cobaltstrike | 85a7268ab71ed72ef7e78700420b4064e53ca5e3de22d42f59c270a5fe0f8bc0

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

86680d41caab6b4c7ab7f5280fa04cf7
SHA1

3a9aea3c7e620166520f4ca52ebebbb9ca8c372f
SHA256

85a7268ab71ed72ef7e78700420b4064e53ca5e3de22d42f59c270a5fe0f8bc0
SHA512

22b386b5f4a332be7d0cbda3da8505b933cf45eae018afad7cfe44bbc151ed4b4653edab399af09013f942dca8504834d9b85ea1d44efe9313ea17b3772fd168
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001225a-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c81-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c89-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cf8-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d46-37.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d33-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4a-47.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016b17-54.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016db3-61.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194a7-73.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d4-98.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f2-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019501-134.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019503-137.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f6-129.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ea-119.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194da-108.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194b4-102.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e2-99.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019494-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019408-74.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2944-41-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2812-43-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2368-45-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2748-35-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2684-50-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/2688-58-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2428-69-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2604-115-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2484-116-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2644-114-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/2724-111-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/2368-101-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/3004-100-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2768-67-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2812-142-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2796-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2368-145-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2368-154-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1108-165-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/1476-167-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/1036-169-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/1984-168-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/3016-166-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2472-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/1492-163-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/1768-161-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2368-170-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2684-218-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/2688-220-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2748-228-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2428-229-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2944-231-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2812-233-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2796-237-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2768-239-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2644-254-0x000000013FD00000-0x0000000140051000-memory.dmp	xmrig
behavioral1/memory/3004-255-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/2604-257-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2484-263-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2724-262-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2684	DIIyWxF.exe
2688	vgshxvb.exe
2428	cnubCRx.exe
2748	jsaHQyp.exe
2944	KkPxIiz.exe
2812	FYlyMpp.exe
2796	mUwBWlC.exe
2768	SmVIjGu.exe
2644	JZBtleg.exe
3004	ZcpyYsD.exe
2604	qaZsORR.exe
2724	VEccplX.exe
2484	lnjfdaP.exe
2472	cNrKrcy.exe
1768	zpEqXup.exe
1492	JYYODDz.exe
1108	fsYULhs.exe
3016	KCYrmxM.exe
1476	KiHjmyU.exe
1984	RsPbHkw.exe
1036	leidskH.exe

