cobaltstrike | ce21df8138490d0163b3477b35e71011fdfba6f6e286178ebae0a4eb5c7b040f

Analysis

max time kernel
142s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6652f4a32be26fb3935c4a44c14ca3ad
SHA1

2fdc17811fd330f74718b41a1c41fe50d69b0724
SHA256

ce21df8138490d0163b3477b35e71011fdfba6f6e286178ebae0a4eb5c7b040f
SHA512

2689fe1ca4adc36bd5cace3bc37967367afd49110bab44541063c54e5cb96904679ac9e32b1654185e29dc8ab63e2f2f096b452251075be3c49d5e78618155c0
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lB:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012119-6.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001686c-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ab9-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c73-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ce7-41.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d1d-46.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000175e7-67.dat	cobalt_reflective_dll
behavioral1/files/0x001400000001866f-85.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f2-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018781-138.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018731-136.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000164ab-128.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878c-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018742-121.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f8-110.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001868b-101.dat	cobalt_reflective_dll
behavioral1/files/0x0011000000018682-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018669-75.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d36-59.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d2e-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cc5-26.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/2820-50-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1216-123-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2332-118-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2728-111-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2624-140-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2456-81-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2644-80-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2388-72-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2104-141-0x0000000002370000-0x00000000026C1000-memory.dmp	xmrig
behavioral1/memory/2104-69-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2712-64-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2988-38-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2968-37-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2780-34-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/3044-28-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2640-143-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2104-144-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2344-159-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2380-165-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/1408-164-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/1724-163-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/1936-162-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2496-161-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/1892-166-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2104-167-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2968-225-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/3044-227-0x000000013FE80000-0x00000001401D1000-memory.dmp	xmrig
behavioral1/memory/2988-229-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2780-231-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2388-233-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2456-235-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2820-237-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2712-239-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2728-241-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2624-243-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2644-245-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2640-256-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2332-258-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/1216-260-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2968	wuPOvjx.exe
2988	UKqSlxt.exe
3044	XlqluQb.exe
2388	PDoICtQ.exe
2780	NGRCVcj.exe
2456	NNUFwuT.exe
2820	IxLrOLB.exe
2728	zEilnUQ.exe
2712	eYCpVzp.exe
2624	brpAREK.exe
2644	UcjgjLe.exe
2640	jySvRbC.exe
2332	mYzStUe.exe
1216	lHEsWIS.exe
1936	zBnNqei.exe
1408	fhLgfFk.exe
2344	OrKZdxT.exe
1892	yQMlAzT.exe
2496	ADivqcQ.exe
1724	VJvXoeT.exe
2380	XzdAUFq.exe

