cobaltstrike | 5ad056eec7cd77089a95f73a6a2cdfbaae92241907a995cd776d06498a9178f3

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

04fbbd1877a49fcce7ace3cbafa9b7d2
SHA1

6360ebc9dbf194c2fd4bb30e179fef0e0b849b8a
SHA256

5ad056eec7cd77089a95f73a6a2cdfbaae92241907a995cd776d06498a9178f3
SHA512

a083da61f73bf95a100f075a8dfc69778849451fea795878f2d7d79f1314cb26ac3aef8a521df34386267fb9550f0e052ba848f48e995dc0202c62c7086855d3
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lL:RWWBib+56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012261-3.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001706d-15.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f1-20.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016eca-10.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016dd1-36.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173f4-33.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000173fc-45.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017472-52.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-72.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019244-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019266-95.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001928c-112.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001937b-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019397-135.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001936b-127.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019356-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019353-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019284-107.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019263-92.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019256-89.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017487-86.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/1224-14-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/1708-40-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/3020-44-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/1708-67-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/3064-59-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2696-58-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2780-90-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2648-81-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2132-79-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2604-141-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/1708-96-0x0000000002310000-0x0000000002661000-memory.dmp	xmrig
behavioral1/memory/2376-63-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/1708-56-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2128-53-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2548-148-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/1708-143-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2984-152-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1660-153-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2708-156-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1736-166-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/1700-165-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/1560-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2760-162-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2068-163-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/1996-168-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/1664-169-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/1708-170-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/1224-222-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/3020-221-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/3064-225-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2128-226-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2132-230-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2780-232-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2376-242-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2696-243-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2648-245-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2604-255-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2548-257-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/1660-259-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2984-261-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2708-271-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3020	FAfxDuB.exe
1224	GFIsqDr.exe
2128	bGPXFVd.exe
3064	DWyhIvK.exe
2132	QYWdhnk.exe
2780	sCMLokL.exe
2696	IyicKkd.exe
2376	ioruWGw.exe
2648	XeJTMTt.exe
2604	eIyhgcI.exe
2708	HAekNOT.exe
2548	SWxmHiG.exe
2984	sTHYeJn.exe
1660	krsIIgT.exe
2760	RBeYQpj.exe
2068	ZqaggTh.exe
1560	EIswOhh.exe
1700	yOwcDsF.exe
1736	OnRpAnz.exe
1996	RePFcnv.exe
1664	SlQWtdf.exe

