cobaltstrike | 7f87dcb6f51d354e36fa504751a4183cfd0343e14584ccf48e3b920203452275

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

2d096f9b854f1fa6cd242772dd203bdc
SHA1

502297b21e2d02defa652074818322675fcf85dd
SHA256

7f87dcb6f51d354e36fa504751a4183cfd0343e14584ccf48e3b920203452275
SHA512

fb3685e3df124835a67dca68ca4497bcb9928894bb0442593ef3823eaeea92a14c5fda72d89388e8c3ac42a3ebda35e5d93300a10a676db149a9d543357c233a
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUo:Q+856utgpPF8u/7o

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\GvCoWqR.exe	cobalt_reflective_dll
C:\Windows\System\eVOkuUU.exe	cobalt_reflective_dll
C:\Windows\System\iePhXpQ.exe	cobalt_reflective_dll
C:\Windows\System\eZSfNAA.exe	cobalt_reflective_dll
C:\Windows\System\BhmzlRO.exe	cobalt_reflective_dll
C:\Windows\System\toCZBjl.exe	cobalt_reflective_dll
C:\Windows\System\kwCLuyS.exe	cobalt_reflective_dll
C:\Windows\System\VzSXKFE.exe	cobalt_reflective_dll
C:\Windows\System\frQEngP.exe	cobalt_reflective_dll
C:\Windows\System\jOtQOpr.exe	cobalt_reflective_dll
C:\Windows\System\EkpeWZC.exe	cobalt_reflective_dll
C:\Windows\System\iVvLEIo.exe	cobalt_reflective_dll
C:\Windows\System\wjMqKIO.exe	cobalt_reflective_dll
C:\Windows\System\MAwHRuP.exe	cobalt_reflective_dll
C:\Windows\System\yiwEQYF.exe	cobalt_reflective_dll
C:\Windows\System\wnTKFkl.exe	cobalt_reflective_dll
C:\Windows\System\Axzfpcn.exe	cobalt_reflective_dll
C:\Windows\System\ibdQlYk.exe	cobalt_reflective_dll
C:\Windows\System\ZSNFoSm.exe	cobalt_reflective_dll
C:\Windows\System\NOkXaVb.exe	cobalt_reflective_dll
C:\Windows\System\YKeqTXz.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp	xmrig
C:\Windows\System\GvCoWqR.exe	xmrig
behavioral2/memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp	xmrig
C:\Windows\System\eVOkuUU.exe	xmrig
C:\Windows\System\iePhXpQ.exe	xmrig
behavioral2/memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	xmrig
C:\Windows\System\eZSfNAA.exe	xmrig
C:\Windows\System\BhmzlRO.exe	xmrig
behavioral2/memory/1808-34-0x00007FF73FD20000-0x00007FF740074000-memory.dmp	xmrig
behavioral2/memory/996-41-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp	xmrig
C:\Windows\System\toCZBjl.exe	xmrig
C:\Windows\System\kwCLuyS.exe	xmrig
behavioral2/memory/4244-57-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	xmrig
C:\Windows\System\VzSXKFE.exe	xmrig
behavioral2/memory/3740-68-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	xmrig
C:\Windows\System\frQEngP.exe	xmrig
behavioral2/memory/4124-62-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	xmrig
behavioral2/memory/1992-54-0x00007FF7680E0000-0x00007FF768434000-memory.dmp	xmrig
C:\Windows\System\jOtQOpr.exe	xmrig
behavioral2/memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	xmrig
C:\Windows\System\EkpeWZC.exe	xmrig
behavioral2/memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	xmrig
behavioral2/memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp	xmrig
behavioral2/memory/4804-74-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp	xmrig
behavioral2/memory/5016-75-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp	xmrig
C:\Windows\System\iVvLEIo.exe	xmrig
C:\Windows\System\wjMqKIO.exe	xmrig
C:\Windows\System\MAwHRuP.exe	xmrig
behavioral2/memory/1476-88-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	xmrig
behavioral2/memory/904-84-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp	xmrig
behavioral2/memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp	xmrig
C:\Windows\System\yiwEQYF.exe	xmrig
C:\Windows\System\wnTKFkl.exe	xmrig
C:\Windows\System\Axzfpcn.exe	xmrig
C:\Windows\System\ibdQlYk.exe	xmrig
C:\Windows\System\ZSNFoSm.exe	xmrig
C:\Windows\System\NOkXaVb.exe	xmrig
C:\Windows\System\YKeqTXz.exe	xmrig
behavioral2/memory/3820-123-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp	xmrig
behavioral2/memory/2880-125-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp	xmrig
behavioral2/memory/5012-124-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp	xmrig
behavioral2/memory/3100-126-0x00007FF62A020000-0x00007FF62A374000-memory.dmp	xmrig
behavioral2/memory/5080-127-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp	xmrig
behavioral2/memory/1560-130-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp	xmrig
behavioral2/memory/2088-129-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp	xmrig
behavioral2/memory/456-128-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp	xmrig
behavioral2/memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	xmrig
behavioral2/memory/4244-133-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	xmrig
behavioral2/memory/3140-132-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	xmrig
behavioral2/memory/4124-134-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	xmrig
behavioral2/memory/3740-135-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	xmrig
behavioral2/memory/396-136-0x00007FF695E10000-0x00007FF696164000-memory.dmp	xmrig
behavioral2/memory/1476-137-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	xmrig
behavioral2/memory/4560-138-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp	xmrig
behavioral2/memory/1808-139-0x00007FF73FD20000-0x00007FF740074000-memory.dmp	xmrig
behavioral2/memory/996-140-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp	xmrig
behavioral2/memory/1440-141-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	xmrig
behavioral2/memory/3140-142-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	xmrig
behavioral2/memory/1992-143-0x00007FF7680E0000-0x00007FF768434000-memory.dmp	xmrig
behavioral2/memory/4244-144-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	xmrig
behavioral2/memory/3740-145-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	xmrig
behavioral2/memory/4124-146-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	xmrig
behavioral2/memory/5016-147-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp	xmrig
behavioral2/memory/904-148-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

