cobaltstrike | cd7bcaaa615625f009c81d5ab4a4814ed266fb2caa149481a938c00dc9eab00d

Analysis

max time kernel
146s
max time network
151s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f1385ec367f9bdae15a47ff6261fbe00
SHA1

d84a6707aae4a5708d9790d6594a53fa13b0596b
SHA256

cd7bcaaa615625f009c81d5ab4a4814ed266fb2caa149481a938c00dc9eab00d
SHA512

4d176038b3130afbabe3823b0e324654a56a886c8c3e10ddadd34cb3db2cd24761422b3d33d08d00ff0ba2296fb9f9bf2ea0d82da6ac600bb52e2010e8dab2a9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibf56utgpPFotBER/mQ32lUR

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b0000000122cf-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000193e8-10.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001949e-19.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194c4-24.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194cd-33.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001933b-36.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019524-45.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000194d2-49.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41e-84.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a48b-113.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a48d-118.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4af-136.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a49a-128.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a9-133.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a499-124.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a46f-108.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42d-99.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a427-91.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41d-77.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a359-59.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a41b-68.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral1/memory/2748-28-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/1888-53-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/1960-41-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2680-140-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/1960-141-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2656-142-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/1960-106-0x0000000002250000-0x00000000025A1000-memory.dmp	xmrig
behavioral1/memory/1960-105-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2660-100-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/1960-97-0x0000000002250000-0x00000000025A1000-memory.dmp	xmrig
behavioral1/memory/2336-92-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/1488-143-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2724-78-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2868-73-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/1964-60-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1440-57-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/288-146-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1960-145-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/1960-151-0x0000000002250000-0x00000000025A1000-memory.dmp	xmrig
behavioral1/memory/2692-158-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1728-154-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2964-165-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2876-164-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2144-169-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/1868-170-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2672-168-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/1244-167-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1204-171-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/1960-172-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/1728-179-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/1888-222-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/1440-224-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/1964-226-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2748-228-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2868-234-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	xmrig
behavioral1/memory/2724-236-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2336-245-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2660-246-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2680-248-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2656-250-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/1488-252-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/288-254-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2692-263-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/1728-274-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1888	xayPQOR.exe
1440	PxeUIEx.exe
1964	CySTfRc.exe
2748	XTckojW.exe
2868	pOCDiJZ.exe
2724	TNJWtBJ.exe
1728	KehSfpU.exe
2336	DWDwlsi.exe
2660	wIaRljg.exe
2680	zYuqmHI.exe
2656	xIDTACS.exe
1488	zvMZuzo.exe
288	ukZGttd.exe
2692	AMUFAHK.exe
2876	rPLvpcx.exe
2964	LIOZKYw.exe
1244	NQkmaKc.exe
2672	SUbHqYu.exe
2144	UTzzYQn.exe
1868	fZROJpl.exe
1204	RicfhBE.exe

