cobaltstrike | 9e2327d0b6d11951f1dd6832cb48d8c554e57f1df9845fc24709ee774df3b5c6

Analysis

max time kernel
140s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

3b93c55d63772cdaf7f89ed43fa54b55
SHA1

6838c06d9638dc0d0b611b2e33599773415be383
SHA256

9e2327d0b6d11951f1dd6832cb48d8c554e57f1df9845fc24709ee774df3b5c6
SHA512

5e108ba3402dc2091e6b1a05d77c84ba0eea07b31f76f8bfd51683da3e92e423def9170d6ee0476af05b9c7a644c3985b16d4951094483000fa49a15382da98a
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000700000001211a-3.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001944e-19.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001942e-31.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001967e-35.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dd0-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d5f-111.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c6b-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019702-116.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d3c-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019fb7-126.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019dc6-91.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c51-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019994-70.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196bf-69.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000194a4-68.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019462-67.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019444-66.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000193ee-65.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c53-58.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c50-51.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019468-85.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 35 IoCs

miner

resource	yara_rule
behavioral1/memory/2972-93-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2348-72-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2152-61-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2236-128-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2264-108-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2896-107-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2880-105-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2632-104-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2968-103-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2816-89-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2144-79-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2192-129-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2152-130-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/1276-150-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1988-149-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/1800-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1664-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/2240-146-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2624-145-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2780-143-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2156-141-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2904-139-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2152-152-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/576-170-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2144-219-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2236-221-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2348-223-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2972-225-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/2816-227-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2264-231-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2192-233-0x000000013F620000-0x000000013F971000-memory.dmp	xmrig
behavioral1/memory/2632-236-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2880-239-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2896-238-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/2968-230-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2144	yikcUEK.exe
2236	tjpUGKc.exe
2348	quoBtQX.exe
2264	nQGBzCX.exe
2192	PjuNhxT.exe
2816	GJUBLbX.exe
2972	BRkPKnb.exe
2968	HQdoZna.exe
2632	QYvYeMg.exe
2880	KmdwQrK.exe
2896	TjkJjNy.exe
2904	lenkmnA.exe
2240	KszwByI.exe
576	nVEHAnU.exe
1988	lSMiisZ.exe
2156	hwkugSR.exe
2780	xAXoakN.exe
2624	PjokPNT.exe
1664	deBbKqZ.exe
1800	rlUDnPL.exe
1276	KJpexIk.exe