GvCoWqR.exeeVOkuUU.exeiePhXpQ.exeeZSfNAA.exeBhmzlRO.exeEkpeWZC.exetoCZBjl.exejOtQOpr.exekwCLuyS.exefrQEngP.exeVzSXKFE.exeYKeqTXz.exeiVvLEIo.exewjMqKIO.exeMAwHRuP.exeNOkXaVb.exeyiwEQYF.exewnTKFkl.exeZSNFoSm.exeibdQlYk.exeAxzfpcn.exe

pid	process
396	GvCoWqR.exe
1476	eVOkuUU.exe
4560	iePhXpQ.exe
1808	eZSfNAA.exe
996	BhmzlRO.exe
1440	EkpeWZC.exe
3140	toCZBjl.exe
1992	jOtQOpr.exe
4244	kwCLuyS.exe
4124	frQEngP.exe
3740	VzSXKFE.exe
5016	YKeqTXz.exe
904	iVvLEIo.exe
3820	wjMqKIO.exe
1560	MAwHRuP.exe
5012	NOkXaVb.exe
2880	yiwEQYF.exe
3100	wnTKFkl.exe
5080	ZSNFoSm.exe
456	ibdQlYk.exe
2088	Axzfpcn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp	upx
C:\Windows\System\GvCoWqR.exe	upx
behavioral2/memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp	upx
C:\Windows\System\eVOkuUU.exe	upx
C:\Windows\System\iePhXpQ.exe	upx
behavioral2/memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	upx
C:\Windows\System\eZSfNAA.exe	upx
C:\Windows\System\BhmzlRO.exe	upx
behavioral2/memory/1808-34-0x00007FF73FD20000-0x00007FF740074000-memory.dmp	upx
behavioral2/memory/996-41-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp	upx
C:\Windows\System\toCZBjl.exe	upx
C:\Windows\System\kwCLuyS.exe	upx
behavioral2/memory/4244-57-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	upx
C:\Windows\System\VzSXKFE.exe	upx
behavioral2/memory/3740-68-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	upx
C:\Windows\System\frQEngP.exe	upx
behavioral2/memory/4124-62-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	upx
behavioral2/memory/1992-54-0x00007FF7680E0000-0x00007FF768434000-memory.dmp	upx
C:\Windows\System\jOtQOpr.exe	upx
behavioral2/memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	upx
C:\Windows\System\EkpeWZC.exe	upx
behavioral2/memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	upx
behavioral2/memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp	upx
behavioral2/memory/4804-74-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp	upx
behavioral2/memory/5016-75-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp	upx
C:\Windows\System\iVvLEIo.exe	upx
C:\Windows\System\wjMqKIO.exe	upx
C:\Windows\System\MAwHRuP.exe	upx
behavioral2/memory/1476-88-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	upx
behavioral2/memory/904-84-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp	upx
behavioral2/memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp	upx
C:\Windows\System\yiwEQYF.exe	upx
C:\Windows\System\wnTKFkl.exe	upx
C:\Windows\System\Axzfpcn.exe	upx
C:\Windows\System\ibdQlYk.exe	upx
C:\Windows\System\ZSNFoSm.exe	upx
C:\Windows\System\NOkXaVb.exe	upx
C:\Windows\System\YKeqTXz.exe	upx
behavioral2/memory/3820-123-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp	upx
behavioral2/memory/2880-125-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp	upx
behavioral2/memory/5012-124-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp	upx
behavioral2/memory/3100-126-0x00007FF62A020000-0x00007FF62A374000-memory.dmp	upx
behavioral2/memory/5080-127-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp	upx
behavioral2/memory/1560-130-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp	upx
behavioral2/memory/2088-129-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp	upx
behavioral2/memory/456-128-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp	upx
behavioral2/memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	upx
behavioral2/memory/4244-133-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	upx
behavioral2/memory/3140-132-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	upx
behavioral2/memory/4124-134-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	upx
behavioral2/memory/3740-135-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	upx
behavioral2/memory/396-136-0x00007FF695E10000-0x00007FF696164000-memory.dmp	upx
behavioral2/memory/1476-137-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp	upx
behavioral2/memory/4560-138-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp	upx
behavioral2/memory/1808-139-0x00007FF73FD20000-0x00007FF740074000-memory.dmp	upx
behavioral2/memory/996-140-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp	upx
behavioral2/memory/1440-141-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp	upx
behavioral2/memory/3140-142-0x00007FF601690000-0x00007FF6019E4000-memory.dmp	upx
behavioral2/memory/1992-143-0x00007FF7680E0000-0x00007FF768434000-memory.dmp	upx
behavioral2/memory/4244-144-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp	upx
behavioral2/memory/3740-145-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp	upx
behavioral2/memory/4124-146-0x00007FF71C640000-0x00007FF71C994000-memory.dmp	upx
behavioral2/memory/5016-147-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp	upx
