cobaltstrike | 17a7537f6b044c0bfa4c4ceb8b22aceeaf12d07f62fb5f10adec232cfe350ee6

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

730bf266126f0d6d419d4663b60a3741
SHA1

6aa4cab50da2af4f90ce9eef07809ee2870e8ae3
SHA256

17a7537f6b044c0bfa4c4ceb8b22aceeaf12d07f62fb5f10adec232cfe350ee6
SHA512

ed04b0a698d134e22376429c5de8f19e6aec09b2b5286269e56c3ddd7207b7ab9f582b64cfaa59900a7d48942aa28b02712aaec407a36d006a4343e01544ee9f
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lu:RWWBibd56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\arBdmMG.exe	cobalt_reflective_dll
\Windows\system\kjdLwQG.exe	cobalt_reflective_dll
C:\Windows\system\opPfKuI.exe	cobalt_reflective_dll
C:\Windows\system\qCNbwfU.exe	cobalt_reflective_dll
\Windows\system\uWICMdB.exe	cobalt_reflective_dll
\Windows\system\WXxFEiJ.exe	cobalt_reflective_dll
\Windows\system\AwLtzmP.exe	cobalt_reflective_dll
C:\Windows\system\kzkmFWf.exe	cobalt_reflective_dll
\Windows\system\mgZsPBn.exe	cobalt_reflective_dll
C:\Windows\system\LQTSPPK.exe	cobalt_reflective_dll
\Windows\system\aRafJBF.exe	cobalt_reflective_dll
C:\Windows\system\kLwHJaz.exe	cobalt_reflective_dll
C:\Windows\system\lqXCNyd.exe	cobalt_reflective_dll
C:\Windows\system\crBAlqB.exe	cobalt_reflective_dll
\Windows\system\lrDBiYz.exe	cobalt_reflective_dll
\Windows\system\klZBhxi.exe	cobalt_reflective_dll
C:\Windows\system\QpudCMg.exe	cobalt_reflective_dll
C:\Windows\system\oJHTtJj.exe	cobalt_reflective_dll
C:\Windows\system\fHCPmhd.exe	cobalt_reflective_dll
C:\Windows\system\hpLOQFr.exe	cobalt_reflective_dll
C:\Windows\system\alntbZo.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1784-30-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2760-31-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2344-59-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2752-61-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/932-60-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2640-51-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2896-48-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2760-64-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2868-63-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/2676-80-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/1820-98-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/924-106-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2200-114-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2796-118-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2000-156-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1052-162-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2760-164-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2588-171-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2108-176-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/1780-177-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1488-175-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2928-172-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/1600-174-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2296-173-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2760-188-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2896-215-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2752-217-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2868-225-0x000000013F1E0000-0x000000013F531000-memory.dmp	xmrig
behavioral1/memory/1784-228-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2676-234-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2640-236-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/932-241-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2344-242-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/1820-246-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/924-250-0x000000013FAC0000-0x000000013FE11000-memory.dmp	xmrig
behavioral1/memory/2200-251-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2000-254-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1052-258-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2796-266-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

arBdmMG.exekjdLwQG.exeopPfKuI.exeqCNbwfU.exeuWICMdB.exeWXxFEiJ.exekzkmFWf.exeAwLtzmP.exeLQTSPPK.exemgZsPBn.exeaRafJBF.exekLwHJaz.exelqXCNyd.execrBAlqB.exelrDBiYz.exeklZBhxi.exeQpudCMg.exeoJHTtJj.exealntbZo.exefHCPmhd.exehpLOQFr.exe

