cobaltstrike | 090c2ac9f6f8a52b23ae70210f1b8f4d5c0e6f8ecb4b59fb4b75bf131751248e

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/09/2024, 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

87d78662597a0fc59a9d54d9eb983729
SHA1

2e0c3f33551af94fa885103672c462d4e56a7cd2
SHA256

090c2ac9f6f8a52b23ae70210f1b8f4d5c0e6f8ecb4b59fb4b75bf131751248e
SHA512

182735ad3a0191e01d8f16a4408b928179f8bb09cbb4f0e71b2ac7e5aee87b9ea1a0cdd7baa729b3eac1e0b6ce17a4588c248fb4ec5ba723755fec1ef6721823
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUW:E+b56utgpPF8u/7W

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012117-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016115-7.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001642d-21.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000165c2-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016814-28.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d29-34.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d64-44.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016fdf-60.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173a9-80.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017492-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017488-84.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173a7-76.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000171a8-72.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015f3b-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017079-65.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d89-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6d-52.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d68-48.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d5e-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016a66-33.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000162b2-15.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 58 IoCs

miner

resource	yara_rule
behavioral1/memory/2520-0-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/files/0x0007000000012117-3.dat	xmrig
behavioral1/files/0x0008000000016115-7.dat	xmrig
behavioral1/memory/2352-17-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/files/0x000800000001642d-21.dat	xmrig
behavioral1/files/0x00070000000165c2-25.dat	xmrig
behavioral1/files/0x0007000000016814-28.dat	xmrig
behavioral1/files/0x0008000000016d29-34.dat	xmrig
behavioral1/files/0x0006000000016d64-44.dat	xmrig
behavioral1/files/0x0006000000016fdf-60.dat	xmrig
behavioral1/files/0x00060000000173a9-80.dat	xmrig
behavioral1/files/0x0006000000017492-88.dat	xmrig
behavioral1/memory/1140-101-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/2640-130-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/1288-128-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2988-127-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2520-126-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2716-125-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/1900-123-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2520-122-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2724-121-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2912-119-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2520-118-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2872-117-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2744-115-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2520-114-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2008-113-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/1872-91-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/1736-89-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/files/0x0006000000017488-84.dat	xmrig
behavioral1/files/0x00060000000173a7-76.dat	xmrig
behavioral1/files/0x00060000000171a8-72.dat	xmrig
behavioral1/files/0x0009000000015f3b-68.dat	xmrig
behavioral1/files/0x0006000000017079-65.dat	xmrig
behavioral1/files/0x0006000000016d89-56.dat	xmrig
behavioral1/files/0x0006000000016d6d-52.dat	xmrig
behavioral1/files/0x0006000000016d68-48.dat	xmrig
behavioral1/files/0x0007000000016d5e-40.dat	xmrig
behavioral1/files/0x0007000000016a66-33.dat	xmrig
behavioral1/files/0x00080000000162b2-15.dat	xmrig
behavioral1/memory/2520-133-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/2352-135-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/1736-136-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1140-137-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/2352-138-0x000000013FE90000-0x00000001401E4000-memory.dmp	xmrig
behavioral1/memory/1872-139-0x000000013FFA0000-0x00000001402F4000-memory.dmp	xmrig
behavioral1/memory/2716-141-0x000000013F580000-0x000000013F8D4000-memory.dmp	xmrig
behavioral1/memory/2872-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/1288-144-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/1140-145-0x000000013FA20000-0x000000013FD74000-memory.dmp	xmrig
behavioral1/memory/1736-151-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2640-150-0x000000013FDA0000-0x00000001400F4000-memory.dmp	xmrig
behavioral1/memory/2988-149-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/1900-148-0x000000013FC10000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2912-147-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2744-146-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2724-143-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/2008-142-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2352	MKirEvP.exe
1736	VOfsyBt.exe
1872	ZdTepUJ.exe
1140	afWAxiU.exe
2008	yGtdsET.exe
2744	DIbRWYA.exe
2872	kldvEUm.exe
2912	oofqxDr.exe
2724	lBTBmqi.exe
1900	shhozOa.exe
2716	WbSxMAk.exe
2988	JmyBjak.exe
1288	NBXVrPU.exe
2640	tCPKwOh.exe
2600	fysYtnR.exe
2644	qEHDBjn.exe
1444	MHrIOme.exe
1408	SApTgDG.exe
2156	QaMyzsl.exe
2032	qVQJySV.exe
1788	WPlSIRP.exe

