cobaltstrike | 8c4f5acf8ca15b6737531b6571db71e5780dbc4593cf884228cfc285094baaaf

Analysis

max time kernel
135s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

873565007998c3a95a3e12bbca689002
SHA1

d05af4adbe1c1b9b962509a77c3b8d9180cf323b
SHA256

8c4f5acf8ca15b6737531b6571db71e5780dbc4593cf884228cfc285094baaaf
SHA512

e27caa83fc106b2c5c724083c0e9e72007df25bb0446e73edfdd4e1a1971087a03707bf7ca39e8fd558957ee75c0587a58031293aaa4a11e297d2aebe169d6c4
SSDEEP

98304:oemTLkNdfE0pZrD56utgpPFotBER/mQ32lUL:T+q56utgpPF8u/7L

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\dUTkATI.exe	cobalt_reflective_dll
C:\Windows\system\wboWgRZ.exe	cobalt_reflective_dll
\Windows\system\dQWNSFB.exe	cobalt_reflective_dll
C:\Windows\system\QHCHbwW.exe	cobalt_reflective_dll
\Windows\system\STvpnJT.exe	cobalt_reflective_dll
C:\Windows\system\sTwbLmX.exe	cobalt_reflective_dll
\Windows\system\AdUcraC.exe	cobalt_reflective_dll
\Windows\system\CvgetYz.exe	cobalt_reflective_dll
\Windows\system\YwMCcFL.exe	cobalt_reflective_dll
\Windows\system\UqzmZeT.exe	cobalt_reflective_dll
C:\Windows\system\oZHPImU.exe	cobalt_reflective_dll
\Windows\system\apUkdoz.exe	cobalt_reflective_dll
\Windows\system\ZfHxpHG.exe	cobalt_reflective_dll
C:\Windows\system\sLeRbkK.exe	cobalt_reflective_dll
C:\Windows\system\SYyAbIU.exe	cobalt_reflective_dll
C:\Windows\system\ejSaORh.exe	cobalt_reflective_dll
C:\Windows\system\MeRMnXW.exe	cobalt_reflective_dll
C:\Windows\system\RdTklmc.exe	cobalt_reflective_dll
C:\Windows\system\qCqUIIg.exe	cobalt_reflective_dll
C:\Windows\system\yThYHPR.exe	cobalt_reflective_dll
C:\Windows\system\CigvITV.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 55 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2576-0-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
C:\Windows\system\dUTkATI.exe	xmrig
C:\Windows\system\wboWgRZ.exe	xmrig
\Windows\system\dQWNSFB.exe	xmrig
behavioral1/memory/1872-21-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/memory/2576-22-0x0000000002370000-0x00000000026C4000-memory.dmp	xmrig
C:\Windows\system\QHCHbwW.exe	xmrig
behavioral1/memory/2840-36-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
\Windows\system\STvpnJT.exe	xmrig
C:\Windows\system\sTwbLmX.exe	xmrig
behavioral1/memory/2720-28-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2768-41-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2576-122-0x000000013F750000-0x000000013FAA4000-memory.dmp	xmrig
\Windows\system\AdUcraC.exe	xmrig
\Windows\system\CvgetYz.exe	xmrig
\Windows\system\YwMCcFL.exe	xmrig
behavioral1/memory/2800-74-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
\Windows\system\UqzmZeT.exe	xmrig
C:\Windows\system\oZHPImU.exe	xmrig
\Windows\system\apUkdoz.exe	xmrig
\Windows\system\ZfHxpHG.exe	xmrig
behavioral1/memory/2640-121-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2720-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2576-120-0x000000013F960000-0x000000013FCB4000-memory.dmp	xmrig
behavioral1/memory/2272-119-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2664-118-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/1316-116-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig
behavioral1/memory/2660-115-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
C:\Windows\system\sLeRbkK.exe	xmrig
C:\Windows\system\SYyAbIU.exe	xmrig
behavioral1/memory/1984-107-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
C:\Windows\system\ejSaORh.exe	xmrig
C:\Windows\system\MeRMnXW.exe	xmrig
C:\Windows\system\RdTklmc.exe	xmrig
C:\Windows\system\qCqUIIg.exe	xmrig
behavioral1/memory/2768-137-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2576-57-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
C:\Windows\system\yThYHPR.exe	xmrig
behavioral1/memory/2576-138-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2576-54-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
C:\Windows\system\CigvITV.exe	xmrig
behavioral1/memory/2124-19-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/2272-18-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2272-140-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/2124-141-0x000000013FAC0000-0x000000013FE14000-memory.dmp	xmrig
behavioral1/memory/1872-142-0x000000013F5C0000-0x000000013F914000-memory.dmp	xmrig
behavioral1/memory/2720-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp	xmrig
behavioral1/memory/2840-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	xmrig
behavioral1/memory/2768-145-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2800-146-0x000000013F5B0000-0x000000013F904000-memory.dmp	xmrig
behavioral1/memory/2664-147-0x000000013F600000-0x000000013F954000-memory.dmp	xmrig
behavioral1/memory/1984-148-0x000000013F340000-0x000000013F694000-memory.dmp	xmrig
behavioral1/memory/2640-149-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2660-151-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	xmrig
behavioral1/memory/1316-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