Loads dropped DLL 21 IoCs

pid	Process
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-0-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/files/0x000700000001211a-3.dat	upx
behavioral1/files/0x000600000001944e-19.dat	upx
behavioral1/files/0x000700000001942e-31.dat	upx
behavioral1/files/0x000500000001967e-35.dat	upx
behavioral1/files/0x0005000000019dd0-113.dat	upx
behavioral1/files/0x0005000000019d5f-111.dat	upx
behavioral1/files/0x0005000000019c6b-110.dat	upx
behavioral1/files/0x0005000000019702-116.dat	upx
behavioral1/files/0x0005000000019d3c-119.dat	upx
behavioral1/files/0x0005000000019fb7-126.dat	upx
behavioral1/memory/2972-93-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/files/0x0005000000019dc6-91.dat	upx
behavioral1/memory/2348-72-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/files/0x0005000000019c51-71.dat	upx
behavioral1/files/0x0005000000019994-70.dat	upx
behavioral1/files/0x00050000000196bf-69.dat	upx
behavioral1/files/0x00070000000194a4-68.dat	upx
behavioral1/files/0x0006000000019462-67.dat	upx
behavioral1/files/0x0006000000019444-66.dat	upx
behavioral1/files/0x00070000000193ee-65.dat	upx
behavioral1/memory/2152-61-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/files/0x0005000000019c53-58.dat	upx
behavioral1/files/0x0005000000019c50-51.dat	upx
behavioral1/memory/2236-128-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2144-13-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2264-108-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2896-107-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2880-105-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2632-104-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2968-103-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2816-89-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2192-87-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/files/0x0008000000019468-85.dat	upx
behavioral1/memory/2144-79-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2236-42-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2192-129-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2152-130-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/1276-150-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1988-149-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/1800-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1664-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/2240-146-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2624-145-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2780-143-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2156-141-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2904-139-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2152-152-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/576-170-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2144-219-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2236-221-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2348-223-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2972-225-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/2816-227-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2264-231-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2192-233-0x000000013F620000-0x000000013F971000-memory.dmp	upx
behavioral1/memory/2632-236-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2880-239-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2896-238-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/2968-230-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\HQdoZna.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QYvYeMg.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\deBbKqZ.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tjpUGKc.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\quoBtQX.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TjkJjNy.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lenkmnA.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lSMiisZ.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KJpexIk.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nQGBzCX.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjuNhxT.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BRkPKnb.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xAXoakN.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PjokPNT.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVEHAnU.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rlUDnPL.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yikcUEK.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GJUBLbX.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hwkugSR.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KmdwQrK.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KszwByI.exe	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2144	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 2144	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 2144	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 2264	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2264	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2264	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2236	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2236	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2236	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2192	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2192	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2192	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2348	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2348	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2348	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2816	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2816	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2816	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2896	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2896	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2896	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2972	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 2972	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 2972	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 2904	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 2904	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 2904	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 2968	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2968	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2968	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2156	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 2156	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 2156	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 2632	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 2632	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 2632	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 2780	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 2780	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 2780	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 2880	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 2880	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 2880	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 2624	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 2624	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 2624	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 2240	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 2240	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 2240	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 1664	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 1664	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 1664	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 576	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 576	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 576	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 1800	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 1800	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 1800	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 1988	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2152 wrote to memory of 1988	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2152 wrote to memory of 1988	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2152 wrote to memory of 1276	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2152 wrote to memory of 1276	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2152 wrote to memory of 1276	2152	2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_3b93c55d63772cdaf7f89ed43fa54b55_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System\yikcUEK.exe
  C:\Windows\System\yikcUEK.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\nQGBzCX.exe
  C:\Windows\System\nQGBzCX.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\tjpUGKc.exe
  C:\Windows\System\tjpUGKc.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\PjuNhxT.exe
  C:\Windows\System\PjuNhxT.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\quoBtQX.exe
  C:\Windows\System\quoBtQX.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\GJUBLbX.exe
  C:\Windows\System\GJUBLbX.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\TjkJjNy.exe
  C:\Windows\System\TjkJjNy.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\BRkPKnb.exe
  C:\Windows\System\BRkPKnb.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\lenkmnA.exe
  C:\Windows\System\lenkmnA.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\HQdoZna.exe
  C:\Windows\System\HQdoZna.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\hwkugSR.exe
  C:\Windows\System\hwkugSR.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\QYvYeMg.exe
  C:\Windows\System\QYvYeMg.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\xAXoakN.exe
  C:\Windows\System\xAXoakN.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\KmdwQrK.exe
  C:\Windows\System\KmdwQrK.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\PjokPNT.exe
  C:\Windows\System\PjokPNT.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\KszwByI.exe
  C:\Windows\System\KszwByI.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\deBbKqZ.exe
  C:\Windows\System\deBbKqZ.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\nVEHAnU.exe
  C:\Windows\System\nVEHAnU.exe
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Windows\System\rlUDnPL.exe
  C:\Windows\System\rlUDnPL.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\lSMiisZ.exe
  C:\Windows\System\lSMiisZ.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\KJpexIk.exe
  C:\Windows\System\KJpexIk.exe
  2⤵
  - Executes dropped EXE
  PID:1276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BRkPKnb.exe

Filesize
5.2MB

MD5
59f454d2f4bbfcbd3ab14f43462bdb34

SHA1
bfc55441747185b77bb3d01f97603583e313a195

SHA256
a04f811fe381f27c305f7f36ab3125ab78919d20338b53565a1773bf27b253ed

SHA512
607f30eab8e871452a94e6c5fd295484f5b7db1cae56adb797016f327b059ba8f11dbabb605b854e5a841f5d90bba269349c98de22f8cee8791354144e9b96b0

