cobaltstrike | 1db2892e336cb6cc05edd56624c908b3c5fac16fa911ec0c920865ed1b56e080

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1186d6539ffc3d6a0a829fc017e61925
SHA1

0c35522eee8f04e7eee57ea26fc7fcc16c10046c
SHA256

1db2892e336cb6cc05edd56624c908b3c5fac16fa911ec0c920865ed1b56e080
SHA512

96009a78993004a66076b4faa4a87cf4c9243d999f7378cd5625a6592db55a77b57b3a7f23b5d582841e6842add4b83cad633bebdbfc87519ca2a16274e7f707
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lw:RWWBibf56utgpPFotBER/mQ32lUM

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012118-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d41-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ec4-30.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001610d-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9f-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ecf-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016de8-117.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dea-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d77-109.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6f-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017049-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d67-85.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df3-121.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6b-94.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d54-74.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d43-62.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f7b-48.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f25-38.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d81-20.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d59-11.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2620-8-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1716-52-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2628-68-0x0000000002340000-0x0000000002691000-memory.dmp	xmrig
behavioral1/memory/844-90-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2700-141-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2948-91-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2720-89-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/2628-88-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2768-87-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2680-144-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/316-146-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/2628-147-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2536-76-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2840-59-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2628-169-0x0000000002340000-0x0000000002691000-memory.dmp	xmrig
behavioral1/memory/808-168-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/468-167-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1700-166-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/840-165-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/320-164-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1036-163-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1252-162-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/1108-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2632-64-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2804-51-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2628-41-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2628-170-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2620-228-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1716-230-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2632-232-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2536-234-0x000000013F9F0000-0x000000013FD41000-memory.dmp	xmrig
behavioral1/memory/2948-236-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2768-238-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2804-240-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2840-242-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2700-244-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2720-248-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/844-250-0x000000013FFF0000-0x0000000140341000-memory.dmp	xmrig
behavioral1/memory/2680-246-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/316-252-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2620	fAJnIiA.exe
1716	lnlPSYH.exe
2632	kFHIdur.exe
2536	wytfNWY.exe
2768	wpSpmYc.exe
2948	tBHgyVV.exe
2804	rODOqTs.exe
2840	LpBnPeT.exe
2700	HDoXTfu.exe
2680	PmAFxhm.exe
2720	LINfpDO.exe
844	HwxUapY.exe
316	FNzKuNi.exe
1252	AWITRAT.exe
320	WLylXZD.exe
1700	QoqRLAc.exe
808	tQajpgz.exe
1108	nUvfIgQ.exe
1036	xIkJCQy.exe
840	NFlPCSN.exe
468	UznBarl.exe