dUTkATI.exewboWgRZ.exedQWNSFB.exeQHCHbwW.exesTwbLmX.exeSTvpnJT.exeCigvITV.exeyThYHPR.exeoZHPImU.exeqCqUIIg.exeRdTklmc.exeMeRMnXW.exeejSaORh.exeSYyAbIU.exesLeRbkK.exeZfHxpHG.exeapUkdoz.exeUqzmZeT.exeYwMCcFL.exeCvgetYz.exeAdUcraC.exe

pid	process
2272	dUTkATI.exe
2124	wboWgRZ.exe
1872	dQWNSFB.exe
2720	QHCHbwW.exe
2840	sTwbLmX.exe
2768	STvpnJT.exe
2800	CigvITV.exe
2664	yThYHPR.exe
1984	oZHPImU.exe
2640	qCqUIIg.exe
2660	RdTklmc.exe
1316	MeRMnXW.exe
2968	ejSaORh.exe
848	SYyAbIU.exe
1896	sLeRbkK.exe
2604	ZfHxpHG.exe
2732	apUkdoz.exe
1972	UqzmZeT.exe
748	YwMCcFL.exe
2016	CvgetYz.exe
1340	AdUcraC.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2576-0-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
C:\Windows\system\dUTkATI.exe	upx
C:\Windows\system\wboWgRZ.exe	upx
\Windows\system\dQWNSFB.exe	upx
behavioral1/memory/1872-21-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
C:\Windows\system\QHCHbwW.exe	upx
behavioral1/memory/2840-36-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
\Windows\system\STvpnJT.exe	upx
C:\Windows\system\sTwbLmX.exe	upx
behavioral1/memory/2720-28-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2768-41-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
\Windows\system\AdUcraC.exe	upx
\Windows\system\CvgetYz.exe	upx
\Windows\system\YwMCcFL.exe	upx
behavioral1/memory/2800-74-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
\Windows\system\UqzmZeT.exe	upx
C:\Windows\system\oZHPImU.exe	upx
\Windows\system\apUkdoz.exe	upx
\Windows\system\ZfHxpHG.exe	upx
behavioral1/memory/2640-121-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2720-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2272-119-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2664-118-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/1316-116-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx
behavioral1/memory/2660-115-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
C:\Windows\system\sLeRbkK.exe	upx
C:\Windows\system\SYyAbIU.exe	upx
behavioral1/memory/1984-107-0x000000013F340000-0x000000013F694000-memory.dmp	upx
C:\Windows\system\ejSaORh.exe	upx
C:\Windows\system\MeRMnXW.exe	upx
C:\Windows\system\RdTklmc.exe	upx
C:\Windows\system\qCqUIIg.exe	upx
behavioral1/memory/2768-137-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
C:\Windows\system\yThYHPR.exe	upx
behavioral1/memory/2576-54-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
C:\Windows\system\CigvITV.exe	upx
behavioral1/memory/2124-19-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/2272-18-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2272-140-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/2124-141-0x000000013FAC0000-0x000000013FE14000-memory.dmp	upx
behavioral1/memory/1872-142-0x000000013F5C0000-0x000000013F914000-memory.dmp	upx
behavioral1/memory/2720-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp	upx
behavioral1/memory/2840-144-0x000000013FF70000-0x00000001402C4000-memory.dmp	upx
behavioral1/memory/2768-145-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2800-146-0x000000013F5B0000-0x000000013F904000-memory.dmp	upx
behavioral1/memory/2664-147-0x000000013F600000-0x000000013F954000-memory.dmp	upx
behavioral1/memory/1984-148-0x000000013F340000-0x000000013F694000-memory.dmp	upx
behavioral1/memory/2640-149-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2660-151-0x000000013FCA0000-0x000000013FFF4000-memory.dmp	upx
behavioral1/memory/1316-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\sLeRbkK.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\STvpnJT.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yThYHPR.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdTklmc.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ejSaORh.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZfHxpHG.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCqUIIg.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SYyAbIU.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oZHPImU.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MeRMnXW.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dUTkATI.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wboWgRZ.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sTwbLmX.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CigvITV.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YwMCcFL.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CvgetYz.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AdUcraC.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dQWNSFB.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QHCHbwW.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apUkdoz.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqzmZeT.exe	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2576 wrote to memory of 2272	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dUTkATI.exe
PID 2576 wrote to memory of 2272	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dUTkATI.exe
PID 2576 wrote to memory of 2272	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dUTkATI.exe
PID 2576 wrote to memory of 2124	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	wboWgRZ.exe
PID 2576 wrote to memory of 2124	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	wboWgRZ.exe
PID 2576 wrote to memory of 2124	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	wboWgRZ.exe
PID 2576 wrote to memory of 1872	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dQWNSFB.exe
PID 2576 wrote to memory of 1872	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dQWNSFB.exe
PID 2576 wrote to memory of 1872	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	dQWNSFB.exe
PID 2576 wrote to memory of 2720	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	QHCHbwW.exe
