cobaltstrike | 5f1599e37a0886386fea827bdeb8c591d582f8c4fc37e29fa5e8224a426f88f6

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

8c3367cdffd87b16eb877420c7eef42b
SHA1

c41b6348a112f9c6fa973b65a2fd9dd14c446515
SHA256

5f1599e37a0886386fea827bdeb8c591d582f8c4fc37e29fa5e8224a426f88f6
SHA512

3eb70326a2c78f3722ea06b9ebf6f7d09f8df8fc3e8cc5ade5336d8efcc9e0e0a5c9efc06a5ec6043aca0d4cae58884ca476b3543dea1c064dcef709d7475c7d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibf56utgpPFotBER/mQ32lU1

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012118-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019259-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019268-12.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001926c-25.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019275-30.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001929a-36.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019513-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019640-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001964a-85.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000197c2-94.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019b0d-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019b0f-109.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019a72-99.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001964b-89.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019642-79.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001953e-69.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001950e-59.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194df-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019319-44.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d7-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019278-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2732-9-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2700-111-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2920-115-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2604-114-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2840-112-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/1296-117-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1632-119-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2608-118-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/1340-124-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2340-125-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2004-122-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/3044-121-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2212-120-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2168-128-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2936-148-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2240-149-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2636-147-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2756-145-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/1848-143-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1716-146-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2556-144-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2808-130-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2168-150-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2168-151-0x000000013F340000-0x000000013F691000-memory.dmp	xmrig
behavioral1/memory/2732-218-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2700-221-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2808-222-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2840-224-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2604-226-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2920-228-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/1296-230-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1632-234-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2608-232-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2340-243-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/1340-241-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2212-238-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2004-251-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/3044-237-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2732	aDeqGqU.exe
2808	UGtvXSY.exe
2700	pvncTXC.exe
2840	KYZpTdI.exe
2604	hQiRVmP.exe
2920	MAUiovi.exe
1296	HmTJlsi.exe
2608	WJofTog.exe
1632	LlDDdFE.exe
2212	cZGGnpD.exe
3044	XVscsgL.exe
2004	XtZQNdS.exe
1340	ZivLnDw.exe
2340	vXvpBqQ.exe
1848	uficsIf.exe
2556	ltsBvzi.exe
2756	amkzrQp.exe
1716	uiEbgJS.exe
2636	oHvrSWj.exe
2936	XCVVWQC.exe
2240	AIgCrqR.exe

