cobaltstrike | bc05b7c4a9a0e67e08c6361b510e6dcd8f70174ef107eee3165087896089b8f6

Analysis

max time kernel
124s
max time network
135s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

54d076db5f2f657d8a1a4f29582109b1
SHA1

6ae80d3c58ffe03a0c0aac6f1920692665636c4c
SHA256

bc05b7c4a9a0e67e08c6361b510e6dcd8f70174ef107eee3165087896089b8f6
SHA512

d0c3abba9c003d6e8f5bf0f85f50cbc07ad76bec5acc808c50d546d5f3d6db0b4555784b93f36541b3954d0b7a99eb819f09e83cb51282832e11317ac8926d3e
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUF:E+b56utgpPF8u/7F

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000012281-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c66-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c88-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd7-22.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016650-29.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cf5-41.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ecf-50.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017497-62.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017049-72.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001755b-87.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f1-117.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878e-142.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018744-137.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018739-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018704-127.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f4-122.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ed-112.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186e7-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018686-96.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001749c-80.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000016d2a-46.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2092-0-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/files/0x000d000000012281-3.dat	xmrig
behavioral1/files/0x0008000000016c66-11.dat	xmrig
behavioral1/memory/2064-15-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/756-10-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016c88-9.dat	xmrig
behavioral1/memory/2324-20-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016cd7-22.dat	xmrig
behavioral1/memory/2400-27-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2092-30-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/files/0x0009000000016650-29.dat	xmrig
behavioral1/memory/756-32-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016cf5-41.dat	xmrig
behavioral1/files/0x0008000000016ecf-50.dat	xmrig
behavioral1/files/0x0006000000017497-62.dat	xmrig
behavioral1/memory/2400-68-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2908-67-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/files/0x0006000000017049-72.dat	xmrig
behavioral1/memory/2680-88-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x000600000001755b-87.dat	xmrig
behavioral1/files/0x00050000000186f1-117.dat	xmrig
behavioral1/files/0x000500000001878e-142.dat	xmrig
behavioral1/files/0x0005000000018744-137.dat	xmrig
behavioral1/files/0x0005000000018739-132.dat	xmrig
behavioral1/files/0x0005000000018704-127.dat	xmrig
behavioral1/memory/2092-144-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/files/0x00050000000186f4-122.dat	xmrig
behavioral1/memory/2764-145-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/files/0x00050000000186ed-112.dat	xmrig
behavioral1/memory/2804-110-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2052-106-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2908-105-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/files/0x00050000000186e7-104.dat	xmrig
behavioral1/memory/2120-97-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2680-147-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/files/0x0005000000018686-96.dat	xmrig
behavioral1/memory/2784-93-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2092-148-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2764-81-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/files/0x000600000001749c-80.dat	xmrig
behavioral1/memory/2092-78-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2120-149-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/1156-76-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2324-57-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2800-48-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/files/0x000a000000016d2a-46.dat	xmrig
behavioral1/memory/2428-73-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2052-151-0x000000013F2E0000-0x000000013F634000-memory.dmp	xmrig
behavioral1/memory/2804-71-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2784-61-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2064-44-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/1156-40-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/756-153-0x000000013F590000-0x000000013F8E4000-memory.dmp	xmrig
behavioral1/memory/2064-154-0x000000013FC30000-0x000000013FF84000-memory.dmp	xmrig
behavioral1/memory/2324-155-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2400-156-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/1156-157-0x000000013F360000-0x000000013F6B4000-memory.dmp	xmrig
behavioral1/memory/2800-158-0x000000013F400000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2784-159-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2908-160-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/2804-161-0x000000013F850000-0x000000013FBA4000-memory.dmp	xmrig
behavioral1/memory/2764-162-0x000000013F380000-0x000000013F6D4000-memory.dmp	xmrig
behavioral1/memory/2680-163-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2120-164-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
756	dlSyduc.exe
2064	CPqsYaZ.exe
2324	xdyBTUC.exe
2400	ZEjrdGR.exe
1156	KYZZOcX.exe
2800	GmabCvA.exe
2784	WSJNloo.exe
2908	CpvaEnR.exe
2804	YoYWPvL.exe
2428	nRaSGvG.exe
2764	APCXDOw.exe
2680	yCMeJxO.exe
2120	wBVkPYU.exe
2052	sczbdFR.exe
1304	VxOCKvQ.exe
2460	tNhYSta.exe
1632	OPxGlAb.exe
828	VINaJgH.exe
2316	ZmcoAeM.exe
1972	LRAbNWX.exe
1148	EJqpvEG.exe

