cobaltstrike | 60b57b4b161faa5bdde560756c8855a6a1bcae122fd1859131b9c93acce8c7f1

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

64bd96235d45e802567ae4a24a0641ee
SHA1

720781fe0b4581cc94f4059430edb2df4741276f
SHA256

60b57b4b161faa5bdde560756c8855a6a1bcae122fd1859131b9c93acce8c7f1
SHA512

184a6bf927ad1bd097bd84ef5998bf5af9d5ca3635d5aa3b0a758a2fe3ca34d9145798cad336210044bb729016fd502b60d640fce53d22a17ead8ffe829b6229
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lU4

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fb-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017342-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018741-40.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d1-62.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019219-91.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191cf-110.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019329-130.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019369-123.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191df-115.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001921d-103.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000017355-87.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019214-84.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191ad-58.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001919c-48.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019345-120.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019232-109.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f8-77.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016f45-23.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017349-39.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d71-29.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d49-12.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2560-73-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2632-35-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/1672-67-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/1300-134-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2732-49-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2336-136-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/1540-101-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1540-74-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2492-139-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/1932-47-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2636-21-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2664-141-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/1592-142-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/1540-143-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2144-147-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2672-159-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/480-165-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2676-166-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/1896-164-0x000000013F640000-0x000000013F991000-memory.dmp	xmrig
behavioral1/memory/2844-163-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/944-161-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2784-157-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2824-155-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/352-162-0x000000013FFB0000-0x0000000140301000-memory.dmp	xmrig
behavioral1/memory/1540-167-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1300-231-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2636-230-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2632-233-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2732-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/1932-239-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/1672-241-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2336-236-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2560-243-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2492-245-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2664-250-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2144-248-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/1592-256-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/2676-258-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1300	bzohpDJ.exe
2636	HmeQpNi.exe
2632	LdbkHSF.exe
2336	sOUdduI.exe
1932	uDKGSqa.exe
2732	tDjEtCX.exe
1672	MYJihaU.exe
2560	jxmVDvU.exe
2492	VFTrEMt.exe
2664	mfEHWoA.exe
1592	pijXNYh.exe
2144	oSLqdjN.exe
2676	SZWkLur.exe
352	WQxROdT.exe
2824	sKAdlap.exe
2784	mKmvWNR.exe
1896	nKxyTSm.exe
2672	UGMIEFS.exe
944	cbIgRsm.exe
2844	loHqYpi.exe
480	GCEXwoc.exe