Loads dropped DLL 21 IoCs

pid	Process
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2368-0-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-3.dat	upx
behavioral1/memory/2684-7-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/files/0x0008000000016c81-8.dat	upx
behavioral1/memory/2688-15-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/files/0x0008000000016c89-10.dat	upx
behavioral1/files/0x0008000000016cf8-29.dat	upx
behavioral1/files/0x0007000000016d46-37.dat	upx
behavioral1/memory/2944-41-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2812-43-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2428-27-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/files/0x0007000000016d33-40.dat	upx
behavioral1/memory/2796-49-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/files/0x0007000000016d4a-47.dat	upx
behavioral1/memory/2368-45-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2748-35-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2684-50-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/files/0x0009000000016b17-54.dat	upx
behavioral1/memory/2688-58-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/files/0x0009000000016db3-61.dat	upx
behavioral1/memory/2428-69-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/files/0x00050000000194a7-73.dat	upx
behavioral1/files/0x00050000000194d4-98.dat	upx
behavioral1/memory/2604-115-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2484-116-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2644-114-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/2724-111-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/files/0x00050000000194f2-124.dat	upx
behavioral1/files/0x0005000000019501-134.dat	upx
behavioral1/files/0x0005000000019503-137.dat	upx
behavioral1/files/0x00050000000194f6-129.dat	upx
behavioral1/files/0x00050000000194ea-119.dat	upx
behavioral1/files/0x00050000000194da-108.dat	upx
behavioral1/files/0x00050000000194b4-102.dat	upx
behavioral1/memory/3004-100-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/files/0x00050000000194e2-99.dat	upx
behavioral1/files/0x0005000000019494-94.dat	upx
behavioral1/files/0x0006000000019408-74.dat	upx
behavioral1/memory/2768-67-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2812-142-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2796-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2368-145-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/1108-165-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1476-167-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/1036-169-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/1984-168-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/3016-166-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2472-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/1492-163-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/1768-161-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2368-170-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2684-218-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/2688-220-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2748-228-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/memory/2428-229-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2944-231-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2812-233-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2796-237-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2768-239-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2644-254-0x000000013FD00000-0x0000000140051000-memory.dmp	upx
behavioral1/memory/3004-255-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/2604-257-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2484-263-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/2724-262-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\vgshxvb.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZcpyYsD.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JYYODDz.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fsYULhs.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RsPbHkw.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DIIyWxF.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KCYrmxM.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KiHjmyU.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\leidskH.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cnubCRx.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mUwBWlC.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JZBtleg.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnjfdaP.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cNrKrcy.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zpEqXup.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jsaHQyp.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYlyMpp.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KkPxIiz.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SmVIjGu.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qaZsORR.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEccplX.exe	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2684	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2368 wrote to memory of 2684	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2368 wrote to memory of 2684	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2368 wrote to memory of 2688	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2368 wrote to memory of 2688	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2368 wrote to memory of 2688	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2368 wrote to memory of 2428	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2368 wrote to memory of 2428	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2368 wrote to memory of 2428	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2368 wrote to memory of 2748	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2368 wrote to memory of 2748	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2368 wrote to memory of 2748	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2368 wrote to memory of 2812	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2368 wrote to memory of 2812	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2368 wrote to memory of 2812	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2368 wrote to memory of 2944	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2368 wrote to memory of 2944	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2368 wrote to memory of 2944	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2368 wrote to memory of 2796	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2368 wrote to memory of 2796	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2368 wrote to memory of 2796	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2368 wrote to memory of 2768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2368 wrote to memory of 2768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2368 wrote to memory of 2768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2368 wrote to memory of 2604	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2368 wrote to memory of 2604	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2368 wrote to memory of 2604	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2368 wrote to memory of 2644	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2368 wrote to memory of 2644	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2368 wrote to memory of 2644	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2368 wrote to memory of 2724	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2368 wrote to memory of 2724	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2368 wrote to memory of 2724	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2368 wrote to memory of 3004	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2368 wrote to memory of 3004	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2368 wrote to memory of 3004	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2368 wrote to memory of 1768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2368 wrote to memory of 1768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2368 wrote to memory of 1768	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2368 wrote to memory of 2484	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2368 wrote to memory of 2484	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2368 wrote to memory of 2484	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2368 wrote to memory of 1492	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2368 wrote to memory of 1492	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2368 wrote to memory of 1492	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2368 wrote to memory of 2472	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2368 wrote to memory of 2472	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2368 wrote to memory of 2472	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2368 wrote to memory of 1108	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2368 wrote to memory of 1108	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2368 wrote to memory of 1108	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2368 wrote to memory of 3016	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2368 wrote to memory of 3016	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2368 wrote to memory of 3016	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2368 wrote to memory of 1476	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2368 wrote to memory of 1476	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2368 wrote to memory of 1476	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2368 wrote to memory of 1984	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2368 wrote to memory of 1984	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2368 wrote to memory of 1984	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2368 wrote to memory of 1036	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2368 wrote to memory of 1036	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2368 wrote to memory of 1036	2368	2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_86680d41caab6b4c7ab7f5280fa04cf7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\System\DIIyWxF.exe
  C:\Windows\System\DIIyWxF.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\vgshxvb.exe
  C:\Windows\System\vgshxvb.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\cnubCRx.exe
  C:\Windows\System\cnubCRx.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\jsaHQyp.exe
  C:\Windows\System\jsaHQyp.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\FYlyMpp.exe
  C:\Windows\System\FYlyMpp.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\KkPxIiz.exe
  C:\Windows\System\KkPxIiz.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\mUwBWlC.exe
  C:\Windows\System\mUwBWlC.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\SmVIjGu.exe
  C:\Windows\System\SmVIjGu.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\qaZsORR.exe
  C:\Windows\System\qaZsORR.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\JZBtleg.exe
  C:\Windows\System\JZBtleg.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\VEccplX.exe
  C:\Windows\System\VEccplX.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\ZcpyYsD.exe
  C:\Windows\System\ZcpyYsD.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\zpEqXup.exe
  C:\Windows\System\zpEqXup.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\lnjfdaP.exe
  C:\Windows\System\lnjfdaP.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\JYYODDz.exe
  C:\Windows\System\JYYODDz.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\cNrKrcy.exe
  C:\Windows\System\cNrKrcy.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\fsYULhs.exe
  C:\Windows\System\fsYULhs.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\KCYrmxM.exe
  C:\Windows\System\KCYrmxM.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\KiHjmyU.exe
  C:\Windows\System\KiHjmyU.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\RsPbHkw.exe
  C:\Windows\System\RsPbHkw.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\leidskH.exe
  C:\Windows\System\leidskH.exe
  2⤵
  - Executes dropped EXE
  PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FYlyMpp.exe