Loads dropped DLL 21 IoCs

pid	Process
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2092-0-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/files/0x000d000000012281-3.dat	upx
behavioral1/files/0x0008000000016c66-11.dat	upx
behavioral1/memory/2064-15-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/756-10-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/files/0x0007000000016c88-9.dat	upx
behavioral1/memory/2324-20-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/files/0x0007000000016cd7-22.dat	upx
behavioral1/memory/2400-27-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2092-30-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/files/0x0009000000016650-29.dat	upx
behavioral1/memory/756-32-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/files/0x0007000000016cf5-41.dat	upx
behavioral1/files/0x0008000000016ecf-50.dat	upx
behavioral1/files/0x0006000000017497-62.dat	upx
behavioral1/memory/2400-68-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2908-67-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/files/0x0006000000017049-72.dat	upx
behavioral1/memory/2680-88-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x000600000001755b-87.dat	upx
behavioral1/files/0x00050000000186f1-117.dat	upx
behavioral1/files/0x000500000001878e-142.dat	upx
behavioral1/files/0x0005000000018744-137.dat	upx
behavioral1/files/0x0005000000018739-132.dat	upx
behavioral1/files/0x0005000000018704-127.dat	upx
behavioral1/files/0x00050000000186f4-122.dat	upx
behavioral1/memory/2764-145-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/files/0x00050000000186ed-112.dat	upx
behavioral1/memory/2804-110-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2052-106-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2908-105-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/files/0x00050000000186e7-104.dat	upx
behavioral1/memory/2120-97-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2680-147-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/files/0x0005000000018686-96.dat	upx
behavioral1/memory/2784-93-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2764-81-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/files/0x000600000001749c-80.dat	upx
behavioral1/memory/2120-149-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/1156-76-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2324-57-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2800-48-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/files/0x000a000000016d2a-46.dat	upx
behavioral1/memory/2428-73-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2052-151-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2804-71-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2784-61-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2064-44-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/1156-40-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/756-153-0x000000013F590000-0x000000013F8E4000-memory.dmp	upx
behavioral1/memory/2064-154-0x000000013FC30000-0x000000013FF84000-memory.dmp	upx
behavioral1/memory/2324-155-0x000000013F3A0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2400-156-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/1156-157-0x000000013F360000-0x000000013F6B4000-memory.dmp	upx
behavioral1/memory/2800-158-0x000000013F400000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2784-159-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2908-160-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/2804-161-0x000000013F850000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2764-162-0x000000013F380000-0x000000013F6D4000-memory.dmp	upx
behavioral1/memory/2680-163-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2120-164-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2052-165-0x000000013F2E0000-0x000000013F634000-memory.dmp	upx
behavioral1/memory/2428-166-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZEjrdGR.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LRAbNWX.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dlSyduc.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPqsYaZ.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xdyBTUC.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nRaSGvG.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VxOCKvQ.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpvaEnR.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sczbdFR.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmcoAeM.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EJqpvEG.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yCMeJxO.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wBVkPYU.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tNhYSta.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYZZOcX.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GmabCvA.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YoYWPvL.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WSJNloo.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\APCXDOw.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OPxGlAb.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VINaJgH.exe	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 756	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2092 wrote to memory of 756	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2092 wrote to memory of 756	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2092 wrote to memory of 2064	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2092 wrote to memory of 2064	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2092 wrote to memory of 2064	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2092 wrote to memory of 2324	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2092 wrote to memory of 2324	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2092 wrote to memory of 2324	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2092 wrote to memory of 2400	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2092 wrote to memory of 2400	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2092 wrote to memory of 2400	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2092 wrote to memory of 1156	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2092 