cobaltstrike | 908ff2d90bb8dffadeaea6b8039903e6d7719505bdb18d7f4715499bb59879dd

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

44d6e4e3b976c8917eddf3a72f86fc61
SHA1

83701bb67ef71aed967e0bc5b56c2cb1332caa83
SHA256

908ff2d90bb8dffadeaea6b8039903e6d7719505bdb18d7f4715499bb59879dd
SHA512

3b1b56b26759c5bc29bb50d925b664515a76d7577225b236fad7206a5648045fff4831fb081496b1d1d39c186ea7fc3cd7123e1b00073ce0de6756106de0707c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lz:RWWBibf56utgpPFotBER/mQ32lUP

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000f000000012245-3.dat	cobalt_reflective_dll
behavioral1/files/0x0017000000018657-9.dat	cobalt_reflective_dll
behavioral1/files/0x000f000000018662-11.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000190c6-35.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001878d-40.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186c8-27.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000017481-53.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c36-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3a-103.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019da4-109.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d20-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019db8-95.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d44-81.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c53-80.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c38-79.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000191f3-49.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019fb9-117.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a067-124.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a07b-126.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a0a1-134.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a301-140.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2964-39-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2948-44-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2992-56-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2684-86-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2552-87-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2584-97-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2948-94-0x0000000002280000-0x00000000025D1000-memory.dmp	xmrig
behavioral1/memory/2948-93-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1936-92-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2804-74-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2628-111-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2948-98-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2160-85-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2088-50-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2948-46-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2816-112-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2948-143-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2664-150-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig
behavioral1/memory/2524-157-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	xmrig
behavioral1/memory/2576-161-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/688-160-0x000000013F6D0000-0x000000013FA21000-memory.dmp	xmrig
behavioral1/memory/3000-159-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/552-162-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/1812-164-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2008-165-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/1652-163-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1164-166-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2948-167-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2088-214-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2992-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/1936-225-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/2160-224-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2964-227-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/2628-229-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2816-240-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2804-242-0x000000013F2D0000-0x000000013F621000-memory.dmp	xmrig
behavioral1/memory/2584-244-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2552-246-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2684-248-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2576-251-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2664-253-0x000000013F230000-0x000000013F581000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2088	nYjpkEZ.exe
2992	qBGSJaw.exe
1936	cmzprGF.exe
2160	gsUTYqU.exe
2964	vQnbzxn.exe
2628	uYZhNDJ.exe
2816	KzDfvgs.exe
2804	ZKHSOoW.exe
2584	wFQAilO.exe
2684	wgqIpcq.exe
2552	YNIIumc.exe
2664	xeHMCay.exe
2576	EWKTMHG.exe
2524	EmwTfZc.exe
3000	TrIpTFA.exe
688	DUAoNey.exe
552	xlhjykN.exe
1652	NOSpoMo.exe
1812	CsMPDAX.exe
2008	IJDEshF.exe
1164	CraaGAz.exe

