cobaltstrike | 71a347e7d06668540a220cfc058a0f3a16013e8001f50fa649675674f978fd95

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4fb53bf9172786f06fd13971bbbf3e80
SHA1

c7c2a49e473b7f365389e00b7ffefa6c0fc2b66a
SHA256

71a347e7d06668540a220cfc058a0f3a16013e8001f50fa649675674f978fd95
SHA512

2629093fd0a503142e2697754d6cf67383f02a1d1df04abf181e09c3ec2c99dbcd8f2cd3472658f0f5b962e56570f97eaf59885e6a67e8d3ad1889c45c3ea8f7
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibf56utgpPFotBER/mQ32lUt

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000012262-3.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017234-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017116-10.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017236-23.dat	cobalt_reflective_dll
behavioral1/files/0x0010000000016ff2-33.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017415-39.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000174d5-46.dat	cobalt_reflective_dll
behavioral1/files/0x00020000000178b0-51.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ce8-59.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018d02-67.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018d1e-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018cf2-70.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018dcf-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ddd-95.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018dea-102.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e46-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e65-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e9f-129.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018ea1-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e96-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018e25-109.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/2948-22-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2216-21-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2736-20-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2216-41-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2604-36-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2788-45-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2820-47-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2652-50-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2884-58-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2604-63-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2216-76-0x00000000021B0000-0x0000000002501000-memory.dmp	xmrig
behavioral1/memory/2148-94-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1492-92-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2216-135-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/3028-137-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2216-138-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2240-91-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2868-86-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2040-81-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2148-147-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2328-156-0x000000013FA70000-0x000000013FDC1000-memory.dmp	xmrig
behavioral1/memory/1964-157-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2888-154-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2872-155-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/432-158-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/948-160-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2836-159-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/784-161-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2216-163-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2820-214-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/2736-213-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2948-220-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2884-222-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2604-224-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2788-226-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2652-229-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/3028-231-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2040-238-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2868-240-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2240-242-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/1492-249-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2148-251-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2888-253-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2820	oOUoieA.exe
2736	ugKvvtD.exe
2948	DujRIiR.exe
2884	zhkmioL.exe
2604	NskhqYH.exe
2788	tzuqJkT.exe
2652	ojEnwjw.exe
3028	jDRKetG.exe
2868	HaqdSJB.exe
2040	LltRQpy.exe
2240	ZlddPeQ.exe
1492	zsrkLKB.exe
2148	OVKcFln.exe
2888	sVJgrdZ.exe
2872	HTwgRuz.exe
2328	GSIddcY.exe
1964	AhukhCm.exe
432	cJChFkI.exe
2836	DRNVqQx.exe
948	TlvMpln.exe
784	lNItWmk.exe

