cobaltstrike | 5a46df71756294f25a91d709d89097ee0c13f460b1efaddb27f5cc292d1d456c

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5bd5361b69d7767d8f62c0c42a0af988
SHA1

848cc3a3ab1cac39cfb9c2efc306f65af7e689fd
SHA256

5a46df71756294f25a91d709d89097ee0c13f460b1efaddb27f5cc292d1d456c
SHA512

6933dbf8d9d158e564c954e6b533d9bf7b896a7de9d9939a39d76879fc44e5cde9a6bdf069658fe3d9442f249bb215967d9113b8c5ef03ec825a4f85ec0215ab
SSDEEP

98304:demTLkNdfE0pZ3s56utgpPFotBER/mQ32lU6:E+x56utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012117-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016890-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016b86-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c89-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cf0-36.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4c-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d22-43.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d68-62.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018683-66.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018697-82.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000164de-86.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001870c-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019056-135.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018fdf-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d83-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d7b-122.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018be7-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018745-112.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001871c-107.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018706-92.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ca0-28.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 62 IoCs

miner

resource	yara_rule
behavioral1/memory/2204-0-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000012117-6.dat	xmrig
behavioral1/files/0x0008000000016890-10.dat	xmrig
behavioral1/files/0x0008000000016b86-12.dat	xmrig
behavioral1/files/0x0008000000016c89-18.dat	xmrig
behavioral1/memory/1968-34-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x0007000000016cf0-36.dat	xmrig
behavioral1/files/0x0007000000016d4c-46.dat	xmrig
behavioral1/files/0x0007000000016d22-43.dat	xmrig
behavioral1/memory/2428-42-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2140-65-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2820-64-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2052-63-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x0009000000016d68-62.dat	xmrig
behavioral1/memory/1732-61-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2412-60-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
behavioral1/files/0x000d000000018683-66.dat	xmrig
behavioral1/memory/2696-73-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/files/0x0005000000018697-82.dat	xmrig
behavioral1/memory/2812-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/files/0x00080000000164de-86.dat	xmrig
behavioral1/memory/2656-88-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2428-83-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2204-41-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2052-23-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/files/0x000500000001870c-98.dat	xmrig
behavioral1/files/0x0006000000019056-135.dat	xmrig
behavioral1/files/0x0006000000018fdf-132.dat	xmrig
behavioral1/files/0x0006000000018d83-127.dat	xmrig
behavioral1/files/0x0006000000018d7b-122.dat	xmrig
behavioral1/files/0x0006000000018be7-117.dat	xmrig
behavioral1/files/0x0005000000018745-112.dat	xmrig
behavioral1/memory/2696-139-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/files/0x000500000001871c-107.dat	xmrig
behavioral1/memory/2204-140-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2512-100-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2140-99-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2608-93-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/files/0x0005000000018706-92.dat	xmrig
behavioral1/memory/2204-32-0x0000000002530000-0x0000000002884000-memory.dmp	xmrig
behavioral1/memory/2244-31-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/2204-30-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/files/0x0008000000016ca0-28.dat	xmrig
behavioral1/memory/2820-27-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2292-9-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
behavioral1/memory/2812-142-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2608-144-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2512-145-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2292-147-0x000000013FD20000-0x0000000140074000-memory.dmp	xmrig
behavioral1/memory/2244-148-0x000000013F110000-0x000000013F464000-memory.dmp	xmrig
behavioral1/memory/1968-149-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2052-150-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2820-152-0x000000013FB40000-0x000000013FE94000-memory.dmp	xmrig
behavioral1/memory/2428-151-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2412-154-0x000000013F4C0000-0x000000013F814000-memory.dmp	xmrig
behavioral1/memory/1732-153-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2140-156-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/2696-155-0x000000013F790000-0x000000013FAE4000-memory.dmp	xmrig
behavioral1/memory/2812-157-0x000000013FE80000-0x00000001401D4000-memory.dmp	xmrig
behavioral1/memory/2656-158-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2608-159-0x000000013F870000-0x000000013FBC4000-memory.dmp	xmrig
behavioral1/memory/2512-160-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2292	gupotxb.exe
2052	QXyhIQx.exe
2244	SLauFVc.exe
2820	GpWwlMR.exe
1968	qywLsUK.exe
2428	XwnJVgW.exe
2412	quIIfjC.exe
1732	rHIWSMp.exe
2140	sPTdVry.exe
2696	PBDhWDv.exe
2812	FaszRtQ.exe
2656	jsQJrVP.exe
2608	PiLHTRX.exe
2512	nUNuIUN.exe
2424	XcqWmZE.exe
1648	PORjNpU.exe
1772	jFClwzh.exe
1052	SiKyHpz.exe
1624	uJeXYab.exe
1472	KOxlrdv.exe
1124	ruQluaa.exe