Loads dropped DLL 21 IoCs

pid	Process
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1540-0-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/files/0x00080000000120fb-3.dat	upx
behavioral1/memory/1300-10-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/files/0x0007000000017342-22.dat	upx
behavioral1/files/0x0007000000018741-40.dat	upx
behavioral1/files/0x00050000000191d1-62.dat	upx
behavioral1/memory/2560-73-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2492-78-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2664-83-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/files/0x0005000000019219-91.dat	upx
behavioral1/memory/2144-95-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2676-102-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/files/0x00050000000191cf-110.dat	upx
behavioral1/memory/2632-35-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/files/0x0005000000019329-130.dat	upx
behavioral1/files/0x0005000000019369-123.dat	upx
behavioral1/files/0x00050000000191df-115.dat	upx
behavioral1/files/0x000500000001921d-103.dat	upx
behavioral1/memory/1592-88-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/files/0x0009000000017355-87.dat	upx
behavioral1/files/0x0005000000019214-84.dat	upx
behavioral1/memory/1672-67-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/1300-134-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/files/0x00050000000191ad-58.dat	upx
behavioral1/memory/2732-49-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/files/0x000500000001919c-48.dat	upx
behavioral1/files/0x0005000000019345-120.dat	upx
behavioral1/files/0x0005000000019232-109.dat	upx
behavioral1/memory/2336-136-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/1540-101-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/files/0x00050000000191f8-77.dat	upx
behavioral1/memory/2492-139-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/files/0x0007000000016f45-23.dat	upx
behavioral1/memory/1932-47-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2336-41-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/files/0x0007000000017349-39.dat	upx
behavioral1/files/0x0008000000016d71-29.dat	upx
behavioral1/files/0x0008000000016d49-12.dat	upx
behavioral1/memory/2636-21-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2664-141-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/1592-142-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/1540-143-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2144-147-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2672-159-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/480-165-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2676-166-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/1896-164-0x000000013F640000-0x000000013F991000-memory.dmp	upx
behavioral1/memory/2844-163-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/944-161-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2784-157-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2824-155-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/352-162-0x000000013FFB0000-0x0000000140301000-memory.dmp	upx
behavioral1/memory/1540-167-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/1300-231-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/2636-230-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2632-233-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2732-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/1932-239-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/1672-241-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2336-236-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2560-243-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2492-245-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2664-250-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2144-248-0x000000013F320000-0x000000013F671000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\mfEHWoA.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cbIgRsm.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzohpDJ.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HmeQpNi.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MYJihaU.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VFTrEMt.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKmvWNR.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOUdduI.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pijXNYh.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDjEtCX.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nKxyTSm.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSLqdjN.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WQxROdT.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GCEXwoc.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LdbkHSF.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uDKGSqa.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxmVDvU.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKAdlap.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UGMIEFS.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SZWkLur.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loHqYpi.exe	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 1300	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1540 wrote to memory of 1300	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1540 wrote to memory of 1300	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1540 wrote to memory of 2636	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1540 wrote to memory of 2636	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1540 wrote to memory of 2636	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1540 wrote to memory of 2336	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1540 wrote to memory of 2336	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1540 wrote to memory of 2336	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1540 wrote to memory of 2632	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1540 wrote to memory of 2632	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1540 wrote to memory of 2632	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1540 wrote to memory of 1672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1540 wrote to memory of 1672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1540 wrote to memory of 1672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1540 wrote to memory of 1932	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1540 wrote to memory of 1932	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1540 wrote to memory of 1932	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1540 wrote to memory of 1592	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1540 wrote to memory of 1592	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1540 wrote to memory of 1592	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1540 wrote to memory of 2732	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1540 wrote to memory of 2732	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1540 wrote to memory of 2732	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1540 wrote to memory of 2676	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1540 wrote to memory of 2676	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1540 wrote to memory of 2676	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1540 wrote to memory of 2560	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1540 wrote to memory of 2560	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1540 wrote to memory of 2560	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1540 wrote to memory of 2824	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1540 wrote to memory of 2824	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1540 wrote to memory of 2824	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1540 wrote to memory of 2492	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1540 wrote to memory of 2492	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1540 wrote to memory of 2492	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1540 wrote to memory of 2784	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1540 wrote to memory of 2784	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1540 wrote to memory of 2784	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1540 wrote to memory of 2664	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1540 wrote to memory of 2664	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1540 wrote to memory of 2664	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1540 wrote to memory of 2672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1540 wrote to memory of 2672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1540 wrote to memory of 2672	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1540 wrote to memory of 2144	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1540 wrote to memory of 2144	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1540 wrote to memory of 2144	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1540 wrote to memory of 944	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1540 wrote to memory of 944	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1540 wrote to memory of 944	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1540 wrote to memory of 352	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1540 wrote to memory of 352	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1540 wrote to memory of 352	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1540 wrote to memory of 2844	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1540 wrote to memory of 2844	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1540 wrote to memory of 2844	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1540 wrote to memory of 1896	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1540 wrote to memory of 1896	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1540 wrote to memory of 1896	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1540 wrote to memory of 480	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1540 wrote to memory of 480	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1540 wrote to memory of 480	1540	2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-11_64bd96235d45e802567ae4a24a0641ee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\System\bzohpDJ.exe
  C:\Windows\System\bzohpDJ.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\HmeQpNi.exe
  C:\Windows\System\HmeQpNi.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\sOUdduI.exe
  C:\Windows\System\sOUdduI.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\LdbkHSF.exe
  C:\Windows\System\LdbkHSF.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\MYJihaU.exe
  C:\Windows\System\MYJihaU.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\uDKGSqa.exe
  C:\Windows\System\uDKGSqa.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\pijXNYh.exe
  C:\Windows\System\pijXNYh.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\tDjEtCX.exe
  C:\Windows\System\tDjEtCX.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\SZWkLur.exe
  C:\Windows\System\SZWkLur.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\jxmVDvU.exe
  C:\Windows\System\jxmVDvU.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\sKAdlap.exe
  C:\Windows\System\sKAdlap.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\VFTrEMt.exe
  C:\Windows\System\VFTrEMt.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\mKmvWNR.exe
  C:\Windows\System\mKmvWNR.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\mfEHWoA.exe
  C:\Windows\System\mfEHWoA.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\UGMIEFS.exe
  C:\Windows\System\UGMIEFS.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\oSLqdjN.exe
  C:\Windows\System\oSLqdjN.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\cbIgRsm.exe
  C:\Windows\System\cbIgRsm.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\WQxROdT.exe
  C:\Windows\System\WQxROdT.exe
  2⤵
  - Executes dropped EXE
  PID:352
- C:\Windows\System\loHqYpi.exe
  C:\Windows\System\loHqYpi.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\nKxyTSm.exe
  C:\Windows\System\nKxyTSm.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\GCEXwoc.exe
  C:\Windows\System\GCEXwoc.exe
  2⤵
  - Executes dropped EXE
  PID:480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HmeQpNi.exe

