cobaltstrike | 34ebc1459d2290d3748905d670dfc45aa369a40aabc728e4abce5964f42aa013

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-09-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

58bbdd9570b94ed5c04de4b3ba2e5e8b
SHA1

9ba6620ca549c4aba3e134c44f2489d6e855e2a1
SHA256

34ebc1459d2290d3748905d670dfc45aa369a40aabc728e4abce5964f42aa013
SHA512

0f22d0f73ed1ff16e4bbacf9a2747d575ffde95737ca58d4da5c18ac078ea3f2012c0684ab21a8eb378bdac361d14f46e151f5a5b9ad6f161b0e216a9caae52a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6ll:RWWBibf56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012117-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016cfe-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d13-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d24-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d2e-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d36-32.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d47-39.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018678-55.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019218-83.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019229-87.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f7-79.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f3-75.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190d6-71.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190cd-67.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001879b-63.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018690-59.dat	cobalt_reflective_dll
behavioral1/files/0x001500000001866d-51.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001752f-47.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174ac-43.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d3f-36.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d0b-15.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/1856-130-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/3068-129-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/1688-127-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2936-126-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2780-125-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2288-123-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2724-122-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2772-120-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2900-119-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2340-117-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2760-115-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/2184-113-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2108-111-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1128-109-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2696-131-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2696-132-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/1524-153-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/684-152-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2228-151-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1676-150-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2648-149-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2620-148-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2664-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2696-155-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/3068-222-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/1856-226-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1128-225-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2936-238-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/1688-252-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2780-250-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2724-248-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2900-243-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2760-236-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/2288-234-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2772-232-0x000000013F270000-0x000000013F5C1000-memory.dmp	xmrig
behavioral1/memory/2108-247-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2184-228-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/2340-230-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3068	UZhwCGI.exe
1856	UFSUsYF.exe
1128	XaOESBT.exe
2108	rIEoBfL.exe
2184	CUhdSBf.exe
2760	CCWCdWN.exe
2340	ohCrsoN.exe
2900	KEeWceE.exe
2772	jGVjIBK.exe
2724	qyDeCdK.exe
2288	OzAUVmj.exe
2780	OHFEsWO.exe
2936	jkKkECY.exe
1688	CxBwBqH.exe
2664	cmTupoe.exe
2620	SyusSoF.exe
2648	KwiwLtZ.exe
1676	KwPEyqG.exe
2228	HHjArta.exe
684	CakIyzD.exe
1524	RBcPdDK.exe