Loads dropped DLL 21 IoCs

pid	Process
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2520-0-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/files/0x0007000000012117-3.dat	upx
behavioral1/files/0x0008000000016115-7.dat	upx
behavioral1/memory/2352-17-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/files/0x000800000001642d-21.dat	upx
behavioral1/files/0x00070000000165c2-25.dat	upx
behavioral1/files/0x0007000000016814-28.dat	upx
behavioral1/files/0x0008000000016d29-34.dat	upx
behavioral1/files/0x0006000000016d64-44.dat	upx
behavioral1/files/0x0006000000016fdf-60.dat	upx
behavioral1/files/0x00060000000173a9-80.dat	upx
behavioral1/files/0x0006000000017492-88.dat	upx
behavioral1/memory/1140-101-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/2640-130-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/1288-128-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2988-127-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2716-125-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/1900-123-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2724-121-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2912-119-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2872-117-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2744-115-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2008-113-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/1872-91-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/1736-89-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/files/0x0006000000017488-84.dat	upx
behavioral1/files/0x00060000000173a7-76.dat	upx
behavioral1/files/0x00060000000171a8-72.dat	upx
behavioral1/files/0x0009000000015f3b-68.dat	upx
behavioral1/files/0x0006000000017079-65.dat	upx
behavioral1/files/0x0006000000016d89-56.dat	upx
behavioral1/files/0x0006000000016d6d-52.dat	upx
behavioral1/files/0x0006000000016d68-48.dat	upx
behavioral1/files/0x0007000000016d5e-40.dat	upx
behavioral1/files/0x0007000000016a66-33.dat	upx
behavioral1/files/0x00080000000162b2-15.dat	upx
behavioral1/memory/2520-133-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/2352-135-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/1736-136-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/1140-137-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/2352-138-0x000000013FE90000-0x00000001401E4000-memory.dmp	upx
behavioral1/memory/1872-139-0x000000013FFA0000-0x00000001402F4000-memory.dmp	upx
behavioral1/memory/2716-141-0x000000013F580000-0x000000013F8D4000-memory.dmp	upx
behavioral1/memory/2872-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/1288-144-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/1140-145-0x000000013FA20000-0x000000013FD74000-memory.dmp	upx
behavioral1/memory/1736-151-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2640-150-0x000000013FDA0000-0x00000001400F4000-memory.dmp	upx
behavioral1/memory/2988-149-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/1900-148-0x000000013FC10000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2912-147-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2744-146-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2724-143-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/2008-142-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WPlSIRP.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VOfsyBt.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WbSxMAk.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKirEvP.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\afWAxiU.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yGtdsET.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIbRWYA.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lBTBmqi.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shhozOa.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JmyBjak.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NBXVrPU.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZdTepUJ.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qEHDBjn.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHrIOme.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fysYtnR.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oofqxDr.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tCPKwOh.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SApTgDG.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QaMyzsl.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qVQJySV.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kldvEUm.exe	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2352	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2520 wrote to memory of 2352	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2520 wrote to memory of 2352	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2520 wrote to memory of 1736	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2520 wrote to memory of 1736	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2520 wrote to memory of 1736	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2520 wrote to memory of 1872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2520 wrote to memory of 1872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2520 wrote to memory of 1872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2520 wrote to memory of 1140	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2520 wrote to memory of 1140	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2520 wrote to memory of 1140	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2520 wrote to memory of 2008	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2520 wrote to memory of 2008	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2520 wrote to memory of 2008	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2520 wrote to memory of 2744	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2520 wrote to memory of 2744	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2520 