Loads dropped DLL 21 IoCs

pid	Process
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2948-0-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/files/0x000f000000012245-3.dat	upx
behavioral1/memory/2088-8-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/files/0x0017000000018657-9.dat	upx
behavioral1/memory/2992-14-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/files/0x000f000000018662-11.dat	upx
behavioral1/files/0x00070000000190c6-35.dat	upx
behavioral1/files/0x000600000001878d-40.dat	upx
behavioral1/memory/2628-42-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/files/0x00060000000186c8-27.dat	upx
behavioral1/memory/1936-26-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2948-41-0x0000000002280000-0x00000000025D1000-memory.dmp	upx
behavioral1/memory/2964-39-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2160-33-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2948-44-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/files/0x0009000000017481-53.dat	upx
behavioral1/memory/2992-56-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2684-86-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2552-87-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/2584-97-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/files/0x0005000000019c36-100.dat	upx
behavioral1/files/0x0005000000019c3a-103.dat	upx
behavioral1/files/0x0005000000019da4-109.dat	upx
behavioral1/memory/1936-92-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2804-74-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx
behavioral1/files/0x0005000000019d20-71.dat	upx
behavioral1/memory/2628-111-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2576-104-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2664-102-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/2948-99-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/files/0x0005000000019db8-95.dat	upx
behavioral1/memory/2160-85-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/files/0x0005000000019d44-81.dat	upx
behavioral1/files/0x0005000000019c53-80.dat	upx
behavioral1/files/0x0005000000019c38-79.dat	upx
behavioral1/memory/2816-51-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2088-50-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/files/0x00080000000191f3-49.dat	upx
behavioral1/memory/2816-112-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x0005000000019fb9-117.dat	upx
behavioral1/files/0x000500000001a067-124.dat	upx
behavioral1/files/0x000500000001a07b-126.dat	upx
behavioral1/files/0x000500000001a0a1-134.dat	upx
behavioral1/files/0x000500000001a301-140.dat	upx
behavioral1/memory/2948-143-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2664-150-0x000000013F230000-0x000000013F581000-memory.dmp	upx
behavioral1/memory/2524-157-0x000000013F8A0000-0x000000013FBF1000-memory.dmp	upx
behavioral1/memory/2576-161-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/688-160-0x000000013F6D0000-0x000000013FA21000-memory.dmp	upx
behavioral1/memory/3000-159-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/552-162-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/1812-164-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2008-165-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/1652-163-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/1164-166-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2948-167-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2088-214-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2992-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/1936-225-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/2160-224-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2964-227-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/2628-229-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2816-240-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2804-242-0x000000013F2D0000-0x000000013F621000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IJDEshF.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CraaGAz.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gsUTYqU.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmwTfZc.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YNIIumc.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TrIpTFA.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xlhjykN.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CsMPDAX.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qBGSJaw.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cmzprGF.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZKHSOoW.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wgqIpcq.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uYZhNDJ.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vQnbzxn.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xeHMCay.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wFQAilO.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWKTMHG.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DUAoNey.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NOSpoMo.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYjpkEZ.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KzDfvgs.exe	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2088	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2948 wrote to memory of 2088	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2948 wrote to memory of 2088	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2948 wrote to memory of 2992	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2948 wrote to memory of 2992	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2948 wrote to memory of 2992	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2948 wrote to memory of 1936	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2948 wrote to memory of 1936	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2948 wrote to memory of 1936	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2948 wrote to memory of 2160	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2948 wrote to memory of 2160	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2948 wrote to memory of 2160	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2948 wrote to memory of 2628	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2948 wrote to memory of 2628	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2948 wrote to memory of 2628	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2948 wrote to memory of 2964	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2948 wrote to memory of 2964	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2948 wrote to memory of 2964	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2948 wrote to memory of 2816	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2948 wrote to memory of 2816	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2948 wrote to memory of 2816	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2948 wrote to memory of 2804	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2948 wrote to memory of 2804	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2948 wrote to memory of 2804	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2948 wrote to memory of 2664	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2948 wrote to memory of 2664	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2948 wrote to memory of 2664	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2948 wrote to memory of 2584	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2948 wrote to memory of 2584	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2948 wrote to memory of 2584	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2948 wrote to memory of 2576	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2948 wrote to memory of 2576	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2948 wrote to memory of 2576	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2948 wrote to memory of 2684	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2948 wrote to memory of 2684	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2948 wrote to memory of 2684	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2948 wrote to memory of 2524	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2948 wrote to memory of 2524	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2948 wrote to memory of 2524	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2948 wrote to memory of 2552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2948 wrote to memory of 2552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2948 wrote to memory of 2552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2948 wrote to memory of 3000	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2948 wrote to memory of 3000	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2948 wrote to memory of 3000	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2948 wrote to memory of 688	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2948 wrote to memory of 688	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2948 wrote to memory of 688	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2948 wrote to memory of 552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2948 wrote to memory of 552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2948 wrote to memory of 552	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2948 wrote to memory of 1652	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2948 wrote to memory of 1652	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2948 wrote to memory of 1652	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2948 wrote to memory of 1812	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2948 wrote to memory of 1812	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2948 wrote to memory of 1812	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2948 wrote to memory of 2008	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2948 wrote to memory of 2008	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2948 wrote to memory of 2008	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2948 wrote to memory of 1164	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2948 wrote to memory of 1164	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2948 wrote to memory of 1164	2948	2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_44d6e4e3b976c8917eddf3a72f86fc61_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\System\nYjpkEZ.exe
  C:\Windows\System\nYjpkEZ.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\qBGSJaw.exe
  C:\Windows\System\qBGSJaw.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\cmzprGF.exe
  C:\Windows\System\cmzprGF.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\gsUTYqU.exe
  C:\Windows\System\gsUTYqU.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\uYZhNDJ.exe
  C:\Windows\System\uYZhNDJ.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\vQnbzxn.exe
  C:\Windows\System\vQnbzxn.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\KzDfvgs.exe
  C:\Windows\System\KzDfvgs.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ZKHSOoW.exe
  C:\Windows\System\ZKHSOoW.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\xeHMCay.exe
  C:\Windows\System\xeHMCay.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\wFQAilO.exe
  C:\Windows\System\wFQAilO.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\EWKTMHG.exe
  C:\Windows\System\EWKTMHG.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\wgqIpcq.exe
  C:\Windows\System\wgqIpcq.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\EmwTfZc.exe
  C:\Windows\System\EmwTfZc.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\YNIIumc.exe
  C:\Windows\System\YNIIumc.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\TrIpTFA.exe
  C:\Windows\System\TrIpTFA.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\DUAoNey.exe
  C:\Windows\System\DUAoNey.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\xlhjykN.exe
  C:\Windows\System\xlhjykN.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\NOSpoMo.exe
  C:\Windows\System\NOSpoMo.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\CsMPDAX.exe
  C:\Windows\System\CsMPDAX.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\IJDEshF.exe
  C:\Windows\System\IJDEshF.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\CraaGAz.exe
  C:\Windows\System\CraaGAz.exe
  2⤵
  - Executes dropped EXE
  PID:1164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CraaGAz.exe