behavioral2/memory/904-148-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\VzSXKFE.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MAwHRuP.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wnTKFkl.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eVOkuUU.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iePhXpQ.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EkpeWZC.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\toCZBjl.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKeqTXz.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ibdQlYk.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Axzfpcn.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GvCoWqR.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NOkXaVb.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yiwEQYF.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSNFoSm.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wjMqKIO.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BhmzlRO.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jOtQOpr.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kwCLuyS.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\frQEngP.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVvLEIo.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eZSfNAA.exe	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4804 wrote to memory of 396	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	GvCoWqR.exe
PID 4804 wrote to memory of 396	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	GvCoWqR.exe
PID 4804 wrote to memory of 1476	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	eVOkuUU.exe
PID 4804 wrote to memory of 1476	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	eVOkuUU.exe
PID 4804 wrote to memory of 4560	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	iePhXpQ.exe
PID 4804 wrote to memory of 4560	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	iePhXpQ.exe
PID 4804 wrote to memory of 1808	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	eZSfNAA.exe
PID 4804 wrote to memory of 1808	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	eZSfNAA.exe
PID 4804 wrote to memory of 996	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	BhmzlRO.exe
PID 4804 wrote to memory of 996	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	BhmzlRO.exe
PID 4804 wrote to memory of 1440	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	EkpeWZC.exe
PID 4804 wrote to memory of 1440	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	EkpeWZC.exe
PID 4804 wrote to memory of 3140	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	toCZBjl.exe
PID 4804 wrote to memory of 3140	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	toCZBjl.exe
PID 4804 wrote to memory of 1992	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	jOtQOpr.exe
PID 4804 wrote to memory of 1992	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	jOtQOpr.exe
PID 4804 wrote to memory of 4244	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	kwCLuyS.exe
PID 4804 wrote to memory of 4244	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	kwCLuyS.exe
PID 4804 wrote to memory of 4124	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	frQEngP.exe
PID 4804 wrote to memory of 4124	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	frQEngP.exe
PID 4804 wrote to memory of 3740	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	VzSXKFE.exe
PID 4804 wrote to memory of 3740	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	VzSXKFE.exe
PID 4804 wrote to memory of 5016	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	YKeqTXz.exe
PID 4804 wrote to memory of 5016	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	YKeqTXz.exe
PID 4804 wrote to memory of 904	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	iVvLEIo.exe
PID 4804 wrote to memory of 904	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	iVvLEIo.exe
PID 4804 wrote to memory of 3820	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	wjMqKIO.exe
PID 4804 wrote to memory of 3820	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	wjMqKIO.exe
PID 4804 wrote to memory of 1560	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	MAwHRuP.exe
PID 4804 wrote to memory of 1560	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	MAwHRuP.exe
PID 4804 wrote to memory of 5012	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	NOkXaVb.exe
PID 4804 wrote to memory of 5012	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	NOkXaVb.exe
PID 4804 wrote to memory of 2880	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	yiwEQYF.exe
PID 4804 wrote to memory of 2880	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	yiwEQYF.exe
PID 4804 wrote to memory of 3100	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	wnTKFkl.exe
PID 4804 wrote to memory of 3100	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	wnTKFkl.exe
PID 4804 wrote to memory of 5080	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	ZSNFoSm.exe
PID 4804 wrote to memory of 5080	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	ZSNFoSm.exe
PID 4804 wrote to memory of 456	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	ibdQlYk.exe
PID 4804 wrote to memory of 456	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	ibdQlYk.exe
PID 4804 wrote to memory of 2088	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	Axzfpcn.exe
PID 4804 wrote to memory of 2088	4804	2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe	Axzfpcn.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\System\GvCoWqR.exe
C:\Windows\System\GvCoWqR.exe
2⤵
- Executes dropped EXE
PID:396