wrote to memory of 1156	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2092 wrote to memory of 1156	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2092 wrote to memory of 2800	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2092 wrote to memory of 2800	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2092 wrote to memory of 2800	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2092 wrote to memory of 2804	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2092 wrote to memory of 2804	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2092 wrote to memory of 2804	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2092 wrote to memory of 2784	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2092 wrote to memory of 2784	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2092 wrote to memory of 2784	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2092 wrote to memory of 2428	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2092 wrote to memory of 2428	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2092 wrote to memory of 2428	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2092 wrote to memory of 2908	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2092 wrote to memory of 2908	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2092 wrote to memory of 2908	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2092 wrote to memory of 2764	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2092 wrote to memory of 2764	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2092 wrote to memory of 2764	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2092 wrote to memory of 2680	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2092 wrote to memory of 2680	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2092 wrote to memory of 2680	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2092 wrote to memory of 2120	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2092 wrote to memory of 2120	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2092 wrote to memory of 2120	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2092 wrote to memory of 2052	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2092 wrote to memory of 2052	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2092 wrote to memory of 2052	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2092 wrote to memory of 1304	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2092 wrote to memory of 1304	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2092 wrote to memory of 1304	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2092 wrote to memory of 2460	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2092 wrote to memory of 2460	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2092 wrote to memory of 2460	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2092 wrote to memory of 1632	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2092 wrote to memory of 1632	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2092 wrote to memory of 1632	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2092 wrote to memory of 828	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2092 wrote to memory of 828	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2092 wrote to memory of 828	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2092 wrote to memory of 2316	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2092 wrote to memory of 2316	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2092 wrote to memory of 2316	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2092 wrote to memory of 1972	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2092 wrote to memory of 1972	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2092 wrote to memory of 1972	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2092 wrote to memory of 1148	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2092 wrote to memory of 1148	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2092 wrote to memory of 1148	2092	2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_54d076db5f2f657d8a1a4f29582109b1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\System\dlSyduc.exe
  C:\Windows\System\dlSyduc.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\CPqsYaZ.exe
  C:\Windows\System\CPqsYaZ.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\xdyBTUC.exe
  C:\Windows\System\xdyBTUC.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\ZEjrdGR.exe
  C:\Windows\System\ZEjrdGR.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\KYZZOcX.exe
  C:\Windows\System\KYZZOcX.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\GmabCvA.exe
  C:\Windows\System\GmabCvA.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\YoYWPvL.exe
  C:\Windows\System\YoYWPvL.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\WSJNloo.exe
  C:\Windows\System\WSJNloo.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\nRaSGvG.exe
  C:\Windows\System\nRaSGvG.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\CpvaEnR.exe
  C:\Windows\System\CpvaEnR.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\APCXDOw.exe
  C:\Windows\System\APCXDOw.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\yCMeJxO.exe
  C:\Windows\System\yCMeJxO.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\wBVkPYU.exe
  C:\Windows\System\wBVkPYU.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\sczbdFR.exe
  C:\Windows\System\sczbdFR.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\VxOCKvQ.exe
  C:\Windows\System\VxOCKvQ.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\tNhYSta.exe
  C:\Windows\System\tNhYSta.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\OPxGlAb.exe
  C:\Windows\System\OPxGlAb.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\VINaJgH.exe
  C:\Windows\System\VINaJgH.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\System\ZmcoAeM.exe
  C:\Windows\System\ZmcoAeM.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\LRAbNWX.exe
  C:\Windows\System\LRAbNWX.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\EJqpvEG.exe
  C:\Windows\System\EJqpvEG.exe
  2⤵
  - Executes dropped EXE
  PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\APCXDOw.exe

