cobaltstrike | 5f18fb04e7318f89f30b0725910523e1dae06679e9e95b7fca262fc0c56bc61a

Analysis

max time kernel
135s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

1f957dd963ba2eee630c2a1753a7347e
SHA1

8da6c595a5a1076006dc8f3ae3089a5b47a16c27
SHA256

5f18fb04e7318f89f30b0725910523e1dae06679e9e95b7fca262fc0c56bc61a
SHA512

20bd5a2c5e3c6b719e42734e9330cbffac63432dabff81abcfbb931d8129fd8cba86bcd537c23c8af817ceb9bcf9310be57bbc84e53d7db3f4537ad8d6c135d7
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUe:T+856utgpPF8u/7e

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fb-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016398-10.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001660d-14.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016688-18.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001688f-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016b85-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c88-30.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016caa-34.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df7-45.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001707e-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017226-61.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018708-71.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871a-81.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187a7-85.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870a-77.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001756f-69.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174f7-65.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000170da-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dff-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df2-41.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd8-37.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 54 IoCs

miner

resource	yara_rule
behavioral1/memory/1488-0-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x00080000000120fb-3.dat	xmrig
behavioral1/files/0x0008000000016398-10.dat	xmrig
behavioral1/files/0x000800000001660d-14.dat	xmrig
behavioral1/files/0x0007000000016688-18.dat	xmrig
behavioral1/files/0x000700000001688f-22.dat	xmrig
behavioral1/files/0x0007000000016b85-25.dat	xmrig
behavioral1/files/0x0007000000016c88-30.dat	xmrig
behavioral1/files/0x0009000000016caa-34.dat	xmrig
behavioral1/files/0x0006000000016df7-45.dat	xmrig
behavioral1/files/0x000600000001707e-53.dat	xmrig
behavioral1/files/0x0006000000017226-61.dat	xmrig
behavioral1/files/0x0005000000018708-71.dat	xmrig
behavioral1/files/0x000500000001871a-81.dat	xmrig
behavioral1/files/0x00050000000187a7-85.dat	xmrig
behavioral1/files/0x000500000001870a-77.dat	xmrig
behavioral1/files/0x000600000001756f-69.dat	xmrig
behavioral1/files/0x00060000000174f7-65.dat	xmrig
behavioral1/files/0x00060000000170da-57.dat	xmrig
behavioral1/files/0x0006000000016dff-49.dat	xmrig
behavioral1/files/0x0006000000016df2-41.dat	xmrig
behavioral1/files/0x0008000000016dd8-37.dat	xmrig
behavioral1/memory/2380-110-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2060-108-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/1488-111-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/1960-118-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/264-116-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2708-120-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2988-124-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/2788-131-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/788-132-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2628-129-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2716-127-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/1488-126-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2724-125-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2804-122-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/2272-114-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/1488-113-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/1972-112-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/1488-133-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/memory/2060-135-0x000000013F650000-0x000000013F9A4000-memory.dmp	xmrig
behavioral1/memory/2272-137-0x000000013F330000-0x000000013F684000-memory.dmp	xmrig
behavioral1/memory/788-141-0x000000013F980000-0x000000013FCD4000-memory.dmp	xmrig
behavioral1/memory/2788-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2716-145-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2988-144-0x000000013F4F0000-0x000000013F844000-memory.dmp	xmrig
behavioral1/memory/264-143-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2708-142-0x000000013F390000-0x000000013F6E4000-memory.dmp	xmrig
behavioral1/memory/2380-140-0x000000013FD90000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2804-139-0x000000013F920000-0x000000013FC74000-memory.dmp	xmrig
behavioral1/memory/1960-138-0x000000013F8E0000-0x000000013FC34000-memory.dmp	xmrig
behavioral1/memory/1972-136-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2724-147-0x000000013FF20000-0x0000000140274000-memory.dmp	xmrig
behavioral1/memory/2628-148-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
788	PseUCGv.exe
2060	aQODKQC.exe
2380	ViqItYa.exe
1972	uhXWaCw.exe
2272	mSMRLbv.exe
264	urKbtgT.exe
1960	CZKrQZC.exe
2708	DfpOKZq.exe
2804	VXHeFjs.exe
2988	DyHsbJX.exe
2724	HVxYcEB.exe
2716	OieQUFh.exe
2628	irKbJoE.exe
2788	VqcnDil.exe
2736	bTdwHqz.exe
2652	UwJzxzP.exe
2596	EEHVhqH.exe
2648	Henrdmz.exe
1984	Thtsyfz.exe
2256	YKWRuNd.exe
1520	jYqLJMz.exe