Loads dropped DLL 21 IoCs

pid	Process
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1708-0-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/files/0x000c000000012261-3.dat	upx
behavioral1/memory/1224-14-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/3020-13-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/files/0x000800000001706d-15.dat	upx
behavioral1/files/0x00070000000173f1-20.dat	upx
behavioral1/memory/3064-27-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2128-24-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/files/0x0008000000016eca-10.dat	upx
behavioral1/files/0x0009000000016dd1-36.dat	upx
behavioral1/memory/2132-34-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/files/0x00070000000173f4-33.dat	upx
behavioral1/memory/2780-42-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/1708-40-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/3020-44-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/files/0x00070000000173fc-45.dat	upx
behavioral1/files/0x0008000000017472-52.dat	upx
behavioral1/files/0x0005000000019259-72.dat	upx
behavioral1/files/0x0005000000019244-64.dat	upx
behavioral1/memory/3064-59-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2696-58-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x0005000000019266-95.dat	upx
behavioral1/memory/2984-93-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x000500000001928c-112.dat	upx
behavioral1/files/0x000500000001937b-132.dat	upx
behavioral1/files/0x0005000000019397-135.dat	upx
behavioral1/files/0x000500000001936b-127.dat	upx
behavioral1/files/0x0005000000019356-122.dat	upx
behavioral1/files/0x0005000000019353-117.dat	upx
behavioral1/files/0x0005000000019284-107.dat	upx
behavioral1/files/0x0005000000019263-92.dat	upx
behavioral1/memory/2548-91-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2780-90-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/files/0x0005000000019256-89.dat	upx
behavioral1/memory/2708-87-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/files/0x0008000000017487-86.dat	upx
behavioral1/memory/2604-85-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2648-81-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/2132-79-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2604-141-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/1660-100-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2376-63-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2128-53-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2708-142-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2548-148-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/1708-143-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2984-152-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/1660-153-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2708-156-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1736-166-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/1700-165-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/1560-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2760-162-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2068-163-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/1996-168-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/1664-169-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/1708-170-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/1224-222-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/3020-221-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/3064-225-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2128-226-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2132-230-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2780-232-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/memory/2376-242-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FAfxDuB.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DWyhIvK.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XeJTMTt.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eIyhgcI.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZqaggTh.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SlQWtdf.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sTHYeJn.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yOwcDsF.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFIsqDr.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bGPXFVd.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sCMLokL.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ioruWGw.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IyicKkd.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAekNOT.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RePFcnv.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBeYQpj.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYWdhnk.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SWxmHiG.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\krsIIgT.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EIswOhh.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OnRpAnz.exe	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 3020	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1708 wrote to memory of 3020	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1708 wrote to memory of 3020	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1708 wrote to memory of 1224	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1708 wrote to memory of 1224	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1708 wrote to memory of 1224	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1708 wrote to memory of 2128	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1708 wrote to memory of 2128	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1708 wrote to memory of 2128	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1708 wrote to memory of 3064	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1708 wrote to memory of 3064	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1708 wrote to memory of 3064	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1708 wrote to memory of 2132	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1708 wrote to memory of 2132	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1708 wrote to memory of 2132	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1708 wrote to memory of 2780	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1708 wrote to memory of 2780	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1708 wrote to memory of 2780	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1708 wrote to memory of 2376	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1708 wrote to memory of 2376	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1708 wrote to memory of 2376	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1708 wrote to memory of 2696	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1708 wrote to memory of 2696	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1708 wrote to memory of 2696	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1708 wrote to memory of 2708	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1708 wrote to memory of 2708	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1708 wrote to memory of 2708	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1708 wrote to memory of 2648	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1708 wrote to memory of 2648	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1708 wrote to memory of 2648	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1708 wrote to memory of 2548	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1708 wrote to memory of 2548	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1708 wrote to memory of 2548	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1708 wrote to memory of 2604	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1708 wrote to memory of 2604	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1708 wrote to memory of 2604	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1708 wrote to memory of 2984	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1708 wrote to memory of 2984	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1708 wrote to memory of 2984	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1708 wrote to memory of 1660	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1708 wrote to memory of 1660	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1708 wrote to memory of 1660	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1708 wrote to memory of 2760	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1708 wrote to memory of 2760	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1708 wrote to memory of 2760	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1708 wrote to memory of 2068	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1708 wrote to memory of 2068	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1708 wrote to memory of 2068	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1708 wrote to memory of 1560	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1708 wrote to memory of 1560	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1708 wrote to memory of 1560	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1708 wrote to memory of 1700	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1708 wrote to memory of 1700	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1708 wrote to memory of 1700	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1708 wrote to memory of 1736	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1708 wrote to memory of 1736	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1708 wrote to memory of 1736	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1708 wrote to memory of 1996	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1708 wrote to memory of 1996	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1708 wrote to memory of 1996	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1708 wrote to memory of 1664	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1708 wrote to memory of 1664	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1708 wrote to memory of 1664	1708	2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_04fbbd1877a49fcce7ace3cbafa9b7d2_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\System\FAfxDuB.exe
  C:\Windows\System\FAfxDuB.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\GFIsqDr.exe
  C:\Windows\System\GFIsqDr.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\bGPXFVd.exe
  C:\Windows\System\bGPXFVd.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\DWyhIvK.exe
  C:\Windows\System\DWyhIvK.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\QYWdhnk.exe
  C:\Windows\System\QYWdhnk.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\sCMLokL.exe
  C:\Windows\System\sCMLokL.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\ioruWGw.exe
  C:\Windows\System\ioruWGw.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\IyicKkd.exe
  C:\Windows\System\IyicKkd.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\HAekNOT.exe
  C:\Windows\System\HAekNOT.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\XeJTMTt.exe
  C:\Windows\System\XeJTMTt.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\SWxmHiG.exe
  C:\Windows\System\SWxmHiG.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\eIyhgcI.exe
  C:\Windows\System\eIyhgcI.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\sTHYeJn.exe
  C:\Windows\System\sTHYeJn.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\krsIIgT.exe
  C:\Windows\System\krsIIgT.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\RBeYQpj.exe
  C:\Windows\System\RBeYQpj.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\ZqaggTh.exe
  C:\Windows\System\ZqaggTh.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\EIswOhh.exe
  C:\Windows\System\EIswOhh.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\yOwcDsF.exe
  C:\Windows\System\yOwcDsF.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\OnRpAnz.exe
  C:\Windows\System\OnRpAnz.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\RePFcnv.exe
  C:\Windows\System\RePFcnv.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\SlQWtdf.exe
  C:\Windows\System\SlQWtdf.exe
  2⤵
  - Executes dropped EXE
  PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EIswOhh.exe