Loads dropped DLL 21 IoCs

pid	Process
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2104-0-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x0007000000012119-6.dat	upx
behavioral1/files/0x000800000001686c-11.dat	upx
behavioral1/files/0x0008000000016ab9-12.dat	upx
behavioral1/files/0x0008000000016c73-18.dat	upx
behavioral1/memory/2388-31-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/files/0x0007000000016ce7-41.dat	upx
behavioral1/files/0x0007000000016d1d-46.dat	upx
behavioral1/memory/2820-50-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2728-56-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/files/0x00060000000175e7-67.dat	upx
behavioral1/files/0x001400000001866f-85.dat	upx
behavioral1/files/0x00050000000186f2-104.dat	upx
behavioral1/files/0x0005000000018781-138.dat	upx
behavioral1/files/0x0005000000018731-136.dat	upx
behavioral1/files/0x00080000000164ab-128.dat	upx
behavioral1/files/0x000500000001878c-132.dat	upx
behavioral1/memory/1216-123-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/files/0x0005000000018742-121.dat	upx
behavioral1/memory/2332-118-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2728-111-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/files/0x00050000000186f8-110.dat	upx
behavioral1/memory/2624-140-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/files/0x000500000001868b-101.dat	upx
behavioral1/files/0x0011000000018682-94.dat	upx
behavioral1/memory/2640-89-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2456-81-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2644-80-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2388-72-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2624-71-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2104-69-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x0006000000018669-75.dat	upx
behavioral1/memory/2712-64-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/files/0x0008000000016d36-59.dat	upx
behavioral1/files/0x0008000000016d2e-54.dat	upx
behavioral1/memory/2456-42-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2988-38-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2968-37-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2780-34-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/3044-28-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2640-143-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/files/0x0007000000016cc5-26.dat	upx
behavioral1/memory/2104-144-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2344-159-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2380-165-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/1408-164-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/1724-163-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/1936-162-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2496-161-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/1892-166-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2104-167-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2968-225-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/3044-227-0x000000013FE80000-0x00000001401D1000-memory.dmp	upx
behavioral1/memory/2988-229-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2780-231-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2388-233-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2456-235-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2820-237-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2712-239-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2728-241-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2624-243-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2644-245-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2640-256-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2332-258-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\zBnNqei.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhLgfFk.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XzdAUFq.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UKqSlxt.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NGRCVcj.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNUFwuT.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IxLrOLB.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eYCpVzp.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wuPOvjx.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\brpAREK.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrKZdxT.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADivqcQ.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zEilnUQ.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UcjgjLe.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jySvRbC.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yQMlAzT.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XlqluQb.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PDoICtQ.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mYzStUe.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lHEsWIS.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJvXoeT.exe	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2968	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2104 wrote to memory of 2968	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2104 wrote to memory of 2968	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2104 wrote to memory of 2988	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2104 wrote to memory of 2988	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2104 wrote to memory of 2988	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2104 wrote to memory of 3044	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2104 wrote to memory of 3044	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2104 wrote to memory of 3044	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2104 wrote to memory of 2388	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2104 wrote to memory of 2388	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2104 wrote to memory of 2388	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2104 wrote to memory of 2780	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2104 wrote to memory of 2780	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2104 wrote to memory of 2780	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2104 wrote to memory of 2456	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2104 wrote to memory of 2456	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2104 wrote to memory of 2456	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2104 wrote to memory of 2820	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2104 wrote to memory of 2820	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2104 wrote to memory of 2820	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2104 wrote to memory of 2728	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2104 wrote to memory of 2728	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2104 wrote to memory of 2728	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2104 wrote to memory of 2712	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2104 wrote to memory of 2712	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2104 wrote to memory of 2712	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2104 wrote to memory of 2624	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2104 wrote to memory of 2624	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2104 wrote to memory of 2624	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2104 wrote to memory of 2644	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2104 wrote to memory of 2644	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2104 wrote to memory of 2644	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2104 wrote to memory of 2640	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2104 wrote to memory of 2640	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2104 wrote to memory of 2640	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2104 wrote to memory of 2332	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2104 wrote to memory of 2332	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2104 wrote to memory of 2332	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2104 wrote to memory of 2344	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2104 wrote to memory of 2344	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2104 wrote to memory of 2344	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2104 wrote to memory of 1216	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2104 wrote to memory of 1216	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2104 wrote to memory of 1216	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2104 wrote to memory of 2496	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2104 wrote to memory of 2496	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2104 wrote to memory of 2496	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2104 wrote to memory of 1936	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2104 wrote to memory of 1936	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2104 wrote to memory of 1936	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2104 wrote to memory of 1724	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2104 wrote to memory of 1724	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2104 wrote to memory of 1724	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2104 wrote to memory of 1408	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2104 wrote to memory of 1408	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2104 wrote to memory of 1408	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2104 wrote to memory of 2380	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2104 wrote to memory of 2380	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2104 wrote to memory of 2380	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2104 wrote to memory of 1892	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2104 wrote to memory of 1892	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2104 wrote to memory of 1892	2104	2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-27_6652f4a32be26fb3935c4a44c14ca3ad_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System\wuPOvjx.exe
  C:\Windows\System\wuPOvjx.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\UKqSlxt.exe
  C:\Windows\System\UKqSlxt.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\XlqluQb.exe
  C:\Windows\System\XlqluQb.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\PDoICtQ.exe
  C:\Windows\System\PDoICtQ.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\NGRCVcj.exe
  C:\Windows\System\NGRCVcj.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\NNUFwuT.exe
  C:\Windows\System\NNUFwuT.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\IxLrOLB.exe
  C:\Windows\System\IxLrOLB.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\zEilnUQ.exe
  C:\Windows\System\zEilnUQ.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\eYCpVzp.exe
  C:\Windows\System\eYCpVzp.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\brpAREK.exe
  C:\Windows\System\brpAREK.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\UcjgjLe.exe
  C:\Windows\System\UcjgjLe.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\jySvRbC.exe
  C:\Windows\System\jySvRbC.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\mYzStUe.exe
  C:\Windows\System\mYzStUe.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\OrKZdxT.exe
  C:\Windows\System\OrKZdxT.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\lHEsWIS.exe
  C:\Windows\System\lHEsWIS.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\ADivqcQ.exe
  C:\Windows\System\ADivqcQ.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\zBnNqei.exe
  C:\Windows\System\zBnNqei.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\VJvXoeT.exe
  C:\Windows\System\VJvXoeT.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\fhLgfFk.exe
  C:\Windows\System\fhLgfFk.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\XzdAUFq.exe
  C:\Windows\System\XzdAUFq.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\yQMlAzT.exe
  C:\Windows\System\yQMlAzT.exe
  2⤵
  - Executes dropped EXE
  PID:1892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\IxLrOLB.exe