Loads dropped DLL 21 IoCs

pid	Process
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/files/0x0007000000012117-6.dat	upx
behavioral1/files/0x0008000000016890-10.dat	upx
behavioral1/files/0x0008000000016b86-12.dat	upx
behavioral1/files/0x0008000000016c89-18.dat	upx
behavioral1/memory/1968-34-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x0007000000016cf0-36.dat	upx
behavioral1/files/0x0007000000016d4c-46.dat	upx
behavioral1/files/0x0007000000016d22-43.dat	upx
behavioral1/memory/2428-42-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2140-65-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2820-64-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2052-63-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x0009000000016d68-62.dat	upx
behavioral1/memory/1732-61-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2412-60-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
behavioral1/files/0x000d000000018683-66.dat	upx
behavioral1/memory/2696-73-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/files/0x0005000000018697-82.dat	upx
behavioral1/memory/2812-85-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/files/0x00080000000164de-86.dat	upx
behavioral1/memory/2656-88-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2428-83-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2204-41-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2052-23-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/files/0x000500000001870c-98.dat	upx
behavioral1/files/0x0006000000019056-135.dat	upx
behavioral1/files/0x0006000000018fdf-132.dat	upx
behavioral1/files/0x0006000000018d83-127.dat	upx
behavioral1/files/0x0006000000018d7b-122.dat	upx
behavioral1/files/0x0006000000018be7-117.dat	upx
behavioral1/files/0x0005000000018745-112.dat	upx
behavioral1/memory/2696-139-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/files/0x000500000001871c-107.dat	upx
behavioral1/memory/2512-100-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2140-99-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2608-93-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/files/0x0005000000018706-92.dat	upx
behavioral1/memory/2244-31-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/files/0x0008000000016ca0-28.dat	upx
behavioral1/memory/2820-27-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2292-9-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
behavioral1/memory/2812-142-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2608-144-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/memory/2512-145-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2292-147-0x000000013FD20000-0x0000000140074000-memory.dmp	upx
behavioral1/memory/2244-148-0x000000013F110000-0x000000013F464000-memory.dmp	upx
behavioral1/memory/1968-149-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2052-150-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/2820-152-0x000000013FB40000-0x000000013FE94000-memory.dmp	upx
behavioral1/memory/2428-151-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2412-154-0x000000013F4C0000-0x000000013F814000-memory.dmp	upx
behavioral1/memory/1732-153-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2140-156-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/2696-155-0x000000013F790000-0x000000013FAE4000-memory.dmp	upx
behavioral1/memory/2812-157-0x000000013FE80000-0x00000001401D4000-memory.dmp	upx
behavioral1/memory/2656-158-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2608-159-0x000000013F870000-0x000000013FBC4000-memory.dmp	upx
behavioral1/memory/2512-160-0x000000013F530000-0x000000013F884000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\XwnJVgW.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PBDhWDv.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jsQJrVP.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uJeXYab.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KOxlrdv.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXyhIQx.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpWwlMR.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PORjNpU.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jFClwzh.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ruQluaa.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\quIIfjC.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PiLHTRX.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FaszRtQ.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nUNuIUN.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XcqWmZE.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SLauFVc.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rHIWSMp.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sPTdVry.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SiKyHpz.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gupotxb.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qywLsUK.exe	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2292	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2204 wrote to memory of 2292	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2204 wrote to memory of 2292	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 2204 wrote to memory of 2052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2204 wrote to memory of 2052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2204 wrote to memory of 2052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 2204 wrote to memory of 2244	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2204 wrote to memory of 2244	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2204 wrote to memory of 2244	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2204 wrote to memory of 2820	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2204 wrote to memory of 2820	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2204 wrote to memory of 2820	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2204 wrote to memory of 1968	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2204 wrote to memory of 1968	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2204 wrote to memory of 1968	