Filesize
5.2MB

MD5
43cacffe34a13fd8172640c6064bf777

SHA1
0cf4370910e601a87f59f1d153b0575bb271fb87

SHA256
09a3560cfb9ff2cd74ecb42de3f7e193f995ae680fd06968bfe11fc525d408a6

SHA512
47e889cd28f35bb1d2f973c97b54bddec95e6a288396053a3f66881bef7be0dc8952a798fb475fc0fe603f3b9cf36aa74eac51446404cca5cc236b0f6f7112cf

Download Submit
C:\Windows\system\EWKTMHG.exe

Filesize
5.2MB

MD5
b113d868f9393256aa93a67545ce0b71

SHA1
8615c677f1d41657f9436f3a2e73051195b59943

SHA256
d2184ecd8b4d17ed07075e16ddcb19d72896b96e25670b929c622ec73ec70c50

SHA512
31218066768dfb990d824afba91a5b84a77a572e8f9df9cd14ef09eebbb169c2b6d8399e1908b7f4bb922d4b420e1a81878fce3b44db3d17424adf3554cb73e3

Download Submit
C:\Windows\system\IJDEshF.exe

Filesize
5.2MB

MD5
0563b7737cd79263bebe1b70b7c3d517

SHA1
be5d0d9d59e47a0c9c6ac546736519d1d94d7b2a

SHA256
cc6b3836aebad77e1f3f328ac86e6255f0e400da8af07c92e608e2188c1622b7

SHA512
15af70461550eb6bd93638df34535be8c0680403aeb80995f768b2b421f4f81b1d6fcd7e6f24b070098f4eb94c6d1b3ffd726e4059de28a6811b97c964e72385

