cobaltstrike | da57c78e16e538c54d1060d07b21200ee3f67996073fabf35b23ca9b0e58bab1

Analysis

max time kernel
146s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
14-12-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

63aca0f86e1e0ba50843f68f1421b223
SHA1

5fa3daf44d87ad19861341c4ccff8d857f488d6e
SHA256

da57c78e16e538c54d1060d07b21200ee3f67996073fabf35b23ca9b0e58bab1
SHA512

8fecbdecfaecf83250496d1c4803f261be51f0372a556a57a84df370f7d0ea8c03d2492ba0e26a9950221209fc92ec325d25e2ea70056330d5afb649728f1715
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fe-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019c57-5.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019cba-10.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019d8e-27.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019f8a-36.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4d7-62.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4db-77.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4e0-92.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4e2-98.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ed-119.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ef-120.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4eb-114.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4e8-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4e6-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4e4-103.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4de-84.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4d9-72.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4d5-60.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001a075-52.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019f94-47.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019dbf-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2976-21-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/1612-144-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2796-53-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2188-44-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2308-40-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/580-150-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2308-146-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/1504-165-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2032-164-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/1976-163-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2444-162-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1348-159-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2740-158-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2764-157-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2684-156-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2860-155-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/3008-154-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2852-153-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2236-152-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2212-151-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2996-169-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2752-168-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/1084-167-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2308-170-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2976-227-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2188-228-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2796-230-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2212-244-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2852-245-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1348-251-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/580-253-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2236-258-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2684-264-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2740-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/3008-261-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2764-249-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2860-247-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/1612-270-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2188	mBsiArT.exe
2976	DNyIpOa.exe
2796	NfFQTGl.exe
2212	ZDyapMX.exe
2236	LeyRvKI.exe
2852	eSkMPXK.exe
3008	OUtRKKy.exe
2860	xgFebob.exe
2684	tjdAUZY.exe
2764	Bhlznzn.exe
2740	zIDANCX.exe
1348	sPxKiQi.exe
1612	hiHkBOW.exe
580	HvfHHkc.exe
2444	sRAZkwr.exe
1976	DdHUfvd.exe
2032	CToTwvq.exe
1504	MFEinHq.exe
1084	aWXxVFy.exe
2752	dDxZNbE.exe
2996	ctlNRkr.exe