Filesize
5.9MB

MD5
4f68a9db94d1c8bee5a7bf9c27eab0fb

SHA1
5bcd5cdd6f1b84a21e83d2b8ca9f445dced3b4c7

SHA256
0deda69b8be2110d74d2a03ae3bf7484e036b2c6c264d6ff0a8b65ac7b9f7609

SHA512
f4722391e82118df93b452771be6fd2c9874ed60e163cc88547bdd17dc9f004249711c08c25171bd491e27403f4f3f01de3cd2b64dc99477a3e774f5b162397b

Download Submit
C:\Windows\system\CPqsYaZ.exe

Filesize
5.9MB

MD5
1227abdb6788279cc5b5dca562660d9e

SHA1
f53d0f6101059b5dcf89854ad00f95a774116b2a

SHA256
a1f10c2d88630678cbbaf67ba3aa1048719f58e970e7c12aa73e2be9b93b2b29

SHA512
dbb64472139b25697d1246c978bf6720ea0fec5f13a9bc723ad1bb6e248f15bddf7ca2de22e468612f23fb5612603ef857e1df7144d0be78a9f2a1c00954527b

Download Submit
C:\Windows\system\CpvaEnR.exe

Filesize
5.9MB

MD5
117133702093301ca67e05ce7caf17b2

SHA1
0b6328315f1ee16a7dbb8d7ca61f48e0b2fd62dd

SHA256
f1f618107fcceb52d669a8b0cbf4032e929ac27222ed0339356d909d5d1b34ae

SHA512
a3a12a06578f4f7fdfb4bbc6c718d2539cbda3de9881bcf91e698d885813c99d342ad2104b80f077e39684e8d2734dc4e95fb2caf324ff5b53366b464955a747

Download Submit
C:\Windows\system\EJqpvEG.exe

Filesize
5.9MB

MD5
38734a4d8ce2809b69a3643452e63941

SHA1
11b090894a82c4ffd66271eea0949bc0419cee46

SHA256
41257bc78221cc8705660aa726814c8d392856f216f363c344460acd0a9f87e9

SHA512
139c4d615df73e3b22a9286370bd650064c31761364a08de659fc8c52df637a706b35e2bd63e290968b036f3d4e536fe8e9b09e44f921e702c3e24a208b32dff

Download Submit
C:\Windows\system\GmabCvA.exe

Filesize
5.9MB

MD5
e6dce7a248debfce020991c99446889a

SHA1
53e1706ee242626cd4a29a47bb042406ac1c314e

SHA256
33cd74f0c10ee0e9f97fd03f21be39afe8b2418fa3f950fa967095284cb146c8

SHA512
cc3f2e874cfa99e3710ef08fd6828a94846ea2e06de2ae6ec61249b0ae757c4d477308dc5245be29d466961eca5070b146e3d9bb3fbe751b81381f408d6cc1d8

Download Submit
C:\Windows\system\LRAbNWX.exe

Filesize
5.9MB

MD5
25708ea413bc6a183ada6fbfc29674b0

SHA1
83bf60a9fc42a6bac2a452ff747c537875eb682b

SHA256
96e9ff3aa127d0cb96e127bce87ffc3248d14bf4049c158ad3e48d24f8251561

SHA512
3bbd4c8c0af65a2ba4f4f40db4f385c00ad4fd295f8488249892f661205ff356d1d50d97288828bd9665e32a37da870a6fd4d1f1e0593ccf5345a2fddde4616e

Download Submit
C:\Windows\system\OPxGlAb.exe

Filesize
5.9MB

MD5
d58ee370e499ee221093d7c263016ae3

SHA1
5c9e0d5b645958958c528803822e45ea4b955dec

SHA256
df05da19186d21d4aaa8dd3e0507a804eabb08ff7a40645e4353549d857370e6

SHA512
a502bd2a6b937dc06192c8c65ed1d2291d2d80237196b262799dd196c19ac94f927d4d669ee1c4589d214baa98fd4ea8f0704a2fef3b4747a65b622a76be2dfb

Download Submit
C:\Windows\system\VINaJgH.exe

Filesize
5.9MB

MD5
957267365e1ed0bbc97275cc960fbf08

SHA1
559a4cdd691de39000aedcfe2cf9aedb4e42ed9a

SHA256
c1e1194e17b2e8e54b608e9d29e2867402f59f49e31e79d7ec452a6e7e4ed0ce

SHA512
efeecf870e5f5c058f52950c8eb0687a3cf9933c6bebfa20c8ba3567738735f84e645b68868317863c06070143218d233dbed3b518dc9ba46d4df07d06def7fa

Download Submit
C:\Windows\system\VxOCKvQ.exe

Filesize
5.9MB

MD5
69cac6fae127fba5a55b3ab7c2bd4c45

SHA1
54cbf34166340b0aa0820f111e60b3bd649ac12b

SHA256
09da2a739b9352519cb8d8b95ed9ee8694056d252b855f0bc16ec5447248b426

SHA512
053493d26b5be6c96dd7dcb101baf3fd1a23805686ced6e352273535868f14556f214c4f63a8d61185ae75023ffa9d5227f4f245763576dffe9cb83b165ed37f