Download Submit
C:\Windows\system\GJUBLbX.exe

Filesize
5.2MB

MD5
7dec932cb0aaaa9cbd242ba7b17f2829

SHA1
9b56d85686f81ec9f1b20ca251d824e0794c09a6

SHA256
0c447e6c2ea3e290ccb772b4e1c5fad1e241d89f6ae2e78b955f2d42844ab632

SHA512
7458d7b2d453d92fe88aa8dcf17e56c78f7359dd61d50be51802991b87749b46eaaf5bf98979d9a616d491b419c223d0c52505780bad914b35181cceee4c9177

Download Submit
C:\Windows\system\HQdoZna.exe

Filesize
5.2MB

MD5
97fb6c4f6efcbd4e771795cae63e057d

SHA1
452e94e398f06d7da67db0ea3f3e2ce9d896eafa

SHA256
5ba22ea594ae1d497423c88785efbe46241260d150f593c2b2ab4ad6834974c5

SHA512
19b4cb3afa100afed0fcb9f00752a363b730a53e34f7e97489f581386851ec3b676978d7fc47b4a50b258fcce6b42be36736cafa53f99577100c9da9d15852d8

Download Submit
C:\Windows\system\KJpexIk.exe

Filesize
5.2MB

MD5
a39453afa5bafa7c7e0c222f2e2de35c

SHA1
1411b4936c553988b024396d2b9ecb2b9dfa191a

SHA256
0b638b77b375d813ae80373c487bf62bd4f37ab6db86b46920213c30a96ec4f6

SHA512
9a68b9d945c3cc20a5b4ab679b9ace9e12bbba8132c056a4334b7560019ca42303fbd3b67c37946100a81f1fcddc286083f295db9a076ef20549ba468603bad5

Download Submit
C:\Windows\system\KmdwQrK.exe

Filesize
5.2MB

MD5
b0bca433cdbb8cdbde1b2b487c79c88b

SHA1
a7e148ffc4347f00138fa8cab65b97693a5eacac

SHA256
5baca960037091ae1886666b7f224d1b839603e8aa7aeb457783bf679f805df4

SHA512
3aed6f19a4192b116d8d2b5f520ed507de268f935ddbb0599d59bd76d2ecce4afbc83f13af9d249edb32c4cb8e7c8022b2ed4c6b055926a81e509e927c85feac

Download Submit
C:\Windows\system\KszwByI.exe

Filesize
5.2MB

MD5
531a82bff6fcf0b544256b998ee7b337

SHA1
bd8036d845534ff724ca18429ff1c22aa1e2b474

SHA256
8bdfcfbeafdae4b6717fe111f3989c413a5a8218a6edc93fe96ceebf78d59997

SHA512
ae19eebed996f96db4a1d51902dd2e4aaf0e425fe39267ac91de8f0c2442231383374935b4d47a53d4a5d0147e2ce2677be5f7ecf583d4209f0d2d56588fc51a

Download Submit
C:\Windows\system\PjuNhxT.exe

Filesize
5.2MB

MD5
db86d490e3fb581b68fd2f055f8f47b4

SHA1
9df15a2ef123ee14a5176a81da475ef7227c2b7f

SHA256
59df85558a3af02943eb4a98de041a430ebfe7a2db1be3781672fe680c940d33

SHA512
4224116aebec21363f47675dac9c9025c2059f1f44e57b443070263c5c37b328850acbd1de7c94da36707fc890f4448d6467ab65dcb7ae8eac4448c265f21464

Download Submit
C:\Windows\system\QYvYeMg.exe

Filesize
5.2MB

MD5
4ac5ce8224da6bd411b98d7b3c4e560e

SHA1
18ca13ee28e57acf0aae0c93487639abe11e6674

SHA256
d61ff240e382c89675e2df7b1c9a638af9d7b253f5ec64849bb1a4db1d2e7dfe

SHA512
ad0465e114f27bcd79299ae73a518b155b6ba921c1fea7bd13891040d33200e1c89e980a4c5ee4f3415397b8b5747a3c0795a35ce053322aaedd78b676beddf6