Loads dropped DLL 21 IoCs

pid	Process
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-0-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/files/0x00080000000120fb-3.dat	upx
behavioral1/files/0x0008000000016398-10.dat	upx
behavioral1/files/0x000800000001660d-14.dat	upx
behavioral1/files/0x0007000000016688-18.dat	upx
behavioral1/files/0x000700000001688f-22.dat	upx
behavioral1/files/0x0007000000016b85-25.dat	upx
behavioral1/files/0x0007000000016c88-30.dat	upx
behavioral1/files/0x0009000000016caa-34.dat	upx
behavioral1/files/0x0006000000016df7-45.dat	upx
behavioral1/files/0x000600000001707e-53.dat	upx
behavioral1/files/0x0006000000017226-61.dat	upx
behavioral1/files/0x0005000000018708-71.dat	upx
behavioral1/files/0x000500000001871a-81.dat	upx
behavioral1/files/0x00050000000187a7-85.dat	upx
behavioral1/files/0x000500000001870a-77.dat	upx
behavioral1/files/0x000600000001756f-69.dat	upx
behavioral1/files/0x00060000000174f7-65.dat	upx
behavioral1/files/0x00060000000170da-57.dat	upx
behavioral1/files/0x0006000000016dff-49.dat	upx
behavioral1/files/0x0006000000016df2-41.dat	upx
behavioral1/files/0x0008000000016dd8-37.dat	upx
behavioral1/memory/2380-110-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2060-108-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/1960-118-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/264-116-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/2708-120-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2988-124-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/2788-131-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/788-132-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2628-129-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2716-127-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2724-125-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2804-122-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/2272-114-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/1972-112-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/1488-133-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/memory/2060-135-0x000000013F650000-0x000000013F9A4000-memory.dmp	upx
behavioral1/memory/2272-137-0x000000013F330000-0x000000013F684000-memory.dmp	upx
behavioral1/memory/788-141-0x000000013F980000-0x000000013FCD4000-memory.dmp	upx
behavioral1/memory/2788-146-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2716-145-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2988-144-0x000000013F4F0000-0x000000013F844000-memory.dmp	upx
behavioral1/memory/264-143-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/2708-142-0x000000013F390000-0x000000013F6E4000-memory.dmp	upx
behavioral1/memory/2380-140-0x000000013FD90000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2804-139-0x000000013F920000-0x000000013FC74000-memory.dmp	upx
behavioral1/memory/1960-138-0x000000013F8E0000-0x000000013FC34000-memory.dmp	upx
behavioral1/memory/1972-136-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2724-147-0x000000013FF20000-0x0000000140274000-memory.dmp	upx
behavioral1/memory/2628-148-0x000000013F340000-0x000000013F694000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\DfpOKZq.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VXHeFjs.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DyHsbJX.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqcnDil.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\irKbJoE.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bTdwHqz.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UwJzxzP.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PseUCGv.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ViqItYa.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uhXWaCw.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZKrQZC.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OieQUFh.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EEHVhqH.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YKWRuNd.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jYqLJMz.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aQODKQC.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HVxYcEB.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mSMRLbv.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\urKbtgT.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Henrdmz.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Thtsyfz.exe	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1488 wrote to memory of 788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1488 wrote to memory of 788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1488 wrote to memory of 2060	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1488 wrote to memory of 2060	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1488 wrote to memory of 2060	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1488 wrote to memory of 2380	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1488 wrote to memory of 2380	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1488 wrote to memory of 2380	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1488 wrote to memory of 1972	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1488 wrote to memory of 1972	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1488 wrote to memory of 1972	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1488 wrote to memory of 2272	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1488 wrote to memory of 2272	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1488 wrote to memory of 2272	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1488 wrote to memory of 264	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1488 wrote to memory of 264	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1488 wrote to memory of 264	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1488 