Loads dropped DLL 21 IoCs

pid	Process
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2308-0-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-3.dat	upx
behavioral1/files/0x0007000000019c57-5.dat	upx
behavioral1/files/0x0007000000019cba-10.dat	upx
behavioral1/memory/2308-8-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2796-22-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2976-21-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2188-18-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/files/0x0006000000019d8e-27.dat	upx
behavioral1/memory/2212-28-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/files/0x0006000000019f8a-36.dat	upx
behavioral1/memory/2852-41-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2236-35-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/3008-48-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2860-54-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/files/0x000500000001a4d7-62.dat	upx
behavioral1/files/0x000500000001a4db-77.dat	upx
behavioral1/files/0x000500000001a4e0-92.dat	upx
behavioral1/files/0x000500000001a4e2-98.dat	upx
behavioral1/files/0x000500000001a4ed-119.dat	upx
behavioral1/files/0x000500000001a4ef-120.dat	upx
behavioral1/files/0x000500000001a4eb-114.dat	upx
behavioral1/files/0x000500000001a4e8-111.dat	upx
behavioral1/files/0x000500000001a4e6-106.dat	upx
behavioral1/files/0x000500000001a4e4-103.dat	upx
behavioral1/memory/580-93-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/1612-85-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/files/0x000500000001a4de-84.dat	upx
behavioral1/memory/2740-73-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/1348-78-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/files/0x000500000001a4d9-72.dat	upx
behavioral1/memory/2764-66-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2684-61-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/files/0x000500000001a4d5-60.dat	upx
behavioral1/memory/1612-144-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2796-53-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/files/0x000800000001a075-52.dat	upx
behavioral1/files/0x0008000000019f94-47.dat	upx
behavioral1/memory/2188-44-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/files/0x0006000000019dbf-34.dat	upx
behavioral1/memory/2308-40-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/580-150-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2308-146-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/1504-165-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2032-164-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/1976-163-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2444-162-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/1348-159-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2740-158-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2764-157-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2684-156-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2860-155-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/3008-154-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2852-153-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2236-152-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2212-151-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2996-169-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2752-168-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/1084-167-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2308-170-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2976-227-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2188-228-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2796-230-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2212-244-0x000000013F720000-0x000000013FA71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\eSkMPXK.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgFebob.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ctlNRkr.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NfFQTGl.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Bhlznzn.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIDANCX.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sRAZkwr.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dDxZNbE.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DNyIpOa.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LeyRvKI.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hiHkBOW.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DdHUfvd.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MFEinHq.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mBsiArT.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZDyapMX.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OUtRKKy.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tjdAUZY.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sPxKiQi.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HvfHHkc.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CToTwvq.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWXxVFy.exe	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 2976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 2976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2308 wrote to memory of 2188	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2188	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2188	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2308 wrote to memory of 2796	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 2796	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 2796	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2308 wrote to memory of 2212	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 2212	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 2212	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2308 wrote to memory of 2236	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 2236	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 2236	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2308 wrote to memory of 2852	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 2852	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 2852	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2308 wrote to memory of 3008	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 3008	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 3008	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2308 wrote to memory of 2860	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2860	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2860	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2308 wrote to memory of 2684	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 2684	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 2684	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2308 wrote to memory of 2764	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 2764	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 2764	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2308 wrote to memory of 2740	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 2740	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 2740	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2308 wrote to memory of 1348	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 1348	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 1348	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2308 wrote to memory of 1612	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 1612	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 1612	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2308 wrote to memory of 580	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 580	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 580	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2308 wrote to memory of 2444	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 2444	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 2444	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2308 wrote to memory of 1976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 1976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 1976	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2308 wrote to memory of 2032	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 2032	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 2032	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2308 wrote to memory of 1504	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 1504	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 1504	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2308 wrote to memory of 1084	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 1084	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 1084	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2308 wrote to memory of 2752	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 2752	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 2752	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2308 wrote to memory of 2996	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2308 wrote to memory of 2996	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2308 wrote to memory of 2996	2308	2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_63aca0f86e1e0ba50843f68f1421b223_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System\DNyIpOa.exe
  C:\Windows\System\DNyIpOa.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\mBsiArT.exe
  C:\Windows\System\mBsiArT.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\NfFQTGl.exe
  C:\Windows\System\NfFQTGl.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\ZDyapMX.exe
  C:\Windows\System\ZDyapMX.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\LeyRvKI.exe
  C:\Windows\System\LeyRvKI.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\eSkMPXK.exe
  C:\Windows\System\eSkMPXK.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\OUtRKKy.exe
  C:\Windows\System\OUtRKKy.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\xgFebob.exe
  C:\Windows\System\xgFebob.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\tjdAUZY.exe
  C:\Windows\System\tjdAUZY.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\Bhlznzn.exe
  C:\Windows\System\Bhlznzn.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\zIDANCX.exe
  C:\Windows\System\zIDANCX.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\sPxKiQi.exe
  C:\Windows\System\sPxKiQi.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\hiHkBOW.exe
  C:\Windows\System\hiHkBOW.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\HvfHHkc.exe
  C:\Windows\System\HvfHHkc.exe
  2⤵
  - Executes dropped EXE
  PID:580
- C:\Windows\System\sRAZkwr.exe
  C:\Windows\System\sRAZkwr.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\DdHUfvd.exe
  C:\Windows\System\DdHUfvd.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\CToTwvq.exe
  C:\Windows\System\CToTwvq.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\MFEinHq.exe
  C:\Windows\System\MFEinHq.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\aWXxVFy.exe
  C:\Windows\System\aWXxVFy.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\dDxZNbE.exe
  C:\Windows\System\dDxZNbE.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\ctlNRkr.exe
  C:\Windows\System\ctlNRkr.exe
  2⤵
  - Executes dropped EXE
  PID:2996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CToTwvq.exe

Filesize
5.2MB

MD5
6a4057f277dae9e5655272fed7c9a2e2

SHA1
24b2a54a36816af644765a1607bb4f91a7db8c9b

SHA256
3ae56cdbcc756409f69976d7ac83f9b39525be6c9c94aed0fbcdcf02c3657738

SHA512
8ec9d2c744ec00ae00f6c718038ea3fc920512460caa6bced3629c2df93fd169fc1e5ecdbcdfe0408a5bab297cfe665234918fefa1d456eb3e7ce645f5559c9a