pid	process
2896	arBdmMG.exe
2752	kjdLwQG.exe
2868	opPfKuI.exe
1784	qCNbwfU.exe
2676	uWICMdB.exe
2640	WXxFEiJ.exe
932	kzkmFWf.exe
2344	AwLtzmP.exe
1820	LQTSPPK.exe
924	mgZsPBn.exe
2200	aRafJBF.exe
2000	kLwHJaz.exe
1052	lqXCNyd.exe
2796	crBAlqB.exe
2928	lrDBiYz.exe
2588	klZBhxi.exe
2296	QpudCMg.exe
1600	oJHTtJj.exe
1488	alntbZo.exe
2108	fHCPmhd.exe
1780	hpLOQFr.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2760-0-0x000000013F630000-0x000000013F981000-memory.dmp	upx
\Windows\system\arBdmMG.exe	upx
behavioral1/memory/2896-9-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
\Windows\system\kjdLwQG.exe	upx
behavioral1/memory/2752-16-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
C:\Windows\system\opPfKuI.exe	upx
behavioral1/memory/2868-23-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
C:\Windows\system\qCNbwfU.exe	upx
behavioral1/memory/1784-30-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2760-31-0x000000013F630000-0x000000013F981000-memory.dmp	upx
\Windows\system\uWICMdB.exe	upx
\Windows\system\WXxFEiJ.exe	upx
\Windows\system\AwLtzmP.exe	upx
C:\Windows\system\kzkmFWf.exe	upx
behavioral1/memory/2344-59-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2752-61-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/932-60-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2640-51-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2896-48-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2676-44-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
\Windows\system\mgZsPBn.exe	upx
behavioral1/memory/1820-67-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/924-75-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
C:\Windows\system\LQTSPPK.exe	upx
\Windows\system\aRafJBF.exe	upx
behavioral1/memory/2868-63-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/2200-83-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2676-80-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
C:\Windows\system\kLwHJaz.exe	upx
behavioral1/memory/2000-92-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/1052-99-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1820-98-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
C:\Windows\system\lqXCNyd.exe	upx
behavioral1/memory/924-106-0x000000013FAC0000-0x000000013FE11000-memory.dmp	upx
C:\Windows\system\crBAlqB.exe	upx
behavioral1/memory/2200-114-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
\Windows\system\lrDBiYz.exe	upx
\Windows\system\klZBhxi.exe	upx
behavioral1/memory/2796-118-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
C:\Windows\system\QpudCMg.exe	upx
C:\Windows\system\oJHTtJj.exe	upx
C:\Windows\system\fHCPmhd.exe	upx
C:\Windows\system\hpLOQFr.exe	upx
C:\Windows\system\alntbZo.exe	upx
behavioral1/memory/2000-156-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/1052-162-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2760-164-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2588-171-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/2108-176-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/1780-177-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1488-175-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2928-172-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/1600-174-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2296-173-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2760-188-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2896-215-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2752-217-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2868-225-0x000000013F1E0000-0x000000013F531000-memory.dmp	upx
behavioral1/memory/1784-228-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2676-234-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2640-236-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/932-241-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2344-242-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/1820-246-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\fHCPmhd.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\arBdmMG.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aRafJBF.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oJHTtJj.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\alntbZo.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hpLOQFr.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\opPfKuI.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uWICMdB.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kLwHJaz.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\klZBhxi.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lqXCNyd.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\crBAlqB.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lrDBiYz.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QpudCMg.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjdLwQG.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kzkmFWf.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AwLtzmP.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgZsPBn.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qCNbwfU.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WXxFEiJ.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQTSPPK.exe	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2760 wrote to memory of 2896	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	arBdmMG.exe
PID 2760 wrote to memory of 2896	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	arBdmMG.exe
PID 2760 wrote to memory of 2896	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	arBdmMG.exe
PID 2760 wrote to memory of 2752	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kjdLwQG.exe
PID 2760 wrote to memory of 2752	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kjdLwQG.exe
PID 2760 wrote to memory of 2752	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kjdLwQG.exe
PID 2760 wrote to memory of 2868	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	opPfKuI.exe
PID 2760 wrote to memory of 2868	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	opPfKuI.exe
PID 2760 wrote to memory of 2868	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	opPfKuI.exe
PID 2760 wrote to memory of 1784	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	qCNbwfU.exe
PID 2760 wrote to memory of 1784	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	qCNbwfU.exe
PID 2760 wrote to memory of 1784	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	qCNbwfU.exe
PID 2760 wrote to memory of 2676	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	uWICMdB.exe
PID 2760 wrote to memory of 2676	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	uWICMdB.exe
PID 2760 wrote to memory of 2676	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	uWICMdB.exe