Loads dropped DLL 21 IoCs

pid	Process
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2216-0-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/files/0x000d000000012262-3.dat	upx
behavioral1/memory/2820-7-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/files/0x0006000000017234-12.dat	upx
behavioral1/files/0x0008000000017116-10.dat	upx
behavioral1/memory/2948-22-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2736-20-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/files/0x0006000000017236-23.dat	upx
behavioral1/memory/2884-29-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/files/0x0010000000016ff2-33.dat	upx
behavioral1/files/0x0006000000017415-39.dat	upx
behavioral1/memory/2216-41-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2604-36-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/files/0x00080000000174d5-46.dat	upx
behavioral1/memory/2788-45-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2820-47-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2652-50-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/files/0x00020000000178b0-51.dat	upx
behavioral1/memory/3028-56-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2884-58-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/files/0x0005000000018ce8-59.dat	upx
behavioral1/files/0x0005000000018d02-67.dat	upx
behavioral1/files/0x0005000000018d1e-71.dat	upx
behavioral1/memory/2604-63-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/files/0x0005000000018cf2-70.dat	upx
behavioral1/files/0x0005000000018dcf-75.dat	upx
behavioral1/files/0x0005000000018ddd-95.dat	upx
behavioral1/memory/2148-94-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1492-92-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/files/0x0005000000018dea-102.dat	upx
behavioral1/files/0x0005000000018e46-114.dat	upx
behavioral1/files/0x0005000000018e65-119.dat	upx
behavioral1/files/0x0005000000018e9f-129.dat	upx
behavioral1/files/0x0005000000018ea1-132.dat	upx
behavioral1/files/0x0005000000018e96-124.dat	upx
behavioral1/memory/3028-137-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/files/0x0005000000018e25-109.dat	upx
behavioral1/memory/2216-138-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2240-91-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2868-86-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/2888-99-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2040-81-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2148-147-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2328-156-0x000000013FA70000-0x000000013FDC1000-memory.dmp	upx
behavioral1/memory/1964-157-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2888-154-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2872-155-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/432-158-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/948-160-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2836-159-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/784-161-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2216-163-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2820-214-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2736-213-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2948-220-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2884-222-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/2604-224-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2788-226-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/2652-229-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/3028-231-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2040-238-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2868-240-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/2240-242-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/1492-249-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ugKvvtD.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jDRKetG.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZlddPeQ.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lNItWmk.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oOUoieA.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DujRIiR.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zhkmioL.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LltRQpy.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sVJgrdZ.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSIddcY.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AhukhCm.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NskhqYH.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HaqdSJB.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cJChFkI.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tzuqJkT.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojEnwjw.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zsrkLKB.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVKcFln.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTwgRuz.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DRNVqQx.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlvMpln.exe	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2820	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2216 wrote to memory of 2820	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2216 wrote to memory of 2820	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2216 wrote to memory of 2736	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2216 wrote to memory of 2736	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2216 wrote to memory of 2736	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2216 wrote to memory of 2948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2216 wrote to memory of 2948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2216 wrote to memory of 2948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2216 wrote to memory of 2884	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2216 wrote to memory of 2884	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2216 wrote to memory of 2884	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2216 wrote to memory of 2604	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2216 wrote to memory of 2604	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2216 wrote to memory of 2604	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2216 wrote to memory of 2788	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2216 wrote to memory of 2788	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2216 wrote to memory of 2788	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2216 wrote to memory of 2652	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2216 wrote to memory of 2652	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2216 wrote to memory of 2652	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2216 wrote to memory of 3028	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2216 wrote to memory of 3028	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2216 wrote to memory of 3028	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2216 wrote to memory of 2868	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2216 wrote to memory of 2868	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2216 wrote to memory of 2868	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2216 wrote to memory of 2040	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2216 wrote to memory of 2040	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2216 wrote to memory of 2040	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2216 wrote to memory of 1492	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2216 wrote to memory of 1492	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2216 wrote to memory of 1492	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2216 wrote to memory of 2240	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2216 wrote to memory of 2240	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2216 wrote to memory of 2240	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2216 wrote to memory of 2148	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2216 wrote to memory of 2148	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2216 wrote to memory of 2148	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2216 wrote to memory of 2888	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2216 wrote to memory of 2888	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2216 wrote to memory of 2888	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2216 wrote to memory of 2872	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2216 wrote to memory of 2872	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2216 wrote to memory of 2872	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2216 wrote to memory of 2328	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2216 wrote to memory of 2328	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2216 wrote to memory of 2328	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2216 wrote to memory of 1964	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2216 wrote to memory of 1964	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2216 wrote to memory of 1964	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2216 wrote to memory of 432	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2216 wrote to memory of 432	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2216 wrote to memory of 432	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2216 wrote to memory of 2836	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2216 wrote to memory of 2836	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2216 wrote to memory of 2836	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2216 wrote to memory of 948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2216 wrote to memory of 948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2216 wrote to memory of 948	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2216 wrote to memory of 784	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2216 wrote to memory of 784	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2216 wrote to memory of 784	2216	2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_4fb53bf9172786f06fd13971bbbf3e80_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\System\oOUoieA.exe
  C:\Windows\System\oOUoieA.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\ugKvvtD.exe
  C:\Windows\System\ugKvvtD.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\DujRIiR.exe
  C:\Windows\System\DujRIiR.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\zhkmioL.exe
  C:\Windows\System\zhkmioL.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\NskhqYH.exe
  C:\Windows\System\NskhqYH.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\tzuqJkT.exe
  C:\Windows\System\tzuqJkT.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\ojEnwjw.exe
  C:\Windows\System\ojEnwjw.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\jDRKetG.exe
  C:\Windows\System\jDRKetG.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\HaqdSJB.exe
  C:\Windows\System\HaqdSJB.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\LltRQpy.exe
  C:\Windows\System\LltRQpy.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\zsrkLKB.exe
  C:\Windows\System\zsrkLKB.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\ZlddPeQ.exe
  C:\Windows\System\ZlddPeQ.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\OVKcFln.exe
  C:\Windows\System\OVKcFln.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\sVJgrdZ.exe
  C:\Windows\System\sVJgrdZ.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\HTwgRuz.exe
  C:\Windows\System\HTwgRuz.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\GSIddcY.exe
  C:\Windows\System\GSIddcY.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\AhukhCm.exe
  C:\Windows\System\AhukhCm.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\cJChFkI.exe
  C:\Windows\System\cJChFkI.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\DRNVqQx.exe
  C:\Windows\System\DRNVqQx.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\TlvMpln.exe
  C:\Windows\System\TlvMpln.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\lNItWmk.exe
  C:\Windows\System\lNItWmk.exe
  2⤵
  - Executes dropped EXE
  PID:784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AhukhCm.exe