Loads dropped DLL 21 IoCs

pid	Process
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2628-0-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/files/0x0007000000012118-3.dat	upx
behavioral1/memory/2620-8-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/files/0x0008000000015d41-12.dat	upx
behavioral1/memory/1716-14-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/files/0x0007000000015ec4-30.dat	upx
behavioral1/memory/2536-33-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2768-35-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/1716-52-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/files/0x000900000001610d-56.dat	upx
behavioral1/memory/844-90-0x000000013FFF0000-0x0000000140341000-memory.dmp	upx
behavioral1/files/0x0006000000016d9f-106.dat	upx
behavioral1/files/0x0006000000016ecf-123.dat	upx
behavioral1/files/0x0006000000016de8-117.dat	upx
behavioral1/files/0x0006000000016dea-114.dat	upx
behavioral1/files/0x0006000000016d77-109.dat	upx
behavioral1/memory/2700-141-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/files/0x0006000000016d6f-99.dat	upx
behavioral1/memory/2948-91-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/files/0x0006000000017049-130.dat	upx
behavioral1/memory/2720-89-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/2768-87-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2680-144-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/files/0x0006000000016d67-85.dat	upx
behavioral1/files/0x0006000000016d4b-83.dat	upx
behavioral1/files/0x0006000000016df3-121.dat	upx
behavioral1/memory/316-97-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/316-146-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/files/0x0006000000016d6b-94.dat	upx
behavioral1/memory/2628-147-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2680-77-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2536-76-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2840-59-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/808-168-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/468-167-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1700-166-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/840-165-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/320-164-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/1036-163-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/1252-162-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/1108-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/files/0x0006000000016d54-74.dat	upx
behavioral1/memory/2700-72-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2632-64-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/files/0x0008000000016d43-62.dat	upx
behavioral1/memory/2804-51-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2628-41-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2948-40-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/files/0x0007000000015f7b-48.dat	upx
behavioral1/files/0x0007000000015f25-38.dat	upx
behavioral1/files/0x0008000000015d81-20.dat	upx
behavioral1/files/0x0008000000015d59-11.dat	upx
behavioral1/memory/2632-28-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2628-170-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2620-228-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/1716-230-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2632-232-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2536-234-0x000000013F9F0000-0x000000013FD41000-memory.dmp	upx
behavioral1/memory/2948-236-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2768-238-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2804-240-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2840-242-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2700-244-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2720-248-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\QoqRLAc.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBHgyVV.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HwxUapY.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WLylXZD.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AWITRAT.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HDoXTfu.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PmAFxhm.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNzKuNi.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nUvfIgQ.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xIkJCQy.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lnlPSYH.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kFHIdur.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wpSpmYc.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LpBnPeT.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LINfpDO.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NFlPCSN.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UznBarl.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tQajpgz.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fAJnIiA.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wytfNWY.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rODOqTs.exe	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2620	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2628 wrote to memory of 2620	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2628 wrote to memory of 2620	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2628 wrote to memory of 1716	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2628 wrote to memory of 1716	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2628 wrote to memory of 1716	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2628 wrote to memory of 2632	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2628 wrote to memory of 2632	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2628 wrote to memory of 2632	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2628 wrote to memory of 2768	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2628 wrote to memory of 2768	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2628 wrote to memory of 2768	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2628 wrote to memory of 2536	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2628 wrote to memory of 2536	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2628 wrote to memory of 2536	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2628 wrote to memory of 2948	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2628 wrote to memory of 2948	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2628 wrote to memory of 2948	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2628 wrote to memory of 2804	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2628 wrote to memory of 2804	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2628 wrote to memory of 2804	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2628 wrote to memory of 2840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2628 wrote to memory of 2840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2628 wrote to memory of 2840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2628 wrote to memory of 2700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2628 wrote to memory of 2700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2628 wrote to memory of 2700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2628 wrote to memory of 2720	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2628 wrote to memory of 2720	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2628 wrote to memory of 2720	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2628 wrote to memory of 2680	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2628 wrote to memory of 2680	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2628 wrote to memory of 2680	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2628 wrote to memory of 844	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2628 wrote to memory of 844	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2628 wrote to memory of 844	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2628 wrote to memory of 316	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2628 wrote to memory of 316	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2628 wrote to memory of 316	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2628 wrote to memory of 1108	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2628 wrote to memory of 1108	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2628 wrote to memory of 1108	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2628 wrote to memory of 1252	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2628 wrote to memory of 1252	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2628 wrote to memory of 1252	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2628 wrote to memory of 1036	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2628 wrote to memory of 1036	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2628 wrote to memory of 1036	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2628 wrote to memory of 320	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2628 wrote to memory of 320	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2628 wrote to memory of 320	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2628 wrote to memory of 840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2628 wrote to memory of 840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2628 wrote to memory of 840	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2628 wrote to memory of 1700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2628 wrote to memory of 1700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2628 wrote to memory of 1700	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2628 wrote to memory of 468	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2628 wrote to memory of 468	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2628 wrote to memory of 468	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2628 wrote to memory of 808	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2628 wrote to memory of 808	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2628 wrote to memory of 808	2628	2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_1186d6539ffc3d6a0a829fc017e61925_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\System\fAJnIiA.exe
  C:\Windows\System\fAJnIiA.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\lnlPSYH.exe
  C:\Windows\System\lnlPSYH.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\kFHIdur.exe
  C:\Windows\System\kFHIdur.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\wpSpmYc.exe
  C:\Windows\System\wpSpmYc.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\wytfNWY.exe
  C:\Windows\System\wytfNWY.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\tBHgyVV.exe
  C:\Windows\System\tBHgyVV.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\rODOqTs.exe
  C:\Windows\System\rODOqTs.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\LpBnPeT.exe
  C:\Windows\System\LpBnPeT.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\HDoXTfu.exe
  C:\Windows\System\HDoXTfu.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\LINfpDO.exe
  C:\Windows\System\LINfpDO.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\PmAFxhm.exe
  C:\Windows\System\PmAFxhm.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\HwxUapY.exe
  C:\Windows\System\HwxUapY.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\FNzKuNi.exe
  C:\Windows\System\FNzKuNi.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\nUvfIgQ.exe
  C:\Windows\System\nUvfIgQ.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\AWITRAT.exe
  C:\Windows\System\AWITRAT.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\xIkJCQy.exe
  C:\Windows\System\xIkJCQy.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\WLylXZD.exe
  C:\Windows\System\WLylXZD.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\NFlPCSN.exe
  C:\Windows\System\NFlPCSN.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\QoqRLAc.exe
  C:\Windows\System\QoqRLAc.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\UznBarl.exe
  C:\Windows\System\UznBarl.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\tQajpgz.exe
  C:\Windows\System\tQajpgz.exe
  2⤵
  - Executes dropped EXE
  PID:808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AWITRAT.exe