Download Submit
C:\Windows\system\KzDfvgs.exe

Filesize
5.2MB

MD5
cfcb07b05a1a29e53498eecc031b5cdd

SHA1
7c500f2ae8d4e83467c81b27f1bde3c6d697c766

SHA256
470d21b2c5020373a47b0d039410e4404f9a48ae2df1b4699d523201ab26f5ab

SHA512
62d18e8219ca35fce6b95572897f8e38e2919d229d3f6fe57b300729ed033e95fad58405f72c2efbfe7612ad10e8993d924cc3608f0ce65ea5cdcba3fb54d280

Download Submit
C:\Windows\system\NOSpoMo.exe

Filesize
5.2MB

MD5
68f3d544c45ee9f7ced64a708b55b5a5

SHA1
1cb0304fe9a52dc700b37d125d39f762c87ba0ba

SHA256
1ca6d49021d70794a2d703f83b7dd5dd2395448269f06d96b727705f952d188c

SHA512
ec9220b816e6d8d409d0724265e87b2b9ace9087a23b5badf9d88bf467c4f4235d2baf0cb4ab7c10079eb1651cb0c9b5842991c71a29d33889d1773d6e32a3bd

Download Submit
C:\Windows\system\TrIpTFA.exe

Filesize
5.2MB

MD5
6df3cfe5eb2f34d679477a35fddb9023

SHA1
6177550ecf0e8f6d7622b0a28e08eae658b780f9

SHA256
1bd4eb0a6dbbec9f075cb3fbcc541d6477dc8c4a457d4259f9b194eab1200359

SHA512
aa414262de91a28121c73d20f280601d69dfc3bd5af265f6a1c2ec71e2e644be21cbc91710ccc59be8d326744ec2fe3e72a209ae0493d43f5f3c9c8ee9adfcb7

Download Submit
C:\Windows\system\YNIIumc.exe

Filesize
5.2MB

MD5
f1a28aa608b41f4651800308fee7792e

SHA1
37490b3f1700b709953f7edc94ebf2e3625a98a0

SHA256
82c2089745fec3f8ba0058285c77f42dd0be4ee7a2a0eeb51cd0d477ecc2c078

SHA512
a50bb98482ca3baeb353ed0bbfa998979498872e9175dd019ccbd32e08cdc233d1ebcbaf3a412ab96707dda4579b804aa67aa7d156d730a98a953a7ece3dc11a

Download Submit
C:\Windows\system\cmzprGF.exe

Filesize
5.2MB

MD5
63d1999e211b332883fcff87e48a1cfd

SHA1
593c785202c0e6d3f31c85056f380894064586e0

SHA256
c21e663d7178cd137eb68e2e9112d7c34492ff0e9eb38c0b15dfd3c1986bedc7

SHA512
92c9a00a180ed0909887ae871dad7a419136db6925135087f0cbe475f71c693ce32f916dbb5452cf490a341e96907edd08f04c2baab6cbb477a2a1e9f00540a1

Download Submit
C:\Windows\system\gsUTYqU.exe

Filesize
5.2MB

MD5
e07db04178ebf12103e68bd12a7f4003

SHA1
7dc361c3db90889fdf2f7cb8b1dee49a3028aaf4

SHA256
ccda53cc395ef9d8c848a1980e1d0197045ddfd4fed0e7bcd1da81ae0d740899

SHA512
d83fd4cf1d9d2cdbec2b72f2d64e2ff7472a8f76cb85cff22f067905ae6194d346dc41f9af62a929eba8cb4f2ca1c8bbda7ab01fa1458d009aecf3515dcefaa1

Download Submit
C:\Windows\system\uYZhNDJ.exe

Filesize
5.2MB

MD5
7097ff1339ca9b534ce32c38404b47f3

SHA1
07c464d8fd50f9000f7c52d3360a4dd352c68c65

SHA256
a3294123a7114bcc9a2c223997a1668bc62a37e1fe0b2be4577b6c3bea94038d

SHA512
059888369944cbaa500fdb36bd88684306f350d8c57355d0ac6190331f11ab9a87b5297b8b84b3482be7242ce5501c3b09c9cef51f9a9a463b68619d224c2b14