PID 2576 wrote to memory of 2720	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	QHCHbwW.exe
PID 2576 wrote to memory of 2720	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	QHCHbwW.exe
PID 2576 wrote to memory of 2840	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sTwbLmX.exe
PID 2576 wrote to memory of 2840	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sTwbLmX.exe
PID 2576 wrote to memory of 2840	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sTwbLmX.exe
PID 2576 wrote to memory of 2768	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	STvpnJT.exe
PID 2576 wrote to memory of 2768	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	STvpnJT.exe
PID 2576 wrote to memory of 2768	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	STvpnJT.exe
PID 2576 wrote to memory of 2800	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CigvITV.exe
PID 2576 wrote to memory of 2800	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CigvITV.exe
PID 2576 wrote to memory of 2800	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CigvITV.exe
PID 2576 wrote to memory of 1984	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	oZHPImU.exe
PID 2576 wrote to memory of 1984	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	oZHPImU.exe
PID 2576 wrote to memory of 1984	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	oZHPImU.exe
PID 2576 wrote to memory of 2664	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	yThYHPR.exe
PID 2576 wrote to memory of 2664	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	yThYHPR.exe
PID 2576 wrote to memory of 2664	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	yThYHPR.exe
PID 2576 wrote to memory of 2604	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ZfHxpHG.exe
PID 2576 wrote to memory of 2604	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ZfHxpHG.exe
PID 2576 wrote to memory of 2604	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ZfHxpHG.exe
PID 2576 wrote to memory of 2640	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	qCqUIIg.exe
PID 2576 wrote to memory of 2640	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	qCqUIIg.exe
PID 2576 wrote to memory of 2640	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	qCqUIIg.exe
PID 2576 wrote to memory of 2732	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	apUkdoz.exe
PID 2576 wrote to memory of 2732	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	apUkdoz.exe
PID 2576 wrote to memory of 2732	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	apUkdoz.exe
PID 2576 wrote to memory of 2660	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	RdTklmc.exe
PID 2576 wrote to memory of 2660	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	RdTklmc.exe
PID 2576 wrote to memory of 2660	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	RdTklmc.exe
PID 2576 wrote to memory of 1972	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	UqzmZeT.exe
PID 2576 wrote to memory of 1972	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	UqzmZeT.exe
PID 2576 wrote to memory of 1972	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	UqzmZeT.exe
PID 2576 wrote to memory of 1316	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	MeRMnXW.exe
PID 2576 wrote to memory of 1316	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	MeRMnXW.exe
PID 2576 wrote to memory of 1316	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	MeRMnXW.exe
PID 2576 wrote to memory of 748	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	YwMCcFL.exe
PID 2576 wrote to memory of 748	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	YwMCcFL.exe
PID 2576 wrote to memory of 748	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	YwMCcFL.exe
PID 2576 wrote to memory of 2968	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ejSaORh.exe
PID 2576 wrote to memory of 2968	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ejSaORh.exe
PID 2576 wrote to memory of 2968	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	ejSaORh.exe
PID 2576 wrote to memory of 2016	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CvgetYz.exe
PID 2576 wrote to memory of 2016	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CvgetYz.exe
PID 2576 wrote to memory of 2016	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	CvgetYz.exe
PID 2576 wrote to memory of 848	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	SYyAbIU.exe
PID 2576 wrote to memory of 848	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	SYyAbIU.exe
PID 2576 wrote to memory of 848	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	SYyAbIU.exe
PID 2576 wrote to memory of 1340	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	AdUcraC.exe
PID 2576 wrote to memory of 1340	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	AdUcraC.exe
PID 2576 wrote to memory of 1340	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	AdUcraC.exe
PID 2576 wrote to memory of 1896	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sLeRbkK.exe
PID 2576 wrote to memory of 1896	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sLeRbkK.exe
PID 2576 wrote to memory of 1896	2576	2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe	sLeRbkK.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_873565007998c3a95a3e12bbca689002_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\System\dUTkATI.exe
C:\Windows\System\dUTkATI.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\wboWgRZ.exe
C:\Windows\System\wboWgRZ.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\System\dQWNSFB.exe
C:\Windows\System\dQWNSFB.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\QHCHbwW.exe
C:\Windows\System\QHCHbwW.exe
2⤵
- Executes dropped EXE
PID:2720