Loads dropped DLL 21 IoCs

pid	Process
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2168-0-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/files/0x0007000000012118-6.dat	upx
behavioral1/memory/2732-9-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x0007000000019259-13.dat	upx
behavioral1/files/0x0007000000019268-12.dat	upx
behavioral1/files/0x000700000001926c-25.dat	upx
behavioral1/memory/2808-24-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/files/0x0006000000019275-30.dat	upx
behavioral1/files/0x000600000001929a-36.dat	upx
behavioral1/files/0x0005000000019513-64.dat	upx
behavioral1/files/0x0005000000019640-75.dat	upx
behavioral1/files/0x000500000001964a-85.dat	upx
behavioral1/files/0x00050000000197c2-94.dat	upx
behavioral1/memory/2700-111-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2920-115-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2604-114-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2840-112-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/files/0x0005000000019b0d-105.dat	upx
behavioral1/files/0x0005000000019b0f-109.dat	upx
behavioral1/files/0x0005000000019a72-99.dat	upx
behavioral1/files/0x000500000001964b-89.dat	upx
behavioral1/files/0x0005000000019642-79.dat	upx
behavioral1/files/0x000500000001953e-69.dat	upx
behavioral1/files/0x000500000001950e-59.dat	upx
behavioral1/files/0x00050000000194df-54.dat	upx
behavioral1/files/0x0006000000019319-44.dat	upx
behavioral1/files/0x00050000000194d7-49.dat	upx
behavioral1/files/0x0006000000019278-34.dat	upx
behavioral1/memory/1296-117-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/1632-119-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2608-118-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/1340-124-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2340-125-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2004-122-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/3044-121-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2212-120-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2168-128-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2936-148-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2240-149-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2636-147-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2756-145-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/1848-143-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1716-146-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2556-144-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2808-130-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/2168-150-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2168-151-0x000000013F340000-0x000000013F691000-memory.dmp	upx
behavioral1/memory/2732-218-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2700-221-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2808-222-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/2840-224-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2604-226-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2920-228-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/1296-230-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/1632-234-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2608-232-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2340-243-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1340-241-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2212-238-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2004-251-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/3044-237-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\uficsIf.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\amkzrQp.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aDeqGqU.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pvncTXC.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYZpTdI.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LlDDdFE.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XtZQNdS.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGtvXSY.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmTJlsi.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vXvpBqQ.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ltsBvzi.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oHvrSWj.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cZGGnpD.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZivLnDw.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AIgCrqR.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCVVWQC.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQiRVmP.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MAUiovi.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WJofTog.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XVscsgL.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uiEbgJS.exe	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2732	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2732	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2732	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2168 wrote to memory of 2808	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2808	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2808	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2168 wrote to memory of 2700	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2700	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2700	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2168 wrote to memory of 2840	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 2840	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 2840	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2168 wrote to memory of 2604	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 2604	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 2604	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2168 wrote to memory of 2920	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 2920	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 2920	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2168 wrote to memory of 1296	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 1296	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 1296	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2168 wrote to memory of 2608	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 2608	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 2608	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2168 wrote to memory of 1632	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 1632	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 1632	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2168 wrote to memory of 2212	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 2212	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 2212	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2168 wrote to memory of 3044	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 3044	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 3044	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2168 wrote to memory of 2004	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 2004	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 2004	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2168 wrote to memory of 1340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 1340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 1340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2168 wrote to memory of 2340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 2340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 2340	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2168 wrote to memory of 1848	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 1848	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 1848	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2168 wrote to memory of 2556	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 2556	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 2556	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2168 wrote to memory of 2756	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 2756	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 2756	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2168 wrote to memory of 1716	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 1716	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 1716	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2168 wrote to memory of 2636	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 2636	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 2636	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2168 wrote to memory of 2936	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 2936	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 2936	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2168 wrote to memory of 2240	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2168 wrote to memory of 2240	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2168 wrote to memory of 2240	2168	2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-08_8c3367cdffd87b16eb877420c7eef42b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\System\aDeqGqU.exe
  C:\Windows\System\aDeqGqU.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\UGtvXSY.exe
  C:\Windows\System\UGtvXSY.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\pvncTXC.exe
  C:\Windows\System\pvncTXC.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\KYZpTdI.exe
  C:\Windows\System\KYZpTdI.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\hQiRVmP.exe
  C:\Windows\System\hQiRVmP.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\MAUiovi.exe
  C:\Windows\System\MAUiovi.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\HmTJlsi.exe
  C:\Windows\System\HmTJlsi.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\WJofTog.exe
  C:\Windows\System\WJofTog.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\LlDDdFE.exe
  C:\Windows\System\LlDDdFE.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\cZGGnpD.exe
  C:\Windows\System\cZGGnpD.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\XVscsgL.exe
  C:\Windows\System\XVscsgL.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\XtZQNdS.exe
  C:\Windows\System\XtZQNdS.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\ZivLnDw.exe
  C:\Windows\System\ZivLnDw.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\vXvpBqQ.exe
  C:\Windows\System\vXvpBqQ.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\uficsIf.exe
  C:\Windows\System\uficsIf.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ltsBvzi.exe
  C:\Windows\System\ltsBvzi.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\amkzrQp.exe
  C:\Windows\System\amkzrQp.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\uiEbgJS.exe
  C:\Windows\System\uiEbgJS.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\oHvrSWj.exe
  C:\Windows\System\oHvrSWj.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\XCVVWQC.exe
  C:\Windows\System\XCVVWQC.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\AIgCrqR.exe
  C:\Windows\System\AIgCrqR.exe
  2⤵
  - Executes dropped EXE
  PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AIgCrqR.exe

Filesize
5.2MB

MD5
c902d36a0f213aeefb6e968c5c8db2e1

SHA1
29117edf6ea801067ed43f90b1697924f3f88861

SHA256
aa4e74e5d72a97e473f33fdc29d47a1b9d82e3202284f4efd292e0b9a84f3d48

SHA512
39ba1e34d7a72c39bb1d6223a7a4f448b454073708cf8bb2ace69adaa64b12672d5b97bf3108794234b85910f84c2e083c26280c4c407ad7f1c435545cfb1229