Loads dropped DLL 21 IoCs

pid	Process
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-0-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/files/0x000b0000000122cf-3.dat	upx
behavioral1/files/0x00070000000193e8-10.dat	upx
behavioral1/memory/1440-14-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/1888-12-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/files/0x000600000001949e-19.dat	upx
behavioral1/memory/1964-27-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2748-28-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/files/0x00060000000194c4-24.dat	upx
behavioral1/files/0x00060000000194cd-33.dat	upx
behavioral1/files/0x000800000001933b-36.dat	upx
behavioral1/memory/2868-34-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/files/0x0006000000019524-45.dat	upx
behavioral1/memory/2724-46-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x00080000000194d2-49.dat	upx
behavioral1/memory/1888-53-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2336-55-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/1960-41-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2660-61-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/2680-69-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x000500000001a41e-84.dat	upx
behavioral1/memory/2692-101-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/files/0x000500000001a48b-113.dat	upx
behavioral1/files/0x000500000001a48d-118.dat	upx
behavioral1/files/0x000500000001a4af-136.dat	upx
behavioral1/files/0x000500000001a49a-128.dat	upx
behavioral1/memory/2680-140-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/files/0x000500000001a4a9-133.dat	upx
behavioral1/files/0x000500000001a499-124.dat	upx
behavioral1/memory/2656-142-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/files/0x000500000001a46f-108.dat	upx
behavioral1/memory/2660-100-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/files/0x000500000001a42d-99.dat	upx
behavioral1/memory/288-93-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2336-92-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/files/0x000500000001a427-91.dat	upx
behavioral1/memory/1488-85-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2656-79-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/1488-143-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2724-78-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x000500000001a41d-77.dat	upx
behavioral1/memory/2868-73-0x000000013F0A0000-0x000000013F3F1000-memory.dmp	upx
behavioral1/memory/1964-60-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/files/0x000500000001a359-59.dat	upx
behavioral1/files/0x000500000001a41b-68.dat	upx
behavioral1/memory/1440-57-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/1728-50-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/288-146-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/1960-145-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2692-158-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/1728-154-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2964-165-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2876-164-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2144-169-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/1868-170-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2672-168-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/1244-167-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1204-171-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/1960-172-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/1728-179-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/1888-222-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/1440-224-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/1964-226-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2748-228-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\xayPQOR.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pOCDiJZ.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AMUFAHK.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SUbHqYu.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RicfhBE.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PxeUIEx.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wIaRljg.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rPLvpcx.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LIOZKYw.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CySTfRc.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYuqmHI.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xIDTACS.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zvMZuzo.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NQkmaKc.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fZROJpl.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TNJWtBJ.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KehSfpU.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DWDwlsi.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ukZGttd.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UTzzYQn.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XTckojW.exe	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1440	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1960 wrote to memory of 1440	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1960 wrote to memory of 1440	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1960 wrote to memory of 1888	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1960 wrote to memory of 1888	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1960 wrote to memory of 1888	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1960 wrote to memory of 1964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1960 wrote to memory of 1964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1960 wrote to memory of 1964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1960 wrote to memory of 2748	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1960 wrote to memory of 2748	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1960 wrote to memory of 2748	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1960 wrote to memory of 2868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1960 wrote to memory of 2868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1960 wrote to memory of 2868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1960 wrote to memory of 2724	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1960 wrote to memory of 2724	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1960 wrote to memory of 2724	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1960 wrote to memory of 1728	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1960 wrote to memory of 1728	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1960 wrote to memory of 1728	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1960 wrote to memory of 2336	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1960 wrote to memory of 2336	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1960 wrote to memory of 2336	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1960 wrote to memory of 2660	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1960 wrote to memory of 2660	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1960 wrote to memory of 2660	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1960 wrote to memory of 2680	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1960 wrote to memory of 2680	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1960 wrote to memory of 2680	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1960 wrote to memory of 2656	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1960 wrote to memory of 2656	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1960 wrote to memory of 2656	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1960 wrote to memory of 1488	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1960 wrote to memory of 1488	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1960 wrote to memory of 1488	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1960 wrote to memory of 288	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1960 wrote to memory of 288	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1960 wrote to memory of 288	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1960 wrote to memory of 2692	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1960 wrote to memory of 2692	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1960 wrote to memory of 2692	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1960 wrote to memory of 2876	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1960 wrote to memory of 2876	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1960 wrote to memory of 2876	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1960 wrote to memory of 2964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1960 wrote to memory of 2964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1960 wrote to memory of 2964	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1960 wrote to memory of 1244	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1960 wrote to memory of 1244	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1960 wrote to memory of 1244	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1960 wrote to memory of 2672	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1960 wrote to memory of 2672	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1960 wrote to memory of 2672	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1960 wrote to memory of 2144	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1960 wrote to memory of 2144	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1960 wrote to memory of 2144	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1960 wrote to memory of 1868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1960 wrote to memory of 1868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1960 wrote to memory of 1868	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1960 wrote to memory of 1204	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1960 wrote to memory of 1204	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 1960 wrote to memory of 1204	1960	2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_f1385ec367f9bdae15a47ff6261fbe00_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\System\PxeUIEx.exe
  C:\Windows\System\PxeUIEx.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\xayPQOR.exe
  C:\Windows\System\xayPQOR.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\CySTfRc.exe
  C:\Windows\System\CySTfRc.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\XTckojW.exe
  C:\Windows\System\XTckojW.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\pOCDiJZ.exe
  C:\Windows\System\pOCDiJZ.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\TNJWtBJ.exe
  C:\Windows\System\TNJWtBJ.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\KehSfpU.exe
  C:\Windows\System\KehSfpU.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\DWDwlsi.exe
  C:\Windows\System\DWDwlsi.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\wIaRljg.exe
  C:\Windows\System\wIaRljg.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\zYuqmHI.exe
  C:\Windows\System\zYuqmHI.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\xIDTACS.exe
  C:\Windows\System\xIDTACS.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\zvMZuzo.exe
  C:\Windows\System\zvMZuzo.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\ukZGttd.exe
  C:\Windows\System\ukZGttd.exe
  2⤵
  - Executes dropped EXE
  PID:288
- C:\Windows\System\AMUFAHK.exe
  C:\Windows\System\AMUFAHK.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\rPLvpcx.exe
  C:\Windows\System\rPLvpcx.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\LIOZKYw.exe
  C:\Windows\System\LIOZKYw.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\NQkmaKc.exe
  C:\Windows\System\NQkmaKc.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\SUbHqYu.exe
  C:\Windows\System\SUbHqYu.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\UTzzYQn.exe
  C:\Windows\System\UTzzYQn.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\fZROJpl.exe
  C:\Windows\System\fZROJpl.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\RicfhBE.exe
  C:\Windows\System\RicfhBE.exe
  2⤵
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AMUFAHK.exe