Filesize
5.2MB

MD5
b6919cf9bb4f8b256127e5387bcc7262

SHA1
6189686eb40d2f10d1557ce27b958ab9dca9ec7f

SHA256
0b97c5bff361b98577e457db7a2981ed35eca9dd954fd498ef591a9853061013

SHA512
8f90a183bdaefbe7875787b53dadaf6b0030801709ca2df634e6c751d96c56c98b16f12950ba2abcb23c400c134e8cf022ee05474116bab1b1593703a635a21d

Download Submit
C:\Windows\system\LdbkHSF.exe

Filesize
5.2MB

MD5
07144d0c731063bfb86039c2c002392c

SHA1
8a03a8483525bd3f144050c2c314c94b47104c89

SHA256
04a5539cf16c373c57a8ba7a2e2e26fa987ebaa1122800d537afce03347a6f4a

SHA512
f568e40262e9100ded03ab1a8690c10787696459119c567804f8929b75d3ce182804406bcad757273b9354b555106067ceb9cad3bf04bbae0d452dd6f0a18231

Download Submit
C:\Windows\system\WQxROdT.exe

Filesize
5.2MB

MD5
5089daa9d7012c2efc4420a97182f46f

SHA1
78b738ab75b7be098259cd0eae5bd3ef1b349a8f

SHA256
f6b0fbbb24af281bc54e392d5acb17d49501b19a2ff8abcd1ff54ef4d49fe59b

SHA512
5ab6b7c1c0f58fc6300cee56c30e57953486f22a9ea951bfb7a5104673264c0bd2bb984fc6e58e55e001b090e0789c3fcddd7da2ca20f6818846cddd93c4e829

Download Submit
C:\Windows\system\jxmVDvU.exe

Filesize
5.2MB

MD5
f8f5d288cacee44c9c9731387c7b0ffe

SHA1
5dca3c146657735cc14464c497af0a08f1c185d1

SHA256
f14031e86fbfcf9c5d25ba5adc6c3d5b85c9bbb02264fa465bf39d75e7980d2b

SHA512
1a4c981808b46f986b7a03ed2dc2b6ac7012ca24d634973890604a75bd9cbff80af6f073489b459a9eb4e837dd888b38a615c5758e12de2ce6a9c7bf0d031faa

Download Submit
C:\Windows\system\loHqYpi.exe

Filesize
5.2MB

MD5
a14b6ad5ce7d6da76bab2a877414ff97

SHA1
c5a169a95e739d787ba1b3144ec124caeb964d44

SHA256
dc30356105f3f6f8abd196e3f3d847cccc9cec5b6004c32e691e458788b23e2b

SHA512
e475f6cd55cb767264728d56145d28d9e1d3e170d2c5c0dea4e4b34439edbe89354057ea511638400e9287b1d37366cb23fe883f394ca8ef5c6251d37945c69e

Download Submit
C:\Windows\system\mKmvWNR.exe

Filesize
5.2MB

MD5
ea38a44514d6231e444030aaa5630744

SHA1
f347f45fba3a7377c6bc454d11330663fa36a21b

SHA256
f50c08398b7e3f239643dbca432bfd697a33e515ce53f6b90305deaad1c204a7

SHA512
8c1e428b05e7585861188c81b46d9035f07981af537c0c8ce519d794912d24a67f501b9c201da56e10747817df839d4592d3e0593d72fd7a0561f28d3678039b

Download Submit
C:\Windows\system\mfEHWoA.exe

Filesize
5.2MB

MD5
ebf8f540f1bee80aac9e6ee42304552e

SHA1
39053fdebff7fe37c1d0b7abdd91ceb746d4e482

SHA256
b01974fb7f8fe8c37ce56ad88d6d2268676f34d51ff95160c8f4e2789831b0f4

SHA512
8cb79e4449aace6a118cf7958390c73ba2e4304b704e07425fcca364aa02946adad31634a069620ba4d324eeb0663acf38a5dd204863650c871560aba2cdc4ab