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2204 wrote to memory of 2428	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2204 wrote to memory of 2428	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2204 wrote to memory of 2428	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2204 wrote to memory of 1732	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2204 wrote to memory of 1732	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2204 wrote to memory of 1732	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2204 wrote to memory of 2412	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2204 wrote to memory of 2412	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2204 wrote to memory of 2412	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2204 wrote to memory of 2140	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2204 wrote to memory of 2140	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2204 wrote to memory of 2140	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2204 wrote to memory of 2696	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2204 wrote to memory of 2696	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2204 wrote to memory of 2696	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2204 wrote to memory of 2656	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2204 wrote to memory of 2656	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2204 wrote to memory of 2656	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2204 wrote to memory of 2812	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2204 wrote to memory of 2812	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2204 wrote to memory of 2812	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2204 wrote to memory of 2608	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2204 wrote to memory of 2608	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2204 wrote to memory of 2608	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2204 wrote to memory of 2512	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2204 wrote to memory of 2512	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2204 wrote to memory of 2512	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2204 wrote to memory of 2424	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2204 wrote to memory of 2424	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2204 wrote to memory of 2424	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2204 wrote to memory of 1648	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2204 wrote to memory of 1648	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2204 wrote to memory of 1648	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2204 wrote to memory of 1772	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2204 wrote to memory of 1772	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2204 wrote to memory of 1772	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2204 wrote to memory of 1052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2204 wrote to memory of 1052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2204 wrote to memory of 1052	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2204 wrote to memory of 1624	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2204 wrote to memory of 1624	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2204 wrote to memory of 1624	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2204 wrote to memory of 1472	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2204 wrote to memory of 1472	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2204 wrote to memory of 1472	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2204 wrote to memory of 1124	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2204 wrote to memory of 1124	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2204 wrote to memory of 1124	2204	2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_5bd5361b69d7767d8f62c0c42a0af988_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\System\gupotxb.exe
  C:\Windows\System\gupotxb.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\QXyhIQx.exe
  C:\Windows\System\QXyhIQx.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\SLauFVc.exe
  C:\Windows\System\SLauFVc.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\GpWwlMR.exe
  C:\Windows\System\GpWwlMR.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\qywLsUK.exe
  C:\Windows\System\qywLsUK.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\XwnJVgW.exe
  C:\Windows\System\XwnJVgW.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\rHIWSMp.exe
  C:\Windows\System\rHIWSMp.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\quIIfjC.exe
  C:\Windows\System\quIIfjC.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\sPTdVry.exe
  C:\Windows\System\sPTdVry.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\PBDhWDv.exe
  C:\Windows\System\PBDhWDv.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\jsQJrVP.exe
  C:\Windows\System\jsQJrVP.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\FaszRtQ.exe
  C:\Windows\System\FaszRtQ.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\PiLHTRX.exe
  C:\Windows\System\PiLHTRX.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\nUNuIUN.exe
  C:\Windows\System\nUNuIUN.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\XcqWmZE.exe
  C:\Windows\System\XcqWmZE.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\PORjNpU.exe
  C:\Windows\System\PORjNpU.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\jFClwzh.exe
  C:\Windows\System\jFClwzh.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\SiKyHpz.exe
  C:\Windows\System\SiKyHpz.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\uJeXYab.exe
  C:\Windows\System\uJeXYab.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\KOxlrdv.exe
  C:\Windows\System\KOxlrdv.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\ruQluaa.exe
  C:\Windows\System\ruQluaa.exe
  2⤵
  - Executes dropped EXE
  PID:1124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FaszRtQ.exe

