cobaltstrike | f9007d7bef2130ed83dd2d11fc7df0e7d21ad46ca8952ba444bab5206198ce58

Analysis

max time kernel
141s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b4f84e8b8750170a1e4feb37f11d3602
SHA1

de8e52c6e30dc4632853b1a40703e25df8ed983b
SHA256

f9007d7bef2130ed83dd2d11fc7df0e7d21ad46ca8952ba444bab5206198ce58
SHA512

518628f9013f7e98c4d6f591daa9f90d877fc26fb1af7a7e560bd973366168b18e140d07f4ad8b13b50ed3674e3c7180384f25d6711a4f4b6524074f984246fd
SSDEEP

49152:ROdWCCi7/raA56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibj56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012281-3.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001868b-10.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186f8-21.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000186f2-25.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018742-40.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018731-34.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001878c-47.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001942c-54.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019456-63.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019438-60.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018669-69.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001945c-81.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019496-93.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019467-90.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d0-103.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ad-98.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ef-109.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194fc-113.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001952f-121.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957e-123.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019506-117.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/1788-28-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2080-29-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/868-48-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/2148-52-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/3004-51-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2540-80-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2712-78-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2600-77-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/2728-75-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/868-74-0x0000000002320000-0x0000000002671000-memory.dmp	xmrig
behavioral1/memory/868-72-0x0000000002320000-0x0000000002671000-memory.dmp	xmrig
behavioral1/memory/2652-82-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/1716-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2984-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2788-138-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2784-139-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/868-140-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/868-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/784-157-0x000000013FA60000-0x000000013FDB1000-memory.dmp	xmrig
behavioral1/memory/1516-160-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2520-162-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/1956-159-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/300-158-0x000000013F9D0000-0x000000013FD21000-memory.dmp	xmrig
behavioral1/memory/564-156-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2052-161-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/1008-154-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/868-163-0x000000013FDE0000-0x0000000140131000-memory.dmp	xmrig
behavioral1/memory/3004-213-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/1788-217-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2148-216-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/2080-222-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2652-224-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2788-226-0x000000013FED0000-0x0000000140221000-memory.dmp	xmrig
behavioral1/memory/2784-228-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/2728-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2600-238-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/2712-239-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2540-241-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2984-252-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/1716-254-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/1008-259-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3004	SwiDsTp.exe
2148	GzSqedT.exe
1788	FkExRwo.exe
2080	kVVJiXu.exe
2652	QPZQbhM.exe
2788	YqeqmyS.exe
2784	WOgqqAO.exe
2728	wQKOBAg.exe
2600	pOUbeed.exe
2712	WkvLoxr.exe
2540	zjDZHBc.exe
2984	vaunbRJ.exe
1008	UhteIsI.exe
1716	VPCVofd.exe
564	oHGPXYz.exe
784	bbrCdXL.exe
300	QTXraCl.exe
1956	VKhKwED.exe
1516	eomsJQW.exe
2052	wimEQjf.exe
2520	ItzfEQW.exe