wrote to memory of 2744	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2520 wrote to memory of 2872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2520 wrote to memory of 2872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2520 wrote to memory of 2872	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2520 wrote to memory of 2912	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2520 wrote to memory of 2912	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2520 wrote to memory of 2912	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2520 wrote to memory of 2724	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2520 wrote to memory of 2724	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2520 wrote to memory of 2724	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2520 wrote to memory of 1900	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2520 wrote to memory of 1900	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2520 wrote to memory of 1900	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2520 wrote to memory of 2716	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2520 wrote to memory of 2716	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2520 wrote to memory of 2716	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2520 wrote to memory of 2988	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2520 wrote to memory of 2988	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2520 wrote to memory of 2988	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2520 wrote to memory of 1288	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2520 wrote to memory of 1288	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2520 wrote to memory of 1288	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2520 wrote to memory of 2640	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2520 wrote to memory of 2640	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2520 wrote to memory of 2640	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2520 wrote to memory of 2600	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2520 wrote to memory of 2600	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2520 wrote to memory of 2600	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2520 wrote to memory of 2644	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2520 wrote to memory of 2644	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2520 wrote to memory of 2644	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2520 wrote to memory of 1444	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2520 wrote to memory of 1444	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2520 wrote to memory of 1444	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2520 wrote to memory of 1408	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2520 wrote to memory of 1408	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2520 wrote to memory of 1408	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2520 wrote to memory of 2156	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2520 wrote to memory of 2156	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2520 wrote to memory of 2156	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2520 wrote to memory of 2032	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2520 wrote to memory of 2032	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2520 wrote to memory of 2032	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2520 wrote to memory of 1788	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2520 wrote to memory of 1788	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2520 wrote to memory of 1788	2520	2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_87d78662597a0fc59a9d54d9eb983729_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\System\MKirEvP.exe
  C:\Windows\System\MKirEvP.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\VOfsyBt.exe
  C:\Windows\System\VOfsyBt.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\ZdTepUJ.exe
  C:\Windows\System\ZdTepUJ.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\afWAxiU.exe
  C:\Windows\System\afWAxiU.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\yGtdsET.exe
  C:\Windows\System\yGtdsET.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\DIbRWYA.exe
  C:\Windows\System\DIbRWYA.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\kldvEUm.exe
  C:\Windows\System\kldvEUm.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\oofqxDr.exe
  C:\Windows\System\oofqxDr.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\lBTBmqi.exe
  C:\Windows\System\lBTBmqi.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\shhozOa.exe
  C:\Windows\System\shhozOa.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\WbSxMAk.exe
  C:\Windows\System\WbSxMAk.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\JmyBjak.exe
  C:\Windows\System\JmyBjak.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\NBXVrPU.exe
  C:\Windows\System\NBXVrPU.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\tCPKwOh.exe
  C:\Windows\System\tCPKwOh.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\fysYtnR.exe
  C:\Windows\System\fysYtnR.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\qEHDBjn.exe
  C:\Windows\System\qEHDBjn.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\MHrIOme.exe
  C:\Windows\System\MHrIOme.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\SApTgDG.exe
  C:\Windows\System\SApTgDG.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\QaMyzsl.exe
  C:\Windows\System\QaMyzsl.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\qVQJySV.exe
  C:\Windows\System\qVQJySV.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\WPlSIRP.exe
  C:\Windows\System\WPlSIRP.exe
  2⤵
  - Executes dropped EXE
  PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DIbRWYA.exe