C:\Windows\System\eVOkuUU.exe
C:\Windows\System\eVOkuUU.exe
2⤵
- Executes dropped EXE
PID:1476

C:\Windows\System\iePhXpQ.exe
C:\Windows\System\iePhXpQ.exe
2⤵
- Executes dropped EXE
PID:4560

C:\Windows\System\eZSfNAA.exe
C:\Windows\System\eZSfNAA.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\BhmzlRO.exe
C:\Windows\System\BhmzlRO.exe
2⤵
- Executes dropped EXE
PID:996

C:\Windows\System\EkpeWZC.exe
C:\Windows\System\EkpeWZC.exe
2⤵
- Executes dropped EXE
PID:1440

C:\Windows\System\toCZBjl.exe
C:\Windows\System\toCZBjl.exe
2⤵
- Executes dropped EXE
PID:3140

C:\Windows\System\jOtQOpr.exe
C:\Windows\System\jOtQOpr.exe
2⤵
- Executes dropped EXE
PID:1992

C:\Windows\System\kwCLuyS.exe
C:\Windows\System\kwCLuyS.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\System\frQEngP.exe
C:\Windows\System\frQEngP.exe
2⤵
- Executes dropped EXE
PID:4124

C:\Windows\System\VzSXKFE.exe
C:\Windows\System\VzSXKFE.exe
2⤵
- Executes dropped EXE
PID:3740

C:\Windows\System\YKeqTXz.exe
C:\Windows\System\YKeqTXz.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\iVvLEIo.exe
C:\Windows\System\iVvLEIo.exe
2⤵
- Executes dropped EXE
PID:904

C:\Windows\System\wjMqKIO.exe
C:\Windows\System\wjMqKIO.exe
2⤵
- Executes dropped EXE
PID:3820