Filesize
5.9MB

MD5
bf458a68b2825c336e904afad10bd3c5

SHA1
13672d952def907528c421376144c314b57de605

SHA256
b838631594c16c74d802c39c5cd2fd76240e9d81f2e5b808e21de6210d06c7d5

SHA512
444d0c993e56c992dda68ae41933db7247b411fa5e1f9168b59cfe448d561f545575d0b8945a0550d6b224ab821a208940a50b1655e341731c24431a901edfba

Download Submit
C:\Windows\system\KOxlrdv.exe

Filesize
5.9MB

MD5
046c364f8e601f4389e0bf6d9fbb505a

SHA1
0d4a982cf0f6570dc10225abc5d0348fd73f50ae

SHA256
b4c91e7ea1e5e5a7174dee02af057ff1eab33ef2a9db243fc719e1bf36e64ab6

SHA512
580abf2275de29b1d59df67eb16c0dc04bd185048a2dadc166894776e63e5f6f83b0dc36e957eb0970efd7f07442bca1c9b1ea5d6ade6b2fdd48be1139245adc

Download Submit
C:\Windows\system\PORjNpU.exe

Filesize
5.9MB

MD5
61430020b10e85e1ec48c26c8a93500b

SHA1
2b86b961938f0374386dfeb88dc2e47c6d4ecc31

SHA256
64b5222a7b6ef9911c83b675abfa1be8f58e791a14209d21b1682e843dd13083

SHA512
76a4f4ebc1ad02055571ddaffc865790d51a98381ce7e8ca5206829d36b0d0f2894879fe4bd6deb176014ccbbbf56bcd3d6549aafbf5f9b0fb67d2fc6dfa12b8

Download Submit
C:\Windows\system\PiLHTRX.exe

Filesize
5.9MB

MD5
47f8f9360d9dbd206f8d6873cd842630

SHA1
d3467d8fe4d64b61bdb17c8232a550e5e164be7e

SHA256
76bf16ac04d57152334f864531ee57cb2cb8bcb05b15c1aea23e848787eb9a5f

SHA512
b68ff3b9010e08873395ca687d497e14e370568ed238f4bd5d425d14445f06f5260f445b6a8479ba860f53147b83a6a48546e728189d7e41edd6942581a4cc80

Download Submit
C:\Windows\system\SLauFVc.exe

Filesize
5.9MB

MD5
de92522ec8a175baba83fa34892047a7

SHA1
09d602c609cf671c9067d4a7c3d751baa3a11f8a

SHA256
ae1b8555c422719d943bfaf458416146f3c0a7a5fc3eca77a3d20e60abf9fbca

SHA512
1b388e753f7f747c70b6c72114511ec0905828bcdc16e80a68121aea97ea502c147e26a4233c8f198b1be4788093dce47c726b768a0532cbb9e9c5bc59261233

Download Submit
C:\Windows\system\SiKyHpz.exe

Filesize
5.9MB

MD5
a6b0cb9e97becb54697d801722a7e105

SHA1
395905dbf576e8c4904df43817603376fcee66ee

SHA256
06683f0d5bc733c66c32540d15ae4e1f46aab4c263fcdff1a7e299357ed9a0d2

SHA512
7e628759d3566039d58405b93e0cfcb13774f10fca55c1d56bcf97df54722dfe1491dab52b0b5ceae0aa11dc05c6b857b3f87c5928e17bfd8b393b43a9dd1645

Download Submit
C:\Windows\system\XcqWmZE.exe

Filesize
5.9MB

MD5
f635546b47394bf400c03ae7a25fa74f

SHA1
8c0a9c281fe7c5940a3aa277684054c3cc3dbeb0

SHA256
6e363040f632a0f0db4c0a35de383c9e2200f6da24462ff85a42f022cd14bd36

SHA512
385e4345620766c81f3f16e31c697f8a18816f3489f10170dec1625716e4ca92af436f2772741278cddd1c5e148830eeb2d81af6046fbca40883a6820f018c24

Download Submit
C:\Windows\system\gupotxb.exe

Filesize
5.9MB

MD5
3bf9a3bd740017218c37b47db35f9684

SHA1
6e4e00c5064afbc2c17839f5064580d03fa7871b

SHA256
6712f7252863a522e9ff2d2c1766a0ce77ec329a5bbedd064ee9f3d324f78d0e

SHA512
8bd758060e2a3a031366e9257ce5d6e5888733eb5c5e3c05f9e46ffa6347abff087403c31405ea3e3478bcbd468916af126c6da6b230581cef73fe99839647bf

Download Submit
C:\Windows\system\jFClwzh.exe

Filesize
5.9MB

MD5
02399c098fc9afd4ac740d75eb699952

SHA1
bd07cfca90f88c9802017fbf67c6b4400d612fe6

SHA256
f7cf7ff2a0e92666b8d5d8d768465497f88774394b5d525a9f83f1fd2b4ef1b6

SHA512
3d5c07359928e0d6f336c5976efd3e4d108e28f9b45c7cd0acf7da55d49bb9b9d04cbcb8fd2aae7d5d8a512cecb2b769a0a36cd199eea6e5d8dc68f7b84c869b