Loads dropped DLL 21 IoCs

pid	Process
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/868-0-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/files/0x000a000000012281-3.dat	upx
behavioral1/files/0x000700000001868b-10.dat	upx
behavioral1/files/0x00060000000186f8-21.dat	upx
behavioral1/memory/1788-28-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/3004-14-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2080-29-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/files/0x00060000000186f2-25.dat	upx
behavioral1/memory/2148-19-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/files/0x0006000000018742-40.dat	upx
behavioral1/memory/2788-41-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2652-35-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/files/0x0006000000018731-34.dat	upx
behavioral1/memory/2784-49-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/868-48-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/files/0x000700000001878c-47.dat	upx
behavioral1/memory/2148-52-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/3004-51-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/files/0x000500000001942c-54.dat	upx
behavioral1/files/0x0005000000019456-63.dat	upx
behavioral1/files/0x0005000000019438-60.dat	upx
behavioral1/memory/2540-80-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2712-78-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2600-77-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/2728-75-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/files/0x0009000000018669-69.dat	upx
behavioral1/files/0x000500000001945c-81.dat	upx
behavioral1/memory/2652-82-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/files/0x0005000000019496-93.dat	upx
behavioral1/files/0x0005000000019467-90.dat	upx
behavioral1/files/0x00050000000194d0-103.dat	upx
behavioral1/files/0x00050000000194ad-98.dat	upx
behavioral1/files/0x00050000000194ef-109.dat	upx
behavioral1/files/0x00050000000194fc-113.dat	upx
behavioral1/files/0x000500000001952f-121.dat	upx
behavioral1/files/0x000500000001957e-123.dat	upx
behavioral1/files/0x0005000000019506-117.dat	upx
behavioral1/memory/1008-132-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/1716-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2984-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2788-138-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2784-139-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/868-140-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/784-157-0x000000013FA60000-0x000000013FDB1000-memory.dmp	upx
behavioral1/memory/1516-160-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2520-162-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/1956-159-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/300-158-0x000000013F9D0000-0x000000013FD21000-memory.dmp	upx
behavioral1/memory/564-156-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2052-161-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/1008-154-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/868-163-0x000000013FDE0000-0x0000000140131000-memory.dmp	upx
behavioral1/memory/3004-213-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/1788-217-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2148-216-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/2080-222-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2652-224-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2788-226-0x000000013FED0000-0x0000000140221000-memory.dmp	upx
behavioral1/memory/2784-228-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/2728-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2600-238-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/2712-239-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2540-241-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2984-252-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\SwiDsTp.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FkExRwo.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QPZQbhM.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YqeqmyS.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WOgqqAO.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKhKwED.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ItzfEQW.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oHGPXYz.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTXraCl.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GzSqedT.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kVVJiXu.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WkvLoxr.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pOUbeed.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wQKOBAg.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zjDZHBc.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vaunbRJ.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UhteIsI.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VPCVofd.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bbrCdXL.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eomsJQW.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wimEQjf.exe	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3004	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 868 wrote to memory of 3004	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 868 wrote to memory of 3004	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 868 wrote to memory of 2148	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 868 wrote to memory of 2148	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 868 wrote to memory of 2148	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 868 wrote to memory of 2080	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 868 wrote to memory of 2080	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 868 wrote to memory of 2080	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 868 wrote to memory of 1788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 868 wrote to memory of 1788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 868 wrote to memory of 1788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 868 wrote to memory of 2652	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 868 wrote to memory of 2652	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 868 wrote to memory of 2652	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 868 wrote to memory of 2788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 868 wrote to memory of 2788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 868 wrote to memory of 2788	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 868 wrote to memory of 2784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 868 wrote to memory of 2784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 868 wrote to memory of 2784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 868 wrote to memory of 2728	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 868 wrote to memory of 2728	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 868 wrote to memory of 2728	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 868 wrote to memory of 2712	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 868 wrote to memory of 2712	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 868 wrote to memory of 2712	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 868 wrote to memory of 2600	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 868 wrote to memory of 2600	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 868 wrote to memory of 2600	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 868 wrote to memory of 2540	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 868 wrote to memory of 2540	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 868 wrote to memory of 2540	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 868 wrote to memory of 2984	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 868 wrote to memory of 2984	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 868 wrote to memory of 2984	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 868 wrote to memory of 1008	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 868 wrote to memory of 1008	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 868 wrote to memory of 1008	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 868 wrote to memory of 1716	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 868 wrote to memory of 1716	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 868 wrote to memory of 1716	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 868 wrote to memory of 564	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 868 wrote to memory of 564	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 868 wrote to memory of 564	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 868 wrote to memory of 784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 868 wrote to memory of 784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 868 wrote to memory of 784	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 868 wrote to memory of 300	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 868 wrote to memory of 300	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 868 wrote to memory of 300	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 868 wrote to memory of 1956	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 868 wrote to memory of 1956	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 868 wrote to memory of 1956	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 868 wrote to memory of 1516	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 868 wrote to memory of 1516	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 868 wrote to memory of 1516	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 868 wrote to memory of 2052	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 868 wrote to memory of 2052	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 868 wrote to memory of 2052	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 868 wrote to memory of 2520	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 868 wrote to memory of 2520	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 868 wrote to memory of 2520	868	2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_b4f84e8b8750170a1e4feb37f11d3602_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:868
- C:\Windows\System\SwiDsTp.exe
  C:\Windows\System\SwiDsTp.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\GzSqedT.exe
  C:\Windows\System\GzSqedT.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\kVVJiXu.exe
  C:\Windows\System\kVVJiXu.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\FkExRwo.exe
  C:\Windows\System\FkExRwo.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\QPZQbhM.exe
  C:\Windows\System\QPZQbhM.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\YqeqmyS.exe
  C:\Windows\System\YqeqmyS.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\WOgqqAO.exe
  C:\Windows\System\WOgqqAO.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\wQKOBAg.exe
  C:\Windows\System\wQKOBAg.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\WkvLoxr.exe
  C:\Windows\System\WkvLoxr.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\pOUbeed.exe
  C:\Windows\System\pOUbeed.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\zjDZHBc.exe
  C:\Windows\System\zjDZHBc.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\vaunbRJ.exe
  C:\Windows\System\vaunbRJ.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\UhteIsI.exe
  C:\Windows\System\UhteIsI.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\VPCVofd.exe
  C:\Windows\System\VPCVofd.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\oHGPXYz.exe
  C:\Windows\System\oHGPXYz.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\bbrCdXL.exe
  C:\Windows\System\bbrCdXL.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\QTXraCl.exe
  C:\Windows\System\QTXraCl.exe
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\System\VKhKwED.exe
  C:\Windows\System\VKhKwED.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\eomsJQW.exe
  C:\Windows\System\eomsJQW.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\wimEQjf.exe
  C:\Windows\System\wimEQjf.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\ItzfEQW.exe
  C:\Windows\System\ItzfEQW.exe
  2⤵
  - Executes dropped EXE
  PID:2520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FkExRwo.exe

