088 wrote to memory of 2252	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2088 wrote to memory of 2252	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2088 wrote to memory of 2252	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2088 wrote to memory of 1976	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2088 wrote to memory of 1976	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2088 wrote to memory of 1976	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2088 wrote to memory of 2824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2088 wrote to memory of 2824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2088 wrote to memory of 2824	2088	2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_6ac16a1e63e1c4fd6319ea0cbb7855d6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System\OuFcERk.exe
  C:\Windows\System\OuFcERk.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\oNGkIzA.exe
  C:\Windows\System\oNGkIzA.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\bzxQQqt.exe
  C:\Windows\System\bzxQQqt.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\HWqXNdA.exe
  C:\Windows\System\HWqXNdA.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\KCAndYl.exe
  C:\Windows\System\KCAndYl.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\XAAPAyf.exe
  C:\Windows\System\XAAPAyf.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\YHCqygS.exe
  C:\Windows\System\YHCqygS.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\aZECxBO.exe
  C:\Windows\System\aZECxBO.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\dnwCNVi.exe
  C:\Windows\System\dnwCNVi.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\kcithsi.exe
  C:\Windows\System\kcithsi.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\SAvpnZe.exe
  C:\Windows\System\SAvpnZe.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\aLMBLpT.exe
  C:\Windows\System\aLMBLpT.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\ohJeWOq.exe
  C:\Windows\System\ohJeWOq.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\iUzlGKz.exe
  C:\Windows\System\iUzlGKz.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\bTDVSaS.exe
  C:\Windows\System\bTDVSaS.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\EAAoLFG.exe
  C:\Windows\System\EAAoLFG.exe
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\System\KamnRYZ.exe
  C:\Windows\System\KamnRYZ.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\vqelqAm.exe
  C:\Windows\System\vqelqAm.exe
  2⤵
  - Executes dropped EXE
  PID:340
- C:\Windows\System\ZUKlFqQ.exe
  C:\Windows\System\ZUKlFqQ.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\ugDoAMY.exe
  C:\Windows\System\ugDoAMY.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\NfHYCbw.exe
  C:\Windows\System\NfHYCbw.exe
  2⤵
  - Executes dropped EXE
  PID:2824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KCAndYl.exe

Filesize
5.2MB

MD5
a51a9968d40dc3c56c4c462a9b0c5145

SHA1
04b1f9e7186c4ab478b7561bf2661d774b8e46ad

SHA256
0a2cedb61637ed961a1f425c597325a04f1e4cfdf4ba68502c19c86c36d0f4b6

SHA512
4f0440419265f42bb66c9d32ce486c886bf252d5207c3e0cfc7778b282bc41c35d86fabe73f4c6bd5adaf3bf8d8097315861d1cf0b85f0dc6c502a6c4d35f596

Download Submit
C:\Windows\system\NfHYCbw.exe

Filesize
5.2MB

MD5
4ed0260d87efff1bd74b04722eaa58d3

SHA1
25780dc065d01ac31711d92a44703d62f8623b8d

SHA256
6164208022440d3926b1fb158984fa3214e1123190fee8a4378aab398691d0b8

SHA512
3576e9ef89a9463f337cbf68955b826ac7173f5668913bc5130f09a6adfe2e72eac2c9b4c816722b83640bc178cd23f92dd4152e5145de55d9372b9d0ad58d80

Download Submit
C:\Windows\system\aLMBLpT.exe

Filesize
5.2MB

MD5
292ebab4c2cd257ad1491a02bdda5cc6

SHA1
b9595158bb15c7b0ca3cfe402c6a21857969a57e

SHA256
63dde6d61b98aceb1e579bffacff969e0067c030f1ab674c2bf269f7185a4c7d

SHA512
81f0a173cb3650f4db1684dc6bdc99e5d130241f720a8f6a2630ae6b8d3d0fe06353d7bffd163ee3972d582b78accd946447b5b72f7783e00fce991f6b6f3eae

Download Submit
C:\Windows\system\aZECxBO.exe

Filesize
5.2MB

MD5
b5fcddab61391a94042b76eaeb9c3be6

SHA1
9ee3509fc5305b1d57f32f6f1ee272816b598a07

SHA256
e795e3edb2474308546eeb996b8722262b8c939e12f27883e97c1868b4a630f6

SHA512
d21549e79a8759907946f333b64cf007f46701c910f445a36647116fbc7a3f553ae2c4c256144daf06d04f737e3c18cebf6065d9b4dbb0efc8fceb17561309d3

Download Submit
C:\Windows\system\bzxQQqt.exe

Filesize
5.2MB

MD5
513fe8569cf57f80bc8acdb65635ef57

SHA1
77826497ca14e389dad96fc154163b28ea84fa73

SHA256
7fb1d1a786816cd4c80a4e8ec0d453afdec53e130d354f8e45092302b1185200

SHA512
89dfe49b11552838641c192656e06c62c695a3c97b2a1f8be74a1e25c8dfcafcf558cd6d9a5c93d9b8236f316ab7decae35488d874544aa5eabee213264bc2cd

