cobaltstrike | ceca52b85e07b4cb0cb04a8a32f471553d9680124f27518b5f510d0c9a7bfddf

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 15:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

170e8e11adbf6e99f7d77b7433e347ef
SHA1

abb4ce815a248af4b9cb294b01894798d3d2d95b
SHA256

ceca52b85e07b4cb0cb04a8a32f471553d9680124f27518b5f510d0c9a7bfddf
SHA512

fb0749947ccdfc667be047105921516a0aee47f0a22dfbdb2f73766ef113aab104fc0a811b371c1cc08cfd61ed8603505a210dd73c80d9477b110846e53ace70
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l+:RWWBibd56utgpPFotBER/mQ32lU6

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012101-6.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000186b7-13.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186bb-15.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186c2-23.dat	cobalt_reflective_dll
behavioral1/files/0x0029000000018671-36.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018725-51.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018f9a-66.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fa2-84.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fc4-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fca-129.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fcd-134.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fe2-138.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fc7-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fc2-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fba-109.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018fb0-101.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018faa-92.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018f9e-77.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018ab4-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018710-48.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870b-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2128-21-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2904-22-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2120-29-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2808-40-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2216-137-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2544-142-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/3040-143-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2808-145-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2420-149-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/2088-102-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2096-93-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2632-85-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/1952-161-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2872-166-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/264-167-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2032-165-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2944-164-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/3000-163-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2396-162-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/1628-169-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/2952-70-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2760-49-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2660-45-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2808-170-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2760-221-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2904-223-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2128-225-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2120-227-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2952-235-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2660-236-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2096-238-0x000000013FA00000-0x000000013FD51000-memory.dmp	xmrig
behavioral1/memory/2632-240-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2216-246-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2088-248-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2544-250-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/3040-252-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2420-254-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/1952-256-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2760	wqwsquW.exe
2904	tQNMVwR.exe
2128	iDowtDX.exe
2120	XCPZISS.exe
2952	VHePdvx.exe
2660	rgTkSff.exe
2632	hfbQSSY.exe
2096	CPKtzNV.exe
2088	WJgKHZB.exe
2216	IHEIJKc.exe
2544	gRqKDNg.exe
3040	VjpxLlv.exe
2420	VnOCfbv.exe
1952	ABAVrUS.exe
2396	lHYAHJu.exe
3000	PGjMQuz.exe
2944	sTENVOv.exe
2032	TRseoic.exe
2872	wdXuHqs.exe
264	upaUdBT.exe
1628	aaFmRiK.exe