C:\Windows\System\sTwbLmX.exe
C:\Windows\System\sTwbLmX.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\System\STvpnJT.exe
C:\Windows\System\STvpnJT.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\CigvITV.exe
C:\Windows\System\CigvITV.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System\oZHPImU.exe
C:\Windows\System\oZHPImU.exe
2⤵
- Executes dropped EXE
PID:1984

C:\Windows\System\yThYHPR.exe
C:\Windows\System\yThYHPR.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\ZfHxpHG.exe
C:\Windows\System\ZfHxpHG.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\qCqUIIg.exe
C:\Windows\System\qCqUIIg.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\apUkdoz.exe
C:\Windows\System\apUkdoz.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Windows\System\RdTklmc.exe
C:\Windows\System\RdTklmc.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\UqzmZeT.exe
C:\Windows\System\UqzmZeT.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\MeRMnXW.exe
C:\Windows\System\MeRMnXW.exe
2⤵
- Executes dropped EXE
PID:1316

C:\Windows\System\YwMCcFL.exe
C:\Windows\System\YwMCcFL.exe
2⤵
- Executes dropped EXE
PID:748

C:\Windows\System\ejSaORh.exe
C:\Windows\System\ejSaORh.exe
2⤵
- Executes dropped EXE
PID:2968

C:\Windows\System\CvgetYz.exe
C:\Windows\System\CvgetYz.exe
2⤵
- Executes dropped EXE
PID:2016

C:\Windows\System\SYyAbIU.exe
C:\Windows\System\SYyAbIU.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\AdUcraC.exe
C:\Windows\System\AdUcraC.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Windows\System\sLeRbkK.exe
C:\Windows\System\sLeRbkK.exe
2⤵
- Executes dropped EXE
PID:1896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CigvITV.exe

Filesize
5.9MB

MD5
530095030cab2652ff67af24747d3578

SHA1
7da68ee20c187689295696a161d83a94f7c165a0

SHA256
bac2810b25dec511d195cc808cf109180ef88f2fa85ac357c025bd2f87e22271

SHA512
c9b0a18757de241423ec22fea6a2d161dc6627d9240f0b6bb85f7ffa855c9026b5817bdf903f350e8a5b2dcd50a5c681c21984d8e39ed5f3eef5b3fbfce76519

Download Submit
C:\Windows\system\MeRMnXW.exe

Filesize
5.9MB

MD5
b14f6b26308095651d9dca9a9a770f2d

SHA1
fd2987bf56fef309e8d755818cf2686353c94724

SHA256
d6a1506e7e19e3a5551ef2614a06f1a7b21bbfd73e064637ef517cbd1afe617c

SHA512
be7920cf3d4f6a8b838f8eabd9e1e7891e930668c2412fa4f4b1f472e9fa7f3f0b5e80e159bc7b9450ab6ab6fd7075ca37cd7a98a06d757720a5d77b2e60254f