Loads dropped DLL 21 IoCs

pid	Process
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2696-0-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/files/0x0007000000012117-3.dat	upx
behavioral1/files/0x0009000000016cfe-8.dat	upx
behavioral1/files/0x0007000000016d13-20.dat	upx
behavioral1/files/0x0007000000016d24-24.dat	upx
behavioral1/files/0x0007000000016d2e-27.dat	upx
behavioral1/files/0x0007000000016d36-32.dat	upx
behavioral1/files/0x0008000000016d47-39.dat	upx
behavioral1/files/0x0009000000018678-55.dat	upx
behavioral1/files/0x0005000000019218-83.dat	upx
behavioral1/files/0x0005000000019229-87.dat	upx
behavioral1/files/0x00050000000191f7-79.dat	upx
behavioral1/files/0x00050000000191f3-75.dat	upx
behavioral1/files/0x00060000000190d6-71.dat	upx
behavioral1/files/0x00060000000190cd-67.dat	upx
behavioral1/files/0x000500000001879b-63.dat	upx
behavioral1/files/0x0005000000018690-59.dat	upx
behavioral1/files/0x001500000001866d-51.dat	upx
behavioral1/files/0x000600000001752f-47.dat	upx
behavioral1/files/0x00060000000174ac-43.dat	upx
behavioral1/files/0x0009000000016d3f-36.dat	upx
behavioral1/files/0x0007000000016d0b-15.dat	upx
behavioral1/memory/1856-130-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/3068-129-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/1688-127-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2936-126-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2780-125-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2288-123-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2724-122-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2772-120-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2900-119-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2340-117-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2760-115-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2184-113-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2108-111-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/1128-109-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2696-131-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2696-132-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/1524-153-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/684-152-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2228-151-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1676-150-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2648-149-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2620-148-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2664-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2696-155-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/3068-222-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/1856-226-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/1128-225-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2936-238-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/1688-252-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2780-250-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2724-248-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2900-243-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2760-236-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2288-234-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2772-232-0x000000013F270000-0x000000013F5C1000-memory.dmp	upx
behavioral1/memory/2108-247-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2184-228-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/2340-230-0x000000013F810000-0x000000013FB61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rIEoBfL.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jGVjIBK.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CxBwBqH.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SyusSoF.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RBcPdDK.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UFSUsYF.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CUhdSBf.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KEeWceE.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KwiwLtZ.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HHjArta.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CakIyzD.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZhwCGI.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XaOESBT.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ohCrsoN.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyDeCdK.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OHFEsWO.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cmTupoe.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCWCdWN.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OzAUVmj.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jkKkECY.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KwPEyqG.exe	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3068	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2696 wrote to memory of 3068	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2696 wrote to memory of 3068	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2696 wrote to memory of 1128	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2696 wrote to memory of 1128	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2696 wrote to memory of 1128	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2696 wrote to memory of 1856	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2696 wrote to memory of 1856	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2696 wrote to memory of 1856	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2696 wrote to memory of 2108	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2696 wrote to memory of 2108	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2696 wrote to memory of 2108	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2696 wrote to memory of 2184	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2696 wrote to memory of 2184	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2696 wrote to memory of 2184	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2696 wrote to memory of 2760	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2696 wrote to memory of 2760	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2696 wrote to memory of 2760	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2696 wrote to memory of 2340	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2696 wrote to memory of 2340	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2696 wrote to memory of 2340	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2696 wrote to memory of 2900	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2696 wrote to memory of 2900	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2696 wrote to memory of 2900	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2696 wrote to memory of 2772	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2696 wrote to memory of 2772	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2696 wrote to memory of 2772	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2696 wrote to memory of 2724	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2696 wrote to memory of 2724	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2696 wrote to memory of 2724	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2696 wrote to memory of 2288	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2696 wrote to memory of 2288	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2696 wrote to memory of 2288	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2696 wrote to memory of 2780	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2696 wrote to memory of 2780	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2696 wrote to memory of 2780	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2696 wrote to memory of 2936	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2696 wrote to memory of 2936	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2696 wrote to memory of 2936	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2696 wrote to memory of 1688	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2696 wrote to memory of 1688	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2696 wrote to memory of 1688	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2696 wrote to memory of 2664	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2696 wrote to memory of 2664	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2696 wrote to memory of 2664	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2696 wrote to memory of 2620	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2696 wrote to memory of 2620	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2696 wrote to memory of 2620	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2696 wrote to memory of 2648	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2696 wrote to memory of 2648	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2696 wrote to memory of 2648	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2696 wrote to memory of 1676	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2696 wrote to memory of 1676	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2696 wrote to memory of 1676	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2696 wrote to memory of 2228	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2696 wrote to memory of 2228	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2696 wrote to memory of 2228	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2696 wrote to memory of 684	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2696 wrote to memory of 684	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2696 wrote to memory of 684	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2696 wrote to memory of 1524	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2696 wrote to memory of 1524	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2696 wrote to memory of 1524	2696	2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-13_58bbdd9570b94ed5c04de4b3ba2e5e8b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\System\UZhwCGI.exe
  C:\Windows\System\UZhwCGI.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\XaOESBT.exe
  C:\Windows\System\XaOESBT.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\UFSUsYF.exe
  C:\Windows\System\UFSUsYF.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\rIEoBfL.exe
  C:\Windows\System\rIEoBfL.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\CUhdSBf.exe
  C:\Windows\System\CUhdSBf.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\CCWCdWN.exe
  C:\Windows\System\CCWCdWN.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\ohCrsoN.exe
  C:\Windows\System\ohCrsoN.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\KEeWceE.exe
  C:\Windows\System\KEeWceE.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\jGVjIBK.exe
  C:\Windows\System\jGVjIBK.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\qyDeCdK.exe
  C:\Windows\System\qyDeCdK.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\OzAUVmj.exe
  C:\Windows\System\OzAUVmj.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\OHFEsWO.exe
  C:\Windows\System\OHFEsWO.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\jkKkECY.exe
  C:\Windows\System\jkKkECY.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\CxBwBqH.exe
  C:\Windows\System\CxBwBqH.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\cmTupoe.exe
  C:\Windows\System\cmTupoe.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\SyusSoF.exe
  C:\Windows\System\SyusSoF.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\KwiwLtZ.exe
  C:\Windows\System\KwiwLtZ.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\KwPEyqG.exe
  C:\Windows\System\KwPEyqG.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\HHjArta.exe
  C:\Windows\System\HHjArta.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\CakIyzD.exe
  C:\Windows\System\CakIyzD.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\RBcPdDK.exe
  C:\Windows\System\RBcPdDK.exe
  2⤵
  - Executes dropped EXE
  PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CCWCdWN.exe