Download Submit
C:\Windows\system\KYZpTdI.exe

Filesize
5.2MB

MD5
0d90f2cf1dd0bfd335775a47c5e27d26

SHA1
ca745a192b3a63485f8b9cc07bcc4dbc6ae7e51d

SHA256
a073d2fc59e27ccd1c5cc99291c682c6d162e05e97b0a71374dea71bfc658b72

SHA512
f673c60b2a7737ec87d44a53cc412326b04e34c2b3cb380f0c14a36f3730b34def3fa2e1c6eba8b36627b6d770ebb9aaa740648f3746202d5e3c58383eea37b7

Download Submit
C:\Windows\system\LlDDdFE.exe

Filesize
5.2MB

MD5
2589ef5c149d22cf5d3bc9bcf64c5d13

SHA1
c8deccdb7cf42db40772ae1ec82a9e74f63e6fac

SHA256
b1fe39223a94e3141be5b075c0eee9314976ce35812c5b327d4e22623b633af4

SHA512
0efb70a55a68bd017538914110841f54cf8f06f9270064a0d8ce8ea22c8912aa75b0f0d990e2dc4bfa327f1a022d07edb458f3054b07166ad954b4844d4bc84e

Download Submit
C:\Windows\system\MAUiovi.exe

Filesize
5.2MB

MD5
0fca19b73650d9714ec4de0eacdea19b

SHA1
cd542b1f87a4f5eb14540d164f4cc4662d742b81

SHA256
8a2c6f2255751ad8051f849af26b62dce3b7984964c0c5d8462f032723930b31

SHA512
64ebabd19f8d617d3d7636e490b866f61b581807b8094aebbd14eefa016bc10e8933626e7f81af6b0a9ae760eed034b7f4eb5d1125ea9ff9c1f8de3b63f553a5

Download Submit
C:\Windows\system\UGtvXSY.exe

Filesize
5.2MB

MD5
de1ba1fdfa87feb6aad3718225506c40

SHA1
24d62371badf1582b941edb70c358eb7db4dfee1

SHA256
a7c4f5e02669bffe25e41bcb1ed631c96ada3f9dfecfa57aefde479d42156d1a

SHA512
3064f9057263a0aa41e97e9cfa754642cad228f0ac0bd128251a6d5992fdd5acd8eb4865ef3e35dacc24bad711d402e9cec8598df9f645e4ca75a75f819c9837

Download Submit
C:\Windows\system\WJofTog.exe

Filesize
5.2MB

MD5
9b27ad450b4701e0c029825ef74a7cbc

SHA1
978ecc2f486faeb8de2826d6f4beb20c3d3be77b

SHA256
0e3082d07302ea02f52ae6fc71a388ce5c6b4e00bc2b49d9758c74354cada2bc

SHA512
4854d2b58a42d79aa7fcf28775e6d9095e292b246edd6f248bfc55b2116afd3c56885363f9f19aa2f153d28bb766fed66162cf27b829045444f3bc0c492ac6d2

Download Submit
C:\Windows\system\XCVVWQC.exe

Filesize
5.2MB

MD5
505edaf2b763ffe61f49fc8b239534a5

SHA1
84911384260adba024d091f66aa4b39b04a88549

SHA256
14fa1987df8a75e34b98afc5808db685095fc39f5cba623760ed8bfb09a23806

SHA512
615369d237479f627929f0fe612e6c07ac6deac468cb4cd9f7f8bacb7e7be96b6783cb684ac39f0660e9be39e18b30e560c84d05e23d6a06fa5c32f3dc461a02

Download Submit
C:\Windows\system\XVscsgL.exe

Filesize
5.2MB

MD5
a0c61157ef664b6646af77e6554695cb

SHA1
9ddc0ca0463fd9bde58a291f23449ddc7fbf4544

SHA256
4fe853c1afad229f8b2e19089be9f3291d109f1d514bab3abdce02854138fb7b

SHA512
748d3e19772433fb7b97fe7690f32ce6fd0ecd67fbe2fe493cd9a0ce38459b9d2439abd4decde97f54e2fdc015bdfac9a490b33f0e89164827d26a4e14d67341