Download Submit
C:\Windows\system\ZmcoAeM.exe

Filesize
5.9MB

MD5
3f6f371507de8ac40ec45bdf9270e193

SHA1
ec6182e623cc03cdf36703fa7eebe9347e14a436

SHA256
6e92963ea4bc5d30b93791d2ee8c2166cb60918ca46a4cc446edad2bff1a1ee1

SHA512
b0a15afb7791db35c656c03060f55843fafb69703ad03670497f7c99544d03f68d98e6cc3a45dd9d6dfd759991318575dfbf4631f020d1429b240e6ccd66523b

Download Submit
C:\Windows\system\nRaSGvG.exe

Filesize
5.9MB

MD5
8f12cb70bfac0011cea70d849224892b

SHA1
a1985de9045854152fb5d0d94c82df042ebc1660

SHA256
1712cf0bb4f72ffcf2fc9ede6a9d485dc019cdf550087eda1126483a6bc68d7b

SHA512
7c576ba5a9c098747451870a69c93df2f96845874fde65e94aca8542223a00a794c0c9f5752ae0ef5519ba20e068860bbce4f0ea8f66eb656a66d265abf9d74d

Download Submit
C:\Windows\system\sczbdFR.exe

Filesize
5.9MB

MD5
ef1e7c23ab5c68849ee4eca3fd4e8334

SHA1
15d6dc47e3e9e52f0cfca0bfe926b1fdba9234de

SHA256
bad121b4c639b020bcafc1635ead68fbf336dc7418c32ef69755f715fd7940df

SHA512
af6c699c07701ef99f02bc2a88d1adf4e1007487df67711898013b0258ddd3dff4c52957c3f75caa52e8b6926ef6513ee78c57638d0f802d058e2e239c083905

Download Submit
C:\Windows\system\tNhYSta.exe

Filesize
5.9MB

MD5
2d682690284a629e67ea873f76bebc02

SHA1
ea371a49631175c4dd50ceb960ebda9af0d268d8

SHA256
db706a12836268b97936662714327cdf0e704133af7b035e367ef7830daaa1ef

SHA512
c14525006066315264ca7d61c5f1dac9725234430ca33eb2f3234b092daccac588857aceebc1159730ae87383d26edcf6ea3643c79e5d8610c86c72a9c08180a

Download Submit
C:\Windows\system\wBVkPYU.exe

Filesize
5.9MB

MD5
6f3628823ccc62f9f2115ddcdbeb73a4

SHA1
758a8f64d4c0016c028e8f2c9b240228233b0bc0

SHA256
0d2165ccb8ccee58b2894ec9c9c33a7b2b826e39f125cc55e87681a435ff4ee7

SHA512
1be4cfbc0c4e97cdd84d7a292a22725b2e1afbc96525e0bb29faeadda19e27842aa64f3882da8339b147331ddf95261006435340c5239d6eef252a2e2588f499

Download Submit
C:\Windows\system\xdyBTUC.exe

Filesize
5.9MB

MD5
9afebe167a2ad0f913baa6007a1a7c62

SHA1
1f28f8c58f818555454b315dac3b8bc9bb93fb83

SHA256
300214bc3058868be7ab3e25f278e938002a000e1a55e796c0bbc366aef60370

SHA512
167b476d3d7f1fdc965c6028d77714df6f121e177e0ea82bccc24094ab5c15379fc8cbfecc88f43e5a5cfb48289141fb2f67fc5695c4f3e605511c8723d8e2c3

Download Submit
C:\Windows\system\yCMeJxO.exe

Filesize
5.9MB

MD5
143c1acdd33b68fcbaead92f4ceb5857

SHA1
bcdc7fd6901f65328203b96f50b93b7ed7ac6415

SHA256
961e708fa15ad15212ae22311be01a9612e9a213f3665cc1ebf16bc58bb80a69

SHA512
37bc48ed78a38e6218f2e64f0fe943d86342a51af437c9e8ca832cd7f76f9e47b238ea4b790325daf0906fd0606364838f82cf3da8b35bdf4afadc7630f68531