Filesize
5.2MB

MD5
026d2996ce3408b8e405349bf6b07812

SHA1
fcc383707da2e53e327f7965c5d88d9bbfa99fa2

SHA256
66528e60d02314429e19d5cf5fd5a9cbb61656ee275d0f2fa3903c5ec55363de

SHA512
4ebb3c9ae3cca745631da1897ad972aecb7462cc10c92f8be0184aff2ae0eba0d45f81d5974d91db7200d48259886e1a0e2900db66acb2c4219b86814ca4e750

Download Submit
C:\Windows\system\NGRCVcj.exe

Filesize
5.2MB

MD5
ea432dc854508ada4be1ce6a88227f30

SHA1
63fa54551117e749df1dfdd0da91f45493b49fef

SHA256
ae347a0289c74444f307cb32c245547c51c9795c8696c8e2fc1dcb3a1a57328f

SHA512
2c2fca5e03b1ea3222bd3913e0d3a07d9ce231e6886765169a86c9885da438d4c56770f6b1945a05f0ee0efcaebb7c4c82f0833e6d730c68e52874753f879906

Download Submit
C:\Windows\system\NNUFwuT.exe

Filesize
5.2MB

MD5
fa548ad3d77dec3132c9ff04806c9661

SHA1
1569978ec8feb21bf9bdbbdb08b47b51e92c0057

SHA256
645616937d8bd628ca156a9a860899d5f8dfc539fd987aa00325fa7f8309e325

SHA512
80963b1de10efdbb941745214f0b479d034fece9df05ce4c80b027fd80dd35e4e24e093f0eb9d1d8329de0803f50fd9bb7950d6a205b8455261a98bc7e9caea7

Download Submit
C:\Windows\system\OrKZdxT.exe

Filesize
5.2MB

MD5
c6faca793827224ab57bcb965e688698

SHA1
c88f8300a11006c71d0b2f74e32bcd234fbcdb6e

SHA256
2b9580343a8785c016fd224c953f25d89e2abc14a8910a026efb251b14f91559

SHA512
67d75ca14100f20ce4f3d95e945d3b864f21780fa9c7210dedb441e40fd01663ed27c224f5cefd65c381a5945d492b84aef55f5da79b6d2da92c3c47ffd25c72

Download Submit
C:\Windows\system\UKqSlxt.exe

Filesize
5.2MB

MD5
2b50832b34afa1974f6c1535ac795dea

SHA1
97c1f7d25b539973726b04b08ca08b81f30e4b62

SHA256
e35687a05de31d1bd458276fdc6b7858b6f1f0c723e2e4794f47f7ab26c9a5e0

SHA512
ace7f11ba51854266c107ee136d70686763f9a9c831912a13124c5ca99e81735d64dc15fa45d69f3ff4f09e44cff62dbf33ccc05086ccb0144ee6f1626f6ad87

Download Submit
C:\Windows\system\UcjgjLe.exe

Filesize
5.2MB

MD5
6edc7d352217884238eb2b667e1a7951

SHA1
c4e50b3736b2031520572c4007b7f2d3b5d6017d

SHA256
78801e1a97f9afc29cc938f5599bc2d0110e23aa3ea642e43ff842d62d8b801c

SHA512
ea09df468b969ed7408cdb6ea585f6867a03f21aaf3aa919bba7b878f7f3650af2ca133c9aedbedf5042cbdba703784424e72b14252a3745d8dc31f0315e6cd3

Download Submit
C:\Windows\system\VJvXoeT.exe

Filesize
5.2MB

MD5
27156b648d32139098dfd8d9b0ebe33f

SHA1
f3cb4e431f5ab26ace366db2bea3597278fdfd81

SHA256
e9c97e7fc70712f6daf10ef9fa49965ea57c04d1a0ab5b7a124d77c12cc40453

SHA512
1170a991bb5f705ca72e6e301162c979381a6ff01e2c8905ccb5d664e7448c197a1e9371087c9b15a99b0108e2bcd41a22a4bdead1c4102f5a5a5f4ba15aefec