Download Submit
C:\Windows\system\XtZQNdS.exe

Filesize
5.2MB

MD5
9f259b3971f2f39e9a2b02593c7a632e

SHA1
58de100f1b87163554d54c09879528ea1123c7cd

SHA256
bae13f318943936fb4f88a693dfb4b60bce3370bc409651eccb8bf36503f3da8

SHA512
b34c61af824bc07544d318e0f34aa19d5e7547ccdf36bf92995bc4b6f11ca5bdb5bbe6900afab6e7f4a1906eaa06abdfc50eaad2b0a4cdccef6a7e0d129357d2

Download Submit
C:\Windows\system\ZivLnDw.exe

Filesize
5.2MB

MD5
e6d9190665241d912dffcb8d25a63326

SHA1
e67af8da20cf61312301c939c31bb222ad1fcd6f

SHA256
0dafc80d0f62a189dddd7d3e6bdecfbff82febed98d184a0a147598fb06c5c02

SHA512
24490cc9cee2d4910d5b99bb17093b6925d4eae1bd2c2c10ac722355b24cc50023a86b4d2694d8c60d4612aff0dec5a1b626ea1587ea7de3a3b1527d96d043d7

Download Submit
C:\Windows\system\aDeqGqU.exe

Filesize
5.2MB

MD5
ba23ca1177384807d65169732e22a93c

SHA1
1029ec08ca4dc2b137d15e9a45e23ba66ec9c05a

SHA256
e1700adbd01766ed2b7e159febabc60ceb9d9939602b2ae1977ef752ce145417

SHA512
1c5a0e75a0067b3e39a273a5ab84d1b8265aaaac48f6078039a07ae7bdce4cf78b905c71901d712e749b344b80ad25cd2fd732f5a7672ae32ef56a28f9680999

Download Submit
C:\Windows\system\amkzrQp.exe

Filesize
5.2MB

MD5
1f5364845ebccc947636d562d1c19255

SHA1
ee432c2c5e909d14c263df70487f3ccce415db69

SHA256
026ae3c27731603324736835c1e9a9b05fef7b70e42fa1f5dc489ba4419c924f

SHA512
8102766552696b02f638d954c5a890b3f2219f9d3fd98a80e476d5e01c0dd0bae9f716abdb1a40c9e2e2bb8af15b6ee11b789902b445d9c72e32edc8b405c77c

Download Submit
C:\Windows\system\cZGGnpD.exe

Filesize
5.2MB

MD5
e7d7ff1c2b6c4381ec75deb300baded5

SHA1
9bcb0012f31735ecab532686f321c90c1a287fe7

SHA256
3ec5a1bfd4de8bd57f6b49093e49947c94bb2e8a55cd41ba1df71fe57850a242

SHA512
72c732b5614e7192d92f722f963c71b214f63c52975d20464436130c277c0036c6d65919d55ee9de0c487f4125e2a3d0baa9837968c957f542634b48b2578270

Download Submit
C:\Windows\system\hQiRVmP.exe

Filesize
5.2MB

MD5
a3674ef93b371c6738b07ad0b431ff76

SHA1
44dc90098fa21c9a36c9edf79ef77ef2d4f1fb66

SHA256
8fb70074aeeb71e141e8b769992470a34bda1e2449df598c9880055063a83b3f

SHA512
f6d260a8debf4bea66a2c49ab14c97a349d94ad01867ccfd2274a13de4518b2724b9972424d1ee8ab40bb7f95f9947390126370ecb2e6d6e82c51c662f153e58

Download Submit
C:\Windows\system\ltsBvzi.exe

Filesize
5.2MB

MD5
8f00367f129857ca203590afe2e4ff34

SHA1
7beca89fb500ee7f37e9862e440d05c708f0f350

SHA256
0b0dcec4974a052fe02de184b8f5c4243cd9d3f1263dd69494b33a395b5445cf

SHA512
fd5a41eafae3318e48036ad0ef3e088bf17bded2491b1d87bfca6527addab323d27e84d034c3eed64ac1ff8d8a730f5af54d16d60dc85b032d998a5d25a3f463