Download Submit
C:\Windows\system\TjkJjNy.exe

Filesize
5.2MB

MD5
17ef5255d9de56517de9443a20ecc206

SHA1
e979639f92d5c4ae0f70ac4c960f02d182b4593b

SHA256
4ceea6d797b9b39a4eadb271f1f39782e68605c041bf5df8f405ce168df66f34

SHA512
c736e4f76dbfa67300a61f32df3e432bb3f47d294c622b482ada41c391ebc7c3b87b6aa27fe0bc2c7cd56923e81efa06f94399f6348a13b2a8ba6831629af063

Download Submit
C:\Windows\system\deBbKqZ.exe

Filesize
5.2MB

MD5
cb526f9804b2314324f21dbea1ee4c9a

SHA1
4c48d26d2af0cbf6dee8cac56169be1ad2ebd4cb

SHA256
12e1a75fc8308a8af991a5b2ade3990a5934b5ed1ae15fabf2b876d6c6f529c5

SHA512
eebb313bf2b7b5d2cb275a824fd0b3fac000647bd34bd2b6b918fcb9e4e8108eb1697cf5050a97ee4b8bdbb97277e33987e60b1f62b0d32f5c57251210628589

Download Submit
C:\Windows\system\hwkugSR.exe

Filesize
5.2MB

MD5
444eaf3ec8643423078c6d9e10ab4f1a

SHA1
a91274c73943a93fb79b0e20d00195fb08923e5a

SHA256
d65cc35ed409049553f1278a21800a2e6600c707a4d870963c995543d77f1b9a

SHA512
c82c11aeec05cdc5407080ef1441d98c99e607413428267c2c713a0fa9ce6e868f34401f97b268bd988f33fdb0c428fe2d651248c9c27ba42b24a7d3a7657e91

Download Submit
C:\Windows\system\lSMiisZ.exe

Filesize
5.2MB

MD5
cd70b6674f8fbceb45ee9d7592e95e6f

SHA1
b7f186382be8800468e8cc1df7954413f4260fcb

SHA256
a571d0e4156ed811c2e01889c695958009a7ced004a7a4a5f4fb3fbca3fdcfb5

SHA512
148e910751f89d27adf1eb0ddd3e6bd117015ba6b69876b253760f7d5e45c8d2a1237a1f4a7a0b74ace1cff7a23a0c9c76e178a56d0e2adc3d7bd83bfb462721

Download Submit
C:\Windows\system\nQGBzCX.exe

Filesize
5.2MB

MD5
0a7285d1f734ef5e1d5e9040b970707e

SHA1
54fb01666ec60bebd69168f3110d75e16365de68

SHA256
c5cdd5b378989a87447f9be2c5f5e4f3bbf5bd5fa03fd11ba0c2baee1567dcd8

SHA512
25cc7f10cecd9a3d3136c46fc85b84ea1bc925f34ad92c2a1476afa2a6802c10b91781f3b052a7cbd338b2f5de6c008215f851c40b68d1a7a6a23a5ec700b408

Download Submit
C:\Windows\system\nVEHAnU.exe

Filesize
5.2MB

MD5
cc4d2cfb79396e2ebb76793fe5f7697c

SHA1
5a209d63a3551089ef4b276588666a445e369655

SHA256
5f2b75aa731f3c2b226766160a392faa5052189b55c8360cbe4b7cb51c909518

SHA512
6b1092de7ea851732f8e7d388e69e5fb617be20896ec40a6a0c0e1f18220e4a585cadf30136d20e61f791ccca1cd0189c3d4a3dc404a820f87c438e5120b9b5b

Download Submit
C:\Windows\system\tjpUGKc.exe

Filesize
5.2MB

MD5
d2c295eeda2050d6e8ce48709bcd4196

SHA1
7cc25ea1361b2126f93799dc82ad49b543167e1c

SHA256
ab45d06beebf3c30d75d52e002eea7b8c0b92d7eb3764c53295b2c86e0ff0f35

SHA512
87605c76d3cb9c5e5d914fd8e1d3c6e48b55e3d453b58f7d61193466e544f4607e8aa1e1dcb386fdf9c0bb6a4e391cdf70478bfd95e7588ce39bac44831e0499