Download Submit
C:\Windows\system\DdHUfvd.exe

Filesize
5.2MB

MD5
dae69d3eb65f48821c69207291e11bff

SHA1
9a888627d6c6641ca322a0ea0bedac322d37922a

SHA256
3b52fc3ad0d29df6b442dab90b17f730856a617823f1ed01b6688aa5bd8a6016

SHA512
84c9d85235a44cbe671ef85b82f05d5d786889a28c416d143300694f82cad836706b930b74f72531194d97172c9ff19750f385a337e0cd11929ee304021226be

Download Submit
C:\Windows\system\HvfHHkc.exe

Filesize
5.2MB

MD5
4f6528ea64307ef1882e42606b857e8f

SHA1
3207667d154eb907cd28b1e5b1c1ad04f15db9f9

SHA256
fbe2468ab46933facbe7a4f23644896a7c25c4d63d23e19a765c08271523c4d3

SHA512
15595d590833c2bfe63174f23920501c43469f808423adf0816574c8307f63f4b3c29fccb26e03bb837f046d7f41a44f1fc06e06cfe811c35271d566b8c220d5

Download Submit
C:\Windows\system\LeyRvKI.exe

Filesize
5.2MB

MD5
953bea1d355c3c3621968f3c22e7e7d5

SHA1
b72472f0039b9020fbd6aeda51f52b8c3afa6c37

SHA256
8f7538f223bf8dbb4de8c41108d783c030cfac2b8f5b2b778e967f4e1e8c2f38

SHA512
1407a0801d81fdd06e2fd1378804c79d277a30de12d0e93c022ed7cc98333cc5f243dfe94beb77cffc01137b5a9ef8669e9385d6582d1f22092ce6062a5c5dc1

Download Submit
C:\Windows\system\MFEinHq.exe

Filesize
5.2MB

MD5
ab25b8ffc156e0c6f2e5949190703f7e

SHA1
673b097d2703ebe7e9203de9370dc278d3abe22a

SHA256
c69eadbf4ce45f534552becd7d1edcd5257415bd87f92c0fdb22295cfefc5cda

SHA512
82a0344572edba4cc54e7150bab06f538e64b9abcbf2b766be418f6fac14fec7cb4fdaf16f1d3b8fab0fd84311aff506c4b9313679a24a2846a2e5f48ab59f03

Download Submit
C:\Windows\system\OUtRKKy.exe

Filesize
5.2MB

MD5
df3964255a0ae063b3c724636dbbcc8e

SHA1
4290bded454ebb5a499e526437044443682f21cb

SHA256
737fd2e90791c91e92a25e7458ddf3cc2810e3d5c4debff34f4cb4ff7d405381

SHA512
c4dcde1c708be4611d204bd60c93e908f8c297e53ee9eddd2e788223cf1783d4dbfdac7c135da101286c4701fc62d1c1e1f850ac6823aef3bcb0c10ad579fd7d

Download Submit
C:\Windows\system\ZDyapMX.exe

Filesize
5.2MB

MD5
eada35b84e77e5f60871d35a54ad9bdd

SHA1
297dc150b4bf13d0caec5134fc95edb7e6f5f453

SHA256
35641257db14695f745cc7a186fcadcf01394e70bc9baceb29a459abbcb94bdd

SHA512
0d95b456d9ad03ea98f2206731a53d3e9d72c6774c4a5b65c9c98bab0b55c59949d43b6c8b2dd7fdba657f0fa02a5619b085c3a0d3f6bbdff0826813b2478f1c

Download Submit
C:\Windows\system\aWXxVFy.exe

Filesize
5.2MB

MD5
75190a6954527830a2da98511ce818de

SHA1
20f7b8dd7893e7800541cdfe6bb92e7739ce4231

SHA256
dfe63cb7c1cb0b249467f6f29f6cb5fd8a34fee79c97fc1fec156c3566aabd51

SHA512
458320a8a48be6b24cf492bb4178778664de5e38739818fc394d14722938ef74633d0f07cc6a8251245c832c26f883ed7fb9a5d2fc89b65986627868e5d89db8