Filesize
5.2MB

MD5
3290b4ad8fdc96220b2a7c40fa18cc24

SHA1
8ce1c7a010aea9c1c3b196cd2a296f7a6e5ebbf9

SHA256
94e4a7d1b8aa682ba9950a243ec2f72a5eb68adb8d204a670220e04c6d8402c8

SHA512
e84003ce3f62254804eac46c28f20d51964b308e687bbcc61941c23672cfa2356b6f37996c55cfca9602ce77e73e847286612a8bc74f2a58971565452acfd55e

Download Submit
C:\Windows\system\DRNVqQx.exe

Filesize
5.2MB

MD5
850a1474f25c0941950cd5c6bce6d7e5

SHA1
a2aa6d9017a7fce165685156916b172963e1347c

SHA256
9ffcada869ab1770881745f15dccc84af56e365ad4a4762ccd0c03bb7d42aa60

SHA512
7c14636e5d13bfea5c75aaa1170829e33629b85c3a450a0c573b67c1dc361f796b62a45b06e48149bf021a1c1a76fd9bf568777d4f8805952c1196775b99c33c

Download Submit
C:\Windows\system\GSIddcY.exe

Filesize
5.2MB

MD5
4f646613ee4d19dc48dcb4c69983038f

SHA1
3895d0d2e4341f038a045e532db0ae671b31791d

SHA256
d7ae4dec9f0df3bebdd6a6c177db65653b2067328ec48dd3bb374dac13afd0c9

SHA512
4d482f704fa22dff7bdac2e8759f6549cd25a53e86f258b9baa7e4c398551ed5bb77d9051e1f8983b2d394680902ec0cc2edf6b6524cdcd1769bbd46ddad64ef

Download Submit
C:\Windows\system\LltRQpy.exe

Filesize
5.2MB

MD5
cf81f62774aecac3e7f7c845d9004f4e

SHA1
479b6d73c32e4c9353c56727231b544af233b643

SHA256
b309d03859f6ff2c21ee3fea4d130db950f2e0910d8045b3488f80e1b8734fa4

SHA512
e742f3f2d7cae69b84c0eb399ca077035624efc3a71156862a05ac1cfabb2280a44be0de2939b9afeabbfe39a514ac3f62216a1acab8ad6637127483447118e5

Download Submit
C:\Windows\system\NskhqYH.exe

Filesize
5.2MB

MD5
2bfedb9b70204cb13dc57c04c756e4d2

SHA1
1f54153384aba7bc9302970e07857d6f6cad3624

SHA256
cda81e1ff458aa45afc8fc681eb2e3ee218a3839ff860db6e34f38a9f2a7bd5e

SHA512
c33b8958cfb7e4926e9343148a370368dc9c35c507ae7bb66395c031764152df2993e06b1686e45245bd918ab0aa91bac736c99b51df6b55f80501ab50332c05

Download Submit
C:\Windows\system\TlvMpln.exe

Filesize
5.2MB

MD5
98bfaa54834fa48c2a440df21a95658a

SHA1
c5f164c81904ef2ad50265f0c0372a74dc2d5d57

SHA256
e7902071b6a9e1a0b03e09fde48ea3cdd3fe116d29bff760d48d36b9187b6c0b

SHA512
ba425a2d7125ab19685bdf0a6598fd50fb8f3681b3b37420b2bc8b2e31010700b85faabb0988572fda114927bc9dd231d58bf19f0f22a3a55884e1141cf3508d

Download Submit
C:\Windows\system\cJChFkI.exe

Filesize
5.2MB

MD5
16a7865de92b67b41d163e560e27a110

SHA1
afd0b6bfbb666ff223e7e353bf4e4289cbee7e5c

SHA256
d3568d748d8976c8d1f7f15419c850724942b7aa75cf694a3bd43ed1a5e5928c

SHA512
03fa62092ff4b917cc907673af11511ac5c8ba212dcbdb24aacee845ee5f0d121502216f7ea0204722e06128cc3cce9c2aa2e55780f3ead4b66f449f8941e9d4