Filesize
5.2MB

MD5
13d613183cf746ec3bed8c06c9e6b6ef

SHA1
e7d5ee61b33ae9eb16c9ac8d08fb7c8476d7e362

SHA256
a358e8ce2cf3075f5738125086ee0e49d1212d8f98c1a383ca7cbb5886c6cec2

SHA512
195c2d1ff3999176aae406792bb3ed02058da6a0590efa322bf7fd0136d656b9bc8687950a7f7c6b3ba11774d0124afdc9fd38ad98046d10225b24f1959751b2

Download Submit
C:\Windows\system\GzSqedT.exe

Filesize
5.2MB

MD5
b8c877c73938bd30354b251af51b6ff8

SHA1
6d3582259c7326daf9a98258bac04cb31ce1cd76

SHA256
59fe8edc74972d229016257d9ece34546f9df48b3d5cc6cd3714b1bb40589e22

SHA512
d5208829c8ef8eeb47af89a021e0416474fa356b2c6df3d4acc327fa7034e84653ff2c66fb8c709c120e03e3e04c23d4725d4825077b65f854fcfd3cc89ba24c

Download Submit
C:\Windows\system\QPZQbhM.exe

Filesize
5.2MB

MD5
949562e4a4f0cf7b883218064f60cb6e

SHA1
51104d6498bc0708ed94067040b20fd3b2b735ba

SHA256
eace41aef3cb4ef30dbbd9297fa59c590d876019c007f17ca538865151eaffb0

SHA512
ffffa95d115aea4a4d126bba73e5f3d080a3c9e5e64f91d838e5b74c15ceb5c979207793cd08750cc7e9bb3cff3978f62b1cb0fc33cf528803638c35c5f76e00