Download Submit
C:\Windows\system\QHCHbwW.exe

Filesize
5.9MB

MD5
07e8ce40ee510d754abd83db7e64eedd

SHA1
001170af8e1954f10be56021f724b4b341223df4

SHA256
3d579e178fd3cfdbf7fe4bbe5e7ad0913b7d8b3b309e6a640d7d36702e976c8b

SHA512
4f868890e2eb352e9ff13eefb4a2e840549da3501c7d73780f9117da32ee2d4a12f729471452a9649e8dffdf48f771fb010a097bfa5fa350cb092ae5cc22c89d

Download Submit
C:\Windows\system\RdTklmc.exe

Filesize
5.9MB

MD5
4f211332e0f212ce7d4a605e080eaf5b

SHA1
69cc439222de9573345f58310dad2042c35cfe44

SHA256
32db2a414b500861e3309195e9602d0b88f8a260952c6e175badab62860a835b

SHA512
81a43dc617d692b9db3c863de7fa16a26323a43cf427e8162505e4a12d375530abdbcff29308cdf094176cf88cf24dcfc84851be4b01cf70f134983c95ad2988

Download Submit
C:\Windows\system\SYyAbIU.exe

Filesize
5.9MB

MD5
8d309787fdba1806a9870830c2d5b792

SHA1
010e33de18b39f4ac1356fa3ed70b9f863b3ae7c

SHA256
4f5d7553a38e5787c46859776bd2e65d0591b2ff0f0c8c110b85219de55cbd93

SHA512
571cb8f300739f00cc3a158bb01e2bb25c86398bc2a6f3c09dcb1542632c8a3b05714a225103f8e52d68bf9dd50788ca92d5e7bd4348f0782b854caaf1fe7ea1

Download Submit
C:\Windows\system\dUTkATI.exe

Filesize
5.9MB

MD5
6dac81ae63c391eb200378f2bd14413a

SHA1
88f52c42f105132573052f98aa04114b13478235

SHA256
076579ab4e16e563a12313de6afef1dd1a55cfabedb0409ba53824034230548b

SHA512
906e443e19e9fb4bbf1920a5fbbdf8b77c450730ae33799f7ce0aba4ef884bdf8c4e611b1c5bc0792d53a46ab3f60decd099a6082a69c0f14cf9e7c30c66f69d

Download Submit
C:\Windows\system\ejSaORh.exe

Filesize
5.9MB

MD5
8c1ece2d745bc4ddbd4aa3ec3d6dd692

SHA1
7145a9b20759e2596e8f472ebd677d1b534d9301

SHA256
af84d4922e3d333321ce6ad885cb126dfe43a17da33bc5a3b752f3efa82c6887

SHA512
19b49322c51903637a07b4ba70812f2a550b6cdca3dca7a7af484dff2e56377fcac50b98f612b3061024c2ab07c247236df41542227a813da9713a3fa514e6ef

Download Submit
C:\Windows\system\oZHPImU.exe

Filesize
5.9MB

MD5
b426ab02cc2b0963820db43aefa436f0

SHA1
a7ffafb080cae5d07bdead943ea27410a3d1d785

SHA256
3cbdd509803c86904ab70fbeaec235a6cb755ba61280077ff382206b025293a2

SHA512
ebce341a69e85020f99b11e2cb1ca84202044bc999033aaa8eb754849ba8c926284184ede3831325698928d98c2e08dc73c48884d98a04e7b64f1af99905d061

Download Submit
C:\Windows\system\qCqUIIg.exe

Filesize
5.9MB

MD5
9ce7282381363c3309411082f702a4f9

SHA1
dcb38569d0e62a73adbae836c75b4b2d23a444ef

SHA256
d6c9e9c6e4b8d80daab394fe020577ce359511595b2361bbd2f81e94f4c379eb

SHA512
2a8d1675414bba1058fbba1fd1d7eb01587cd59397f92c379440e3a15f064a58d52b86ad39a248120c1491fb0877a99d1c51de9c69d43295b2504b5e2b5842a1