Filesize
5.2MB

MD5
05bf22c05b6659e4ae52a619c89f55c7

SHA1
77205d5f92fc7b848577c02ff05456de6b9571fa

SHA256
2ff454a72baa6d17ceffa3b0c332556df2a6b0967ccf61052f1b3ac1d3a5b879

SHA512
2b738e52fac40137bb95c233078f47e494136a37ff9982a86525a81ec2adcc52b234fb1a2fd6a9084e968ceb36b49b03d609b85ae1aabbbebae5e5c2c6102cab

Download Submit
C:\Windows\system\FNzKuNi.exe

Filesize
5.2MB

MD5
d30bc1becb77cfa6505c3160e4562e0a

SHA1
941a7132a16a52e08a4f53dd3f6edbe724f9a21f

SHA256
2b6dbd174a4ecfb277efd547e85893067ec49ee6238d798054c90bd157cae5cc

SHA512
65fb80755a697e4887133b716cfee48c25a5d0a1b58472fd6a005a07209e00d7c9263af06385722b1d4c77ef828e5bd79f606aa6443fcdd308e8b57d202cb78a

Download Submit
C:\Windows\system\HDoXTfu.exe

Filesize
5.2MB

MD5
4f1bb2d795fd6ba64ef40affcfb05044

SHA1
510693b37544e0f8c081487fa7406ecea38a580a

SHA256
6afb876655557eaac1ed0a2075581b9218a1029441ad13cb52a3ef8d9979b957

SHA512
a0928329925b1e330b18c69582da64fe070765943741eedc6856ab6e058a4c3db0c5f59b88cd07f8c0c4a975942086c367bff277a70204372c793a2e5ab3f739

Download Submit
C:\Windows\system\HwxUapY.exe

Filesize
5.2MB

MD5
863b228a27406a0c5b75a72f18ef6693

SHA1
ad1dc767c0c2cbc0645630effabc2de493a647e9

SHA256
65480e7b143c7574115c038abe31564db7b1b355d79152801406042911ede820

SHA512
cae926e28defbba81b063100420a21a2dbb331b7cdcdc379659f59dc9ec4ef7794ea9a68f935e2c7515dff177fb3c14dae19962a941178c0cc78aeb66fd80b11

Download Submit
C:\Windows\system\LINfpDO.exe

Filesize
5.2MB

MD5
609a4fa93bb2427a9eb26de8bc852efc

SHA1
93d177f9309f6b1a42f6c7eb920132872ff338c2

SHA256
3be656a57d872ce8bca28c51167a09b698a6fb70168bbf847abf0b830bd46397

SHA512
337abbb28dcbe9a7144645ceff2e5e502823bcab538b6fec5f0ab284e289e39bc17e6e51b178e9a358e09eddbd7c14bd2df2674727a296f47164387a43fff08d

Download Submit
C:\Windows\system\LpBnPeT.exe

Filesize
5.2MB

MD5
acc224846936b1cfad0f282fe721b424

SHA1
d13c345ad054379778c47d47dee17380876a4b94

SHA256
f8f6408f5ee4271ffd96855e4a9d5240bb2f7155840b85e30eaa56f242a8e76f

SHA512
059b1d86a0f1d039eca585dc316f73d718cef3631be04a05ea2832e0b934ca3e155e4bd870ff98d21f2efd2e23b4c77440fbd3f3589a07fba15affba5a105458

Download Submit
C:\Windows\system\PmAFxhm.exe

Filesize
5.2MB

MD5
730ae65015b2f9b2f18f35d2465c798b

SHA1
445f5e786ecb3b0f4f0507c330757926edaac394

SHA256
6191046fabd37cc7c2edffdc78247ec0c128c45563c69dd9f49f1e61821fb052

SHA512
c16fba05acb1ebe4151417724e698da348d2c929e7960cd0516e410221b5380cb1eabdffdad976b9d4fb8aa416860c02d52e63db85b0695dddce0c20f12b1a38