Filesize
5.2MB

MD5
67a70b6f045c7fdf7f9816b59eecf015

SHA1
c7b12655ccd52dda607ad0a1cf9420c0c38cdf24

SHA256
c7b27028d04f9b7ee4287c3adeec0e9fc6b2a2f9af541d7d6c7e619b13bc518c

SHA512
2a423ff1558f3f77cc1254976ab24f4f90ecbff4b8f4d9e6373760f7b50c2aa728764d5e8e9f2ccdc900157aef67867aebedaf78a32965cf6d153e0862a30e9a

Download Submit
C:\Windows\system\CUhdSBf.exe

Filesize
5.2MB

MD5
d61bea0418bdc2f8080383c441883dee

SHA1
16c7aee4a7b2083e99768cd100c7f7a5e1e73ca1

SHA256
d5298e5a136bf9b61ab934e95a839cf469056aa14cbfa267c19dd3df30043ebd

SHA512
d3ead92227a6edee5a22dfb1132cecf1673df41de9d8fd62f1ee9ef1a6a52f35f143afb9d5c7fba983cb6706bed26d6858be50c4a44cafa0bce24f876bd404df

Download Submit
C:\Windows\system\CakIyzD.exe

Filesize
5.2MB

MD5
5e10222f370aefc75d96c00f72f2b3b5

SHA1
2e48448aedc5ec64b891cedf27b05f0a9d4a2801

SHA256
8ff29d0f499ab08ba458b8eff98d5be88fb3f549904c6d35e8a8433b2227b9dc

SHA512
d96465ce1c42f2e1f5b37789aa4b90f99784a0ce3060372ac61d57f5562c5e36c7e30d31e7c21b203f0ce2507d775b6bf16e5e5e7a9596e70c9d2efcba769f90

Download Submit
C:\Windows\system\CxBwBqH.exe

Filesize
5.2MB

MD5
83f9a6d2e82225f4c0d32c683803e786

SHA1
4c150d6df1f0799b82a431a8b5ce56f4b05de971

SHA256
f50b86ea3e49a82f21bc0fdbcbb887c2ec4d71b88b9471ccad02eb48828480df

SHA512
48562e61e0b8386a2d740298b8e50162d3e5e67d53f5d481b98e0b65375dd49bbce7d9c89331f2e04792ffc1846eeb6e30844b9f7eef116820aa61be9b1e11ba

Download Submit
C:\Windows\system\HHjArta.exe

Filesize
5.2MB

MD5
6e989b2b480c05b5209f27979746b458

SHA1
b926d7b3136441c1842c9584b3f4bbe0cebcf199

SHA256
e0e82d2f49b2b4d989dc91847de01c3d6779816061a03bb77d134d1a6fb87162

SHA512
551cdeabb547f7d42c9f4b4eb0c15ee1f561132ff27065cffc0abd39b4dd7531721e2122e3e61bc5bb301795958871e7e689390ff0e5b0a719fc869a762edb3a

Download Submit
C:\Windows\system\KEeWceE.exe

Filesize
5.2MB

MD5
a0146eb27507406378ee45dd0dde5f67

SHA1
00df7bc16ba0727c70a015f194b9fefee19e674a

SHA256
95a13079336142aa781f38c27dcc1d9d69c5b148d1aba4db73bc0db4e045915a

SHA512
8f62f77cc5cc596058340cce0096e854c62b0aad53b56d60a84233a73717b3eac766857c2679d4fbb405b27275abfe711b3976a1744ffc3ae696bc2f20ad9d3a

Download Submit
C:\Windows\system\KwPEyqG.exe

Filesize
5.2MB

MD5
dfa13ce4de77084c5bb2aceaee33f2fe

SHA1
1661ee3a56eb85558f5c3ddbc9beaa31563bdd53

SHA256
223ba37f05d27ecdb55fd074b648eab65ea1e710c59b3f85379d85869af5e8b2

SHA512
fa23968fbd3daa0ad1ad225db0fee0feb9ad91409af6498cbd50dc2f513513b7de34cb5d0aaee4ce700dc5b5e3d135b4e8abf171ae68ae8323250330a3bcc721