C:\Windows\System\MAwHRuP.exe
C:\Windows\System\MAwHRuP.exe
2⤵
- Executes dropped EXE
PID:1560

C:\Windows\System\NOkXaVb.exe
C:\Windows\System\NOkXaVb.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\yiwEQYF.exe
C:\Windows\System\yiwEQYF.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\wnTKFkl.exe
C:\Windows\System\wnTKFkl.exe
2⤵
- Executes dropped EXE
PID:3100

C:\Windows\System\ZSNFoSm.exe
C:\Windows\System\ZSNFoSm.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Windows\System\ibdQlYk.exe
C:\Windows\System\ibdQlYk.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System\Axzfpcn.exe
C:\Windows\System\Axzfpcn.exe
2⤵
- Executes dropped EXE
PID:2088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\Axzfpcn.exe
Filesize
5.9MB

MD5
606ea2f6025c724dbbc0e1d29cbae871

SHA1
7670264e18e6d69b5d89766ac6df368cbf718601

SHA256
d5c000c476489809ef9377935818bc183457ef72fb36aab28320ed53c965b0c2

SHA512
f3be7e82a5b85905e95b54da60ef520f0de41fadb337be4943891a55109b64a87c6daa134553b5404abd9f1fa550d538f51f0bace19e822cf918831066cccfba

Download Submit
C:\Windows\System\BhmzlRO.exe
Filesize
5.9MB

MD5
09c7c14f7cd82f84465bc971e2a3f3b1

SHA1
395bb0518cde0f9019114d38c5edfe3c3189330f

SHA256
a8b9fafa6d324e800af7e24137bc69c2e07310327b3ce5887c450fb6f7aecf94

SHA512
b36706484d01ec6f39b6f4858e26c944661c2e8710270edafb30f38be27dc2683ff91918d17cbb7e4c92ef50156dbb049c044ea982a658664d7e2eadb5ee865c

Download Submit
C:\Windows\System\EkpeWZC.exe
Filesize
5.9MB

MD5
29b084df434b83fd7c8cabfa93582fe6

SHA1
66c3669c9ed94229373b49c82cd6e916729487d0

SHA256
1d305b5871ba79943cc6d8b3ecd0461dd6302c2d2d263453832f6a5c967bd80a

SHA512
c4e6e8dc5e61c913d292d6b12ce2cc7bc21895f09f9c3e5b3c3b9b669a3a5fcdd6cca74a72b57187d7078f2fd51ccec62c0216582103df10bc635dcfb3ab884e

Download Submit
C:\Windows\System\GvCoWqR.exe
Filesize
5.9MB

MD5
1f4a49b60707576a87dfc2dc308b5fc8

SHA1
185daf4779408600eb0655f5d28586f9355a4807

SHA256
57313050f1782c77af45c81436d829aea642e5b6ee2dac90aa0134b38bae28cc

SHA512
0e20a1d453d6c6362c7c4d426f4617b4e5976aaa6e95094612f18b97101415568f1c6285c90be3a19bff5ae2e478013f3a815b46f25f5f6e8214870c38584186

Download Submit
C:\Windows\System\MAwHRuP.exe
Filesize
5.9MB

MD5
daae171eec1bd62b10824da2c16c1b53

SHA1
5945146ada9bc3b68aacfb3a23059b694d83239f

SHA256
1cd0e27717cade15eae20eaae8e29beb1b6d1aac11ef89100b91bca32f72a28c

SHA512
2253d70bc21fade4cdda7dbfb0b477167aa1ff8d11e6a09521c219edc36f5389c6535235f14c3e06cf810db999f6be329fc9deb20323f14a79b93be9eace44ed

Download Submit
C:\Windows\System\NOkXaVb.exe
Filesize
5.9MB

MD5
4e5f82a7dd34d5d6cf566853d8a53084

SHA1
8309f933e9754794959529f1d8972c4c6f069d9d

SHA256
3906e0085b1a7cec0a77082790607ea4cd40c1a546173627f5285cc10a045444

SHA512
bcb55b8bd8ee76447fcf4775e21cd8efb472428e9139e484fb50d8612e1eb883ff2419370eb259ce21978e25035fc2fe972f4978d8cad562cc869abfef0571a5