Download Submit
C:\Windows\system\vQnbzxn.exe

Filesize
5.2MB

MD5
055e14c63adc3639c34ac47b00654f77

SHA1
800d8d5afe7a875df1b6749fb3eb1c963a83da08

SHA256
9ad8933281cf65e1273328e3ebd3a274d6a88f72b1f81fc87374df8a65646984

SHA512
319c4cf7cff81c4021e07d662e7be5416f39179067fba39a8b0fc9ad05a6f1df79d74cf50e858f12cfd713c782e4605a4306748a0ea7d855af77fe5bac7a9d9a

Download Submit
C:\Windows\system\wFQAilO.exe

Filesize
5.2MB

MD5
460d63c8cb7e811be9e3c1a4b893c5df

SHA1
3f11644bd0825c96425ed1fbbf747d7fea69867d

SHA256
ecb001a989f6439c43977cbe8a2815e3dcc07140d765cdb5f052a855dc6ffbb5

SHA512
f9bf6ae52b2c7c552362aaeecdd23b5ce8bb90ab8a4e7fdd5aa6ad44d31016ef59186d2898fd112b9a96cad582749d9c550348c3bd372111b11c3e4dfcc966ec

Download Submit
C:\Windows\system\wgqIpcq.exe

Filesize
5.2MB

MD5
c56bb4e628a62240262777ee7bc1a60f

SHA1
5679101fd64fff2b566b55aba2c614a96a03488e

SHA256
9f030a83e86bbfb1f513b6e9f1c3a8b452a7a8b84a05bc7a000d72a3523a208f

SHA512
8061b2f38fae64da2e27b965773d7472791375f52a5b4f364433aeecfca0b109c7d8a4d639e5ee747d825f4d3993c2ba4c002b6bc3db9d0247733ae7ed136d38

Download Submit
C:\Windows\system\xeHMCay.exe

Filesize
5.2MB

MD5
83a92b71fb94bdcd420baa4b45c02309

SHA1
b27d6407a30cca92b6c025bbdc0cafa4ee2e2f85

SHA256
3607897bf65fd2f1e0437444d6c4c402c38a98c996c9f53ee91b405d838630f6

SHA512
6e51e1752d61fd9e775ae0ae5f464aad3ed418e7ad493d7f52c4f98164d65ef857fc5f627ef01bb348b185ec1345d489316536796256f9b825878fd22c9219cc

Download Submit
\Windows\system\CsMPDAX.exe

Filesize
5.2MB

MD5
b05b1a8e2d99467097ded259864148a3

SHA1
b746bbe445d13b243816ae74242e28bc067acc6f

SHA256
254ff19808838c59bb6d4e95cc900dbf2857f07bcde8b40c464f9ab2410abcb4

SHA512
290aef2dee777e7842b9a3f2f9f3026d5a3eb7f7a652976f27e8658c0b9e870ee670582bc4b52d4d032f7c013d5e2c4d7c382c2bb519dd615710f1ddd2e80282

Download Submit
\Windows\system\DUAoNey.exe

Filesize
5.2MB

MD5
467e47b521c33f3f96f57bf866e206af

SHA1
53d466474bb761bee324a00805c4c35f9415e8e5

SHA256
d2aa8dc641d6679d80ffa444abcd1bb573e115450e8bc5c04e119667c30d19eb

SHA512
85057e957fe25a7d4fe1f8bbf60663c5b0e21306550e675314013c9c744c14b51f66d45bbef8abfcfd404a3a8fb8be33a1dfa6f7d1abb084dc582c8cac9c44d2

Download Submit
\Windows\system\EmwTfZc.exe

Filesize
5.2MB

MD5
a3d182a54687e46dba278766064aeb65

SHA1
30b8fd299982c5bbc325dc4a8c18a4c87bfd392b

SHA256
064a972622502498e258dec7d520dbbee2f6f1826049a23c45071114cf8c3817

SHA512
0fe647e3239dd23149da7d2c3c7d41dd16fb451477ee10f3727fc466e75a27f65c9249b66ce752b03f0cc7e50ab02a2c727d5b68be26529b41ac0b4d8661f550