wrote to memory of 1960	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1488 wrote to memory of 1960	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1488 wrote to memory of 1960	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1488 wrote to memory of 2708	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1488 wrote to memory of 2708	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1488 wrote to memory of 2708	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1488 wrote to memory of 2804	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1488 wrote to memory of 2804	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1488 wrote to memory of 2804	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1488 wrote to memory of 2988	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1488 wrote to memory of 2988	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1488 wrote to memory of 2988	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1488 wrote to memory of 2724	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1488 wrote to memory of 2724	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1488 wrote to memory of 2724	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1488 wrote to memory of 2716	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1488 wrote to memory of 2716	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1488 wrote to memory of 2716	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1488 wrote to memory of 2628	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1488 wrote to memory of 2628	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1488 wrote to memory of 2628	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1488 wrote to memory of 2788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1488 wrote to memory of 2788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1488 wrote to memory of 2788	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1488 wrote to memory of 2736	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1488 wrote to memory of 2736	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1488 wrote to memory of 2736	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1488 wrote to memory of 2652	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1488 wrote to memory of 2652	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1488 wrote to memory of 2652	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1488 wrote to memory of 2596	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1488 wrote to memory of 2596	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1488 wrote to memory of 2596	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1488 wrote to memory of 2648	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1488 wrote to memory of 2648	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1488 wrote to memory of 2648	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1488 wrote to memory of 1984	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1488 wrote to memory of 1984	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1488 wrote to memory of 1984	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1488 wrote to memory of 2256	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1488 wrote to memory of 2256	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1488 wrote to memory of 2256	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1488 wrote to memory of 1520	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1488 wrote to memory of 1520	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1488 wrote to memory of 1520	1488	2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_1f957dd963ba2eee630c2a1753a7347e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\System\PseUCGv.exe
  C:\Windows\System\PseUCGv.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\aQODKQC.exe
  C:\Windows\System\aQODKQC.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\ViqItYa.exe
  C:\Windows\System\ViqItYa.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\uhXWaCw.exe
  C:\Windows\System\uhXWaCw.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\mSMRLbv.exe
  C:\Windows\System\mSMRLbv.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\urKbtgT.exe
  C:\Windows\System\urKbtgT.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\CZKrQZC.exe
  C:\Windows\System\CZKrQZC.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\DfpOKZq.exe
  C:\Windows\System\DfpOKZq.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\VXHeFjs.exe
  C:\Windows\System\VXHeFjs.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\DyHsbJX.exe
  C:\Windows\System\DyHsbJX.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\HVxYcEB.exe
  C:\Windows\System\HVxYcEB.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\OieQUFh.exe
  C:\Windows\System\OieQUFh.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\irKbJoE.exe
  C:\Windows\System\irKbJoE.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\VqcnDil.exe
  C:\Windows\System\VqcnDil.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\bTdwHqz.exe
  C:\Windows\System\bTdwHqz.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\UwJzxzP.exe
  C:\Windows\System\UwJzxzP.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\EEHVhqH.exe
  C:\Windows\System\EEHVhqH.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\Henrdmz.exe
  C:\Windows\System\Henrdmz.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\Thtsyfz.exe
  C:\Windows\System\Thtsyfz.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\YKWRuNd.exe
  C:\Windows\System\YKWRuNd.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\jYqLJMz.exe
  C:\Windows\System\jYqLJMz.exe
  2⤵
  - Executes dropped EXE
  PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CZKrQZC.exe