Download Submit
C:\Windows\System\VzSXKFE.exe
Filesize
5.9MB

MD5
a33db2cbbf41db87243393d097b213b5

SHA1
b7e95077e126b8c7dc618067a277153df4411121

SHA256
2dadc05301b47023797153cf9ef9be2c6438b16143028f2e3569a9cc3ec67444

SHA512
bbc0294f02abbb0e1a43d286c1665a470cdcf1c467faacec228964094680b37254cef3685ac0800d55c7ca21793ad2f106a7836eaa4ee87ff7be062a90575044

Download Submit
C:\Windows\System\YKeqTXz.exe
Filesize
5.9MB

MD5
4ea2c12075c85933a393825fafb6f4a4

SHA1
c681dd9d8fbc096e784cf11f4adde765abe33663

SHA256
ff915efa4dfed7f33a5a8151847364bb2a0e42fd8b1fe07e84e3f67efcfd7183

SHA512
e0ca2dcb1702eeaaea0760ce5e46019241282c51b416835229b367e8eddef5350494dfdfba5e08b2e1bdea9150c6c095a7376e50f1dfb83064c52e0f32d63299

Download Submit
C:\Windows\System\ZSNFoSm.exe
Filesize
5.9MB

MD5
b5b7dbec1e1c751e614978a49eec1a59

SHA1
484e3416dbfdb92339d627a6c327cff14666210d

SHA256
0ea3043005de97c431484e577def089d7f03e38d1c710e0c13771b3b8570be96

SHA512
e92a0e48ded429b8db2e6c13d4b4f82afe186ab8d801e8a56d1693a146182f8b97e3be785cba14ba08123e7b3ec84ad3c330481801c80eff282179b9f880d0a7

Download Submit
C:\Windows\System\eVOkuUU.exe
Filesize
5.9MB

MD5
fb7d12f019f93f59c257560ff893067b

SHA1
b70d12374e87d5a1da760d1b25e6431908063cdb

SHA256
beaa9bb07459aa01cfde88a40720592a10328ea48b7bd0d24ccb40241dd0f9ab

SHA512
522db0642422a174b3ec3c5352b991a02749aa7a550a2ef62facab835db704e9c38f14d9f80e878d7cacbc694f562f57ddcfb859496cedc227fdc58050632d8e

Download Submit
C:\Windows\System\eZSfNAA.exe
Filesize
5.9MB

MD5
f6b6d47d4383e57072085e05f7bfb992

SHA1
dedf48f3d7b362adc370692507383523b673e522

SHA256
4c2fa74cc905ba8984297261792624bfcb25a8b3d6f72426df1fe0a028e4b417

SHA512
0b98798e17984a7744fb29d26c5053924efa42ccdf1f07d3b2b8475a6270c2769165e72a1a716410f1b01ab9797292c621230393701d5ecaba701443840e2774

Download Submit
C:\Windows\System\frQEngP.exe
Filesize
5.9MB

MD5
83f7d92391fff78217b059e6b23f31f6

SHA1
cffad3f969dea5d7ed5e30b8b8214f60a9cce22f

SHA256
c8cf18d8b350c6ef476e3a8c24b2519b044b3bd11424fa2a8afeb87e90244e2a

SHA512
ae71adce2f099d2289b056c95a61f9078c884248a7c676b75b3e6900be9fb930b2985082d169ec73ae63b620a30f7807a114837b6a84510958c66ba3bd11d58e

Download Submit
C:\Windows\System\iVvLEIo.exe
Filesize
5.9MB

MD5
dacc4dd5f0ec810e6fddc357074a675b

SHA1
a5c0932d3aa7967f43ad8c03f6e46f4e77b67bf6

SHA256
4d50c61fea19fea877defa60ffb9b70ee7215a3149d1e5bcbd7c1f687d7e7fb7

SHA512
4f26b582fb5614454d6a8977e2cec29182b66f27a4224a7e6bbc5c06dfef1cc0c418b7bd08c0c85f1f1b46fe375bccff568df859d465c4ef83604eb55a998f43