Loads dropped DLL 21 IoCs

pid	Process
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2808-0-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2760-9-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/files/0x0008000000012101-6.dat	upx
behavioral1/files/0x00070000000186b7-13.dat	upx
behavioral1/files/0x00060000000186bb-15.dat	upx
behavioral1/memory/2128-21-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2904-22-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/files/0x00060000000186c2-23.dat	upx
behavioral1/memory/2120-29-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2952-35-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/files/0x0029000000018671-36.dat	upx
behavioral1/memory/2808-40-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/files/0x0005000000018725-51.dat	upx
behavioral1/memory/2096-57-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/files/0x0005000000018f9a-66.dat	upx
behavioral1/memory/2216-71-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2544-78-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/files/0x0005000000018fa2-84.dat	upx
behavioral1/memory/1952-103-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x0005000000018fc4-120.dat	upx
behavioral1/files/0x0005000000018fca-129.dat	upx
behavioral1/files/0x0005000000018fcd-134.dat	upx
behavioral1/files/0x0005000000018fe2-138.dat	upx
behavioral1/memory/2216-137-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2544-142-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/files/0x0005000000018fc7-124.dat	upx
behavioral1/memory/3040-143-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/files/0x0005000000018fc2-114.dat	upx
behavioral1/files/0x0005000000018fba-109.dat	upx
behavioral1/memory/2808-145-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2420-149-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/2088-102-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/files/0x0005000000018fb0-101.dat	upx
behavioral1/memory/2420-94-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/2096-93-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/files/0x0005000000018faa-92.dat	upx
behavioral1/memory/2632-85-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2808-82-0x00000000023A0000-0x00000000026F1000-memory.dmp	upx
behavioral1/memory/1952-161-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x0005000000018f9e-77.dat	upx
behavioral1/memory/2088-65-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/files/0x0009000000018ab4-64.dat	upx
behavioral1/memory/2872-166-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/264-167-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2032-165-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2944-164-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/3000-163-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2396-162-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/1628-169-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/2952-70-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2632-50-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2760-49-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/files/0x0005000000018710-48.dat	upx
behavioral1/memory/2660-45-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/files/0x000500000001870b-34.dat	upx
behavioral1/memory/2808-170-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2760-221-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2904-223-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2128-225-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2120-227-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2952-235-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2660-236-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2096-238-0x000000013FA00000-0x000000013FD51000-memory.dmp	upx
behavioral1/memory/2632-240-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XCPZISS.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WJgKHZB.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gRqKDNg.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnOCfbv.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aaFmRiK.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rgTkSff.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPKtzNV.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHEIJKc.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lHYAHJu.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wdXuHqs.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\upaUdBT.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqwsquW.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDowtDX.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VHePdvx.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hfbQSSY.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ABAVrUS.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sTENVOv.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQNMVwR.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VjpxLlv.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PGjMQuz.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TRseoic.exe	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2760	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2808 wrote to memory of 2760	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2808 wrote to memory of 2760	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2808 wrote to memory of 2904	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2808 wrote to memory of 2904	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2808 wrote to memory of 2904	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2808 wrote to memory of 2128	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2808 wrote to memory of 2128	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2808 wrote to memory of 2128	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2808 wrote to memory of 2120	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2808 wrote to memory of 2120	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2808 wrote to memory of 2120	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2808 wrote to memory of 2952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2808 wrote to memory of 2952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2808 wrote to memory of 2952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2808 wrote to memory of 2660	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2808 wrote to memory of 2660	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2808 wrote to memory of 2660	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2808 wrote to memory of 2632	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2808 wrote to memory of 2632	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2808 wrote to memory of 2632	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2808 wrote to memory of 2096	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2808 wrote to memory of 2096	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2808 wrote to memory of 2096	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2808 wrote to memory of 2088	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2808 wrote to memory of 2088	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2808 wrote to memory of 2088	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2808 wrote to memory of 2216	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2808 wrote to memory of 2216	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2808 wrote to memory of 2216	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2808 wrote to memory of 2544	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2808 wrote to memory of 2544	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2808 wrote to memory of 2544	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2808 wrote to memory of 3040	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2808 wrote to memory of 3040	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2808 wrote to memory of 3040	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2808 wrote to memory of 2420	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2808 wrote to memory of 2420	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2808 wrote to memory of 2420	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2808 wrote to memory of 1952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2808 wrote to memory of 1952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2808 wrote to memory of 1952	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2808 wrote to memory of 2396	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2808 wrote to memory of 2396	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2808 wrote to memory of 2396	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2808 wrote to memory of 3000	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2808 wrote to memory of 3000	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2808 wrote to memory of 3000	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2808 wrote to memory of 2944	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2808 wrote to memory of 2944	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2808 wrote to memory of 2944	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2808 wrote to memory of 2032	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2808 wrote to memory of 2032	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2808 wrote to memory of 2032	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2808 wrote to memory of 2872	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2808 wrote to memory of 2872	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2808 wrote to memory of 2872	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2808 wrote to memory of 264	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2808 wrote to memory of 264	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2808 wrote to memory of 264	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2808 wrote to memory of 1628	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2808 wrote to memory of 1628	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2808 wrote to memory of 1628	2808	2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-04_170e8e11adbf6e99f7d77b7433e347ef_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\System\wqwsquW.exe
  C:\Windows\System\wqwsquW.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\tQNMVwR.exe
  C:\Windows\System\tQNMVwR.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\iDowtDX.exe
  C:\Windows\System\iDowtDX.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\XCPZISS.exe
  C:\Windows\System\XCPZISS.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\VHePdvx.exe
  C:\Windows\System\VHePdvx.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\rgTkSff.exe
  C:\Windows\System\rgTkSff.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\hfbQSSY.exe
  C:\Windows\System\hfbQSSY.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\CPKtzNV.exe
  C:\Windows\System\CPKtzNV.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\WJgKHZB.exe
  C:\Windows\System\WJgKHZB.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\IHEIJKc.exe
  C:\Windows\System\IHEIJKc.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\gRqKDNg.exe
  C:\Windows\System\gRqKDNg.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\VjpxLlv.exe
  C:\Windows\System\VjpxLlv.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\VnOCfbv.exe
  C:\Windows\System\VnOCfbv.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\ABAVrUS.exe
  C:\Windows\System\ABAVrUS.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\lHYAHJu.exe
  C:\Windows\System\lHYAHJu.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\PGjMQuz.exe
  C:\Windows\System\PGjMQuz.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\sTENVOv.exe
  C:\Windows\System\sTENVOv.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\TRseoic.exe
  C:\Windows\System\TRseoic.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\wdXuHqs.exe
  C:\Windows\System\wdXuHqs.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\upaUdBT.exe
  C:\Windows\System\upaUdBT.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\aaFmRiK.exe
  C:\Windows\System\aaFmRiK.exe
  2⤵
  - Executes dropped EXE
  PID:1628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ABAVrUS.exe