Filesize
5.9MB

MD5
b703cd1181c137d4de6a31ea57399b9a

SHA1
5b687fd124ffded5d6757b968a1d15d031b2e578

SHA256
f049aac1d21da11e662860add926351acc40d4a860a6289efed9a70098829357

SHA512
bdabdaef2c2faf6ead34cca2cb14af8b9cecd13040d5f1f7c5e781a56ced32684c2f5f303acbf5aa86db0ed1507c387fe6f1b8671e4366a17142763a59a613f8

Download Submit
C:\Windows\system\DfpOKZq.exe

Filesize
5.9MB

MD5
c68ec3976a903e98fc380938e20e7563

SHA1
05c6c01d9fcd50cd6129334d3e61a8b9a2f90bac

SHA256
a12205886a8162262ba05da450b323bd471f17282a8dd382dbdd30c0296e0632

SHA512
5988da3a297e8d00239cd12a0616bc3cf926a427d49060b1240229aef94f8289170e2ca08268d1f8a2f1aae61747c8eb0319a3e3f7aca11eebc1d50e6a302001

Download Submit
C:\Windows\system\DyHsbJX.exe

Filesize
5.9MB

MD5
717b7fd9a410dc241aa1c4f274101ab2

SHA1
e22e3addb9e4673ebf5dacdb6d7d5a6853fc6dbe

SHA256
ee62c0b13718dbe48addbed3c4b584ff1cc39fcb87bd4e84f3689d2bfa76f4eb

SHA512
280a1eb2a72ef13e00db292fc812881e1c555fdc868bdcd310f465bd55661866b7af1368b4c317c58f53feddb6ce43f2235e187ab3889922a4415c118233000b

Download Submit
C:\Windows\system\EEHVhqH.exe

Filesize
5.9MB

MD5
ebdcefb2efcd70cf600db5621d2fc326

SHA1
c3d62e9ecd8a9845b389395cfe2113c7d95889a3

SHA256
c76e69f0d3c4f758a96103c104d348962a5660f881f9d254dcb4b1406cb5f367

SHA512
16d1f5c252493c1bc18d0ee351323fdcfbbd1c6af6034f707aaf764df38394f80c1db1cd420487d0f7c8a210c196030a7383d2086cdf76e450fe45a150220fee

Download Submit
C:\Windows\system\HVxYcEB.exe

Filesize
5.9MB

MD5
828e69faf17b22feadc5c8cfb29576f3

SHA1
4340ef25ee8d9e060109cd0cbfb965c61866afbd

SHA256
095fb332009b8d5d6a06071342406f00672978ff44fa0cd2c00f7073a682fa40

SHA512
f3316e5c993f1ed9a12790c06086488aa0967ebd5b24a7e1f9af7c1b3d4e31a7d3a150168574923a714359622c4c67030d2ab1c6439d4b3a4ab046cf3abd796e

Download Submit
C:\Windows\system\OieQUFh.exe

Filesize
5.9MB

MD5
28ffbbabd4aa49c3698b04bd691b2cb2

SHA1
0f81cb9a3f3a168fd9f9867ecdc949771ba0ebcf

SHA256
3abb665691202c9a6f707713118f0d11723948da30d8dbdaaf4d7595e05e88b3

SHA512
e0ef5ab5705f3c2fbf4be70902bff56757ee2f602ab235d8536fbe5ce5532c69c400e2254ea9b38695f33d03a9ab425ccaefdd5461046aa78152ac047577a73a

Download Submit
C:\Windows\system\Thtsyfz.exe

Filesize
6.0MB

MD5
b4b9b182ede9e3f75b0b0eb72c99b714

SHA1
da107e70de587c44857f47f393f3b228f071a643

SHA256
4770d122a030cc222f3ff2fbd8d141c2e81d0597e5b935c7ef2a6be20304ca21

SHA512
ae8a5628445a837bca91011e0c6f5e3e187893c39e18f463376d8ed550112f49cd5c604d6679ce0c8248e74ae90a42acd037aa20a8c6f9713ddf79fc602b8713

Download Submit
C:\Windows\system\UwJzxzP.exe

Filesize
5.9MB

MD5
a320b7c34004c1a47668647159098cc3

SHA1
8fbbae4aed664faf08b95eef48072d8d364b0d05

SHA256
7d0fbdd4f4f78621cb8b3311403bec2066c23014992a8362af1cfd7bc03738a5

SHA512
cf7b2114bfecb8f77253b8e993a0cfa0c1a3ec205ce024d79b946df3ee22e8b24bd3fa1f003e28155a337653ac68cbbf0a3a66a7a669e3854590a6b1a99a2225

Download Submit
C:\Windows\system\VXHeFjs.exe

Filesize
5.9MB

MD5
cb9be3e30a3296dd66815d44d2d804a5

SHA1
ae090c713d5373937e53e93fb8f3cd60efdfb4a5

SHA256
3d25af4e5adeb835d68a4fb394b92f9dcd41bc52fee9a26dee900a27cb4d0d68

SHA512
24cb66928ea72e552a827b34dc3048540cdeec092078870ab3131dcc1d9edfbf8b9c08b0319ecfefde530ea9f644776846b75ee3762696ecf52a92e53c4a4590