Download Submit
C:\Windows\System\ibdQlYk.exe
Filesize
5.9MB

MD5
5253520e9f8977a20226035712c2ac7b

SHA1
dce71fb886bb49ccc7a0f5c2906c889b88ea31b9

SHA256
c74a5478066c637ed73a4ee34bf9b76da667abf1133572acb7736a939ed62d2e

SHA512
2a731395a65ad7eded8e77491323240393e07042e84ac82afaae2c77927d01c465166d13d0164741fd7d1939e57fb888d53ab63e27f6724198d8436cc5204566

Download Submit
C:\Windows\System\iePhXpQ.exe
Filesize
5.9MB

MD5
3328b7b82713033f765c51bcc14960a5

SHA1
2243698451d6b354d3dda0f1d86d1a36d72adfd9

SHA256
a78ecd3e477a912bce8b4eb3ab94111ece3d45de9dd1cd73d8c9eab7b0d98ce5

SHA512
7854a7b227e2cab4d703e07a4be940158b33fb553147007f4ea50ce54a7af4a6c2a4ebc7b3e701be9a3516c7e13e17b1647d11da9f70f33036a5c978d0223399

Download Submit
C:\Windows\System\jOtQOpr.exe
Filesize
5.9MB

MD5
a09b23ff570d1f2263c1272915a9d822

SHA1
fe956549ff25d5d55e6e44bd61797f1383d22c41

SHA256
2b856d39cc8f6d8483e317acb918619637cef7e243818926f52efbc71e9b4afa

SHA512
e52edc49677f0e46478802a225d4a96ea821c931a9683a037d80e5fe89887eeff810ee692541034f2b24d69a863b085335b9546ea90b1b5be33f1e6c232d8d27

Download Submit
C:\Windows\System\kwCLuyS.exe
Filesize
5.9MB

MD5
5e545ac31846fabce0dc18f2d526fd78

SHA1
eb86c99e6e58e35638bb11ab9e31181cc10882ec

SHA256
025521ebd603f10a3e80d049e8b1bf0f51d286161bc8bb1ea95ca991471dd13b

SHA512
d275994844bbdde60adcc36e24d3f4d4c66c95d004dbff8dd60403dedb2a08dd40e8c20dac0691b684ecf0c358b74b11df244f81d0e8aa2735708a9ce939a0ed

Download Submit
C:\Windows\System\toCZBjl.exe
Filesize
5.9MB

MD5
d8291c425ef892b8f40b181ed5576de3

SHA1
8080a1622d73f2aa3eeddd7cd30270c2d6eba7dd

SHA256
247d46d99c875460e054f3363894e74ce053b5151fbe3eea7e0a8a03a004a904

SHA512
6667559107ffc8f25f55475f6a740211707fee0d2f126781e0bc428bdf65870e512508337187baebdee99a96fecd785d5d82e954cdf7ad905c6e8b2ba86f1965

Download Submit
C:\Windows\System\wjMqKIO.exe
Filesize
5.9MB

MD5
50ca8a5e39f2b3b71a331bca7b437df3

SHA1
a58b30bad57799fa24697705156909a0a594b726

SHA256
61a281e3277f01ca7f71b7e82a73ff79f3ac070e4f3e584467a9437ac9fb2169

SHA512
1e06bcad48f4a2d70fc9566c7918a349a2d047d58997bb428776ba31ad5f65f07402c1776fa298432c32b2619cac955c474147e22a45d6afcf3941da6ebf0c55

Download Submit
C:\Windows\System\wnTKFkl.exe
Filesize
5.9MB

MD5
f8872188489f59784d23b8abea4b1ed8

SHA1
0697f539d03a203a3b2d7c4b7a8c177d28cfbe90

SHA256
6888ef34e2a0b64c16dab0d946903432e8c7ce7e66f83e09fc656e0bb23c9b3b

SHA512
f2b70bb5a79ac63826dd6831e6a61ba2ff2ec1a0002ade4f18c7c35ac5e73d89ec6975eee6f57979a79bd0ddc2a1458e7b1fa3bfbce4388541e9c2b271fd8641