Download Submit
C:\Windows\system\XzdAUFq.exe

Filesize
5.2MB

MD5
2a837d144effabc4425986cfb4f4a264

SHA1
b2f0bec259465d9ee4bfa6672dea2656c776878d

SHA256
65ba38c2419b4e05b67c0980885132556c115828c743fa4640ea0f07473b0168

SHA512
a89f35cf9eaabe15fc36050ebc4d054fd02304fa2bda48ded04fda0fa45215a2fbf44f09e8279eb1ad82b3891c3218513bfa5acf030df9473fafbcb59d6ad40b

Download Submit
C:\Windows\system\brpAREK.exe

Filesize
5.2MB

MD5
f075cd069c0399460556b35e19a94bc3

SHA1
eb668cf6e18b1015c74d9fef473a88ef0c6c9e9b

SHA256
ba41e80e6e53d5cbfb1896db72d77f6e66dc6044476fd8452ad13952cdc43f43

SHA512
d8bed67cbbc874aab8bb9b2d36c92c9aac474b036218bb4410bbb02e6fd8defd01abf25eb37e7804f723866985b2df0305c5db82244f2e1ba965992f619e8666

Download Submit
C:\Windows\system\eYCpVzp.exe

Filesize
5.2MB

MD5
e92111c83aa7805d1c92646e0b5890df

SHA1
63cae2389cd2a287938cb702651d767f17791dea

SHA256
4e8786456395b441f65d8bc173a67ed7450ea9d1da1617c2f8778b85b3ec6b73

SHA512
984dba4d80c806f34345b7899362a0ba19d552a07b6498759180fdb432016eb934df64382b5d0c8ec242cb9c87022f63732cc45fdfd8837d0836d759eef31d6c

Download Submit
C:\Windows\system\fhLgfFk.exe

Filesize
5.2MB

MD5
fb622be7a668db03b1281c725dc4261b

SHA1
441991e78c99d480b9e14906c237ce9b0cf3fe76

SHA256
d07da7f5f219807db70f0004c9fe07297100ccf95e6df48372e2002f4b7f8b9c

SHA512
90960c116adf3805a8ae2e4ff9c3388eadc633a97dccfaac13056fc1d66d19e0a984ac64f06f146e79afec9d5d0c1fce84034fc42c151354f2fa5bedff66e8b8

Download Submit
C:\Windows\system\jySvRbC.exe

Filesize
5.2MB

MD5
10d78b3ea1bc0390ec19f2cc584877a8

SHA1
305e1b1af575c7fd0fc4af70b926a55e45e62139

SHA256
14b3c3cfd9d8e8ff2c7dc7857f01bd904c40cb4e7117c356d988b3ac0e4e5408

SHA512
957e2bd52726e072732e4e50bb4b7feae346d64dc6b908d676530ca7a827ddb7feef92ada8f9446028920ba1d92f865b580a31eb64de9335450017b72e50147d

Download Submit
C:\Windows\system\lHEsWIS.exe

Filesize
5.2MB

MD5
33f15719c51e063600759f93ea7c84b2

SHA1
4b7ce1a88ffca5d504d10680f600d1bee73ccd4d

SHA256
f409c2609706717de1e0abe265e85f02b3b8dcf598871b3f6c881cc4c677305b

SHA512
cc0be12229965074bbda9d3149a00d3358b6e8edd358142ed0bc50cb50a16e409e2f39725d45e4f874e0560a7b81a294032e1c3a444efbf29374b8670622c234

Download Submit
C:\Windows\system\mYzStUe.exe

Filesize
5.2MB

MD5
bc9f695fe972378fbe15efac8a310988

SHA1
fba426c96fbfbe8e4013fc07e24bc1446ac055b2

SHA256
d40f7642d97ef481c5874b17750dee86947fbbc809dd99ae5e02e94714814483

SHA512
9d7b41956e2ce106bc7241edfa17f2f5e091c6a5fffcaa9b01ff42fe3826554a5becea38dde58b8d08992cee11caef1a90ee84689697e8366cfff4d12620c8be

Download Submit
C:\Windows\system\wuPOvjx.exe

Filesize
5.2MB

MD5
c0533a98aae2e5734bf8111f66ec0bd3

SHA1
1eee96390ae099ba1b7d1dfd34351afbc788f6f6

SHA256
648c32a401a5948be56d6069b42948e168c9bfffa26d3b1eb07533898fa2b5ed

SHA512
5ce80bd28c5ba4c984ff96ccac861aa4e0ccb414cdbebc3c829c0d382704bb13aa32f48c6a599383ad5e5ceb99c8614054cda4bf8b3cb18e23315425df166f99