Download Submit
C:\Windows\system\ViqItYa.exe

Filesize
5.9MB

MD5
1420f53488f8205056750bb940b0a56a

SHA1
752ad7b46af9ec66af2bc879bf34f5297d95f298

SHA256
2d2788e42e5f4df6ac6ccade8b7fa284a528cbfc3f55adf1fbfe489bff917694

SHA512
18522bc39cb30518bcdf9b37f152b6bf5518acbfa828d1250dc8e65e2ad9fd146c9b164cfc9cb5aa97b04ae2c34c0a24a6d4db14afa57a40a54e6050362c2863

Download Submit
C:\Windows\system\VqcnDil.exe

Filesize
5.9MB

MD5
4cdbddb09a76fbcb25b1c67d2edc0561

SHA1
494acdf0afe5ae45d99e346269e30af23ea0a6ce

SHA256
47a87ba39a0245b4e5b14819b83917558880a2b8149d41ffcb23de196e29994c

SHA512
894e2205d8368c3657cc2e71678bd8a92f782db176dedcca1e27cc818889675baec30e3502f9a65e4ce4b3896d4f5e1966500efebf9270a882934e8f9ea95aa6

Download Submit
C:\Windows\system\YKWRuNd.exe

Filesize
6.0MB

MD5
99597a679ec135dd850bcde7d8794bc7

SHA1
00308cbd71ea98f3c6b5a88f9786c82f95ff4486

SHA256
0f1246ebc5c9d11b21da5eb64b24e7a3801a3b90dcc4a3fa6e1bc1e2021d043a

SHA512
808f1c580fd892b2f0d61d3c937902146cb365ce914ab1e7925572f257468207222216dc065f6bedf9452753e8a90a4d4a2a5be26bc9b0bcb112a2565c1ded2f

Download Submit
C:\Windows\system\aQODKQC.exe

Filesize
5.9MB

MD5
ca45dbb82bc2d89adc2102024465fd27

SHA1
ee3f65260eafec4edf76fc7a6d39ea41f32e677b

SHA256
e64a24ef55f1147bc6fc36d51865e6d862dfb7c750b51a4aa975be746a2ee17a

SHA512
a13ddfbe066d20bc161868e1de612fbe0d14d80dea652dc9070a5ce2d5cd96cca9164d3b585c2d066155b584a7f5b02165347f6dd3ceaa8b8312c825b15387ae

Download Submit
C:\Windows\system\bTdwHqz.exe

Filesize
5.9MB

MD5
679f2897b23b80e36c99bdd183887f21

SHA1
0f4087a06667efb0baebde4d9daa8d400945ce93

SHA256
591d82190c5743d3fc457028408460dc7f45ebdbc31424247238123eb4c0085a

SHA512
e90e15cba184d7a0deecd4ae80a0602960f8e27f2e5b6746d475e8927999ab4c56cab20fed6c8250c9273902b9deced02bd1e31cfa10460c12602b9ac6b704d8

Download Submit
C:\Windows\system\irKbJoE.exe

Filesize
5.9MB

MD5
3b4adbfb84922e9f830527961a5eb52e

SHA1
5fd9e6ec1d426e985d815fbd97822aec23bf5c80

SHA256
df778474ae4ebc0ad0699c097e224a0e43a5abc44d0f6f0c2a071d1f0f2ba13f

SHA512
0e703ada8deaf4c85833a07365237b529abc20db6790ec56221a9a71dea22d1b9bb7c435e2d739e56ed10eb1efeba540d1da9b190b1de6245a1c4738550d6237

Download Submit
C:\Windows\system\jYqLJMz.exe

Filesize
6.0MB

MD5
ee341c152d15ebe55a0f417016446823

SHA1
df8fe5de6ce456833d6c3c9a13d580f5102e6ff6

SHA256
52c0e7883e99298a3321e9dcdc7328e12e326aab4fc9831d80b4fb14924ae023

SHA512
da7ce357102cb90aa7a5459a7dfb86a4f5ad1e7a5cedc18cc2708869a2530565d1002d361a1922698d60797c90791e10f46be9d727aaf540b7666de2e4dbca85