Download Submit
C:\Windows\System\yiwEQYF.exe
Filesize
5.9MB

MD5
cba46e58b11c73c3a4f0fb457610affd

SHA1
df46387adae779a16aa63066e43f37c40aa5946e

SHA256
c0a26bf4a4175f7f571c9e21c489c64f0e0ec3c54afb7397936b4d504ea629b2

SHA512
fc2e4ea813f50decc3ee6573ebd1bd6089671fa646180bdf2f56385c3e4ca859bfba571adc40e29ea9467fdf902f7751818131573d1330ac0d71c15f4e49dd78

Download Submit
memory/396-136-0x00007FF695E10000-0x00007FF696164000-memory.dmp

Filesize
3.3MB

Download
memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp

Filesize
3.3MB

Download
memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp

Filesize
3.3MB

Download
memory/456-156-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp

Filesize
3.3MB

Download
memory/456-128-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp

Filesize
3.3MB

Download
memory/904-84-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp

Filesize
3.3MB

Download
memory/904-148-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp

Filesize
3.3MB

Download
memory/996-140-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp

Filesize
3.3MB

Download
memory/996-41-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp

Filesize
3.3MB

Download
memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1440-141-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-137-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-88-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

Filesize
3.3MB

Download
memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-130-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp

Filesize
3.3MB

Download
memory/1560-149-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp

Filesize
3.3MB

Download
memory/1808-139-0x00007FF73FD20000-0x00007FF740074000-memory.dmp

Filesize
3.3MB

Download
memory/1808-34-0x00007FF73FD20000-0x00007FF740074000-memory.dmp

Filesize
3.3MB

Download
memory/1992-143-0x00007FF7680E0000-0x00007FF768434000-memory.dmp

Filesize
3.3MB

Download
memory/1992-54-0x00007FF7680E0000-0x00007FF768434000-memory.dmp

Filesize
3.3MB

Download
memory/2088-155-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp

Filesize
3.3MB

Download
memory/2088-129-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp

Filesize
3.3MB

Download
memory/2880-125-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp

Filesize
3.3MB

Download
memory/2880-152-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp

Filesize
3.3MB

Download
memory/3100-126-0x00007FF62A020000-0x00007FF62A374000-memory.dmp

Filesize
3.3MB

Download
memory/3100-153-0x00007FF62A020000-0x00007FF62A374000-memory.dmp

Filesize
3.3MB

Download
memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

Filesize
3.3MB

Download
memory/3140-142-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

Filesize
3.3MB

Download
memory/3140-132-0x00007FF601690000-0x00007FF6019E4000-memory.dmp

Filesize
3.3MB

Download
memory/3740-135-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

Filesize
3.3MB

Download
memory/3740-68-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

Filesize
3.3MB

Download
memory/3740-145-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp

Filesize
3.3MB

Download
memory/3820-123-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp

Filesize
3.3MB

Download
memory/3820-150-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp

Filesize
3.3MB

Download
memory/4124-134-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

Filesize
3.3MB

Download
memory/4124-62-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

Filesize
3.3MB

Download
memory/4124-146-0x00007FF71C640000-0x00007FF71C994000-memory.dmp

Filesize
3.3MB

Download
memory/4244-57-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

Filesize
3.3MB

Download
memory/4244-133-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

Filesize
3.3MB

Download
memory/4244-144-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp

Filesize
3.3MB

Download
memory/4560-138-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp

Filesize
3.3MB

Download
memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp

Filesize
3.3MB

Download
memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp

Filesize
3.3MB

Download
memory/4804-74-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp

Filesize
3.3MB

Download
memory/4804-1-0x0000015A60780000-0x0000015A60790000-memory.dmp

Filesize
64KB

Download
memory/5012-151-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp

Filesize
3.3MB

Download
memory/5012-124-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp

Filesize
3.3MB

Download
memory/5016-147-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp

Filesize
3.3MB

Download
memory/5016-75-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp

Filesize
3.3MB

Download
memory/5080-127-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp

Filesize
3.3MB

Download
memory/5080-154-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp

Filesize
3.3MB

Download