Download Submit
C:\Windows\system\nKxyTSm.exe

Filesize
5.2MB

MD5
9cf9090e1bb9f7f57ebc71c0b0d3ef1e

SHA1
0f1545a8922c722e92cae37a63aaed07a1062287

SHA256
d6940509ee4bd8473ea8c21143554982bc039c715a8b2960fd3f7baac4c10cbd

SHA512
ca68bedd16930ced60a9165bcea43331c48addaf1d9c44c8db7839ac3950d42f6f5472806800084f0f274c1b6bf78a14e423af6e067ff301d64381caea87844b

Download Submit
C:\Windows\system\pijXNYh.exe

Filesize
5.2MB

MD5
ea71b70dcb38c4270288af4bcb40ac10

SHA1
92258a2cf27d22089a75efc2ec2847eedee80f74

SHA256
71d73fe7da0475cedc8bda656ac5486b1f4c63603119ad2bc1d0ea52497e7e86

SHA512
2870eceb2af72868d8a9836156861897ecffba135dad5ed9f7b3cc04d37f2b34e3bd153f6500fc2beedfe991a7dadbcfda3fead99f3413013ddac2f27ceade4c

Download Submit
C:\Windows\system\sKAdlap.exe

Filesize
5.2MB

MD5
ac988934051c9cc24b988bfef79f1a81

SHA1
321fee44d931ac796bf0b31532dd85f6e22ea31b

SHA256
db9c0e6d4d7cf2e44f7a4c77498186e37cfd69480f7bde29c4b8f30595a079f4

SHA512
073d928f7d1cfc38fd94a96c70ac1e4b90707241cdc7db32c5c0f117819b1e49c9642cff0e1a1b5aad57b5f771f2898d95015a28843a86a6798662780ceff757

Download Submit
C:\Windows\system\sOUdduI.exe

Filesize
5.2MB

MD5
251aba54dcec2ac08306fa40931c8218

SHA1
067d438cd9da20111905736797dc8263bf4753b4

SHA256
39e34e7cb66be3debd64d3d2abfab66f624b1b6daa14a78771058307d342f2a1

SHA512
6a493fc9c3d83b8ba931ac43015841e7a351dfdf7a17b3df479d0f2896aaf3957bf23105492ec5567c48ee571f73f28e86b197d43b3a32471c4d2b528cb9a774

Download Submit
C:\Windows\system\tDjEtCX.exe

Filesize
5.2MB

MD5
f37103424d71204aadd5f8676f8c242c

SHA1
901ac1de15aaf292aca63606dc15767b9fc96331

SHA256
a4eb5bc97a9e539aa20dbb34cfe7231af51bbe8c656394fad8fe6e8038e3d0fd

SHA512
58cb868ca43649ac3483becb607f014b4c9d08064c61d488a6a14aca2f4bd0464fa009e7124f4addc34614027c6935574fbd9cfb6d040cd56fc34fa0caa13739

Download Submit
C:\Windows\system\uDKGSqa.exe

Filesize
5.2MB

MD5
92520b0b1104c937c77a78a8f99e6d91

SHA1
4746de89623560357a5449c199722a615e51a9c7

SHA256
a33935f434e34a3f0701d4759d0f7b59208ebdc2369ff754508335a17333b50a

SHA512
afa0595c9863e8e62e23fb64457ee407d2ffa1b7bf82ecf5dcf092663513bd5d515902de4680fc0d5f8282bb7203a2a8c450684b074d5c54aac3ed25aa9dd5af

Download Submit
\Windows\system\GCEXwoc.exe

Filesize
5.2MB

MD5
9cf9ca7bf59040df44cfe38e05884a47

SHA1
bf335dce89d72dac9e8cf6fd17c4fe541f5b1786

SHA256
106b9e65ec23ac341222b134a45f35dc3684ada8160ff794425696f4dd6d4986

SHA512
2db6e263b0baaadc2e22966d2ef1334414f6b6c64e0d72bb9f8358d670243c2e698a31e479d865c501fe1a8db5e0d173668a3eaf843d626c835f648d6d8890d5

Download Submit
\Windows\system\MYJihaU.exe

Filesize
5.2MB

MD5
50ce01095ef268a4b4c220a2694cb37d

SHA1
6f4ceae106deb494cf5ec81ca1b884528abdb255

SHA256
32f80a4d5fb7adfb0806ad2ebeb753e6275fe0015f65d008720dec268471763e

SHA512
a970a1fba9fa9a6f1c71f9246d22fc48569c5b4431346a089324bb762e889b537b4c695981d5e898b10ec4aed28757db471148088e38c1a63f07b50b395ea163