Download Submit
C:\Windows\system\ojEnwjw.exe

Filesize
5.2MB

MD5
dd1efbac0a44956ca50d469d3f66beca

SHA1
fdb5da1686a84c20c2bfbd5759adb1f897d3412c

SHA256
f333755146fefc9208487b3e23fcf1d318be4b8f97c7705425a5091fea51e52a

SHA512
51fe7bb14ce21dd635e33ea740dedfd45312aaee4796e9c932cf42eb548c2fa04b36d9c530cc8f9213d5728ffb92bae0e3f366cdd7c8b535deb9a809b3730b96

Download Submit
C:\Windows\system\tzuqJkT.exe

Filesize
5.2MB

MD5
0a33c1eb6493962d6d058830e02cd83f

SHA1
7d43848b42ad73ba28c4c4a3101ea06c0986b13d

SHA256
e567ef518c812a77387986b7722e57169e0c30b0667473e18781c2231cc25452

SHA512
f3f894907ad422f0c3ffb863d6b1bc82dfbe468893c2f1f95503f66338e7e12f7f03e1d64333b2e15962ecf9b6f97f9b6b7bd07e825ed1a06ecb0e986f912d81

Download Submit
C:\Windows\system\ugKvvtD.exe

Filesize
5.2MB

MD5
311dd7837a18fae9240f6ddad19de28c

SHA1
d07646942c7d07bf97f3e7a22a2eb36909dfb54a

SHA256
bf282ee175e953831cac2d43ecc22bdb4ff8bb4f3d8b19521843c2f47846d4e4

SHA512
89bd8dacf44d11eb91821f9684493b698518a4954a96b34236a004cc3aa58910d0611e271dbdf1f6ba1c197b984d31dfeff2a320c293f78e7d5fc762e117c901

Download Submit
\Windows\system\DujRIiR.exe

Filesize
5.2MB

MD5
1def6aa10c5ee959b263f16f2a14ea16

SHA1
b70c65586e3996baeca248eee0734a4abe107802

SHA256
dbc5465f2e801fbf909609c7a2e053c43cff722f30ff0dc91331a49e9c8209ef

SHA512
acb2a819fb3ca59e67397b657ff5785091ccebac1a1af9e29ee76438309cd4e6091c7e8aba88f89a3dc22bcc0baffda3daa3bb3aa21362ecc2477eb56a07301e

Download Submit
\Windows\system\HTwgRuz.exe

Filesize
5.2MB

MD5
41d48256ed1d531ec34aae992bceece0

SHA1
22662086683b4a693f0bfcf60bf493b65e79c63f

SHA256
67dcaa9b52a9a1fe29e3aa6746010f1f577b1682336940258aaf72f6db527623

SHA512
5824385faa16a3337061007914bc3e6bcc31df823277d8b2b48098e4e923d22b0fdcb4f1c1511eff6f6a7141f0b89a0fe5f74c29d8e200eed617a405da5afcb7

Download Submit
\Windows\system\HaqdSJB.exe

Filesize
5.2MB

MD5
33610b805a3ae8680e245bd64f0f085f

SHA1
6d282a382788951e4a05bdf35ef1cb5029a3c746

SHA256
c37de238549bde6a8f7062ae57df0e43da7ac1d43317e2cca9a281e92a226fd5

SHA512
225d861de2c9301c8e739010b53a2335549ef73591ae432ad587198dff7620b4a6dec4c55fe16983c17f042a707eb2d9c50cb7000786ea23472d07a06395efe4

Download Submit
\Windows\system\OVKcFln.exe

Filesize
5.2MB

MD5
a62a3c47f61bba998f171cf4b8ae6556

SHA1
176339b730b5ec9cecfa8d86c6ba583d225ad897

SHA256
601cef2d512501645f6cda6de9bdba01274e5ebce8736f4a8ef652b999b7a790

SHA512
2ad5c4cfa3d628babaa5a35e53ebeda7332a560957b8b00bd40b0e2980d68827bed8e8cfdd3be1ec535d6b91f21481dd276de4b8793e040baf3d37d9d8ee95b6

Download Submit
\Windows\system\ZlddPeQ.exe

Filesize
5.2MB

MD5
f1e046b48bd92681eeb6ae464a147137

SHA1
5e19a872248ab339414b5a20d67e036bdf903995

SHA256
b25e6abc89181bf377d0fa1686c7b26bc4dbd782aea23cd22737694a891fabf4

SHA512
69c901453795c3c8007ffaa61817d99a7a055ea8fd0d9f076e0436c1581dab3ad26cc24340fb219bb0fe2ad83b6596d301e153ec193cd772eb2f85f996894116