Download Submit
C:\Windows\system\QoqRLAc.exe

Filesize
5.2MB

MD5
1228ece728f93a03ff85eda1c1097022

SHA1
8b35d2b8d83a2bc0a5174484711c0a9f33b613b8

SHA256
344703073666c49a414736dae26c05724632bd07a25d191cbda13b3ee980e4aa

SHA512
1c14291791bf8ac4aee38b6ee16c1f86fe1156e7dbdc39717582cdce3b8daf8d7e0fda53feb0c377e6ee2ebd7741727222ff0b0960f05725b5b0e98d4562cd4d

Download Submit
C:\Windows\system\WLylXZD.exe

Filesize
5.2MB

MD5
b88b777914f9d82f83316a6fdb4d4a4f

SHA1
e2ed94194764797697d4e10a869119937b17a172

SHA256
b21963cbab1e745949b5d696027903d5a6366300371b37102dced5dd3759d292

SHA512
e8465bf277ccdfd660eb63b0ec297d6bab6a7bffe2013fd81cbc19ec11cf339bbb0674c7bd4c079f2ed971d748dfc48fbc34a96f97549aba1649002e9ba4b785

Download Submit
C:\Windows\system\kFHIdur.exe

Filesize
5.2MB

MD5
b07bb5a9fa2c21a21df3404c7e6a1584

SHA1
67a039ecf52a685bd3ad1ee6706e440e5d00368a

SHA256
ea1178137b3d3bc94db65acde88603683f03f4cf6514ef6c097090e856d5f6b1

SHA512
daa078fbad6064df727c6b317f80531aaf699a8d20de3290911b7cfff79cd7bb7c600b6b64020c6ee8b22cb38aca7754b5fca3b46f13413a0d62664dd1994725

Download Submit
C:\Windows\system\lnlPSYH.exe

Filesize
5.2MB

MD5
f777338764346b184595901f895d8135

SHA1
0668da30395e0c1f7fac094f0b26c34b60d2c2d3

SHA256
9d12fe95447f4ad56be25d3a5cbb20669cfbb894f181f9b62b51950a18e750eb

SHA512
009bd33679ce5921547a7b4e936e0f32a465fd9e112c19a87d356699f52c5bd0897e204f9e1cf91871c9e937fd446b17288651122d3dafc7ea5a94341f4c4c89

Download Submit
C:\Windows\system\rODOqTs.exe

Filesize
5.2MB

MD5
6142ff6b8526f2b15e5820e39c07c302

SHA1
63acede2ff05ba12d5d49a383578bb4432316cdb

SHA256
db0fe316eec73e9476ef571251a5d10a6db85eb9043fdf21a96062438ae06f73

SHA512
98ac0047fbfad191e09623a7ef574deb1855908b0f2eb519c53094576685fbef313d48ebe51ac72ed1fd1f78de177a79dd1bc111c2ee786dd8de73c9072e9c65

Download Submit
C:\Windows\system\tBHgyVV.exe

Filesize
5.2MB

MD5
aab5e6ab008a62049894868d5e1addeb

SHA1
fd9a8fb16417c5ef460b7affbaf45af761aecd0e

SHA256
ac4e67ea3f123c03de62992d428b978227e6c5c4794af060c39a62d9694804b2

SHA512
7e342a7098f8210d9e177467da063e6146c6bc8ed2c05f04735f006db81aa776339f595984cb3e75a9ad7be8ee049bcce140dbe65982de734699f61ea733dc15

Download Submit
C:\Windows\system\tQajpgz.exe

Filesize
5.2MB

MD5
7e11f0cef1ce0574573ad8299be462d4

SHA1
15af1b7152c5f4f69db4a4e55c08bd941564a3a5

SHA256
35ac473f3657722b95e1d3064beac7f0e441f6300e9b42c568794015d5e9df50

SHA512
51d8413ed50027b9a67ae882c21accff19ae411a69390521c6c555b981950bb0e44809b6cb4618f8723639193a2baebdf97ebff2f8be813a67ffc57ba765323a

Download Submit
C:\Windows\system\wytfNWY.exe

Filesize
5.2MB

MD5
1677225b96f2e6c0cd7d3dbf1a8ab940

SHA1
3cbedd1bfad44d23c3284c119c032a3ab97694b5

SHA256
6aae1ee7e9bd8322eec5617f71dae27fd62f8a40037408316592b2247a68b899

SHA512
13215c3bb94086f861c98af046f4e4f3cc26dec0da825b6a3c2af2729ddae41422e8ba82ee5ba260598bdaf3c66452523d2a9d4924e919d0a46f549cc760f229