Filesize
5.2MB

MD5
e7f71c3fe0a3a4f5656ea75d01822f42

SHA1
d9babd1430d0b3b4f052e7750cea80cd45eaaca4

SHA256
5bea58d75e9942f636e83b842c7e7a69220017b89d744e2aba187c6e38c9d63e

SHA512
ac5a005b2d4d4a87f100c07a6768f62077868e35496f49c9fb76936d84304f2f56f3c40dfe3bfa3ff71f207ab7724e2a87938daa0f0ed7787960ce1f325600ed

Download Submit
C:\Windows\system\JYYODDz.exe

Filesize
5.2MB

MD5
bed98529512f3406654a58a3a334a63b

SHA1
aed960701d3f8b0eed4d2bc229a1fe4f13efb719

SHA256
9a9be9b602cfa9766fb66b1d6b4bf156654a6284ec454c8fd8249a24cdef2821

SHA512
64af93c49776fc4800c5ba2e9c2ef32cee53dfe4720943d459ffc6138025a65de89c6eecd7471efb4aa08784c7e9c51fcb60c41fe4caccc0eb7a757c2596038b

Download Submit
C:\Windows\system\JZBtleg.exe

Filesize
5.2MB

MD5
eb638fdace932972740d1d18c014d162

SHA1
b42bc5031243ee54f10cbe7e9ecf17fb25d4c136

SHA256
7daba3beada354640a5c06e64c3bd05a27de19780cb9569917c689346aaa7fcb

SHA512
812da061ea41abd6fa0bdd52eb02649785363e292bd5d76e4f749711e0e7d8a3745adff87af61cbf45d1bdbff5e57c66b16f0b5819dc3428c0cb91af75d9a119

Download Submit
C:\Windows\system\KCYrmxM.exe

Filesize
5.2MB

MD5
e45e41a3a403f85b58b66059ea9feff4

SHA1
c1c1bb431bcb807df98621717d9530634308c99a

SHA256
007514f79b93585faa800db292f7f69401e22dc0db57e860c78282dbd3ce6644

SHA512
aead9295975a5becb5f0124313a449b180a5777496b3766c6f9e5971d85f87d582b3d25a20e7949fc540e72371946fc510c16c1926fe1d909a4824dcd8e72007

Download Submit
C:\Windows\system\KiHjmyU.exe

Filesize
5.2MB

MD5
8442226dada85e403a5dd3afe9cdc8e4

SHA1
5becb98a4f66dff0b167b01e42380419748ec84e

SHA256
46bfe1471de18b906ba642ce14c66c0459bca87adf6e2cce90b13837a62764f9

SHA512
0d90652c5e0d1a5fd7cc0558fb7800e4e36f474af5978e65c5f8846940925e12d31f9d2f1a6d3d56f6475ea10b763cbdfc80374d23b34149e2486b0f5591b8a1

Download Submit
C:\Windows\system\KkPxIiz.exe

Filesize
5.2MB

MD5
61d53a636600bec2d04c987379da5240

SHA1
33e755dd51eaa2357c00408ed2f2232fd0f28382

SHA256
37c3e19a140ac5cd136143557e8f27757ed368a2a4a58500760728063fb47377

SHA512
d39c4529b8b6cbcb175f1ad81ba59f183668becf59ab3098b8418a6296d56f8368b477494e12a4bbdbe25e5675252eb6f1959790e70f86ea17b15e6fa83f7676

Download Submit
C:\Windows\system\RsPbHkw.exe

Filesize
5.2MB

MD5
6c67712ecb1321db478266ed70018bc2

SHA1
1d18389e191b1cc5d2b12d588256345042802af0

SHA256
6875002b8bef767a0915417d5c87dae7a6ce543b7290b179cd16abb0640bc0c8

SHA512
1b8ce828bc04baf60e1cc8405ddf811d602d434f532b32fb60ff373ce7f335968441b4dde93dd816e39d543a47fda440aef4c09c4d7c55de2c6f7ce6b230e878

Download Submit
C:\Windows\system\VEccplX.exe

Filesize
5.2MB

MD5
602f1811b1512304eab44b4c4854404d

SHA1
558d09f60b268b855650b0d216392b8b9aa4a006

SHA256
35a89148283f6eb8bbf7f3a12afd02b9d172c550ff91eb6639a0cc1ce17b337c

SHA512
7ffe36175822ecc14cbecab87b4d86aeb6e5843a1b6e05957b49fbadf2eef17b38cc54647fb1b6218d626b1d3886fbb34475007cbeedc944cea68f3166d98da3