Filesize
5.2MB

MD5
c3408fead4ad66cba2a21140648e107b

SHA1
89d27dcab25b5cd7ad5562d9a9a90b08d0c334b2

SHA256
353ce2c4ce9f1144d1a8b7a912494cb7b803dc305329b7a79982a30795d5d9cc

SHA512
45b6359dc2a08a6d061f32bbc4a302a3a7d509cb91e31dca481dd92263d8aeadd4cc1ae1edba143f6cc2d90dba4818abfb45af078190629ded3e03e529220883

Download Submit
C:\Windows\system\PGjMQuz.exe

Filesize
5.2MB

MD5
9b39b1dda58dc055cbda2a19b3850bb5

SHA1
69bc5c90aa206581b46861ecaa8df4222198b12c

SHA256
6cc580cc1a93d3a17f21ffa6f1acdb486f2b8370d2a002619e4922b6a71c9464

SHA512
9798f28b2971b10ebe1db1f7db6a0b6c00ee50b1a474f8371f92142152707896571563179def11e3f266e70763384e227429daea9fa592e933ead929598c058d

Download Submit
C:\Windows\system\TRseoic.exe

Filesize
5.2MB

MD5
4f99eb7b5676793a9a8ad7d9ad740a8c

SHA1
b491f4256e07f6fc8014bc01eb0a66b02f555b39

SHA256
38acf2b351400fca9dbf21e3bd13e8bc78995ac9ef5f89ac545c9ed0e5de7730

SHA512
b819491be6f07f238d06fc70a31d5453630188a687dcf73bbda3e32c92c43419cc3e83c5acb3ff7c7a6c23be496d47b5a9905b415a7cff111859b9e027662787

Download Submit
C:\Windows\system\VHePdvx.exe

Filesize
5.2MB

MD5
3d396f35c23ff2591cf5917b548e84cd

SHA1
734d33d963d621844ee0186f0b2b423d552ebd41

SHA256
aebbdf57258854515ce8a9087c4573880c728b4b481ed381fcebcf0de6bbd242

SHA512
06d137c43b7827d99e2dac5983ae0a34d0afbfd442a09d4fbed3bd0d8d855ef732f8d3a37405c3292dedc61c707ac691b6b7f968afb7f87266385cb8d86627e2

Download Submit
C:\Windows\system\VjpxLlv.exe

Filesize
5.2MB

MD5
f06ff7843cabdac4bb7fcab9c270abba

SHA1
bfd547771c7780b8ec533dfce25ff61823adf143

SHA256
3c1e9fcbb32a94fdb9646a4eb054ac016393df92671fcaf1a7df460480eb939b

SHA512
2cbeb2795d9d7fa83a7de35a15adee8bfe73ffd663932fdbb0636e7d0db641788b05a7ff57b5e04473420e1686e099c45e77a5db060d3e25e43a7884e32b1a5f

Download Submit
C:\Windows\system\VnOCfbv.exe

Filesize
5.2MB

MD5
1659cd8f67ac74904ec741ba0663b01f

SHA1
0b24b2037be624cbf54086958d687705604684d9

SHA256
b4c5fb6c9cd0ec7759e1efc782b2e7c34201645332d2435a8bc87bb472d4dbe8

SHA512
6cbc9aaf6865f73cf26d6d33a300230bd2cb70f23ef69efa098df41795e83140c70954def53a9da00ba3c18e4e3e1548d40dc559060c74bc46a12c03c0ceb2b7

Download Submit
C:\Windows\system\WJgKHZB.exe

Filesize
5.2MB

MD5
c79a80d9477c7adf28339bd488053fbc

SHA1
53f228542cd8b96eb9fb3d8f6a2e7083a61048c8

SHA256
8ee219aaf4e79ab69a14bccb63c17a77f39275f77836db7b6995acba2577873c

SHA512
1b0b677f10571a6238a2d1534dcaef957b97b62265bdfc49f36c3f90f08deff8c145086ea8182d88e8bd8b06683b7dc10d9ba954cdd4b05f72e5f0fbfc442b2f