Download Submit
C:\Windows\system\yQMlAzT.exe

Filesize
5.2MB

MD5
2741c711f69df5f2dc2b9a79d9819b2f

SHA1
f835d8edcaa41ee541f42cd1aacafc9e0e785de8

SHA256
0e5de7799fd6299499c86bce633dc3fb381c990a96c395d07381c8c7bd392b18

SHA512
35e237e75f5d5a6aea92675d931117667d6c1c372bf4d9d5307f811cb0618438f24d10e36684022cbed2a74422cb76f7da4e0b4087fd1613717fac2789e3bab1

Download Submit
C:\Windows\system\zBnNqei.exe

Filesize
5.2MB

MD5
3eefbb9653ddaaaf962e470ec4bdcb11

SHA1
c68535e1d5e112fe321b2acc885eacbccbe47a43

SHA256
0a257728b5f2f311ff024ce2186a99a970e5ece397e4716c29c70372587d7ad5

SHA512
eb879acf79d65247ae5bc32a788c8c90118106b651aa33c5ad32f3e63741e888629607ebdf2cd034be8eef2a3ba8251826da00f93ecc76b26f06d464d2761e23

Download Submit
C:\Windows\system\zEilnUQ.exe

Filesize
5.2MB

MD5
9dc7974dc7b25e99ca48917eab0d8108

SHA1
30e0f00318570e4847c88ea330e2586cbba4e3dd

SHA256
254fa8ebe99bff9cf588cad5c7198e524d6b1c04a0914cd3fa3a4ba883381670

SHA512
734d7a6ccfb4028fa2ae8e4d96be2dd488c145aea82258f50a647e3c22d5a36b3d8c3cc95aaaf681d59ce27144c921e6ec38712b3985824c0181d0558cd12d97

Download Submit
\Windows\system\ADivqcQ.exe

Filesize
5.2MB

MD5
7766fa54e5fbe0d8c5bc7c19e37d9942

SHA1
7706db1f24b33bd865f91900643361e69d12156d

SHA256
aa94ef592f322410ac53a6998146c4e79e7ff7dffc751bac56c15e746ff41139

SHA512
c1cbb4bd11f6c88a9919a5780117d4cce47ca6f5bf9cde5b9155975a34f024feb2f8e18d46c1861238579599312a3d5ecbc42ceac8b4bcc24a05142948dcc452

Download Submit
\Windows\system\PDoICtQ.exe

Filesize
5.2MB

MD5
39c00ca11dac7176bc7084e18384a74e

SHA1
d2cccc14bc53fc5f3a43ef0241d3f649208060e9

SHA256
2ed9c14a0f8c59962e24554b95cd7fb52b52613d705b29d42688d5f5c5adb44d

SHA512
7af0649ecf843fd435d30fb63e16321c11ad7041a43951c1d92170d0403ce71434ca6c66b9fa0fdc68d39f551e35f765d934d6d18970b3214150f8e6feedd66a

Download Submit
\Windows\system\XlqluQb.exe

Filesize
5.2MB

MD5
342b0055e9e4fce7a31f31a19d4ed582

SHA1
8c2cee83f8970b2c333abb8c3ddd92093fd99515

SHA256
117afe0f6ad67b420c49cb1e04ac45e447b154e4016476472b9aa35c7c3f1ff1

SHA512
27846a6935137c79b7b85ee70807f5eab546b3ea6b3c912fd21f89e2c00ca80cde2c76ade99542b7dd782f9222deb5eb942c1332a43a45fbcb95db220b8ade5d

Download Submit
memory/1216-123-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/1216-260-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/1408-164-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/1724-163-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1892-166-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1936-162-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2104-69-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-120-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/2104-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2104-167-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-90-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2104-142-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-87-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-39-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-40-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-79-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-152-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-141-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-144-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-70-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-0-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-119-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-32-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-63-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-55-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2104-16-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-88-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-49-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-27-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-258-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2332-118-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2344-159-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2380-165-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2388-72-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-233-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-31-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2456-42-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2456-235-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2456-81-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2496-161-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-140-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2624-71-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2624-243-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2640-143-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-89-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-256-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-245-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2644-80-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2712-64-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2712-239-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2728-56-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2728-111-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2728-241-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2780-231-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-34-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-237-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2820-50-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2968-225-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-37-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2988-38-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2988-229-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/3044-227-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download
memory/3044-28-0x000000013FE80000-0x00000001401D1000-memory.dmp

Filesize
3.3MB

Download