Download Submit
C:\Windows\system\QTXraCl.exe

Filesize
5.2MB

MD5
38d1fbc3cf720796ebb82ca1958d5d4b

SHA1
168d806f7908eb88573c7cc0cf8a63d36daf33b2

SHA256
74e07f4fbec4a0166a44b6b605b7c7736470c9a85982de84d6a1eed3add435d3

SHA512
c23d53530fd30e4a390eadbd0607323bb85ae3af6643cb88a0a5bc21d2fcc1a8259714fcbe6227c71727508687c1cf808f4c039dbbc9ef747152f114e0942fa2

Download Submit
C:\Windows\system\UhteIsI.exe

Filesize
5.2MB

MD5
b57a9e3fc8a4618af60c2c5967a44026

SHA1
bd67e513e2a4b1e6a3177239d3a7708e24939adf

SHA256
a189496dbbbe4680cebb23dd8f1e2e7619bf893b8d8fab0842445d7443fd8d50

SHA512
1860abff36a9cb2065b4dfb4d6431747069d58e79cd00add5291ad8c75501fea2d6d436487919536ab338a7562b19c55f73952d8d041b49449102ba79802a669

Download Submit
C:\Windows\system\VKhKwED.exe

Filesize
5.2MB

MD5
9150e93c1135c6f6ce7d2577efc5b7f1

SHA1
30e724f1c767a39f88f9c1134932b4895de1a40a

SHA256
4e75d6bbba99fa1ea8cd44e0efde7e001520755a1b9a25cea53f16ae90bf0ad6

SHA512
06dbc8826171de7dd2d0045e8b4b7abf81ec019453203f7c742cb20daadc1cc24ec553d24ff295213ff341b62471c25d7e18a76729c3560a6797f9876001aefa

Download Submit
C:\Windows\system\VPCVofd.exe

Filesize
5.2MB

MD5
8a06f1ec2e505a55c7c5bd76c5c734f5

SHA1
a142c1edd68b7c3b47e20344454148a33cccc40e

SHA256
6a229ea2c4040c5295ed0f669ed77edf46e4798c7110dcaaa0d809902e23847d

SHA512
6d54c7af75dfe1d00c64dcf1c5a00c335b7f20de4df460ae753e7b90050ffc8e2a49664e7594aff98bd164ff357266e9cb77f709c513df9f0d15d36fc04b9dae

Download Submit
C:\Windows\system\WOgqqAO.exe

Filesize
5.2MB

MD5
58d9cae6b7df60b8568b4cb670c719ed

SHA1
8b94da99b5309fc3fcb4909c1a5ff90ecaa11b0d

SHA256
68cfaff8e48820b83ea682c7fa69244bb76b3b807a87388c26b2775f45ac1044

SHA512
ae655eb6a4bd9b97a6af0c79edf82b8cb8f5504281ced1d3092874fb3e21f5b8e8416853f8464419919c08016bf46744bd1418f431328eab6485177bcad948e0

Download Submit
C:\Windows\system\WkvLoxr.exe

Filesize
5.2MB

MD5
ab2ea0eac5183aecaa7e774fc6988cf4

SHA1
7d1852e7c672cedd24f02a542c2937bb6f38de7d

SHA256
29ccc7842f256533ac247949a52b493040e033d4a303e5c7c2adfc69b097f6c3

SHA512
f779b4991c291d893d07b8b442e176ef6c6cbef1407d98b61c05ffbebae0c4f53e81dbb477c0d656f53cbd2d8e0c4696676a10e37e234d7e0b9ff0be630c75de

Download Submit
C:\Windows\system\YqeqmyS.exe

Filesize
5.2MB

MD5
0ff1f698845fb27199554afbd23bdab4

SHA1
c404dbdd37867e9b8e7f8801f0bcefe2e3ddc814

SHA256
c6d121ca73b5341a77284ae49a8e2a4e0b9dfa774efb035cb29cf2591da0a5dd

SHA512
daec400f769c9a495acb58e11cbe9579243d1f6a7de9be5e275a42ac4ee7e429df1cc258c6bba4e1cc9ccdb09d302218545af21a79e748aca5850bf234ba7534