Filesize
5.9MB

MD5
2534388bbf71904fdf22056cea52e7c4

SHA1
99e370df259c6f8e16404f059278fff93e220f52

SHA256
350e4a05a5c6e682a43c8ef6b0279ae85bc3ca980a54271cc918f998c51b4bcc

SHA512
e731cfaaced3330730341025ea6fc812e4abc6bc424da3ad9519a718117be3905f8c968e69b32b129fbf1a5e882ab35330932b1dcdba0934e0ade123bd9d9072

Download Submit
C:\Windows\system\JmyBjak.exe

Filesize
5.9MB

MD5
2117acf1c95908feaa2876b97da22eef

SHA1
41b085cc90ee3bcd21ddfb7345e01360acf15c66

SHA256
a6ac8700009ef62899086782e571ff2b72cb1d2809c470fedb8742bb589f391a

SHA512
c515ac3b78091438b6cfad6a8aac5e60ef2505ab2bd1a6592a96a3a6671bd0868d9c60bb717a408e4c7f62ab949c0f22de61b00cbfe056158406663bf8ece8e3

Download Submit
C:\Windows\system\MHrIOme.exe

Filesize
5.9MB

MD5
fd24635b81484f3c09037fa2bc280a99

SHA1
564fb64bc7833601d6b7a83fd2fb6e50a0b09adb

SHA256
c7927decbd318da7bbc30c55aac4440afefc9566aa663f3764ffe88678fd8009

SHA512
dc5e816183368881f962025fb7a1022490ffec3bd27263e5ef7b8201fa45dc88e18f239b081fa5dcce533f9ef564399227fcac680d3679ddd73e0f96ea6cec40

Download Submit
C:\Windows\system\NBXVrPU.exe

Filesize
5.9MB

MD5
ad6776192fcec713a8d560d955f75163

SHA1
fc1eeda1c7bfd32363d685c29d28eabf90f4a766

SHA256
94df876bad33d418705c4f09206f5e70440eafe743337f6c589a9d834824c479

SHA512
93984054d11391a3005b92c7ad60e13931286447e7f50fe7dc851d6cf775066d09c8d2ef0f44526a339b320f4caa8c5b8c5d7817ef5d3b4e34a2ab437070f657

Download Submit
C:\Windows\system\QaMyzsl.exe

Filesize
5.9MB

MD5
1fe6d25d40ff96b9df382ecdb06b32dc

SHA1
6c9df1f7854fb709005b301d576bd9ed144cbb51

SHA256
05d943dc556469379cbf5bfbe74dcd5ca47c9670f2551c5c55e78618c4fc4462

SHA512
110f4c70ab8bba2d1b5b614bd70b339fb646b5871e603d6ba5c289b19540b551d0fb236b0cda4f57d370bc653160ebc665ad307696c59fa06d2c09284172388f

Download Submit
C:\Windows\system\SApTgDG.exe

Filesize
5.9MB

MD5
19e4040540f0f44719ac6bfc86969208

SHA1
4eca077e6d6d96610cbbafbe67b4bc735e592495

SHA256
aec9d5571a55dbaa9db56dbd33f00c609396babafb88297155f401e5c5ad4df0

SHA512
413113dcc0e57d8cf730e3f1079fc0179a78c3045657dcf83cd9b83c19f82eccd9ed9a428a750c48c7df7a29b482c855ec7377f11a178474c1f4deaba2a11a54

Download Submit
C:\Windows\system\WPlSIRP.exe

Filesize
5.9MB

MD5
048e1030824aa2bdb3d243697eec527b

SHA1
5e51bc677ce68139993211e4158f61bbb31eaa2c

SHA256
a46c102ee23e97982cb7e6702259a5fc0409bc4a7edddfa21f6063448005e12d

SHA512
64604608f5fa5edab5d79cde12cbb29e7b902cd12f3bafb5566b55f7531dd94f4f2bf81d0d8cb5de673e3196f753f4d2d17661d1f7a1cadfbeb44c8425b2f248

Download Submit
C:\Windows\system\WbSxMAk.exe

Filesize
5.9MB

MD5
9d9466b2a52c0bb8ae73cc66db4620d0

SHA1
8c461266074aecf257cd58cad25d98264726addc

SHA256
65a2e1ee42b0efa2a5dd9f834dba2a62df49bf128ddeaa7c7078ca82500ea8d5

SHA512
dc165abacee81ac7869eaf96c615d2032dfa2a75bdb0efd9e5e03d03ead7cb26896d47c7a223c1120adc80880f1e200eb4318f019dfc8e08e96324860902fdff

Download Submit
C:\Windows\system\ZdTepUJ.exe

Filesize
5.9MB

MD5
8e5702a55fc55d9f8c17cbad55826854

SHA1
c47652849d2b7687f8573e5d729d1764cda7fdac

SHA256
b030fc34ea577f1e7728b22604fb386c2b0bce8f6554e20b64021fc9e9df6389

SHA512
c2d5797f0126087e68460193768fe42a182fce322b824983ef6cad15d1530c46976af80bba19ba3f2740d9049dd80afc242162326b331dc016ddd3880a5b1a86