Download Submit
C:\Windows\system\mSMRLbv.exe

Filesize
5.9MB

MD5
b7d3556550a8086be9d51a72de3a6e9a

SHA1
8a9280cb3de13fb925210d45bb3743865fe68c05

SHA256
bcaa3ca5d72b59029267e1f594546bd8ce7a21c99f5aa25f2cd69054013d868c

SHA512
ae7797d8cba183265640623ddcf02320bbc0ff9c22e86200914904648408c4f6feccaf572db92883e17dff83f88478904e51ffe021e99419003a1113228ed6ab

Download Submit
C:\Windows\system\uhXWaCw.exe

Filesize
5.9MB

MD5
d35742338c702beb0d2a559769fac517

SHA1
cdb3812667885d0559b28be7e9625ccba8ae514a

SHA256
ee9919ee88047c4f21d58187de43d9ac91771bb2587c1dcaeb9fef70a28c75a9

SHA512
312c3bc6ae26754b9a823bf79084d8631f901094468263c161313d87623f1e882d1867fa23d0d108de7c5afc6d88531d8674ffb78ef2f0aa6b5054004b3de905

Download Submit
C:\Windows\system\urKbtgT.exe

Filesize
5.9MB

MD5
e5e024e3b21f5e1d7aa934ed25031a6f

SHA1
f5a7451365f4ed25b8d3932aaabed166f2ab4802

SHA256
cb1df4dd85e6f87340e3eaaf1692060770bdf18a0e655ed3c17fce0289d0ac52

SHA512
fa898244bf6c9ed94dee641c19a473d32cfcb4de76c4b08a14cb85bea2f883a37e817552ff8a6c82d37045990d77fbdb68c84b6440c26532eb536d5897e16cad

Download Submit
\Windows\system\Henrdmz.exe

Filesize
5.9MB

MD5
457ebe6951e13a838b16abe41e7d0fb3

SHA1
f8e8b686cd40648ccafbb474bb34e4ea90fd8d22

SHA256
8631a21388dd6fa4fddaecc5a0903130865ee778d8b5321a980fad4f187d02eb

SHA512
e626ede9783e250a037199a7f94d5b2464ed4edeafc931c9a49a372dc52b3f4a0bf64c3c20d93788c47835f310b7c0db2b7a003f06c1766cbf1c6fa37c6c3f55

Download Submit
\Windows\system\PseUCGv.exe

Filesize
5.9MB

MD5
18e41984aa01e200076e8748211bc700

SHA1
8678366895e2a404149538a8f6beaa2a31f0d15f

SHA256
6a0b05b12d9cbe5480a9b0c36fc00ec7690512dcf462e6aeb427db2803e7387d

SHA512
a9649755b17db9c46fc377ae7e358ac8a5b9cc7ecc28c6868c9021abb62402bada4073d1b959ee362fc0efcb68053eee69ba41facfd58416867f85106cbbc476

Download Submit
memory/264-116-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/264-143-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/788-141-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/788-132-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-133-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/1488-109-0x0000000002470000-0x00000000027C4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-107-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1488-117-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/1488-111-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-121-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/1488-134-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-0-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/1488-113-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/1488-115-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-130-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1488-119-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/1488-128-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1488-123-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/1488-126-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1960-138-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/1960-118-0x000000013F8E0000-0x000000013FC34000-memory.dmp

Filesize
3.3MB

Download
memory/1972-136-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-112-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-135-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-108-0x000000013F650000-0x000000013F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-114-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2272-137-0x000000013F330000-0x000000013F684000-memory.dmp

Filesize
3.3MB

Download
memory/2380-140-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-110-0x000000013FD90000-0x00000001400E4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-129-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2628-148-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2708-120-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-142-0x000000013F390000-0x000000013F6E4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-127-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2716-145-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2724-125-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2724-147-0x000000013FF20000-0x0000000140274000-memory.dmp

Filesize
3.3MB

Download
memory/2788-146-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2788-131-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2804-139-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2804-122-0x000000013F920000-0x000000013FC74000-memory.dmp

Filesize
3.3MB

Download
memory/2988-144-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download
memory/2988-124-0x000000013F4F0000-0x000000013F844000-memory.dmp

Filesize
3.3MB

Download