Download Submit
\Windows\system\NFlPCSN.exe

Filesize
5.2MB

MD5
ea85e98749997fa158e487c064dbfcd8

SHA1
120a199024644938c360d75f2901bc4d0bcb9130

SHA256
5e2971e99fce3f402b8f39add3dd7f46489ae999063e06f0c1f0a19c1bff6331

SHA512
b32fe4df91ef5b5a5a7672ea372cc1a4c74e87462de38596ddc6c35ed40ccd475d815d28d83c4447e2c64e298e1e08192bcff5b896fafac81018336bf29c4e48

Download Submit
\Windows\system\UznBarl.exe

Filesize
5.2MB

MD5
d1548a5a1ed32fb601ec816e1cdb5d32

SHA1
418fd16cd3ba729a92e6081b003967014621bb42

SHA256
1e96cfcb16502d1b89ae34646902f4cb300d849f49dc094dbf29e0aaeb44b31b

SHA512
2a717e6aab34b900af022c0af0c8d2c578832167bfea3be6812c95991174c30f1bdf0b6c7e6749103121bff2bc980958653a5868cb0137f89959285d6fe81891

Download Submit
\Windows\system\fAJnIiA.exe

Filesize
5.2MB

MD5
81566a349baa7b135ce7967c79be8228

SHA1
da4eea1dde77817ba59ee6745395edc3d1b1aee1

SHA256
0fdb2ce5de4d05c849953af27ef7fdf8a21c79e356d16ac60bbba64426f87a09

SHA512
650e8700f1775a52f0ff8e7ba6d5e8e19cea66306c915c04f79a3edf3dd6033cd1851f583f93bd3d6c3d7994d5163f8f9f946663b96b8c705c3c1f8695102522

Download Submit
\Windows\system\nUvfIgQ.exe

Filesize
5.2MB

MD5
5b12959c768fa423ec3f4dc417e07a15

SHA1
1aaccc0987addf62fc3d51df931f5a74bad173d5

SHA256
3cc9083e1cd7f2eb1260ac77cabb895b8a3c7d55e241a20e8acfbd4b1bcae0d8

SHA512
81856d4b96114cee685ec5e0adac71c902dc9bf65987a96349710b6331b197bdd9cd9ccc42d46bce3d33458c669000d2decef4a4dc8c7f6ec679b6705a9b0887

Download Submit
\Windows\system\wpSpmYc.exe

Filesize
5.2MB

MD5
7dd5996c795bd3f375bf000fa656563d

SHA1
9829f697b5f86e6760d490782b85ac1d01e15e2d

SHA256
9084bad23cc9d1d86f72a72120ce0e9b4293edf8cab9578e40ca84d3c780fd94

SHA512
a3369001e57e476491afa148d07e6d3b146748994282b3fa773cdbf9cc4e1625f6d5060db559559bb624acf93ef6742d79c9879f96867033b1321d29fa28d397

Download Submit
\Windows\system\xIkJCQy.exe

Filesize
5.2MB

MD5
4b63ec367458010d5d1df4c684da7f1e

SHA1
2afb1c04a6c7e145693c30706feeed3dd0115c2b

SHA256
4891390b0441c4401b182e5a27541b76993d4945da09d84c4d4d2d1aa87bbb9f

SHA512
f6aeb4adfe31cc6cb2c98b9991fd9fc4a7904a7546d70b3744eb34176ba5427a14a1bfa390b21c90f9b9a90724fba531bcc81c0fd39a459d91af81d1db75e547

Download Submit
memory/316-97-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/316-146-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/316-252-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/320-164-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/468-167-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/808-168-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/840-165-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/844-90-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/844-250-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/1036-163-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-161-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1252-162-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/1700-166-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/1716-52-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1716-230-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1716-14-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2536-76-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2536-234-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2536-33-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2620-228-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2620-8-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2628-147-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-88-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2628-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2628-169-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-0-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-96-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/2628-98-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-105-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-145-0x000000013FFF0000-0x0000000140341000-memory.dmp

Filesize
3.3MB

Download
memory/2628-13-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2628-39-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2628-142-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-58-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2628-75-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-68-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-73-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2628-170-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-26-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-143-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2628-29-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-50-0x0000000002340000-0x0000000002691000-memory.dmp

Filesize
3.3MB

Download
memory/2628-41-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-110-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2628-31-0x000000013F9F0000-0x000000013FD41000-memory.dmp

Filesize
3.3MB

Download
memory/2632-232-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-64-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-28-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-246-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-144-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-77-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-244-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-72-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-141-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-89-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2720-248-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2768-238-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-35-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-87-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-240-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2804-51-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2840-242-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-59-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2948-236-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2948-40-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/2948-91-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download