Download Submit
C:\Windows\system\jsQJrVP.exe

Filesize
5.9MB

MD5
ece66b3b73454119cd30c76afc278ca7

SHA1
27dc9dd4d14b98b4e9034c9104d3d23727573016

SHA256
767e2b962d202b7842b929158e2afcba0d00b9f3fc92b96d7c11873015a00156

SHA512
ec57fcb70afefd12e1aea138c79bb4d67dd68f5bb8522c050edb66e208bcdd898446a2d1e220dee8a96c5f4f76828a15cc997c20405a6ef5c9d7e1266cbe8e8a

Download Submit
C:\Windows\system\nUNuIUN.exe

Filesize
5.9MB

MD5
853d554ba6c8f6227a53fddcfbd71a5d

SHA1
c8cf3b7c7868b02b05179ec44b0e881f42065d06

SHA256
da241c26bdebe8a7ebdc6df59402114950ca205f5073f1e51f578f44eaef302a

SHA512
015a925e0071fccec6d1e1124c634adda5593b847593d5319e4d685d4559b45899f90ee0c5dd0229d9565022e14a7556f2f64c3cffe75e9396ee9edb4388d155

Download Submit
C:\Windows\system\qywLsUK.exe

Filesize
5.9MB

MD5
a2980e7a2b74f3eaf2ad6d8ece05345a

SHA1
a8fd92559a7a169d6027bd4aa0db6b9c3fbf220f

SHA256
78b754fccf9ce074f3822022172d176350ccf7e4ff8f5a5aebc3af7c30234318

SHA512
0aaf2250eca057ceaef5ab36081111e4ddc84f52927350fce8e22737aedf57582c415d1a40ae1cf732b9a7fa30eeea4ace109b22721271eef878bb1111604b70

Download Submit
C:\Windows\system\sPTdVry.exe

Filesize
5.9MB

MD5
8b4c862232711b0e7c04538bee355498

SHA1
a28cbacf661056251561b8b95411a6bd93bc382b

SHA256
99a7fcb086693bfea0fd553da20ff0c13ce54cc0972753a4f170165a22c8a2b3

SHA512
88cef562bef97215806c025a9e267172a2c4d4e2b2b18ae0cff2379aad2328bcdee00fc7af1500ad6be46832ec26fa11ed81c646ca67d2ff23731248553346c4

Download Submit
C:\Windows\system\uJeXYab.exe

Filesize
5.9MB

MD5
9d53aba5800c1f7504a72dc5f3e3b594

SHA1
ab46f75ec8412e69412a9ef45c61d66ba2b993e4

SHA256
b5450b2a66eb68e8f7b3565353f6249e03371e88c29521633c11803ca01cd392

SHA512
674e0cf803f6e75b2d75886c93dcd145ab31e77b7fa710c2f0e3e707c0891e76653dc1f2d91f86127344b86ca5c2435d0297e66274db4c017cc60c652997f45f

Download Submit
\Windows\system\GpWwlMR.exe

Filesize
5.9MB

MD5
ba928241142bbf82f2416d616eb490a5

SHA1
de5979a1fabeb51a0bcc11d3f608dfc8d8b0faa7

SHA256
cf4eb8490d5735e1874f89cf554a651606d12afdc155d93b5ffe76297ed4d15e

SHA512
e615c9b621b7bdd57ee7673862a5498e2f9a60eef7d78784351f1eb29f25b0bd5da73d9d2830c98d90f12d0325ccd99c3e554bc1681d9f04d3d508cea690cd7d

Download Submit
\Windows\system\PBDhWDv.exe

Filesize
5.9MB

MD5
6e7261b7dd53c01b00a741316061f9a7

SHA1
4aefa6a1439427ef4b5d6574c111a9f7d9f57ffa

SHA256
8d849dab29176ae5798e530dcb532c1e40dd3f887906c8c6bd3bb21c1d5c0114

SHA512
7595f3fbcd477d672370833f8b249be48d4caff973e9fc1eb87193cffa4d5f9a431a60bc9ca593bd60228ebf45e45d0b367f59e3b3a2e80ed4006e7a7ffa49fb