Download Submit
C:\Windows\system\sLeRbkK.exe

Filesize
5.9MB

MD5
ba0b70016e23c26b4ed7730c5448b229

SHA1
4f04592ae212cf9084a8488c5e65bd7a2ccb56bc

SHA256
240972ae67ef3a138bb11ab65a0fb036faa62a57f16264d7ad507e3bb4b915f8

SHA512
467f170f69bd504f944ce83f46e919b46317a3cab2f58b51a9789bec8bcc9765eb9f912149fd11d3a69b7ecb93b30ed3e644bee47a7adf3beaef307964d27a7e

Download Submit
C:\Windows\system\sTwbLmX.exe

Filesize
5.9MB

MD5
76d7501da80f4b83e7b6331f76096840

SHA1
ab6f6af1f979b665123fcfc3c0f9b0428fddb666

SHA256
09830ffba3411f2b32e15c41e0b7b25389caee23cf37f99ef526ff30e1c4ca0a

SHA512
7b98aa59651d3b60d64c87696cc69107c2b776291f7b610b10a12ad07c33808fd7de5d113566ae2b447ac77584817c4f68dd6afdce3e8724851ada9c349645e4

Download Submit
C:\Windows\system\wboWgRZ.exe

Filesize
5.9MB

MD5
ed972d3a2d4799d657b92443f827edf8

SHA1
13a4dc3c6c70b34ff06c867816e1efb8cffed1f6

SHA256
21a3ec49cb75336f07475a0b16ffb4cd194387e02ee69a691925a0d6182462d5

SHA512
a8551a005243c6e14238b5ef90013ce46f8744976de9109ce6ecf5862fce39fddb8a9bd02820c15223d7d51050c83519dfaa62b653cf9fe8b0bfea3f3287762a

Download Submit
C:\Windows\system\yThYHPR.exe

Filesize
5.9MB

MD5
bff194c56b7ab54dabc875c4766133ac

SHA1
e84fbef6a9ea98975d34ef67f7556844a593e9c8

SHA256
ba258e80e807c40886969ad25d96c92b4091f639ad2c3fd49d7742ec207c564f

SHA512
8114367fbba95882ed6996711279bc6cb0feef491c2f1b9ce3dd0024c4d3f010f01a404276602ec2d6ba03482d925bdaffde826b3ec4946e8d3104bfca6dbc4a

Download Submit
\Windows\system\AdUcraC.exe

Filesize
5.9MB

MD5
70889304287465973f28599f5e9a4e53

SHA1
6a08403c94d6f4d29c63babf4b7772e244eda919

SHA256
15bd7cb7227e1749bc66a1c59718359f18a4b41e64d2a590356424d640e2a817

SHA512
eccea4d034b5596b0407d94dbf1bf42783d0ab7fec6d3ce2c750b4f8d3685386f16aa2f046fc9e5ddd44a1ff2fe7c4471dfb9533fddb4eab5906649459ef2009

Download Submit
\Windows\system\CvgetYz.exe

Filesize
5.9MB

MD5
657a7a646cf2b93dac3cdfa8c92bd37c

SHA1
2c2dc00e8c40365a912d9d7f743310d53b4b42a3

SHA256
6a474aa395987531a86967d1c61aab028808e36055471c5722ec40d7f11638bf

SHA512
f01156ef2f78a74c97d955aaaed849d9e63a6888a29c4ed02af8743df90cbb7c1a14806e03423df4e01031e2b194dba7f491624c4f6abc70f084f792f0af9c56

Download Submit
\Windows\system\STvpnJT.exe

Filesize
5.9MB

MD5
6ed47874804411dfb701fbce24672ab2

SHA1
6cc06e61ac7e89e764daf910583478c8878a28a3

SHA256
437cbbeca14df934e90a4f579b2797405cff4d6141d99ce082bfcd769b653325

SHA512
443d892d54632e8548bcfe01d3bb94732272505321f70262d16b37181b48cbf1e2ad959c1a9014d11478941915e8822e23c2fed9a0cf679eedd15600904c1e5e