Download Submit
C:\Windows\system\dDxZNbE.exe

Filesize
5.2MB

MD5
febbd8fa0d84db69a218e2c7eb0a442b

SHA1
3af738191b7580a16357361cbc7aaba2c63a291f

SHA256
a65f57eeb0d14622eaeeebdfa8ffff66ceb1b08997dce005cf109d488debbf89

SHA512
08e67ee379aa4c3b1bfeaadc9b95712b2b6cc26f3b8611a55b76354dc1d18046b2db4bb14c5e7c5cf43bcd0a261b0418ab45d63dec529ebf3bf14ce3e3bbdc1d

Download Submit
C:\Windows\system\hiHkBOW.exe

Filesize
5.2MB

MD5
b2abed8457864cd658dcd522b416265a

SHA1
1b12f58ca3c89a40faeaa4372dc9c009afad4f42

SHA256
ef74a7212b654a73d7f2972e953c72ddfd8250d385aaa419c5985331a75a4f46

SHA512
77c7a44baa53b6d830b64d5bb8f35ebc3b183c757893025f4c70823f576bb859fc2561f6ae0c07d3ce3c904550a8e20e52d2762dce0b7608ded9b177afcd597b

Download Submit
C:\Windows\system\mBsiArT.exe

Filesize
5.2MB

MD5
d05f70b3e2fefbca438d60d6eaa8f3c1

SHA1
1c8d4f1c3c09f7bbb9b81a82ec53f40f3a8432f4

SHA256
3882feddf7090d9c68f604ec7b03c100c7a3bbf792ed321ce71bbe4d64c28c49

SHA512
ec1172319d5a2f2df85bcfa1f3553ce8117884bb0792cdf6c6e9e881d2607279cf4206400a93567f8267f793575c7c11af24a6e6a80d085f6f2bf8726aedec83

Download Submit
C:\Windows\system\sPxKiQi.exe

Filesize
5.2MB

MD5
0bb28ceda38c01cfb8eefded0e4005d5

SHA1
ccd0a61e8e1add340b7d34bc97b8c8b0ccf58744

SHA256
91005b58c704137404b5b337fa5ded06cf44a203f07f3443c25e33c2127a1ee8

SHA512
07c839236518262af91730fb2b627221145416df617c9b7158de6a1b2b9c849aaf967a7055913be97f14ba806f607df24f2a5f75bb7ae32ae72558ee2ed07ba3

Download Submit
C:\Windows\system\sRAZkwr.exe

Filesize
5.2MB

MD5
97c835546f71f78cb910ede2540c2e8a

SHA1
2245f2036582b9fa6a43285eddb1f0e472b0f013

SHA256
99d45c1fb38bc80e49efc4326f26f48df180a02575d3b7e8e1f93eadb2dcb2e5

SHA512
7f963d6a22d4a8c7e797db805b52b9da29f331c3dc8f7efbbebd0e2ab517c8c06e0d81cf248244a6895c4ffe3ac5a5c2a4364b24ed8ec648c35604b54018f8dd

Download Submit
C:\Windows\system\tjdAUZY.exe

Filesize
5.2MB

MD5
ce8d28cc9ce9e9adc61842e6d4cf8a3c

SHA1
550206644d208705bf3239244338286b63884532

SHA256
5f0844b412bbde76fc4cf85aa94d1f5dae8b24e2f55b050a50568a62f33667cb

SHA512
ea8cd9cf8bb64eecf413ac0c8135235c36ed17797b2b63b995cbc7d9f8d0070c7b946a88030cb3e6844585acd5f60786b0a1b9fd718792ade6672115216d91f9

Download Submit
C:\Windows\system\xgFebob.exe

Filesize
5.2MB

MD5
a348c3dc092990b07d4485e139c494f2

SHA1
4eba5152357990c9d9861892eb575b4c376c6277

SHA256
c4eeeaffc548b8acb4894a00a6075f7891e91b29218cd60eba31cdb22c02a8ed

SHA512
f46eb1a068976a881c6bbc65a9e645b38e7718a456a4ed54b90d891966d087e8c7f764d56e5cb8ea685871ca30087918fd456c62cfec98162e6894285076742f

Download Submit
C:\Windows\system\zIDANCX.exe

Filesize
5.2MB

MD5
78a64cff0586f7051b2da163ea0c341c

SHA1
1a88ae519806be29af2a3c391b3a71a79dfcc275

SHA256
48f281591e3fe3975e97f467a9c15c6339cb35f7ff9dd55f397bcb27489c491d

SHA512
ba0abaa63f4e0168dbd87097ac865e96a65f5dd926bc3fc263dd78d39675d2c55cd4048d63879bf432096be784708185f9c3c8f657332ad5e65edf874dc01f2e