Download Submit
C:\Windows\system\oNGkIzA.exe

Filesize
5.2MB

MD5
6c3a6383c9db690a537a5d41c1934f35

SHA1
4707e181aa125579685fcda599a169aaa04ff032

SHA256
a6ccb7563bfdec878f8cc144c983a6b4faceb9b0c0785c2ee8f8215bb8709719

SHA512
f56571e48b78ae9c0df28a335438aba3f158eb9ed16948cd6bf59adcf62af8d431933918321065e194e7ab5a818486a42966d8d19c4d13cbd8484e348b75c24a

Download Submit
C:\Windows\system\ugDoAMY.exe

Filesize
5.2MB

MD5
c7fcc1470d79a698abd21a1e0c7e1416

SHA1
f8071989533f5bd445c24fe7c8e86cead2775ab3

SHA256
7a349c2722b8b4c8b802c55d4fc1c03ddcd72f7f64bdd803018b6344cced9198

SHA512
6867ff5cf91b434503b100a29bb79e43f790020dc7437ef3be1de5ac5bc8239843e28841867dc67dbbb0d5985538f9844a0308942cfdee187252eeea8535773c

Download Submit
C:\Windows\system\vqelqAm.exe

Filesize
5.2MB

MD5
3a796988a87e8ea106503c29bd03e737

SHA1
d803fe47bdbeb179225aab026e5dbc0e481f920c

SHA256
92e408d76db4f34673ff59c26d1f4248a543de356f777a2dca8a75916c4d91b1

SHA512
4b0fb43b339de5ac275f7dfd7058c85d8a9c5defa51b36509d641bb9d5c8ebdd61ea8751c20480e9271b4da8448bce37deebe3e144625c0a708fe118e4a64230

Download Submit
\Windows\system\EAAoLFG.exe

Filesize
5.2MB

MD5
4755635dd7b6cca6a05ac45392482748

SHA1
0ddcda043fddba0b13927fd79a6c291615eb09c6

SHA256
aa92d178c003f1b168816a66b34e99defa8039adabf0c31f989d549eca0e4696

SHA512
fe43b407c6e2b4a7628e2034e0b24a061ebd5fb316e4861d52497ccb027027adedb11bdff8f81c0e38b2929305c2b8e1d7a0b532e8fdec8176f01b7db3506145

Download Submit
\Windows\system\HWqXNdA.exe

Filesize
5.2MB

MD5
814b5372ec315182a56b460d5d8681e6

SHA1
c3b5733b0f7fc904dd7523588b0598fe58f0f0bd

SHA256
e38464b5996a727a7225b9e7521508777904f5d9ea71f2d4081d4da87737c719

SHA512
001ecee3b493dbd99101e8626a92bdaa1844c58a047cb1c118a97bdc313004a68d2944525283d8b58e8fddd6afb56f903d67567044351357668e24b9785cc5da

Download Submit
\Windows\system\KamnRYZ.exe

Filesize
5.2MB

MD5
a9eca01f039c314ae65654ce35743d66

SHA1
44f60abccb7a1bee0db48fa41401cdc4bc80d706

SHA256
727a0680c81001dfe2768151a35f62d76abd5693a86a2560d14fe90b6a52cae7

SHA512
b96618f98c221492368de6647f7a789db1e5f5d71c6ad5b8ae9e74f2bb3fdb7da4811ce337595478fa16202d0462d98113e08ed41e54b0e7028c6c1754daabc1

Download Submit
\Windows\system\OuFcERk.exe

Filesize
5.2MB

MD5
51657437bb2f5b70f44ef1a67ca1e37a

SHA1
b1341561e584d72c492309f3de557eb94207c913

SHA256
e322b31a1b2eb9e6e711449b89b1dc86d6e5b4298db5498aaf9a3e63175d25b3

SHA512
ea08c959e919381d15b1d01802ff62a755a965d9dbd495b021fd395e7688a70dab6bcd96fb61a0522656b783dc0946326d337ec4454e9340585ffe45f85f7f98

Download Submit
\Windows\system\SAvpnZe.exe

Filesize
5.2MB

MD5
c80914c14092336b2a5055c2294f295f

SHA1
3a3b2ab5e2367dd315c04c496c321e667ada674a

SHA256
264b206910a9a29a521240a98af4d789daa9914eb9269a45c44b44fe0cd34e58

SHA512
cb078764f1d16de1f1dddc82f0b2c3db761dfb638b75147ddbf9839de807dc95c2edae80235ef0bc22e36f6315bef2bac9af1abad5f2048a14703f213e615680

Download Submit
\Windows\system\XAAPAyf.exe

Filesize
5.2MB

MD5
b439ddc14665fc2269fa02cf457892fa

SHA1
0f458d5257b862a055596fc017fda5e9a16500ce

SHA256
5d03ac2636a94928436e4c1b226301c90576433d9e526323281122940e2d81bf

SHA512
07054221ae1d91dc28421a71fc4ee98e7ae43de92e1ceb39e1372c1f286c1ab9f876e4c9e8309492dcc8ba3035855c2ba15cc1add45a7b51b96d455d7b9e613a