PID 2760 wrote to memory of 2640	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	WXxFEiJ.exe
PID 2760 wrote to memory of 2640	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	WXxFEiJ.exe
PID 2760 wrote to memory of 2640	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	WXxFEiJ.exe
PID 2760 wrote to memory of 932	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kzkmFWf.exe
PID 2760 wrote to memory of 932	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kzkmFWf.exe
PID 2760 wrote to memory of 932	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kzkmFWf.exe
PID 2760 wrote to memory of 2344	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	AwLtzmP.exe
PID 2760 wrote to memory of 2344	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	AwLtzmP.exe
PID 2760 wrote to memory of 2344	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	AwLtzmP.exe
PID 2760 wrote to memory of 1820	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	LQTSPPK.exe
PID 2760 wrote to memory of 1820	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	LQTSPPK.exe
PID 2760 wrote to memory of 1820	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	LQTSPPK.exe
PID 2760 wrote to memory of 924	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	mgZsPBn.exe
PID 2760 wrote to memory of 924	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	mgZsPBn.exe
PID 2760 wrote to memory of 924	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	mgZsPBn.exe
PID 2760 wrote to memory of 2200	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	aRafJBF.exe
PID 2760 wrote to memory of 2200	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	aRafJBF.exe
PID 2760 wrote to memory of 2200	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	aRafJBF.exe
PID 2760 wrote to memory of 2000	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kLwHJaz.exe
PID 2760 wrote to memory of 2000	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kLwHJaz.exe
PID 2760 wrote to memory of 2000	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	kLwHJaz.exe
PID 2760 wrote to memory of 1052	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lqXCNyd.exe
PID 2760 wrote to memory of 1052	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lqXCNyd.exe
PID 2760 wrote to memory of 1052	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lqXCNyd.exe
PID 2760 wrote to memory of 2796	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	crBAlqB.exe
PID 2760 wrote to memory of 2796	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	crBAlqB.exe
PID 2760 wrote to memory of 2796	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	crBAlqB.exe
PID 2760 wrote to memory of 2588	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	klZBhxi.exe
PID 2760 wrote to memory of 2588	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	klZBhxi.exe
PID 2760 wrote to memory of 2588	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	klZBhxi.exe
PID 2760 wrote to memory of 2928	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lrDBiYz.exe
PID 2760 wrote to memory of 2928	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lrDBiYz.exe
PID 2760 wrote to memory of 2928	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	lrDBiYz.exe
PID 2760 wrote to memory of 2296	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	QpudCMg.exe
PID 2760 wrote to memory of 2296	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	QpudCMg.exe
PID 2760 wrote to memory of 2296	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	QpudCMg.exe
PID 2760 wrote to memory of 1600	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	oJHTtJj.exe
PID 2760 wrote to memory of 1600	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	oJHTtJj.exe
PID 2760 wrote to memory of 1600	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	oJHTtJj.exe
PID 2760 wrote to memory of 1488	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	alntbZo.exe
PID 2760 wrote to memory of 1488	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	alntbZo.exe
PID 2760 wrote to memory of 1488	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	alntbZo.exe
PID 2760 wrote to memory of 2108	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	fHCPmhd.exe
PID 2760 wrote to memory of 2108	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	fHCPmhd.exe
PID 2760 wrote to memory of 2108	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	fHCPmhd.exe
PID 2760 wrote to memory of 1780	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	hpLOQFr.exe
PID 2760 wrote to memory of 1780	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	hpLOQFr.exe
PID 2760 wrote to memory of 1780	2760	2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe	hpLOQFr.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_730bf266126f0d6d419d4663b60a3741_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\System\arBdmMG.exe
  C:\Windows\System\arBdmMG.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\kjdLwQG.exe
  C:\Windows\System\kjdLwQG.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\opPfKuI.exe
  C:\Windows\System\opPfKuI.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\qCNbwfU.exe
  C:\Windows\System\qCNbwfU.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\uWICMdB.exe
  C:\Windows\System\uWICMdB.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\WXxFEiJ.exe
  C:\Windows\System\WXxFEiJ.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\kzkmFWf.exe
  C:\Windows\System\kzkmFWf.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\AwLtzmP.exe
  C:\Windows\System\AwLtzmP.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\LQTSPPK.exe
  C:\Windows\System\LQTSPPK.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\mgZsPBn.exe
  C:\Windows\System\mgZsPBn.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\aRafJBF.exe
  C:\Windows\System\aRafJBF.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\kLwHJaz.exe
  C:\Windows\System\kLwHJaz.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\lqXCNyd.exe
  C:\Windows\System\lqXCNyd.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\crBAlqB.exe
  C:\Windows\System\crBAlqB.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\klZBhxi.exe
  C:\Windows\System\klZBhxi.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\lrDBiYz.exe
  C:\Windows\System\lrDBiYz.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\QpudCMg.exe
  C:\Windows\System\QpudCMg.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\oJHTtJj.exe
  C:\Windows\System\oJHTtJj.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\alntbZo.exe
  C:\Windows\System\alntbZo.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\fHCPmhd.exe
  C:\Windows\System\fHCPmhd.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\hpLOQFr.exe
  C:\Windows\System\hpLOQFr.exe
  2⤵
  - Executes dropped EXE
  PID:1780