Download Submit
C:\Windows\system\gRqKDNg.exe

Filesize
5.2MB

MD5
72d4a6344491c8050def2b660de00f11

SHA1
6f0e3329d4de192dd2cd61615b5625946ca4ce63

SHA256
6400d5100656b8f715e08cde3f60b0998b65d67663bdabca569c1d29d2e3c387

SHA512
26630a48acbb0bdb4d29e2d72088ccc0ff6fb90a3e5985f38138ae51ac5cab328ff5938f2281e44557f1a73b0a37e7c28000ef168bf19ba2f9bf4735630c0148

Download Submit
C:\Windows\system\hfbQSSY.exe

Filesize
5.2MB

MD5
91a1f0248c28723f30bef9182d22ae0b

SHA1
f34b5ab7c92681729637fea3936deac03d624cce

SHA256
e00321621a866668262ffc6838fe88c008ff8cc678975e21aa148b252de207c0

SHA512
8f0212c2e47b526cf7616bc7a41f185b9a41349434743282116d9c6d7baa5d37bef6c2bd88d7c2e7558fe55f6abb38f45909fb5d0f1855c733311499dae75038

Download Submit
C:\Windows\system\lHYAHJu.exe

Filesize
5.2MB

MD5
28a86fe98c0154a1df770ba2b868aa3a

SHA1
0ab8811ee386440872dbe0e83dbdb329c0e70b99

SHA256
8e49801e67cbaf165c994be075173553307d3d7d976aff00ba2171da2b669e39

SHA512
be8e4e844686bc34767da4c3eb4c9b600f4e49dbab72e90e2d4791de90f3c6348e4a49b36b593a8316322e940128687eb0bee58549a92d3c4cc51a3d61b0a326

Download Submit
C:\Windows\system\sTENVOv.exe

Filesize
5.2MB

MD5
a3bfc49ecfe7c03a2ac80e2598b33000

SHA1
beff0ceeee0b146511b7f335ee8c535cb834f1e7

SHA256
65513d54347a6276c752a3c4c844e44515033c1b1c3f5e1c14d3618066ab3e48

SHA512
061c7046162c99042ea3c1d0553d254c2794507368679dd57749d7c34328bf76ba122d855255caf3872d585a4a4876c004588d8eaee95d0097b9a4a8cf6bcf6f

Download Submit
C:\Windows\system\tQNMVwR.exe

Filesize
5.2MB

MD5
be6424e4d23552514c3420f393079555

SHA1
9876fdfd80e30b558ef34e4040e0d755906cd269

SHA256
16d3d73784cd9f21090b473b2acfa30bbf5a2b8481fa090fe3d839447099a388

SHA512
7a96866065a89595623f9f01c6882f7709547863280c7066d346f957c35a59aee1cf74463bbec5884649253dae54c0909c912dc71d5b96530cd80297cf0f542c

Download Submit
C:\Windows\system\upaUdBT.exe

Filesize
5.2MB

MD5
57a93a8d399bca9f53f8b381ce0683a9

SHA1
e1d34d6f74a9270f54236898f21087d84bce0e7a

SHA256
4a1bec3fbb072598cc54fa85416bc6cb1ac0ad476997c1f9a8494e2a71f6677c

SHA512
e57e0ba3f0a0ee4f87b7ca8af4f85c3b7bd0974e81c6b2f6772a6fac641fbbea99c49b1ec5fc4b17392d0ceba18c0e80c913727e6bde1b739250c2a5970c3f37

Download Submit
C:\Windows\system\wdXuHqs.exe

Filesize
5.2MB

MD5
a88bd60c05ff563d5a605b5d5999305f

SHA1
2b61a35a54dde61fc51c02a302ad9f2ca195853d

SHA256
2493007d6c0e2852ff56ac94489ce74f35e8a36a878c420c7e2d4f6ec2ae9512

SHA512
bdcd4001ca023d39ebdd3e362b5e1d3bf98f9eac0de77a38eed271746ab716f609f94c7a0aee5da9d19c4bfcfd285c3f4d1c5b282f7244e62adf3d93cbc638ff

Download Submit
C:\Windows\system\wqwsquW.exe

Filesize
5.2MB

MD5
a7f4a7c6c0a01a94739a9751a9cfb42b

SHA1
21a4e4055db4c71a939cfd5711ddf6b367960ca7

SHA256
38f2296cf93f5bd7804cf5f6280ff5d28061f89c575dcf354326291f13d9dc3a

SHA512
99a1cc8224195928f86b931bbd9606909a1208a26a4a3d852a3bbb4c89a97049111d064e62178cabbfb34a68db78c8c6edc81b005b4a958480215034a02fa948