Download Submit
C:\Windows\system\oHvrSWj.exe

Filesize
5.2MB

MD5
ef87700aceaf150df1e059f85bb286fb

SHA1
dc0cf5bcd76440a925c64aa81634cbf9603d9cef

SHA256
585e5599bdfb112ef0d581333a61ecf1525addeacad6988641c142b9af17f0ea

SHA512
e735d9a789ef243fb207968ab29389930dd1106069248d8bd624aca3e76560d61a9f935704269e1b4637ae656c79cf5e517fb60517929f55295997436b94516e

Download Submit
C:\Windows\system\pvncTXC.exe

Filesize
5.2MB

MD5
d2e395ea77277da3b7c421fa0bce1458

SHA1
b979783549767801cf2a744226769ce539d87b4f

SHA256
53664c1ebcc99e44d4c8e29559c026dafe055ad2c21892d571aa375e735c104b

SHA512
0ac22f42d74563af26cfdd5c7d450221883346fc5628b696949c5481c49738e7aeff41f940f39fb8564def0f834f8911c8e97627539d62224814466a1cecc67f

Download Submit
C:\Windows\system\uficsIf.exe

Filesize
5.2MB

MD5
1de74f8a4685416ce53d3b924dd43487

SHA1
24215d4ce2f99ae4400af27c6677345e64a589bd

SHA256
3dbbec36d1b44747df4c8c4049a0bdcdbf6c85967a53681756389a853fba5d99

SHA512
0cf8536232453f28043eae7e752bf68ba4b1eb919472a428eed09dc82b1045ac8cceaa460a5a6e9de52faa844253205f7a5987706b5856ec7b2c74baf15a6bc0

Download Submit
C:\Windows\system\uiEbgJS.exe

Filesize
5.2MB

MD5
ebbb62e692f225cb5345e7e1b559b3ac

SHA1
a9456caa57086ce4fa018602ab05f3cf34db17c4

SHA256
bafae0f6e094250b2f11c76772bd2a930e3263765568222d41217cfac9cae342

SHA512
1f1187302ce1f251a76b911d21180bd37f1fdcf5f98a8ac3954a4f4dd0a1c292131b453cb91e2b63a3718ed37994f15db33d73915ca22c6dd23be3cbc10aa6a9

Download Submit
C:\Windows\system\vXvpBqQ.exe

Filesize
5.2MB

MD5
244146302818dc955a3af0bf456a2595

SHA1
463f4ced19731f4e9c1e02812b8be8f445999bf5

SHA256
32b826e1fc7f0e114f0dd42b735bb44be12a32dd42ff92c4b589af38b30f8b4b

SHA512
a9e1c7a3f9cf2987278eafd9d810643e130bb84e82ce40e8436f3424118520e9b7779bade2473a0389760c98bd68101cd3217547199983219d463f1908f25ff9

Download Submit
\Windows\system\HmTJlsi.exe

Filesize
5.2MB

MD5
8ee56679ba650e503f643dc9f47bbc86

SHA1
6c9416d9f8f346b1af5b08bb7e01231966d7df1c

SHA256
2af9e2ca40514351c83bc5f7ab81a6b400796e4849446802a7343e6a302aa99a

SHA512
702707b24b6cbfaf011993c36f3feadf0b9e064612ba79b1cf9d3cc8b86810ea91c730745bfab8de3f2fa10eadd8706eadc07786cbdb15527eb8adf2bd05dc85

Download Submit
memory/1296-117-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1296-230-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1340-241-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-124-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-119-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1632-234-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-146-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-143-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-122-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-251-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-7-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-128-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2168-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2168-18-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-151-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2168-0-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2168-116-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/2168-127-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2168-126-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-123-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2168-113-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2168-150-0x000000013F340000-0x000000013F691000-memory.dmp

Filesize
3.3MB

Download
memory/2212-120-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2212-238-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-149-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2340-125-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-243-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2556-144-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-226-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2604-114-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2608-118-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2608-232-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-147-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-111-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-221-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-9-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-218-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-145-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2808-222-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-24-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2808-130-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-224-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2840-112-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2920-228-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2920-115-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2936-148-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/3044-121-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/3044-237-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download