Download Submit
C:\Windows\system\afWAxiU.exe

Filesize
5.9MB

MD5
5f4f47d311303d3520233ebac85b0f1a

SHA1
b49c8afb246778005b573605a2bc8ad5b54face0

SHA256
1e430ca27d83571817700bff3accbf85d3677c34a12d40b6294ea608462236fb

SHA512
a9a422e13fd47c9bd63d5112c63189262267bfc9a5994a2fe6519915631880a9f54149a96c7429fe21f9ac96331ebb60a08317d87fb08f173693bce8bb203789

Download Submit
C:\Windows\system\fysYtnR.exe

Filesize
5.9MB

MD5
d7a25285e2c318eb954c7cabf1f4c9fd

SHA1
8171f0c6a53b5697206599595eb236048edc7290

SHA256
2cc04df019188ebe7c3986514bac30d8c8bf0956ead8cee88ff497f4b2cec1f8

SHA512
2d531d8fd042025cd58a50b55dd58ffb5b39e35c13fde2b965f5931037d0163d72da9217d3db559e15314f2828c5c60ababcf65a22293a9c3d271d2df6bcb62a

Download Submit
C:\Windows\system\kldvEUm.exe

Filesize
5.9MB

MD5
5645756ae39bf39088f7577eb57101d8

SHA1
56afff13c6ce8113c407628bad526de74cc6012d

SHA256
b51fdeb45aed49cfe157ce4d48eac4cca6c4c60d7b848a3c614f741cdfa58f54

SHA512
387ea106dcbef13cee4dd84e88950f9571cb95f3b12a50d759e3a84f240e39d5ea65739752c050913137c34cb3141504db216f1e93839a9eabcc79be2bc1350c

Download Submit
C:\Windows\system\lBTBmqi.exe

Filesize
5.9MB

MD5
cf6a994c44803a49b6df6deae009375c

SHA1
69da17ad7c892ea32dd705235094f08f81c5dc5c

SHA256
09620857c171f99936ac750bb1f56ad93600c9a2d1d41f2928ec21bcdf917213

SHA512
70d614299a144b0277cee46bd8b5688ebd4515274d6ce5e478650da5c389b73c6e48eaa6d8bf1d16106ddfad4c5d94448db60d4e25de48314df3a7f798005376

Download Submit
C:\Windows\system\qEHDBjn.exe

Filesize
5.9MB

MD5
4f4c0451afea8d5c8b378ad9a686f8ac

SHA1
a16b5abd0978094e3ff9695fe25220f123c39625

SHA256
777571635c4455f6bbea54d25f72a6c56c2499f5146bf3569d7a228f413ddc60

SHA512
ee2c5f01761d671932469db0f10ded7698434154e31a83dec2edd3e496c51f1588b7ce56bc2f87a7bdb34c29c257fc0490c69b59c4535d3f1d66108902543e09

Download Submit
C:\Windows\system\qVQJySV.exe

Filesize
5.9MB

MD5
680e41146c7f8c11490866e72bb2bcac

SHA1
292be1238622dead87b9c3671ad6985f61696217

SHA256
1ad51dea26f918be636d8cda6f2fcf5385d746db50b3dbb1aebc28ab60050cbd

SHA512
a47fa8ae02f85c0c6fb6c1883b500692b0714dc19cbb9aaf4ba773773e4724ef6b98a3334dbc62d1f7d5aa96a3ca1881d389e3fd56ecf387c55daa94d0b137fb

Download Submit
C:\Windows\system\shhozOa.exe

Filesize
5.9MB

MD5
b0cfc72ca845d8ebb3b9c76015da8906

SHA1
71808003f102ae1ed97037fa54b9cb7fb8553efa

SHA256
d99718964c09b11a6c69d4dbe70917336125fdf25835c6c8c020dc4b3a05ce71

SHA512
98120ada9b49e2e4b0711abdbeb4dad9adf370e1a9ab1340ccd78411b5011a0adad0b9dc44e7b8c18431b576453e2d81913a71c6dea29cea35f6f9bc0f2d9218