Download Submit
\Windows\system\CPKtzNV.exe

Filesize
5.2MB

MD5
ca6db060f0c2fe03188f81c30fbcd969

SHA1
579f33402b68989c7a73d59fcee3c7120df83097

SHA256
a432dbbd57d27d8d9f22d6dd516fb7c87590f7385a074ea6f139cf9741948d97

SHA512
cd539941f58a1c926160180404645478535465121141b90f30e8226e6a0fc128dc6fe14a6560f9a734c1ea391c3e798c2f615911ce1eecaa8555db330373d73b

Download Submit
\Windows\system\IHEIJKc.exe

Filesize
5.2MB

MD5
caecddb4ca39a1ac1c93063702df06d6

SHA1
df0ca83660060c24a49ee2cd400aa4f4ee2fd456

SHA256
64c1cf577dadb5a8a4ffb48d6521c116f0da9f61987192903356011962c67ff3

SHA512
140fa0ad49076698ca686bcc2f7d040d1a1ade28a7b18870f8c4fff14c8edba6f5f0f7c4f35690e895c63a3ef5c3aa91ad2ecb883a40380067d3785cc5705de8

Download Submit
\Windows\system\XCPZISS.exe

Filesize
5.2MB

MD5
3ed5b38dba15cf9a0af6314c3d59d6c1

SHA1
7b3294f9476fdfe3ce2c21976609d979ae02edbf

SHA256
a47bf221fd2c6b0859acc3e8e0bb447304bfdc6e153bd432e761ffb903fe0bd3

SHA512
fec62f5a85fc258c339f49bb02c510b3876289deea51da70208c7a943f4b90dadd3ea7a683cf4f025991568eb712b324bd13d0265903bbe50e47291d5ab9c5dd

Download Submit
\Windows\system\aaFmRiK.exe

Filesize
5.2MB

MD5
32d91071cb67dff2fb8216a607f244b0

SHA1
943ad8c396750c230b5427676edbca8dbfe539e2

SHA256
f31c12595ab7555a05686fbb7ef943bfe05e8b1eeef1ca64ca9da1e8d3ab9908

SHA512
4aa2d8e0bc74b2193b4bcd5765eaf1249604ce509d9ff54119213bcd25c44238268cb10af05910a7bfee5e66a8337f1e5522df9fbe7b2b6b3ab71b56f7a32489

Download Submit
\Windows\system\iDowtDX.exe

Filesize
5.2MB

MD5
ba7fa1029af8c03cd75309c6a6dd4ef8

SHA1
eb17dc149b8b045b1afdd3470a23c858491f3119

SHA256
5d5927b9eb7cbfcdb07f00e43bc5a690e6e5038236d5e573b191de64d2214073

SHA512
a963e36a3ef53ad72bab22996d0cb7fac44672a51de914e83de65ce03ee93ff8008938401415d9c8dc33f903fb6bf71340cdb5c0a916ab90758c00164ad966d1

Download Submit
\Windows\system\rgTkSff.exe

Filesize
5.2MB

MD5
816d216c6be48e4d623f2fae1bee3fd8

SHA1
f922535f16ddea35ffafd8552dafe10987ebc66a

SHA256
8b296cac4b29dac5b2557bd611358cbe8a6d2c90aabe67e69d41cae0e0e72895

SHA512
a7cc0b78b7619bd3fd227aa0016cbd5ca68cb1e7cfdabe2aadf4115561a9e508c75183109cb15fe3729ca7cca40baaac7e6d31d8b76b28ef6d386162d9efe8c8

Download Submit
memory/264-167-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1628-169-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-103-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-161-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1952-256-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2032-165-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2088-248-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-65-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-102-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-93-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2096-57-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2096-238-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2120-227-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2120-29-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2128-225-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2128-21-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2216-246-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-71-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-137-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2396-162-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-149-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-254-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-94-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-78-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-142-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-250-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-240-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-85-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-50-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-45-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-236-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-221-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2760-49-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2760-9-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2808-98-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-99-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2808-90-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-7-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2808-60-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-144-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-0-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2808-107-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-67-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-145-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2808-168-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-37-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-82-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-53-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2808-52-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-40-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2808-31-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2808-170-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2808-89-0x000000013FA00000-0x000000013FD51000-memory.dmp

Filesize
3.3MB

Download
memory/2808-156-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-19-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-28-0x00000000023A0000-0x00000000026F1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-166-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-223-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-22-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2944-164-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2952-235-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2952-35-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/2952-70-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/3000-163-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/3040-252-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/3040-143-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download