Filesize
5.2MB

MD5
826349ef4bf9c37fc8a1bf0a77818379

SHA1
9db0208abc77cc5463e912a7023d41d91d78f12c

SHA256
8147e5fa0481364b272d536011b69eff493d466c78fcd6a00045ec6c975de1d1

SHA512
bc967658dffd18e9584dfa2b537b384182e12abd80a970e976eebbca2908deb4a22eacae734ecdfce14fb9f45b82a5779774dd8088045ddc497cb54d5f8a4fb6

Download Submit
C:\Windows\system\CySTfRc.exe

Filesize
5.2MB

MD5
b2a492a6952cff1c827e5515a8e78b9c

SHA1
11165d0cafced12b41c9e2d4d4a3090490ef5161

SHA256
7aeae66a29dbe0da67c69dbfcfeb0c33df471f938a93575bf292ae9e370d92ea

SHA512
592d4cdfd54f6312827fd34a3ecc459553bb86b1d5a6234daebdbbe466535f49cb02ba5b49314939b9f6327f4e911f24638ebbdbeea1c25fecea91fd68df4b7b

Download Submit
C:\Windows\system\KehSfpU.exe

Filesize
5.2MB

MD5
d7f87730cc28e1ca8e22160284962926

SHA1
54aac9f1f28dc50043ba9bd22fb29620481d43fb

SHA256
2b2973e2fad868de82b1ba6dd9a1d892462e3749da76e57d628e1b534bdc1bec

SHA512
21bf192bfe41928b1082cfb52ea85c4b94ce91a6a57706483f3f77b64d43200db9fff4741ca3cea1bc2ab100dce626f01f592042904e20e5a034c19fc0044711

Download Submit
C:\Windows\system\LIOZKYw.exe

Filesize
5.2MB

MD5
cf3cb68a9f93691822508a1725ba687e

SHA1
8b30630817e9ef8d77a749c93d10c3b34ab222b0

SHA256
7293ee137fed965e385d6b995989ce832cddd3ee9ac0274bd0e45b08325a558f

SHA512
43c1b1d56b6a95b5700d7fd4d27675c8f5745fa9a15c6ef88712e9b453da252eb8f98e1af9648a66ed7ced4d79c427fac25939ee96f3531b2c5f288ac9896832

Download Submit
C:\Windows\system\NQkmaKc.exe

Filesize
5.2MB

MD5
bf8211943d6675a251e36612ae2f6722

SHA1
b9634c1b4d5181d09df196e0adcafd0b1a348d66

SHA256
33362e7335b8898c50985c3306fe408cfe6221edcbf600bf71a6a17f2ae256de

SHA512
f5b332e73a99bb48beec46d5ad05a57cc836b379e125a5325fb76a41853effcdf50825efef5dcd399730aaa40d96786d79f97d519d6fab825073d0ee7542323d

Download Submit
C:\Windows\system\SUbHqYu.exe

Filesize
5.2MB

MD5
21e122f59c57ff059b818601f4b6987b

SHA1
1fabb9beee24eeb2357f457a9d2c9ef994861d41

SHA256
b9d68fb52509b627ac33e432fcf3a8d9c6b6d5732132c39c64bc9fb099f0c868

SHA512
31606cd162d4f4075805d2f4bfa53dd9c495380cb56ac0cb5f5bfb489447936bfe98be030062337f769641e8f376de6f911ea5089ab18fa439819ab533581bf7

Download Submit
C:\Windows\system\UTzzYQn.exe

Filesize
5.2MB

MD5
be60463ee80fc3b52c2ce0774f00aa25

SHA1
378e46d812f2e878183a202f70e2831b76ef8046

SHA256
a25e5b02054c48e12050006004511441a9497f5a4e5f672ca49c7d260d964e3c

SHA512
155006d82ccd6f5e8040af1619464556cd75d6c9b66739407509164de85f26497377443f8aedb54a10a5ef6af594d85700602faecbfff7e7bf5680d828de699b