Download Submit
\Windows\system\jDRKetG.exe

Filesize
5.2MB

MD5
b884aac5bf0d2da0bade46cdb7ed82b2

SHA1
a19b15f48127a6a56825ef2df324c29d10e1ac99

SHA256
d1566422b7ae9f6255a469cb765ce6783ebc5786f6efaca386083c65f3fdfb2b

SHA512
6cfbb1846beb6ebf8a871bb81297280c3182353a51656f80142e4f2a91b98a447a9b8d7a29f9ddc398f94dad417a24adff06f6bcac16ae98498f421b369dc9a4

Download Submit
\Windows\system\lNItWmk.exe

Filesize
5.2MB

MD5
6b18139a344ca3832f5f6c10397ffa01

SHA1
7acc19840e9fb4b6a5d2edb4a8cfdf0bc7a6dfd4

SHA256
087535a405749f333229e6d5ddff4b02287a0dc2a6c5f8999e5a1c1b4fe827c8

SHA512
4e824d78ecad7db51a0100d77d39936a082fb446ea38cfba5a02c8d930674ff86827bd896864e1a9dc873c91801dd86e59cb528d3ee8906af8c7e5d243af8126

Download Submit
\Windows\system\oOUoieA.exe

Filesize
5.2MB

MD5
7961dd780db53ea6c752ee17fd84cf0e

SHA1
42f662e1c85e469a50afe93336234ae15c7bd409

SHA256
4e444dfaafd65be358f2423505dff11719b189ac909f4451daf3f432d8f598be

SHA512
10809bab5f82fa82d8c7d43f18a021389362df832cf41b7f0f216ade9a374921868809aca14a30ede3d8355aa3e08c884c64b11f48492bb674f791f3a8c4963a

Download Submit
\Windows\system\sVJgrdZ.exe

Filesize
5.2MB

MD5
659af2676d663c7bf37bf9bcbecdc358

SHA1
3ffde2c1075689b80ea2135779dec346b54a3d8d

SHA256
17915090a0c0c74154ce689ff6feb79d0e8d6bb1611dadf8af498f41e0453515

SHA512
78687742b92d5f95586c56bae13a6cbb650d82d927fd55f0554c2050cbf99c5d235f273eabcf5abe1872805e27bd34076bf1e581576c3ad2c64ff979f5ee6896

Download Submit
\Windows\system\zhkmioL.exe

Filesize
5.2MB

MD5
90fc4317c4fcc99a2a701ab46ee7c8fb

SHA1
7e896129eaf77c6e94bab8e32f985cf2588b51ff

SHA256
176722140bcfd921afa79004b5e7506746763d85316e9603b72d545935d19119

SHA512
e5c2d8c6531991ba23f1c6e0110f693aa66a3d45014cf5cdd1e37043f62e08bf0f50d49ca89658230ff5fc4ef0dd5aceba763926ee3c156c331f6e0170ed6528

Download Submit
\Windows\system\zsrkLKB.exe

Filesize
5.2MB

MD5
8c9c0664b686b8ab88c6dacca78968c2

SHA1
5604eebf823531cc681622a71d85d5efe30c6cff

SHA256
45e93249d621f4807faf2318d97a515065570090848b705d70a8b7fb972f5e5c

SHA512
d065817bd163ffaa297e03d31b68f74849bd07dc8967289f2af3ee70db9fe6fd8cc15b464b5d1bf5fed338fbc83d28088d9179103aaba0261243b5e7f2ac3ff9

Download Submit
memory/432-158-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/784-161-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/948-160-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-249-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/1492-92-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/1964-157-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2040-238-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2040-81-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-147-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2148-251-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2148-94-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2216-87-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-138-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-41-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-153-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-27-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-18-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-0-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-21-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-52-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2216-135-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2216-84-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-96-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2216-76-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-162-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2216-88-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/2216-49-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-163-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-85-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2240-91-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-242-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-156-0x000000013FA70000-0x000000013FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-224-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-63-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-36-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-50-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-229-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-213-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-20-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-45-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2788-226-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2820-7-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2820-47-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2820-214-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2836-159-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2868-86-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2868-240-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/2872-155-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2884-29-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-58-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-222-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-253-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-99-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-154-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-22-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-220-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-231-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/3028-56-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/3028-137-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download