Download Submit
\Windows\system\QXyhIQx.exe

Filesize
5.9MB

MD5
f321d187518dbbc46931d8eabe43387c

SHA1
d56e4fb135df4047a54b3b74b695faec7668fdf4

SHA256
07557ff12680dbe48c1368ab427e3fc27b5f4615892862b0edf081918137b095

SHA512
b556306dceb618f32b0bea6637d9b91be4f4ae74e23cdcc8564228c89016dc0b10fcb792fdf38e9dd846f78ba8c0bcd3db202752cfaf5ae59ed22b0289722aea

Download Submit
\Windows\system\XwnJVgW.exe

Filesize
5.9MB

MD5
f7a584b124afac14d2e23552c1782846

SHA1
740b2baa099d94a852d14d7e42e54e7278415d84

SHA256
613f68fe5e89888350e869bef2c4055d1664fd5b8d3ec2ee2b75cf317b1bcb09

SHA512
79bef5d1eb2ce311fea052c0930d26d8aea52e71061fa4caa8d4b62f23d213bb7da4a5817814abdb3ddf872851dda9cb9a28f0700f0809e591e161c5cf5d3030

Download Submit
\Windows\system\quIIfjC.exe

Filesize
5.9MB

MD5
1ff91778fd65183d791eddf52c4b9e0c

SHA1
d3c76572a4082c41a8c1bc5a19bcd73f74d323c5

SHA256
e4a0b3b3538c386e3f6a64c648ac2f73f91fcea3a315eaaef67156483e4443dd

SHA512
a11ea344775d542472d03ce51ca550ffa99b4b156a54752105f3d5c59ddd8723bc825effd32e8da29f05ecd1a11fb3f71398624ea58a26a6fa267d5ab750231b

Download Submit
\Windows\system\rHIWSMp.exe

Filesize
5.9MB

MD5
8823ce6a1007f70a192727fce3674a9f

SHA1
a442e4d7237e03b296c21d11cafa6efee06ed106

SHA256
018c85d11ec10ada5a4670a48d0645d75743b080a33912c37a87b8cb1bfed75e

SHA512
a0f78a4112bc00829675388be0124f4cd73281a01f010308ce7a196d8d0c8256578944d87e353a8b2c859212b3f4411d893d565b03eb2aec8c0041c574c56f5b

Download Submit
\Windows\system\ruQluaa.exe

Filesize
5.9MB

MD5
2f6a7a393daaff66c17284310d98d757

SHA1
6b3c7859443e77f9b6885c11a886f040c8161813

SHA256
a73268a8d95a57e2de4612fd932c3f534dd4cf83dc40add2ce2afadbe8fac714

SHA512
c7b7c936dfcca46ebc3d88df7d1237ee270201ca8d64c0ef6b60aa5a39b2d272fdb5d878947238bf5f2ba2ea9b22a367987ddefb2650227e2b241dbb778a7627

Download Submit
memory/1732-61-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1732-153-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1968-34-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1968-149-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2052-63-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-150-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-23-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-99-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2140-65-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2140-156-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2204-59-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2204-30-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2204-41-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-67-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-81-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2204-8-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-77-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2204-33-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2204-49-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2204-146-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-0-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-105-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-104-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-140-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2204-143-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-37-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2204-141-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-32-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/2204-90-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2244-31-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2244-148-0x000000013F110000-0x000000013F464000-memory.dmp

Filesize
3.3MB

Download
memory/2292-147-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2292-9-0x000000013FD20000-0x0000000140074000-memory.dmp

Filesize
3.3MB

Download
memory/2412-154-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2412-60-0x000000013F4C0000-0x000000013F814000-memory.dmp

Filesize
3.3MB

Download
memory/2428-151-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2428-42-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2428-83-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2512-100-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2512-160-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2512-145-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2608-159-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-93-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2608-144-0x000000013F870000-0x000000013FBC4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-158-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2656-88-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2696-155-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-139-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2696-73-0x000000013F790000-0x000000013FAE4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-157-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-142-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2812-85-0x000000013FE80000-0x00000001401D4000-memory.dmp

Filesize
3.3MB

Download
memory/2820-27-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2820-152-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download
memory/2820-64-0x000000013FB40000-0x000000013FE94000-memory.dmp

Filesize
3.3MB

Download