Download Submit
C:\Windows\system\XTckojW.exe

Filesize
5.2MB

MD5
08d8b96a5a9a1828061ebf92419cd35a

SHA1
f9e721a3a1d349b6ce7ae3803c53aedec7fc8533

SHA256
3ef808efe30c226ee8963925a7050d84e895cf01d244049e6fa3fdd61d20afd2

SHA512
49a716dbbdad97dcb864997c88a27c2e416ff90295ebac8069285d43a1c2817e77e7763f48883593a3198d4530bb1b1ecb724c01212ce5ff140473e2501297f4

Download Submit
C:\Windows\system\fZROJpl.exe

Filesize
5.2MB

MD5
e331e3780cba3918f592511de81ffeab

SHA1
67d54ec840be735ed37cbb1b66cc1fb7939efda8

SHA256
38cff9dcb00e79f9f09c5514227e9ed4a8fe04f31f66c8035abfbed334211fca

SHA512
7e38c109b3d4f3507cfbdb8327fa31e13663e79d7fd98bbd20958c475fc5eed3b8845413eba3f6a8f85e082f9f49bb47150f3723882f55fde6bb8c3e2b0cb3bd

Download Submit
C:\Windows\system\pOCDiJZ.exe

Filesize
5.2MB

MD5
ccf3f58e351e588c2df3c7af8d12b10d

SHA1
dab0cc6660d3a3d798c08cf623393249db5e24aa

SHA256
16eaf27109d89f834c2fdb34eb733b58bc56c846c1c353363204a9dbc89f68cb

SHA512
60f879482fb46d70d877fc61b5e861da5a068d12b430056256c810b9ef49f03f84aca3761f92c5bea0275ae994701fa0c0efeef297417527fd73cd0318b63c9a

Download Submit
C:\Windows\system\rPLvpcx.exe

Filesize
5.2MB

MD5
101326476684b78e01bf4d625a6f04a3

SHA1
38cff17bcaf558408da53e05825649869fb8337d

SHA256
352b87700d76cfd60befcecb31307a48d008c26d98b47ace4eee6e1edee3ef73

SHA512
101ea50f1b8ccfa649b4312d537a80d48884da5454ca0f03cf3f69cc1b45690d911df6eda7a7adbf4433134a245ede74b4fc7d4a33eea34eb9edbf9444c3b81b

Download Submit
C:\Windows\system\ukZGttd.exe

Filesize
5.2MB

MD5
b924cc7a8c4b331da589073d72d4782f

SHA1
a07529b2ac310b666e852b3d0153254861bfb0dc

SHA256
a5399113d193986e7915c4c33c5b98df8806fe88d998a792d9d04863d04a7812

SHA512
1cb8e09607bc3dda7ee54ef93a9e8f472665d7b460d51a769f79502ed5f2105bc9feeaaaa5532c8c818e9f40a21e6542df7345b5a0c215ae0205bee9686116b3

Download Submit
C:\Windows\system\wIaRljg.exe

Filesize
5.2MB

MD5
53c1ea902d88144f7334f3ce45693fe9

SHA1
293bbc5c129f31c9bb1b5cef4f569a2013f31b59

SHA256
ad82ec549a8906c549b8451a0b9a23587d7cbe3a8fb8c4c8abfd749606a753f7

SHA512
e4fb11fd131655f4be85356259970c34fb1419d64d1842eea7c521c1ec822fcc34ae27f0a9fe4b65aaf7fb3975b105d20bdf5a516a74224f297f3a626d36b908

Download Submit
C:\Windows\system\xIDTACS.exe

Filesize
5.2MB

MD5
d5e6ca94608d7de86c30e15504c139db

SHA1
45370b6dc650917d079ea9ba63a26eae8ebc5391

SHA256
fd83bd1a23303df48dd246b255775cef8fa1ae711f80ef7638895018ff612d28

SHA512
97d329e171a84faf78d48b0ac364adf0c1d4597e3475945f116090338525e64ce59d8b88de017a38ac999f8f69d0832476067b0ee4c4002a9f1cb5e0cbabe780

Download Submit
C:\Windows\system\xayPQOR.exe

Filesize
5.2MB

MD5
d6115888a381d6d72f336eb85ee02c9d

SHA1
593304eee3328518bd2dd4840ac2f7158bffaf39

SHA256
403b1a604860a2ebd97374fb695958b84ff8ac772cacf484ec8ad4b36aa1d3cd

SHA512
5e9d33d78d6e85b67cec2160e1a3c738a0b3531d84b6118a4418226c9971d41dd44d8e6932b1dd1d8e1ebbba5e50193e2c6634240abdc56427da032d704109e9