Filesize
5.2MB

MD5
61272887a173a4e4f7065ff2ef6bead3

SHA1
8cdfa6c17dd71148908b2d116037d388df427f5f

SHA256
b17c1922a9a9e2c444b607aef1845c9d9341b95b424a1a85db84d2a112b6043a

SHA512
6ac9b1024812073fc6b2bf6fa497bc669847d8f571524bd510ae5f082c12cdc4a7a69419cc3736acf78ef4a528fbc8913f9c3a7dfb7c8b09467f342d8b549702

Download Submit
C:\Windows\system\GFIsqDr.exe

Filesize
5.2MB

MD5
ea1979d92d736b070714cc3f8d01ff19

SHA1
5e816370bc36bccdec3be5c46bbbe0c177762c99

SHA256
eba8b3aae1fdb1465365eb9b584f35af3162809218d80c12b787791ba4a6bbcd

SHA512
d838042fdfc99c67ebd5fb3f2abddfd98ca9e5caa2a190286d18390e72c9d4e3e5f54c5fa056c71f73680fbb0408628c0b3fdecee66718dbc140ece91454397f

Download Submit
C:\Windows\system\HAekNOT.exe

Filesize
5.2MB

MD5
9e3e4e3de79eadc50910f4a42f6ec9e4

SHA1
2612cb198796184558e9a1be7857a24f422d6a22

SHA256
f5971c96b52a9c6b5c6efc6126ce72333ecce0cca381e39b8aa9d581f7e511d6

SHA512
b1276b276f577c695b13c2c873a776de5a56a8e5747ad85aebcb3f8aa67b5580503c0fe95a32f5e965b0495afc9ebf6acdc5bdd551dde5a282533aabf51f4c2c

Download Submit
C:\Windows\system\IyicKkd.exe

Filesize
5.2MB

MD5
56fefce18c74a6306814724f9c82d090

SHA1
85854dcdf3ea02453ddc4db9c91dff53949a0f64

SHA256
4c1a1c255cfc118bdc2cd9da589d799377f516413ac1ac3329131563912afa2f

SHA512
ce6be4600cac9fd22c792ed41b1b64fa140547d801296faa604d1ef6375071c8c065880278be43acce4cc381e9364dde427167b36c86d35281779f7e05e179a3

Download Submit
C:\Windows\system\OnRpAnz.exe

Filesize
5.2MB

MD5
13f01edd2c64e43c8127fa636c7e4a23

SHA1
d640e4633b25510db6942a15e2b6b6dfe88252f6

SHA256
512733ce2785783f63c17a06d49b68e6e80350b448ca70d52ad7bf139a6e4c82

SHA512
c8e9976b3a81b54919e8bc41ba086711a7eb340ae8efcabbac04eb83210bc298f50d0088192816aef34ba0b582a6cc2c0d54b7a0e2eb7378ab3ba447898301a4

Download Submit
C:\Windows\system\QYWdhnk.exe

Filesize
5.2MB

MD5
e9d9a841f7a4fd35a919302d3412dac0

SHA1
556daede9c3b9c08d701fcb3447e67b18fb3792c

SHA256
f471c4841a1d1d993b727d92a2d2a370aa0e93df933e12579986b656dd614cca

SHA512
5c44829297602a29d7670a75d650b8e520f23406147daa3583f6fd62d4af98de4c960769ebf1edc2fa532f444393e86dad03d4d4380fa6ad2728accc877ccf1a

Download Submit
C:\Windows\system\RBeYQpj.exe

Filesize
5.2MB

MD5
db07c8cefdf36759a2a1998b52bcd888

SHA1
78668f0fb589db88dc5c6e99c9f00c3684d576d5

SHA256
7ed6a9f1f5bf267bd8c6d7415910330dfe2365cd40e3fb4af00c8b5bc98dc262

SHA512
12022f19a8f22f2560c35719d3a592495df9b556ff960e23157e040f6498d556327464988e06d6ccd46860a1487ba26930d6835e8c58fc9df79e4fd51de19332