Download Submit
\Windows\system\KYZZOcX.exe

Filesize
5.9MB

MD5
8160312885ddc66e65a46619f75c1841

SHA1
47b23b3d2f828628d52038e1c70be30d9fe21b09

SHA256
99de6a146496fa58bc23ce3c6a5aff3418b9d57e8b3eaf50bc6b0680511f0e9f

SHA512
28646a5f9734b460072259ee813ddbafbadcc10c1443e4b2fe941f3f1d271fa9400358ccf79a53a0843c0d8508eea8441ee679d19e27dec88382d8c0c4cc6400

Download Submit
\Windows\system\WSJNloo.exe

Filesize
5.9MB

MD5
4362210fdb4f010c4630a627b7f0ac03

SHA1
cfe0f6791afc337a0de9b8e9e786cf4a918e6596

SHA256
0e24981c20b1ee42cca94969a129ed6d8c85538a32be956c1882948290839599

SHA512
99a3ef6e9f3002df9f9d297aa014bf43aa7890fef1063d41f2dee658b8f8a6ace8e562ff3f4547b5c60dc4df1ac8e8823907a7fb53ca32b2fc07d9dad25caff0

Download Submit
\Windows\system\YoYWPvL.exe

Filesize
5.9MB

MD5
d5d6aa45603c0d6862000f4f7d57ebe4

SHA1
4ca784a4ddbc9c42718dc735bd9709f3351dafc4

SHA256
f415d44fe63ffa079b56a752b889c1a36ae4fc5f60d595058487e53bb1edd8e0

SHA512
f88fb62a6532ff70300c01f5e8b01c11d04aca1925c32c2bbdade38c9713aef21c30a3100282ac91c1f713f1677e4d303f8d3b67d1482aec48b539e1f8779717

Download Submit
\Windows\system\ZEjrdGR.exe

Filesize
5.9MB

MD5
db8d3bb0be75c9942980802df92847c5

SHA1
d513c29160be0025deb7a7c3420caaa34b95ebe4

SHA256
de1ed5db732a1b7e10b16b4cf670cbdd624877f31936088506cf74ae0a6c0b71

SHA512
b92e0686f71a865c46c165f265798c0b0fcc1bfffad979af546445b748da95a22195ab4e094065b599c9340c428d4f6a981f5efa469c0cc54d40c187eae1e46b

Download Submit
\Windows\system\dlSyduc.exe

Filesize
5.9MB

MD5
8d0f3bc272ba13bec8243e0548f153f2

SHA1
dffd26a03d075cccb9d3e2d7766bc3ab09863c68

SHA256
c44edc99e1797179b7966e434006c7aadcabeb1fc271e46eee956853bea2bae3

SHA512
dbfd070864e00edb4edd238aca83bdfdbec71c228a70600d646737933d6ec26cb6337c9b35f9730132465119e9f601ea8b3911da54dd9f906a3c871ee72febe3

Download Submit
memory/756-153-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/756-10-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/756-32-0x000000013F590000-0x000000013F8E4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-40-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-157-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/1156-76-0x000000013F360000-0x000000013F6B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-106-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2052-151-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2052-165-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2064-44-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2064-154-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2064-15-0x000000013FC30000-0x000000013FF84000-memory.dmp

Filesize
3.3MB

Download
memory/2092-102-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2092-23-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2092-144-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-18-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-101-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-146-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2092-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2092-42-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2092-0-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-43-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2092-30-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-84-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2092-94-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-13-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2092-92-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2092-148-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-85-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2092-66-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-63-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2092-78-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-55-0x00000000023D0000-0x0000000002724000-memory.dmp

Filesize
3.3MB

Download
memory/2092-150-0x000000013F2E0000-0x000000013F634000-memory.dmp

Filesize
3.3MB

Download
memory/2120-97-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-149-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2120-164-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-155-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-20-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2324-57-0x000000013F3A0000-0x000000013F6F4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-68-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2400-156-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2400-27-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/2428-73-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2428-166-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2680-88-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2680-147-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2680-163-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/2764-145-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-81-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2764-162-0x000000013F380000-0x000000013F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2784-93-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2784-61-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2784-159-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2800-158-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2800-48-0x000000013F400000-0x000000013F754000-memory.dmp

Filesize
3.3MB

Download
memory/2804-161-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-71-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-110-0x000000013F850000-0x000000013FBA4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-160-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-67-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2908-105-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download