Download Submit
C:\Windows\system\cNrKrcy.exe

Filesize
5.2MB

MD5
bc3165c01ae8bcc04597ba3d299e70e6

SHA1
a05f6e65602655fb38735e764d655e3f22253ed5

SHA256
8e1b1f2f7ac3eb73fc36b8f3e767b548f047377adf5d536b1be506a0b1bc6751

SHA512
4fef3ee0ba5b7209bd17f4b5f5ea268464026543c7341470009702070a6d276069265ea9bb3bd65dcf626f7cf8ad725f9f3876f414d0ce3d8c89dd38f7d184af

Download Submit
C:\Windows\system\cnubCRx.exe

Filesize
5.2MB

MD5
c1ac1867dca9f22db449c333cc96bba1

SHA1
990a22c4ba9e28758df13025e5efe776ce5b5107

SHA256
67e56c295bdb9f037dbc5a4f6cbad41c6bf0b10a57afe59046fa1bcdded399f3

SHA512
15fcbd1f70be6158ed25e32b174a684d6fed4ac60ae6996ffe6330fb302352db4f7a46391e36d1fd654bb12ecbf91060f5decf5605f471615c223f9aa21902a4

Download Submit
C:\Windows\system\fsYULhs.exe

Filesize
5.2MB

MD5
abacb32aca963d4edc68190ef64150d6

SHA1
09068f1af97f4aef961bd76f760db85f9b4d95a7

SHA256
11795550db94790bbc2c6ca1f6f50d319c905ce1cceaf25291a6f6da593ae1a7

SHA512
5c838c83d0e1ac9da3f52ec0b7aca42bab496430a09380fdb4c4a61b23e18d14a44b7cfcb4a7c3eb55cba504664332e799ec2806dd98426ea9badd1a1177a9fb

Download Submit
C:\Windows\system\jsaHQyp.exe

Filesize
5.2MB

MD5
c98e656e25da875534cd16ed8c8b3f74

SHA1
52a4cdb1bb0ea80f3debac33a0f62552ec0bbc49

SHA256
07a33e9f73d98399599abf5ecc6f762172b288b6d42d97c547adb995ae8b79ba

SHA512
02087df95bdc1253db396019383cf6b9effd014ae0a4c69d3c62d6d9cb47fe233f115b54f7c8ebdf4ad85ef5fae535c8e8c7e849b32a6b05e9be85971b9ddff8

Download Submit
C:\Windows\system\lnjfdaP.exe

Filesize
5.2MB

MD5
aa9ec92541e2f112a2ebf997d3e0379d

SHA1
90d9ab6bea70d059170f93909deff4372c86ae72

SHA256
7e901a309c41537a791c03998f2eade5da32a8c0bd2e63e45573bd652e1c7849

SHA512
24a4991f624a86a629209cfb80d88442141044b1b50f00253d5861c3bd618d52b4074532a4ccd07418af490e33df814eb780ddf937652103735b63889202b0d2

Download Submit
C:\Windows\system\mUwBWlC.exe

Filesize
5.2MB

MD5
ce13f15337bbeafe4ac19f40e08c2c62

SHA1
ab2b00be6a484a54d60c8693a9c625d5de390527

SHA256
de01b321865c8644026383f3606655b4e6298a6cf320556cf25986bd90e7cd15

SHA512
37a18dfa5f178d4c1ff430ef0d747b702e7ea25e5a5803149e91a317a98b2be9e1d8f0ce6e2cfc45b6c609ba8e81b54cd7c475fc260cc7cafe7a6ccf9323c896

Download Submit
C:\Windows\system\zpEqXup.exe

Filesize
5.2MB

MD5
fdfb2c7cc8b524c52fc3bba076704b9a

SHA1
97a1925a57947f374855e688b403d5348e733d29

SHA256
62d772d54edd471e27904d3d97b9e51aaa3a5693adc9e90f8e81a275e328622e

SHA512
e7325a045336640a24bb745f1e2601393b3266205235f91402b45c083c528ec89372313be25c78ee679aba0342eb00ff731388ba5357b11179538169f852d40e

Download Submit
\Windows\system\DIIyWxF.exe

Filesize
5.2MB

MD5
5e883936d1e2e0cd915e3e4b858b9547

SHA1
7ee58f638baac91b408c9c8b071d4822b2442060

SHA256
0d2be84683f604192b4a69edbf393b5ed5fff875f0dfdb987ca103b5673a968b

SHA512
769b9f512440f5c5b55b9c2e50a122221c6237aec9626cbcb56897185f404d12e1c8f70751a90e5a16691d46bda2d941f9f38de117d80fb996dd1e4f10b54b6b