Download Submit
\Windows\system\PjokPNT.exe

Filesize
5.2MB

MD5
e3c807de70b3df2ce8b8e186e5de8a6e

SHA1
6b32c4ea0c2dd03f73499c6abe8713e3d20260ae

SHA256
e1c9703179a4aebf515243eb5e95c8507bdb3c60ac87af256494b878f038b39a

SHA512
dd8e3c4d1fecb276f3e913af7150f9ab8d985ea71a7177ae4c58488ec3f88383455c6e6feb73f91c00916e5903c53beddc28a42ed619dc20126b2d0a030e2485

Download Submit
\Windows\system\lenkmnA.exe

Filesize
5.2MB

MD5
c8ee23657696a707d219990ede3d341c

SHA1
d7d019d6b9ae720d64b5522756407999ff72398d

SHA256
5f872f9be15a079b87cf51b4721f316247a418642421b9a0342f5f6c6e6d0acc

SHA512
5d09d7eccd4c727e45108349eed300302ed37f4f62c7483df15a6157a2fd74a2a366e6027993d734396db95eb951b739f238d4d6edc6dcd396f84e5494aed3f9

Download Submit
\Windows\system\quoBtQX.exe

Filesize
5.2MB

MD5
8e6c6e1ac14fd3d3461492dfbd75d76b

SHA1
1e06edd696e26424f891e6a6d3e60c05c7507571

SHA256
47ec283e996e46ae03d38e4e9159e81c58f9562f28e1e5e8f95c8d46e3282bf8

SHA512
4f72c3fbd2da260430a8ec3c8246d0e4ca5c125d51fe80975e30b1d1e0caa4d0b1394b10ff676384cd479f2d71e6c2fdee786a1e1e8088b65ea96bea8c8fa39d

Download Submit
\Windows\system\rlUDnPL.exe

Filesize
5.2MB

MD5
4e40c5792273395a7114a6a32330da5b

SHA1
ae731812ebff0957b802edbf127804f28a8b5a69

SHA256
379841d89990efc2d472e3b17a5c09f84d3c6f26670d2e9a45ca057d9fa10e0d

SHA512
af5f70f9428f980bbbd15744ca3f6aaae49cc332b05ef8845120b3850c4b19e7baaef2e986ca5e82555d0f7015ab822e677d9875f18e0ccc12f86eb7e4854060

Download Submit
\Windows\system\xAXoakN.exe

Filesize
5.2MB

MD5
e734ffc55f158b72d306eb194a07023b

SHA1
439db3f1342cbbf371f2fb8e37119799e5cb862f

SHA256
f2f189a0c0c5e7caee1c98241defe341219e73d71c006facfa554bbc6aea478c

SHA512
78fbe3316fa5d1064af9c4c2514faca31b3641b548449a0d77f1294c9894dfbdee1d0dabec03bc91d66bf49e219241ba93609b637f9bbfee3f3a402fec33dff0

Download Submit
\Windows\system\yikcUEK.exe

Filesize
5.2MB

MD5
3238dbc67ea5b3c893d3502dde80991e

SHA1
1682e77ac114a29492aaf9ab0f14bb6de905519f

SHA256
a232ee8e586bdb97b8c0c56af45eba55376cb81ec6c5c3d37a48cf002bc7aaec

SHA512
da466797a56e8d5af6949dc830f84ba5b7d0cc57b527eaf85c3499053c51d24420ec2ae848f8d2ce8529a6982342f6a1e93f04a76727436303fe66a5f8b84102

Download Submit
memory/576-170-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/1276-150-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/1664-147-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/1800-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1988-149-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-79-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-219-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-13-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2152-0-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-106-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2152-38-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2152-61-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-152-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-26-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2152-18-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-64-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-22-0x0000000002240000-0x0000000002591000-memory.dmp

Filesize
3.3MB

Download
memory/2152-57-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-49-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2152-30-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-130-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-141-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-87-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2192-233-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2192-129-0x000000013F620000-0x000000013F971000-memory.dmp

Filesize
3.3MB

Download
memory/2236-221-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-42-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-128-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-146-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2264-108-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-231-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2348-72-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2348-223-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2624-145-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2632-236-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2632-104-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2780-143-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-89-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-227-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-239-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-105-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-238-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-107-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-139-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2968-103-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2968-230-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2972-225-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2972-93-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download