Download Submit
C:\Windows\system\bbrCdXL.exe

Filesize
5.2MB

MD5
a938b20d410d2883968bab85e6a950b1

SHA1
2ede7090b8613e7e6e246539f4c41df867cb03e7

SHA256
fc45c331a9c99966ec7669a5629f56d5532636eab97534794b6ad324f84ef459

SHA512
87903918e7b58221da5dd8f08ff6aa327f7d1dfa95b3ef714cf3800cf651c324db290b472108b9941af8d7f1d71c19eb7a612cc649ae8183a4f23ce7bfdc2088

Download Submit
C:\Windows\system\eomsJQW.exe

Filesize
5.2MB

MD5
707e7484a56f16850523585791ba5748

SHA1
83b153d0be104085fc83ad6fb87ae66568bcaa05

SHA256
54cab259db02db232f4ef6a569dd1dec4824c85075e9be223cba511de63b1664

SHA512
d15fd1fad6c5bafa78974f2d460e08bca710beda24c16dd32a530a3e01762347e4f3b3d97a60603ad4a3f5acef9c793d9d21db6f1e26ea4fc42b4ec971088f47

Download Submit
C:\Windows\system\kVVJiXu.exe

Filesize
5.2MB

MD5
3218d37233e671fad388162a35b672de

SHA1
1e21e1c6d8f96b19a7be78941643af1938534163

SHA256
c6c5f07390923ac318524994b731e24e247122c2c9f20198600fa8a3ae1a0c20

SHA512
57c0de61bbd098af2fcd1aa7801f6782a2cee972656d523e86b2e29d0f983268f551efbd7ffecd9660cc4feba05b91200b0955c4e9a8c66b28c5f68305eee144

Download Submit
C:\Windows\system\oHGPXYz.exe

Filesize
5.2MB

MD5
f48851cc2ad8d2454e3a42eb9bfc72c4

SHA1
55ac18a43874cca6e5d62fdedf8e595f6097f6ae

SHA256
8cd5f856a6ce9949612133bdcbee451a7413e194448f1f7b174e9d7cc2b19d1d

SHA512
19234fe4517f936b3e05c1e6228224e726f657024f7801edb05cb054cd32fe795709fdd2da64c7634ac9dde88369375acf70355808e9186f5e4b9eba57dcf2d9

Download Submit
C:\Windows\system\wimEQjf.exe

Filesize
5.2MB

MD5
6bbd7ee699d423f0c1e269c479fa57bd

SHA1
737012563f3f0d1f0a5cdf7c4f5b4388be077309

SHA256
2df5190ab8e96850b574627dec943afa5f61da75fe19874fb28f13c60e404b25

SHA512
b1f8707fb708c6be042c6be702c3eabd850ca01b3490520134270f2a64e962086d71a36f755153f5d21ce89d87c7e75fbc37a54c6e73fc0aab2ba59f3cf6c72b

Download Submit
\Windows\system\ItzfEQW.exe

Filesize
5.2MB

MD5
7eb5444e80421fef980f44a0e89df9e8

SHA1
0ec3aacfb28d96b226cbd7bfc75566137877d3a8

SHA256
1b3f47b2afe6befb71594f6678959130030322ec537c5da1eaf76bbbc50aff8a

SHA512
2893bee91d2e1ccf8fea652ed8642e7150e15b3fd2c31ca69f8deef22468cce7d09a886dab9e5f6cac0b0842bb9349956e6b82570dc6eceb3d662ad61bc74302