Download Submit
\Windows\system\Bhlznzn.exe

Filesize
5.2MB

MD5
ff333bc002898fd0f9037f19dabbd803

SHA1
a3bfca5590b830e93d3bf545e04a1e84a00249fc

SHA256
7baf33124e5f624f1303634fbe5c8cdf746a236f4312e692e88f78a86064c667

SHA512
ca78d60b8fa4aa46a9492be35e3727d992803e7ed1a8c1d2f718d7ec310b41ade4dfe8cdf6cf1d60ed8815a2d5d2bf0ab52bf5d7cd56b815bb95cc1b0b9ead31

Download Submit
\Windows\system\DNyIpOa.exe

Filesize
5.2MB

MD5
58b01d580201c2ef086aaf9db87e2905

SHA1
b3e2c026393f4bda20c404646082ffe989b83af8

SHA256
7c6557c3caec56bdd5ec7ef88cd737618a4c3bb65cf83adc2e99a534931aa5bf

SHA512
645e83c6f2d0439e0ae887070e20c97337bfac7a84127d677c3b0e9b103c1583e9cfc942598ed66bd3b50e0da0317461d0fd16b2c941e74692ce84fc799ce84a

Download Submit
\Windows\system\NfFQTGl.exe

Filesize
5.2MB

MD5
9aeac38938e601edfefdea21142de48b

SHA1
32e7765a1416db18c04aa9ab30a389a4a6fb492f

SHA256
7a4ecebb2d066a4fbb7a05fc7dbbd1b074ac346358e354f0d249ba1abd9c6b4b

SHA512
4eddf3c295021aa2366b81155753cfe4bc2a273f4454911668ccc5c6c6ffeefc9e34b5ffe3a5f30dd9c0dc85918473307a175bbcf23d504dceb9fac15a5fe51b

Download Submit
\Windows\system\ctlNRkr.exe

Filesize
5.2MB

MD5
94f5ec43c3857036a5905b17d08b2cc7

SHA1
79c2732d7babcda85601e76896c41c15665a56d2

SHA256
fd76f32443e501976e38c003dd5973c81c6d8309415231fbdea909da37c28b2c

SHA512
8b1572a8b2c7c971f77fd2a7745f6cb620c422fce66f8c6f7f4bcd09b105096e8f8a09e8a49e4f1bb749fb4f2378410c376b82a6526dfafa16dac90e9909105a

Download Submit
\Windows\system\eSkMPXK.exe

Filesize
5.2MB

MD5
d747dfac8d49c07f72a4fa013e78f816

SHA1
cb4ab69dee1eed623d948548e5fbd9d2dd1f3417

SHA256
2cf32ee6baf5b923b7e51eb9f55d2a84de740d635947da6c8f323cfd79fb5e58

SHA512
2437d3766375086d1e64a0a91acced60b0e46eacc274d5c10570245dd8fbf766fb080bca921978324a14da3e6093c59318efc4b48224394cd92fb0a999b7da5f

Download Submit
memory/580-253-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/580-93-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/580-150-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/1084-167-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/1348-78-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1348-159-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1348-251-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/1504-165-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1612-85-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/1612-144-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/1612-270-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/1976-163-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2032-164-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2188-44-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2188-228-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2188-18-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2212-151-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2212-28-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2212-244-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2236-152-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2236-35-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2236-258-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2308-63-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-124-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-143-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2308-0-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-24-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2308-75-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-57-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2308-170-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-13-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-81-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2308-50-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2308-82-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-69-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-145-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-88-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2308-31-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-40-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-37-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-89-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-146-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-166-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2308-95-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-96-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2308-123-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2308-19-0x00000000022D0000-0x0000000002621000-memory.dmp

Filesize
3.3MB

Download
memory/2308-8-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2444-162-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2684-156-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2684-264-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2684-61-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2740-158-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-263-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-73-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2752-168-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-157-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-66-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-249-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-230-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-53-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-22-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-153-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2852-245-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2852-41-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2860-155-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2860-54-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2860-247-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2976-21-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2976-227-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2996-169-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/3008-154-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-261-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/3008-48-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download