Download Submit
C:\Windows\system\zYuqmHI.exe

Filesize
5.2MB

MD5
85111fe8e2e0cfcddec964c97797d2c3

SHA1
0cb31dedca93f1a608005e1371d26a2e9f015859

SHA256
b3943702ef623a35fb2efe1742d5e628b2c1010548e4ce31812dc46ce33e242f

SHA512
fdd9015e6debad638928be313e2e475b02b3b873bc458cba947b5db8f32921a03f49a508b258d4a6bee38065860adf5f6cf552c5b370f7e1efe0722f18034084

Download Submit
C:\Windows\system\zvMZuzo.exe

Filesize
5.2MB

MD5
fa3889ef84f6aa0804ac19baa1cbd1b6

SHA1
3ea5cfcb10ac31692b9ade2d0c712b98f4105172

SHA256
05e86713b5eb4236ea92e170c6474f49555e88f4963474a94d67d2f3543e972e

SHA512
708202fa6aa63a9bf08f9e367f1c4bb7eddef9583fdd6476154a743eb2bfdc18ed04616089365d5d30d6a0052fca7c7b1dd704c1c17ab2aa73693eeabe181e85

Download Submit
\Windows\system\DWDwlsi.exe

Filesize
5.2MB

MD5
844a6068cc17df7964c110b85c858919

SHA1
a06db72c537077f452f074746016928322cf9eb3

SHA256
46e1c067cf68be31ff9f0e1362ff49b7ba3f6ba9a1b96a60871924508b7e4f9c

SHA512
c39a292c8319978377948e78bf4c4d3b153b0a8f4ce895c0302d615dc5f37c03a6c1f9e6c3693a6f52f3879c44a0a5f65956e66e015693849a9ea5983571a05e

Download Submit
\Windows\system\PxeUIEx.exe

Filesize
5.2MB

MD5
5030827c6c5f3a9e49026536964761be

SHA1
957a0c968cef626621207891b9e5447b2803ef48

SHA256
9debfd1c6bc83c03d2a02f72099d15028464894c0179a23cf9151454fcbd1bd4

SHA512
6fa4baa7c86d125041f26b5cab1c638aac0b7c96fb0843b663ce4b01ad4a991b8d3e0d1b142622d4961022e549dbee4228cb460c7a3c1ca54229ca75c679ddbc

Download Submit
\Windows\system\RicfhBE.exe

Filesize
5.2MB

MD5
fa113710e90d78e43567cb5b9ae85f32

SHA1
c577315b2b5a35bce9d403ed670122f224e80217

SHA256
df75058189346836108f7116131f0d5f611b5fab149f36d5900718fda0c671a7

SHA512
fa696bde577dd6b36ec765012fa8d781b94057954ff2fbac9806e9ab6b069d50181ebf442ab3869f091a9bfd1740fd5a4f1662b6fda79f5731e6c7816543a5d5

Download Submit
\Windows\system\TNJWtBJ.exe

Filesize
5.2MB

MD5
7e603bbe44815cc0c9114746633981fe

SHA1
3555e10f26a0224b033fb523538d7b9a425e2a8b

SHA256
1ef584ad68c1705331e8d7b847f1e9531091b1ed6e4202d6dd35b11fa0c07948

SHA512
b707b30ba29826934566c584a346baf0df53a3a81a9f84fe1eec799426fcff186a351abbd4aa6efadc3bb343f5d6d7694ab60e97307e4eb2a32e09bd706cf640

Download Submit
memory/288-93-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/288-146-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/288-254-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1204-171-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/1244-167-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1440-224-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/1440-57-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/1440-14-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/1488-143-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/1488-85-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/1488-252-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/1728-50-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-154-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-179-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-274-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-170-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/1888-222-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-53-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1888-12-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-166-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-30-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-1-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/1960-8-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/1960-105-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-89-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1960-106-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-82-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/1960-22-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1960-97-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-39-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-141-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1960-74-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/1960-172-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-48-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-0-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-151-0x0000000002250000-0x00000000025A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-145-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1960-144-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1960-66-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-41-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1964-27-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1964-226-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/1964-60-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2144-169-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2336-55-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2336-245-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2336-92-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2656-79-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2656-142-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2656-250-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2660-246-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-100-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-61-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-168-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-248-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-69-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2680-140-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-101-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2692-158-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2692-263-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2724-78-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-236-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-46-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-228-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-28-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-234-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-73-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2868-34-0x000000013F0A0000-0x000000013F3F1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-164-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2964-165-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download