Download Submit
\Windows\system\SmVIjGu.exe

Filesize
5.2MB

MD5
860e16a9b303d5207ed37e2a1d969e1d

SHA1
c5162e2ffc66e2adcb6cf1db8a687b6219bee060

SHA256
83c63c601086c6db0fa6b6678350f82c697e1fe1d0efcd0f574a97026c004631

SHA512
d8751b478ac9c81bb211523db00840241d392c4ac474897059b63a2ebb1d23a34b8ccd11fd54c84a31ba27b8b351d88beb6cb33502431b87cdebf425a6bdfb58

Download Submit
\Windows\system\ZcpyYsD.exe

Filesize
5.2MB

MD5
555daf5a88019da846959cf58c6598a2

SHA1
da213228abc99e50f9f580aa34c18027c8fddbbd

SHA256
339878fa2c8b0f727490b9479c5cb771b6a3f4ac935928f74dd0c8e74165c694

SHA512
4b741e79c5ca6b0150f2aadc209631443b1149121e136025e28c7355c24e662c1b7f5f23748bbb6f2e99e8d5c508f6d4f8145d9cdbb3bd90cce4d8d676cb7935

Download Submit
\Windows\system\leidskH.exe

Filesize
5.2MB

MD5
dc93ee3bd0cf85c7dac2058db78845f9

SHA1
4fb44bb99918bb80b9359ffa26635948f48f4733

SHA256
923bdb4154660f9ce475581a06aed51a2a226b9b7d91fa99ade245701676c61d

SHA512
561de9a3926f1273e6e7202ed5364e7ad4a02d7b9564320c287c437609a01a0822778244e1c220df2a4fc1d19b1baf79156f4db8b5fb66cc9c5561768128a3de

Download Submit
\Windows\system\qaZsORR.exe

Filesize
5.2MB

MD5
1c234d103e0fd9cad45d789dbab17f23

SHA1
aab9ad19499ad925a14ad4f9e57f669b8095fe2b

SHA256
47ec4bc6034738b51c6fb43963b0fcbb503ce4fdc58bdde8b2d519a0bf6784f9

SHA512
f28199c180770a05274463ece1b4b687bfd7ff8cef525d9e3b1fa8989b9799fb34956314f11869f5d97f360fbf990aafa71c0d951a34a64be13e859bc55d5eba

Download Submit
\Windows\system\vgshxvb.exe

Filesize
5.2MB

MD5
c5143c45bd0f058689235c9f6e7b120c

SHA1
6424e730cea78459ea43059efa5dfe14c5fa071b

SHA256
7574d26d6d9fd324e104a7e36e4da7c12ed4daa96447d34d4fab0a7ebffceecf

SHA512
c77d118d903ea7510b69076051da574f7934128ea6728c064322daaf07e38f43a5e3b04b1873a1471a316a7f20bb1164d60c71e95ea1a968b4493bd95680d905

Download Submit
memory/1036-169-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-165-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-167-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/1492-163-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-161-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/1984-168-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2368-20-0x0000000002330000-0x0000000002681000-memory.dmp

Filesize
3.3MB

Download
memory/2368-38-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2368-170-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-60-0x0000000002330000-0x0000000002681000-memory.dmp

Filesize
3.3MB

Download
memory/2368-51-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-106-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2368-112-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2368-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2368-12-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-156-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2368-113-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-154-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-153-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-0-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-34-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-145-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-36-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2368-109-0x0000000002330000-0x0000000002681000-memory.dmp

Filesize
3.3MB

Download
memory/2368-45-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-107-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-141-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2368-48-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-101-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2368-143-0x0000000002330000-0x0000000002681000-memory.dmp

Filesize
3.3MB

Download
memory/2368-72-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-97-0x0000000002330000-0x0000000002681000-memory.dmp

Filesize
3.3MB

Download
memory/2368-95-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-27-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2428-229-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2428-69-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2472-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-263-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2484-116-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/2604-257-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2604-115-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-114-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2644-254-0x000000013FD00000-0x0000000140051000-memory.dmp

Filesize
3.3MB

Download
memory/2684-50-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-218-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-7-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-58-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-220-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-15-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-111-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-262-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-35-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2748-228-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2768-67-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-239-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-237-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2796-49-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2796-144-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2812-233-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-142-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-43-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2944-231-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2944-41-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/3004-255-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/3004-100-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/3016-166-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download