Download Submit
C:\Windows\system\RePFcnv.exe

Filesize
5.2MB

MD5
3e136c3a1b8870fa88c3774e31b9afba

SHA1
003287d1ba2757fd7aa126ec6e4c6577b0716c2f

SHA256
1e76468f35c8ebcd89cd3ad14a545e7ce5fb22741ff6bd79167d05377a50d881

SHA512
3a4701c8b1ca7ae93442d042e33c6bbcdd0ffcddca24a250a29956cbc9b4f31b3349efd0d5dc2d78f9f99aa5e719bf2327ba991a7e74e6f5ef9331b02a2b0ab3

Download Submit
C:\Windows\system\SWxmHiG.exe

Filesize
5.2MB

MD5
0358e93ce9acf9b176d9c2274d9d9a21

SHA1
5660bf3e9a5308659ed4cab40bcfa6792bc9665f

SHA256
f7e6d4b4cd7d8bfc69095feab8064eadf5004f000d217cc2b87603e4839c6b61

SHA512
36b1e6f60ab50020ddfd8f7db16007e9dec5a6524557031c6e7156524a421913f6d157412e46d3cbc882b2ee1a9646b6a3af1bf45ca9ec49e4447527b780e8b0

Download Submit
C:\Windows\system\ZqaggTh.exe

Filesize
5.2MB

MD5
16bdf474da17382dc9d7c3c1499ba2dc

SHA1
086d1070a1b712faa9e12fc6242b934e38ddb5e8

SHA256
c751dfeb564b989c648a956ef66c61d6125176de30b62bec57f8d516118f2cca

SHA512
fe4eefd697d1dc56ea9265c5704216a6f26de3fbaaaf1ad41352445b62dd6328ef1f852a004af7882a22bb69e0129e20a090c47565aa887a1e00ff1d070f41ca

Download Submit
C:\Windows\system\sTHYeJn.exe

Filesize
5.2MB

MD5
fe7f66986c6a69d3dde7978770a7b03e

SHA1
ca133e1709a282adaa5aa5ab5849efbf757e99ba

SHA256
d0616cc3d16ba2afbae45759c9a5cd651278d5ec8c3409f848c1be1c0e771b09

SHA512
533727fb520894e249ce43c9132799effa863c148999407590b1ccc1c7e7d8aedfd58dd416cbb2ece5b17272aabcd6b9f0cdc683521f1a4563d08c6523f6923b

Download Submit
C:\Windows\system\yOwcDsF.exe

Filesize
5.2MB

MD5
8bc7f38b08e72902d30971d1dc2b4831

SHA1
68b0a988fa29f14614e3dc73472dacb6110cdcfb

SHA256
506fb0660d0181e0c5e5f0d4b8c1626bd867f0b394188287f263d93be3c988f7

SHA512
d38ea9629443de976afe9060959c5153e840d6022e7b61da48e1e0f57c48483ff66ac1032afbea499d7b036d4300753acd040058297f47399d7bc3429ed0f693

Download Submit
\Windows\system\DWyhIvK.exe

Filesize
5.2MB

MD5
19d0e7b7e19fe4618b0ed6251883b0d3

SHA1
543393f75ffe99760e65e5bed7dfaed301a903e8

SHA256
7d50564f23c42c2c19c0685e30b1089594c8bbe991f549a33943c31a3279d785

SHA512
ea918688cde6d9646c66d6a7901c2a397c5bf0ef0585db28c828231c16a5e4f566cfd5f8beb6699bdc07bf10ed8ca5143ab7021b5fa580feb33984cdde66ee3c

Download Submit
\Windows\system\FAfxDuB.exe

Filesize
5.2MB

MD5
c857f0ee6fa7491fb5cec5f8fc7e3273

SHA1
a417c0e7c8b5d7ad8be084d03b841f3b1ed11fd1

SHA256
aaeb9d20d7146295b1b1f4a078c800810d5112bc9995b52a280b66f4fd240538

SHA512
88facca7a1f3d46f30bb50a6334dea9c74c797778760a5be725a9eeb1203cb524972bf5d49d49eebda975334c2066c41462e082d3ea942bfd1379b49dc3ffc2e

Download Submit
\Windows\system\SlQWtdf.exe

Filesize
5.2MB

MD5
75ec87ac2326cd5819d12a22a23e6ac0

SHA1
11ea7fd5e32c6776c88ee49259e532b7715467ca

SHA256
4e56ec3d3383ae69555b0023b48d072c4c3cef592608bf013b43edeea5928c44

SHA512
32a1d8feb5899081ba612740f6e13bba9590837eeffd197c67911b4af88e3b66af647f2083cb123e839b6ffdd88e64303c1a86815102de1ad9a760092c1c76d5