Download Submit
\Windows\system\ZKHSOoW.exe

Filesize
5.2MB

MD5
099d6f6115a29610c80e0da56592bf1d

SHA1
55001da591f8c5931e70be894affaeaaa5a50a84

SHA256
f74fe793bb74a35073164d836d0b2c95b00b21b144def9b930e9740a94a59239

SHA512
28d1e6f27cd65ee5382ed3f24da9b27feb1bd41cc42f9f30d8e933a29d3057f21fe562d05e5cc03178169f9928679bd890c98e995880c4477a2f4268b22f40cf

Download Submit
\Windows\system\nYjpkEZ.exe

Filesize
5.2MB

MD5
a1bc535ddfa7836d566968fbb68f8051

SHA1
2f915cc36a20e39c9bc282a0b666013a8ab3e3ce

SHA256
7f00dfa599c28b72d503703500a785bbf1375e97e17370078da2a940e60be0e9

SHA512
59552baf8d9fdd2fd2cb772a77da4cc8e6e2630fcb85d67a6d8215da65ab15c723bfba84e6bd27b1df8e96943e93c51bc947d1adfb50b72b2d89bc0347beeb33

Download Submit
\Windows\system\qBGSJaw.exe

Filesize
5.2MB

MD5
bd0ac3c8e12f52dae2004c23b7381020

SHA1
fe457b51321e39c67764f265f16250df86edb530

SHA256
313e378cc710ed2c6c924c3de6848137aa9e44eac55911dde68f3d3cf53833e5

SHA512
1bd7243926696d4b466d8d21f1088857d33f5ec67c29a0b2f0cc0e751f538867c6c8bad755d2daec363e7b0998ad1d34635dd97359897bd6547ce5b2ed2b2dd4

Download Submit
\Windows\system\xlhjykN.exe

Filesize
5.2MB

MD5
67bc4d580506c121e4e14787d853824b

SHA1
d72b337ab836ade7ecf6e610744236d3de33006e

SHA256
3e998cf97411b770a41e1a194fc3b66cd70bce7c95bb657728e8a8fe2c71828c

SHA512
7f3b58d602af960592cca104252787b05ce04601e5305cba8154c16709e7734008beb9def9817c82aa6f2cf5631b8deb14be9d434924d496c2f816c6653fa2a1

Download Submit
memory/552-162-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/688-160-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/1164-166-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-163-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1812-164-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/1936-92-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-26-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/1936-225-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-165-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2088-50-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-8-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-214-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2160-33-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2160-224-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2160-85-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2524-157-0x000000013F8A0000-0x000000013FBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2552-87-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2552-246-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2576-161-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-251-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2576-104-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2584-97-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2584-244-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2628-111-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2628-42-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2628-229-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2664-102-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2664-150-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2664-253-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2684-248-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2684-86-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2804-74-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2804-242-0x000000013F2D0000-0x000000013F621000-memory.dmp

Filesize
3.3MB

Download
memory/2816-51-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-112-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-240-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-0-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2948-93-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2948-143-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2948-139-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2948-98-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-96-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2948-44-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2948-99-0x000000013F6D0000-0x000000013FA21000-memory.dmp

Filesize
3.3MB

Download
memory/2948-34-0x0000000002280000-0x00000000025D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-36-0x0000000002280000-0x00000000025D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-37-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-101-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-41-0x0000000002280000-0x00000000025D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-167-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2948-94-0x0000000002280000-0x00000000025D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2948-18-0x0000000002280000-0x00000000025D1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-77-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2948-46-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-142-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2948-89-0x000000013F230000-0x000000013F581000-memory.dmp

Filesize
3.3MB

Download
memory/2964-227-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2964-39-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2992-14-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2992-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2992-56-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/3000-159-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download