Download Submit
\Windows\system\UqzmZeT.exe

Filesize
5.9MB

MD5
f87a883dc2a9b72970bf22396049e0ba

SHA1
acb3a5cafc7eb3d8032cb5b01fe47865a9fdb1cb

SHA256
5ca31a1842b3909091f2b0ef2f20fa5ac0d623233265cbe23a35dbeaf74cdcfc

SHA512
6f446bc28f7d73fbe77756193a6110266e5b16fb3c59515ff4a59a8affed80eeee6ff689f41e96a44fca70324d3cb77c648041dd1d5130900a10c51fcd7d5360

Download Submit
\Windows\system\YwMCcFL.exe

Filesize
5.9MB

MD5
4d3733824a7d4c7df1b7b38a07d485d5

SHA1
ab86e8e03119a04bb41ede317e49a9a7107ae72b

SHA256
5d8e35adf42c47c9e528c834fd57ebc827b405da31959894894b44d55dfb8fcf

SHA512
11aa95f28b5ffe1983e29766c89931f1cc8b816a392c01cb255b85bd2c0cdc769f0b3d04a56ee49fd0c52ca5e4b6706073eabb5c2295fca9267ab59c9f5ddd57

Download Submit
\Windows\system\ZfHxpHG.exe

Filesize
5.9MB

MD5
86f4a1c52c8699adee78ba430eafebd1

SHA1
59ef40f935a883ba290ecbcde4b6f6082aa1285b

SHA256
3a6a4d1c28070a9f7eaab142527ac68fba782141c0730c4c78e2df041dff06e3

SHA512
41bdb53f1736cdfafd76f3f44c8992920445967b8570295e19d1c2ae2d36db785e72f8a21917ccbd49920238529c9b45a7153753f08a4fa5a7c852e7103f3da9

Download Submit
\Windows\system\apUkdoz.exe

Filesize
5.9MB

MD5
9bd29b6a6fac96e1c1a2ca1dc6f5a88d

SHA1
9bd582e183505e12bd3dc6ade77108243625f8f7

SHA256
16d7a14568263d1b7fda6b677ef7593e076ab6e1285902daba48a894f1c19abe

SHA512
b8c9178395d1038eb7b40004b512dc64b5517682786b074e89e3e982019946530fb16d76272efe7a8773dbada7487a30751f0a0a58cc4327939dbf5d2985e03e

Download Submit
\Windows\system\dQWNSFB.exe

Filesize
5.9MB

MD5
85c1ed299e45e647691a14249a2d3e92

SHA1
bdab500fa13059e8d0d32f1da4ba2a889d6f0108

SHA256
e9d588a4cce4a0d56628a1cc73f4198cfabe9dbd467eabc771736efeeccf539f

SHA512
26b3dd1c6e763b4056266fa6abd75f626e318654fd9f3521e48f4c7c20f311d8b1b9d37ad96b3bf7d219f4f1f7451fa1ec91c8b84d7e0ca7c0b63d37be24e01e

Download Submit
memory/1316-116-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/1316-150-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-142-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/1872-21-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/1984-107-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/1984-148-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2124-141-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2124-19-0x000000013FAC0000-0x000000013FE14000-memory.dmp

Filesize
3.3MB

Download
memory/2272-119-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-140-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2272-18-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-113-0x000000013F2C0000-0x000000013F614000-memory.dmp

Filesize
3.3MB

Download
memory/2576-138-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2576-0-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2576-112-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2576-117-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2576-22-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-93-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-120-0x000000013F960000-0x000000013FCB4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-89-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2576-83-0x000000013F340000-0x000000013F694000-memory.dmp

Filesize
3.3MB

Download
memory/2576-38-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-35-0x0000000002370000-0x00000000026C4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-27-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-20-0x000000013F5C0000-0x000000013F914000-memory.dmp

Filesize
3.3MB

Download
memory/2576-57-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2576-122-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-114-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/2576-54-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2576-139-0x000000013F750000-0x000000013FAA4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-121-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2640-149-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2660-115-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-151-0x000000013FCA0000-0x000000013FFF4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-118-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2664-147-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2720-136-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-143-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2720-28-0x000000013FA80000-0x000000013FDD4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-145-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-41-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2768-137-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2800-146-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2800-74-0x000000013F5B0000-0x000000013F904000-memory.dmp

Filesize
3.3MB

Download
memory/2840-36-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download
memory/2840-144-0x000000013FF70000-0x00000001402C4000-memory.dmp

Filesize
3.3MB

Download