Download Submit
C:\Windows\system\KwiwLtZ.exe

Filesize
5.2MB

MD5
548def469f095563613801107948817f

SHA1
a083760085ab6501cbb7e905e1e117be04e635a8

SHA256
4fdbf822dc8c3bee7f167da1d0eaf75a7b569229da1361ac9f1f44609a1ce3bb

SHA512
aba3af43e63b0e1cdcdd0a02778d7189444202dfc5e48d2aa0b49ddcd56277c8d61ccb44425dbbac95e2e488c24ea30e5428198c2fdff7f31d26ba9870e027e0

Download Submit
C:\Windows\system\OHFEsWO.exe

Filesize
5.2MB

MD5
058eca974088f0a4f9d08adce6d3f338

SHA1
243cfa352f3eb59467aef178b2eac66eb74b110f

SHA256
8ffff0c99d9885fd60cbb2f7479f62767de11c730fdc2a84f89b7edeb112feb9

SHA512
e97a537ed7e7414722f3b7d586a2c41f6b68d52ea28161c5d66a8a45ac12cba0b68d6aa4f5a1a9c0407d5832a0351370c38baa513df4012f3a534f3bcaf60c4a

Download Submit
C:\Windows\system\OzAUVmj.exe

Filesize
5.2MB

MD5
50bf8c82c07a2e95753d58588e8f5850

SHA1
3e6b2caef5c6156f211e1c15a0c4971bb65362f9

SHA256
2f79f2e8cca751922ca94303597713e400a9883de762152d2d2712130156e4f7

SHA512
6cf243d1ce44d8887e532769dedd9f679cc4e5a35fef0e4b7468d24342f4077720935c24fef0029ee66947c7178477326d8f9e640e13ba5e40afd88095225702

Download Submit
C:\Windows\system\RBcPdDK.exe

Filesize
5.2MB

MD5
9537e72447f6d61dd3324f903a5fbfb0

SHA1
e20300dc3565eec59547ea02220c62bb078767f1

SHA256
b01947d774fa1720da6bb183d221b965339c4a163b0b6ce8d92cb69bbbeefa30

SHA512
55c36c568875ea52a3cce022f2a9459e5dcac5bc4d9bdf178dccb52991eadf5aa9e45cee6a9d9db6a02a70487b4e14ba469c1f6011a1547bcffdf7c4d7c64d49

Download Submit
C:\Windows\system\SyusSoF.exe

Filesize
5.2MB

MD5
8a31cae6fda7d022c2c067f705742889

SHA1
b26f83aac469b472a4fb39ef6a1c0ed4be5a412c

SHA256
311b28ff60ec819f6e773e7dc028c5cf73a86ae7da783e99574fab5acc367757

SHA512
09e8c4d4436379819b6a9cca387348e9dbe7f1df401929fbb8cbdd25d5d95228d1861a43c8e75d3803f1222512636eeeccbc7be459ec4e97caab93a1c56fdf40

Download Submit
C:\Windows\system\UFSUsYF.exe

Filesize
5.2MB

MD5
5cddce8d5e2d4da1ef67f7fd544480c7

SHA1
577fad832d3eb70a875313a43d672f2d287791d4

SHA256
a3835c7a6b724972584e605f1b3563a6ed996e6dbcf37bc5277e813eba6a6ddf

SHA512
79f905783accfd75f83f937945c98e116826d1830e91fc6e7f5aa250fea3f4ab8b2ce0826b09401636f3399d1d1669425400548e5cfaea0846c3bb7a1d36948a

Download Submit
C:\Windows\system\XaOESBT.exe

Filesize
5.2MB

MD5
568578f7940819ef11da058bbda2194e

SHA1
f482ab0eec7828119812780048c92cc8afd9b44d

SHA256
f2ffd39d6166bb92b1e641387a95d6f2f925c0a7144b334e7cfb230345e491b2

SHA512
dbfffdb59a2847e4fdfc6524668ea3d0b39aeda36d4931581ddb02bc22c73cd6ba63c08ec2f00c7905079d693180167391cff23de944cc15f5b02f07df29361f

Download Submit
C:\Windows\system\cmTupoe.exe

Filesize
5.2MB

MD5
df04a259da118e8ec8eaf4141b43e6e7

SHA1
2312cbc27f159ae8efd65d4187eb514c6c31fcf7

SHA256
44f77a5f5db46f9f8368651cba3996ef1106ab9e098ace7b594d8a0868e4aff9

SHA512
5c8b774581ff01299ba0e49595749e67723bea261379da7d12bcf01f147c5a1ed13c2ec6d19e784fde675a7869940f015c8aca0311a9de9b55008752343baddb