Download Submit
\Windows\system\SwiDsTp.exe

Filesize
5.2MB

MD5
15c91ef8cf5ee071a320d95d48e11de8

SHA1
e1a33957b3df711a66bb656b24f883f860d7752d

SHA256
29cfedc5fa123fe071971dafb407516243313f9a35d0d12de7f1e680085e5588

SHA512
6da6c36966eea7dcbdad8a6399bc732faddc90fbf2d3dc49af24d9271ad2fd8de199ecbd6f7109dadefd388e599d1d6cb7a5e86c63f5e3bba181f113674f07f6

Download Submit
\Windows\system\pOUbeed.exe

Filesize
5.2MB

MD5
188d273334860a232dd0844598a892e8

SHA1
7052b2c0a68a43b896f44da5d89ec2bebd34ac17

SHA256
ea0ae3ca2649923c4804ebac837e913577d406d819a78d99cdee52fd0a2392b8

SHA512
f5f41c7c7d059d991b739df985ee42ac252ffce33accdb57639ad48600b84ac7e9f0dd1b2c49da11aaa4bea5518babc893dc18bb6825ecab9cfa203a09ecf43e

Download Submit
\Windows\system\vaunbRJ.exe

Filesize
5.2MB

MD5
23e19cd1f42b1fd98e7d495aee07d0da

SHA1
1028e6c1b2f3b9f36b41cdee516d708aa47e396a

SHA256
e7c8079e67736fb3e701d497d5b05825f4d13831f4fc596103a425e7370bc042

SHA512
d7fe275a386e2c639ca5a6013530593cffeaac6f2b64378606eda4ee48b2106b3184c37abf7a88f076e550adad22a7344ffeda65fb4b8312671a0965c48dce25

Download Submit
\Windows\system\wQKOBAg.exe

Filesize
5.2MB

MD5
8099f535545417803807b7980740aa70

SHA1
e6c329e93db2d68c59bcabe4b557645e07acf4cb

SHA256
0c71c065386976a95fb35b7d217b08e996f0ecaef1f96208743516660187f866

SHA512
5dffaf9175bade8a87766337269296553b86c871509dfd66430416ea843290edd6dae61019ba8c65242069eb476c2d3789db6c1a9bc775d08a61f06b6ebc1236

Download Submit
\Windows\system\zjDZHBc.exe

Filesize
5.2MB

MD5
05abc4486412844ff1822e9dedd298ec

SHA1
8530a0e18f84419cdd4bfdef530545de0beba91d

SHA256
033bec4bd9e98409cadf846d30934e5a422bbdb9a25f36bc1d6be83f73353f4e

SHA512
ae854b9558cfa17f13d6ac9fa440429a3278ddea345d867ddced0900875014c2f736d011fb1d8837887520a3fc6be6c57a7123f057a9bd6041c75976234d4390

Download Submit
memory/300-158-0x000000013F9D0000-0x000000013FD21000-memory.dmp

Filesize
3.3MB

Download
memory/564-156-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/784-157-0x000000013FA60000-0x000000013FDB1000-memory.dmp

Filesize
3.3MB

Download
memory/868-45-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/868-74-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-135-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/868-38-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-26-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/868-79-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-163-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/868-23-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/868-133-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/868-72-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-31-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-0-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/868-20-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/868-48-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/868-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/868-140-0x000000013FDE0000-0x0000000140131000-memory.dmp

Filesize
3.3MB

Download
memory/868-137-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/868-106-0x0000000002320000-0x0000000002671000-memory.dmp

Filesize
3.3MB

Download
memory/1008-154-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-259-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/1008-132-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/1516-160-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/1716-134-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/1716-254-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/1788-217-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/1788-28-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/1956-159-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2052-161-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2080-29-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2080-222-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-19-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-52-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2148-216-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-162-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2540-80-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2540-241-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2600-238-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-77-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2652-224-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2652-82-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2652-35-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/2712-78-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2712-239-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2728-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2728-75-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2784-228-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2784-139-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2784-49-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2788-226-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2788-138-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2788-41-0x000000013FED0000-0x0000000140221000-memory.dmp

Filesize
3.3MB

Download
memory/2984-136-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-252-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-14-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3004-51-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/3004-213-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download