Download Submit
\Windows\system\SZWkLur.exe

Filesize
5.2MB

MD5
5d9aeb6558144671fac1ba107cc7c705

SHA1
51af6f9e5052b6ab23aa4ff44c49614caee3ba3c

SHA256
767a583d2b3e12df0b15fb496cbe78fb4bd9ed182101c5ffa4e05bb153604f31

SHA512
8d925f191ba02112f610d0a345cf5e0ee8c39d99d1de6232bc7141a03d10128f376274a803b68590d6bf95dcf3cdedbe0e4763c543d515cdf5f4b601e451c7fa

Download Submit
\Windows\system\UGMIEFS.exe

Filesize
5.2MB

MD5
f51bd4339460f407d19a8477bf30a892

SHA1
da28847e5167eefc0d59c6016cbe31c4a2d22d62

SHA256
d2b1c5f0b468db81524e720979c8482948bc9a9edcb15be29c9bd6b35c2a4cf1

SHA512
9bb82d41e47bef81448016ccb1b2f2f1353c433df152b1302317b7f3598739368eeb2be39214de43465d0052f32534982b2f56660e3ad44b9443215bdf63fe60

Download Submit
\Windows\system\VFTrEMt.exe

Filesize
5.2MB

MD5
0d47535cd4aab9fbc8fe1ca54082fbde

SHA1
e3996dcdd2f307c672cd981790287f477d399ea0

SHA256
0004571da5543207941b6002eb15165154fad4363e32909386580e8f30cbf214

SHA512
bf2dac6c17cb9e8adcf5578ccb2616b83e37d7dd680061685a6fa356b10f8fa001ad90036a22aa6e507ef3523e5e829d25e6170ba08a2f08321501c562bbdd8c

Download Submit
\Windows\system\bzohpDJ.exe

Filesize
5.2MB

MD5
8eb39b39ddd5a24537bdf71b83f4fb95

SHA1
5b5745127644bf885e98b71f862346a39ebf4030

SHA256
88133db5ead860ae6fb03fe96a72537c487193669d841ab840bcab68f146c32b

SHA512
582fbbedb4f7f104fc1ff8064a76144701377e51511241ead80047ff8388a611556fccffca6695236a1d486ee839449310ba3a1c70d32e8037c66fb889cdc224

Download Submit
\Windows\system\cbIgRsm.exe

Filesize
5.2MB

MD5
5ef704a01f0721bdf77d0f1724f24bc2

SHA1
374228855a9b4f231fadda1b5422fcbb4bf49505

SHA256
f4dd06846917824f05e6ad482809da4f0564f8c7c465f77c3b08eeed41b18eb1

SHA512
abbad3d0705b4871a97b3b2ac02f56adf171c0456ac525c46963df1d4caf11737b1ea8810b0156b590f5ed558f043e8b89ce5ff8c183f030c9a511f7bcbd0488

Download Submit
\Windows\system\oSLqdjN.exe

Filesize
5.2MB

MD5
fe38fbb637147cb2b608e2e2aa31247f

SHA1
e9f011b951fdd35159fdae126253615d0b18f617

SHA256
8408c9a1bb3a54f3d13f58bf30ef41b9fd29a1811cbea0937cff26b52ddd1f91

SHA512
6b967aff28cd197670c4efe60a1b725d7fb4ce6d64da6ae57bf7ddc70564b674b11090fd3152de98eedf143e37e62aa8638a410f446b75c9bd27cb31f80366c7

Download Submit
memory/352-162-0x000000013FFB0000-0x0000000140301000-memory.dmp

Filesize
3.3MB

Download
memory/480-165-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/944-161-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1300-10-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-134-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1300-231-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-53-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1540-60-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-167-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-70-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1540-135-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/1540-143-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-101-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-92-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/1540-82-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-81-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-80-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1540-79-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1540-85-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-74-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/1540-0-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-24-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1540-138-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-140-0x00000000021B0000-0x0000000002501000-memory.dmp

Filesize
3.3MB

Download
memory/1540-137-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1540-17-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/1540-45-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/1592-256-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/1592-88-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/1592-142-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/1672-67-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1672-241-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1896-164-0x000000013F640000-0x000000013F991000-memory.dmp

Filesize
3.3MB

Download
memory/1932-239-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1932-47-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-147-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2144-95-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2144-248-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2336-136-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2336-236-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2336-41-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2492-245-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-78-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2492-139-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-243-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2560-73-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2632-35-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-233-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2636-230-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2636-21-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2664-141-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-83-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-250-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-159-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-166-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-102-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-258-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-49-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-237-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-157-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2824-155-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-163-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download