Download Submit
\Windows\system\XeJTMTt.exe

Filesize
5.2MB

MD5
a6cde88af5958a894b697f881661d4a2

SHA1
b65f8f3fc90d8190c4d64f946df91ba149d09132

SHA256
168de1d111750ad97e047ae74039769b71a4375405ed6bedb0d4c1453ccbdbe4

SHA512
28f6e0f19402acb3d5e1203ed92550b2dfca8ddd71129ec102d94c54a6c351f022a2d5befade33c1ec32782e2e50ada9c8f573140c868e3c689342324d58a4a9

Download Submit
\Windows\system\bGPXFVd.exe

Filesize
5.2MB

MD5
37f77b2070dfe9ee854dbdc9c620c872

SHA1
b4651d3047ee9589739ee8362ef5b59625f8de25

SHA256
a82bff5a05142d412a959100cad3a6bbabe1c081173e59d1467bcf8fdcfcaf86

SHA512
766f9743a0d8e65e01f51f9aec0912bc0f00a1f6e9c461b158e04d9a4cd50d889f6dfbda445ad65f4f4568a9ac139f8ffbbb643599b60abcccabf81f60244b5d

Download Submit
\Windows\system\eIyhgcI.exe

Filesize
5.2MB

MD5
ed351ad6c8b3b61097ca4f76dbc02775

SHA1
c426a916261ba5c4bf12759c4bc27c5774f20c1d

SHA256
6a2d804dfa21667d04e420b885315492b5387f0fe163a3f8c575aaa3ff1751da

SHA512
31a87f95d57e935f379a653d3b317e9578e686fdd7145aef7744c7e1654d7199aaed1fd502df07972a61374c3535b01d8d768bef2c634f732b7322461833093d

Download Submit
\Windows\system\ioruWGw.exe

Filesize
5.2MB

MD5
f516b5206aa8ce8c0d00bbe185b07588

SHA1
c6a67d72c0451744c58eadb8d1900a98d8f5300b

SHA256
8b9114c88af28c127363af072d5a53a47ca9fa0cad2fa41e4482c196fc1ba75d

SHA512
1ffd6160169adec4d2ace795689604a3bc908e2b773fb1e876a3b23e1e65598b19073ae6675d0fcfe2e02ff319aa4af0ef2505b7ce67b95e48be448d4e5a91c7

Download Submit
\Windows\system\krsIIgT.exe

Filesize
5.2MB

MD5
8db1858c20338cc85c02af0f32faa2d5

SHA1
9287e1eab3735b02acc9b980de34bb5889d05672

SHA256
0c6d651870dcdf8bfce3efd261561d453db5860c0b796e4412a4f704196ab58c

SHA512
4d873efbdedeb72977ee39ed4b355bf756ba255a69f0c5460fe38815988000931292d92995d8da2d5682cda9b78b8ff8976ed60daa754ce66b6583b90e88622b

Download Submit
\Windows\system\sCMLokL.exe

Filesize
5.2MB

MD5
06f4e5bb4e4d11af20c95576803ebcf3

SHA1
cfe79182ff56b85391558ba9654b84cb018e044d

SHA256
37332a897a7e04de0100e6bacdade1440e3a150ad566816ce4a6e4593bc17baa

SHA512
6d6df20793edc69b9f52a37068586554b2e48e98475681e269d8f9e04419356665e7c9df8ba8e08e38969fda6b696e166a3f80cbb6b73f22ec157e4746646f95

Download Submit
memory/1224-14-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1224-222-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-259-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-153-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1660-100-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-169-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/1700-165-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/1708-139-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-99-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-96-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-170-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-67-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-0-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-17-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-28-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-105-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-167-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-37-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-30-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/1708-140-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-48-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1708-40-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-143-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1708-56-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-84-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1708-83-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/1708-82-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/1736-166-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-168-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-163-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2128-226-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2128-53-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2128-24-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2132-79-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2132-34-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2132-230-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2376-63-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2376-242-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-91-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-257-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-148-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-85-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2604-255-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2604-141-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2648-245-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-81-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-243-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-58-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-87-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-271-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-142-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-156-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-162-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2780-90-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2780-42-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2780-232-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2984-261-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2984-152-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2984-93-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/3020-13-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-44-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3020-221-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-27-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-225-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/3064-59-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download