Download Submit
C:\Windows\system\jGVjIBK.exe

Filesize
5.2MB

MD5
905578e745d9bda94f4c47c5c666fc76

SHA1
026391310cd143c7ebe2c81483d1662cb6e031b5

SHA256
0b799fb8fe321c7eba4964bfbd658265d836b6743148de76b249d0a474a6f664

SHA512
84bb0f38bed0aa6ceeb5e0e29f02c71f6a2bfb9289038e76c97516d30dd8539d48f96d10709b2bb5d342f4890964631b9983e04ef4a2b10db080463ff26d0187

Download Submit
C:\Windows\system\jkKkECY.exe

Filesize
5.2MB

MD5
16dcd1940476239838165164d4d772f9

SHA1
530bb0322c5f91ae8286f945257e3732f2ab95b1

SHA256
a4cab1eb72b1356bf0809c5e082855fb02f7bbcd9727e9d6229be4aaa4fdb4d5

SHA512
97ca88fdc470b682a0e2c4fb98f526761dbf4279af486d0ffee943b659b138df5857f9e7a7c0f174f27fd881184c41c0617a6eebec0ec0eeaf046b9b6091c0c3

Download Submit
C:\Windows\system\ohCrsoN.exe

Filesize
5.2MB

MD5
688c880bef8613ba83ed5690cc70dd20

SHA1
f81a4d2583eccf29ddd851a66596b13b93b55630

SHA256
e93f41783328a0824cd3ccc9c476d3269eb509d48da34d04309172bc3bef66bf

SHA512
706f5a0b7057f43c4dd02d592d7491a4586b2b5681de43ff918969da819c5398d44819aedadc14cd9086bfc193339c113e23211838bb6612161a8ea0d0ece913

Download Submit
C:\Windows\system\qyDeCdK.exe

Filesize
5.2MB

MD5
ee1fd39d54b5b869523d623b7919c268

SHA1
9726e20a9e7edd0b77931f280ec881fb2b7b77f3

SHA256
bb0cbae1883e22f892ab3ccfce74b476d4edd1bac3d59693016d823195a75f55

SHA512
22713d92538bbe70a7f0560873a5db16cc9c428af5c3f1181ec3fab73e39a4e8d656a3421137c847f95abf2ba00188908ecfb6900578fe4f466d043c01be6171

Download Submit
C:\Windows\system\rIEoBfL.exe

Filesize
5.2MB

MD5
01f5d917f5fe4936d13898d88a4853ee

SHA1
f382d3d4f16104daf0d3a9ed80f19e2d48781e34

SHA256
2ccfb5e0dd24f7319fb5def8c43e40abb83367a0f317ddb534338fde73102215

SHA512
fbf26114c3f147423dd39629e19ceec4ea371e0f31e60f72610ada1d3a426c0b00739d491af64b65a55afabc6028277abb7ad9a429112fbce596006a4e33af58

Download Submit
\Windows\system\UZhwCGI.exe

Filesize
5.2MB

MD5
628786fef23ff8130d3aea07ad0baeb0

SHA1
b4131e477e9daabdf6c87074778681ea25332592

SHA256
f396491f5449817e841cfa6f1e175e80c570c12bfb689c2fb8502d8b77fbc298

SHA512
ac984daf937cb98624f8bb52080f3aba3498de3d741f8d4ffdc96818f08ee6e975e9fc15f1c2eb593a4fa5e08fac730fe862c3c9e61980900839355595539364

Download Submit
memory/684-152-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-109-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-225-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-153-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/1676-150-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/1688-252-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1688-127-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1856-130-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1856-226-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2108-247-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2108-111-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2184-228-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2184-113-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2228-151-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2288-234-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2288-123-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-117-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2340-230-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2620-148-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2648-149-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-132-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-154-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2696-155-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-118-0x0000000002220000-0x0000000002571000-memory.dmp

Filesize
3.3MB

Download
memory/2696-108-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2696-131-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-114-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2696-124-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-10-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2696-128-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-121-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-116-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2696-112-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/2696-0-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2696-110-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2724-248-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-122-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-236-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2760-115-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2772-232-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-120-0x000000013F270000-0x000000013F5C1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-125-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-250-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-243-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2900-119-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2936-126-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2936-238-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/3068-222-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/3068-129-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download