Download Submit
C:\Windows\system\tCPKwOh.exe

Filesize
5.9MB

MD5
ecdef2f8116dbb1a2996923ce8ef41e6

SHA1
0e99ad9cd70cd002344b97bc7f8480013eda01f5

SHA256
9169c983dc29c2bc8b68020292cd9cfc37ff0ee02a8e14da6f58198afa3c6f9f

SHA512
e7f4fa896f79f57a08b8814d0c47bb71b6a8971681cc6bca9d8cea050f9c072b5bdc5ba1be62502199c025eb314c63039f2626a054ecffbbf8190a7ccd7cba61

Download Submit
C:\Windows\system\yGtdsET.exe

Filesize
5.9MB

MD5
626fac4f9e23476f4f5251118f4add93

SHA1
711016d390027a2fc4a2e378284549f119a826d2

SHA256
74004b8650b6e9f64efb2efaa3f6216c618c4203a443d135c2972f6aa1769bb2

SHA512
863766b2d67ff3701abac08b737966bd4e68567fe3ad376f24d0804d09c40a6c25908de74d7c73f2d8a370083ffd1da4e19a0695a7195c67eafb1e384bbaaf87

Download Submit
\Windows\system\MKirEvP.exe

Filesize
5.9MB

MD5
270a527dcfcd14c054de34e0671917ad

SHA1
164343be1128d54743eca92ff8ff0af84871d7dd

SHA256
9eb21169b9aa8394b55c5cd31d8461194df24351aa5f451162f60c2c4edda679

SHA512
879a30af41237b8d86a8adce479490fea6c70c3a6fecc4ce89f637460180bb079e6257d2e8fe8336a88d20b55be1e7de2e83ec28c861a4c3d1fb3d03b747bc97

Download Submit
\Windows\system\VOfsyBt.exe

Filesize
5.9MB

MD5
bb42450ae395ee8a9bb22ceaa64748e3

SHA1
94c3eda4c1d04daecfec91a6e4e96b27e4c4bbe3

SHA256
2e384f0f8565b5bcd2e67d1928aaa57cc1976e915da1f6c1f73a01bf771d3b37

SHA512
a0f86664d20c4727a280a299f17638ccd6c87fbe0aa891c3273d7767a6f3204a53465aab8b31062f11fa362bcde75088ef2b7fc465a67dd9e8403dd52717979c

Download Submit
\Windows\system\oofqxDr.exe

Filesize
5.9MB

MD5
b4f6fb74d92ba59e8355478f88e14355

SHA1
b284f00eb00173273d8ad787d6d1a04258a1915a

SHA256
b6f098270c39e10b669df2da0758e167ef1c6667e4dce388a37985564fc99270

SHA512
50bd99c897f9d23225e4a3dd624f939b374bc4f176213245c68a836b2c4721c8985cb6d1665543ec6a8b1f566bf40b129501f350961033b6e6fa803333d3cf8d

Download Submit
memory/1140-145-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1140-137-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1140-101-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/1288-128-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1288-144-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-136-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1736-151-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1736-89-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/1872-139-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-91-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/1900-123-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/1900-148-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2008-142-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2008-113-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-135-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-138-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2352-17-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-126-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-131-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-116-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2520-118-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-112-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-120-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-114-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2520-122-0x000000013FC10000-0x000000013FF64000-memory.dmp

Filesize
3.3MB

Download
memory/2520-124-0x0000000002270000-0x00000000025C4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-132-0x000000013FA20000-0x000000013FD74000-memory.dmp

Filesize
3.3MB

Download
memory/2520-134-0x000000013FE90000-0x00000001401E4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-133-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-0-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-129-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2520-90-0x000000013FFA0000-0x00000001402F4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-150-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-130-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-141-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2716-125-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-121-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-143-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-115-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2744-146-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2872-140-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-117-0x000000013FDA0000-0x00000001400F4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-147-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2912-119-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-149-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-127-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download