Download Submit
\Windows\system\YHCqygS.exe

Filesize
5.2MB

MD5
f0374d44bd830b8269dfbe72f7d7bbf3

SHA1
edc364dd3913d6009a46d37aa944378d36dc35b3

SHA256
bc5dd9cebd4f3bbd48c153d5a1c38d7d21d33a4a980289bf7e04430f61cba361

SHA512
fef98736d757b5a2dde0fc9493724156d0f985726547f2d78db62758aab4c89c0e6c24d5cc0069ea57362c517090fe2f2dbdfcfec651fcafbd6bc54605b08051

Download Submit
\Windows\system\ZUKlFqQ.exe

Filesize
5.2MB

MD5
dc886df942e33f51a250b8a4ad14370d

SHA1
7ff49f40cae9febfb4e0d69c3b459d20783b3946

SHA256
cec8319d985d81c42299cf7079f96bc9204ef7704aec611fdb3d82c3139c320a

SHA512
febc3bae0a7c389654ac6613d57faa73b38fa717fce0c87069adb53ca4a284888da9961b636c1bbea513d605ecf11b68cf4357139adceed3617c87eec1de75f5

Download Submit
\Windows\system\bTDVSaS.exe

Filesize
5.2MB

MD5
d5862bfbf639c1bf48f77f7238496d96

SHA1
8ea1026949ec8bfd09471db896b9c64f558aba4a

SHA256
ed45860f09ac967e7d68e24f43aac5f7daca6a16442784e7b056c687e9d2deda

SHA512
9f990f22106cc7f44e2cbcae8266fdc70c0c9c056916ac92f64792ce78a2031f66e0ade2279a364523024019faef3cc43071fbbe70b882c69bd323c26a1a2ea2

Download Submit
\Windows\system\dnwCNVi.exe

Filesize
5.2MB

MD5
64ab8895be81efaa1a0214f605bc3376

SHA1
707ec88e40f0d177255ba47a1cedc1e02266bf37

SHA256
1a38727dcb2b0912d9ebbcc1d84edb7516887fdf9bb993381a28814d11d07781

SHA512
85aec3f642fa563b27e4917aa36a44efd4a6e78f4491119391874101b7153f7c62a4bf0a4c52cdd6d7a7cca7c85f9973a0247f7b25778cafc50b2bc087a7d533

Download Submit
\Windows\system\iUzlGKz.exe

Filesize
5.2MB

MD5
a70365711319d3829e0fb14f639e7fcc

SHA1
fb47d9394bb17b581df16877e80af53b1570b3dc

SHA256
c751f9856680a889b15430b4bd20d3596a2b23446b07e5e8572a12e569747cd7

SHA512
73474cd9befae42fcbdfd03bda7a21ef11263adac6c6879fd458fa80c57d50213c31f8e263a9c46925bb1fe41abafd24e534e2f6aa162a77782901c344ee9e63

Download Submit
\Windows\system\kcithsi.exe

Filesize
5.2MB

MD5
60ebb0a6c00597a0fbed419a50628054

SHA1
54e973aa0da0395fc9fa1c66d351067081b7a572

SHA256
d89a9f44decddfe7a4f4648d6c3e19c01562e920f298b971e0812e8ee45aa62b

SHA512
013a06594bb9eabbe9222fcfca69a6522e60fba390d4b387fa0c2c3e1ce8c76faf12cb3c3a6995665591d80a645deb553cb8eed1f01f8fbc693b9ed955b1a053

Download Submit
\Windows\system\ohJeWOq.exe

Filesize
5.2MB

MD5
30d0c2db061ca26067d04db107f603c9

SHA1
fd54fcf4e31f898c47707354b01cdd325d8c723d

SHA256
c3be3ce8ea0f74a706d719a85ed216e59dc905c951a3aa233ff5365dbaa7cad4

SHA512
319c8510fb4b79b90117d6660456ee54d7c0250c96aa0a67ac83f41a5118ecd3139e4bec4d86900826a95c12f423947e201bea762715800943fec44566dfa119

Download Submit
memory/300-180-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/340-182-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/744-170-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/764-168-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/764-112-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/764-263-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/824-58-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/824-83-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/824-246-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1028-104-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1028-164-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1028-261-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1968-233-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1968-46-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1968-17-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/1976-184-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-57-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-238-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-21-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-181-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-234-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2056-19-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2080-29-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2080-237-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2080-64-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2088-95-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-41-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-93-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2088-100-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2088-0-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-6-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2088-108-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-84-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-23-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-86-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2088-115-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-14-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-78-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-76-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2088-193-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-146-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-152-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-69-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-56-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-60-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2088-161-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2088-38-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-163-0x0000000002400000-0x0000000002751000-memory.dmp

Filesize
3.3MB

Download
memory/2088-171-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2088-31-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-97-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2236-162-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2236-257-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2252-183-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2632-75-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-42-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-242-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-73-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2656-251-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2656-99-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2752-50-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2752-77-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2752-244-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2824-185-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2936-160-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-88-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2936-255-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-240-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-35-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-72-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-249-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/3028-90-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/3028-65-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download