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\LQTSPPK.exe

Filesize
5.2MB

MD5
929ca4bbe871726141636d7a2ab850e4

SHA1
b3781bf022037d8b0e74ea78e097d792e53e7384

SHA256
7d6c6fe99e86b31e55e440d521b6bb75f3409b931228849b56fdc3ee6d6a0adf

SHA512
b78c20aabc563c24fcc9199a723ab00cc88e8c317279fd7c6f23b7a6d864f8b662e9f37e6f828b4fdc6a32951ed220bcfef2fd12cba06990c6f65f4b92fdb53d

Download Submit
C:\Windows\system\QpudCMg.exe

Filesize
5.2MB

MD5
0514663464de2a339c96f257960f8bd0

SHA1
0a0cfca922af4c8bfe0b4153bd9d649771f13ced

SHA256
38b7b2156e39a50ad3d6e530f9f4386f6b369631c6bc4c10b6420668eef4853b

SHA512
e11f867697c8b1079a1b6995494fea779e4e755ff9e5048959541a8621d53b1e973514d00fe6db13a87e425e6ecadb91146835ab342d8c299387aaf1e12fc2f7

Download Submit
C:\Windows\system\alntbZo.exe

Filesize
5.2MB

MD5
4ba07a1d3d2b816a7fe2ee830cb8b320

SHA1
0b9494a16b509a9c2be0ba668fec49251dfeae13

SHA256
ceae48435c03f5da5277e2934f16e8c7b1a459fb588a7fbf3ba8f8b93f29e159

SHA512
4a8f73363512f25bd62517dd68092ecf3fa17c45469ee24a0bb12d5c19d928f036dc9e93af31ec75d31d2a1122e433d86e8252f0a8c61147cfa96f6f0f82d65d

Download Submit
C:\Windows\system\crBAlqB.exe

Filesize
5.2MB

MD5
6cc4163c16c3013d4156672724021ef8

SHA1
527add3d43193950d8beddae5a2edf47c6fd74b5

SHA256
5ab93c231dc4ba25f0b918b5d92b16a37b3f39e7c2a50252221e92f4a3a87287

SHA512
c76d7d794644a701138510103698636ea88620b1c679b11d835e3806e6552e60b68f384dc61e0577fe8a88939b68b16f706d86d25055897c3b62d1d6ba77643b

Download Submit
C:\Windows\system\fHCPmhd.exe

Filesize
5.2MB

MD5
905274309833625f4fd907b2613a4cb4

SHA1
dcd70ee40499a6c039a01da0522f44a218db1e3c

SHA256
b62085cbf4e0ba9463474e0db6f97a37e63f6262d1be58ef61fccd581fc42741

SHA512
1ccfe73a9018d649bc3cd6024cb0914e297343b5a056891663849bb4d78322661bb0e20c24bf530df6dc8a17fad5d57ee3abe45467f37b2299085ee292917022

Download Submit
C:\Windows\system\hpLOQFr.exe

Filesize
5.2MB

MD5
e882f47aee82d197389cf1a636de6612

SHA1
02d283f1f5a371e913e7d72f299920b8f10eb913

SHA256
df84a1bdae28e45676d186907bf05c228bda1a85069e81a5eb066516a3c08763

SHA512
f3a14fc88ca00ba603db03fd6b8233d991cd0d00a284dbecab33a15867664b08f9f6a27e0a220cd260a81a6a91d6eb516331fbfcc4e94eb1f3fb56000a071a4a

Download Submit
C:\Windows\system\kLwHJaz.exe

Filesize
5.2MB

MD5
d782bbe5d2bca4bc5cbe628d00723def

SHA1
213f22e2d669c3cee8cfca29145cd3ff0898c37a

SHA256
0ec8ab6158bf536f46187b9aa64f42c05d534712fe90b3cd384b8362fd5f667b

SHA512
899362cd2d82983463332aeebe02014f01a527cec1f23db38255eafee2bc8914cb96cbff21d6a92c79da63798d2bef5adc94994c87955a67ade26327f7996654

Download Submit
C:\Windows\system\kzkmFWf.exe

Filesize
5.2MB

MD5
a01c47f632a04f26a730222c0263877a

SHA1
0391ef102a1ff6cc2bcc94af2dd23785c96052a0

SHA256
45a7ca5684d2304a26f8b5e6cfef5a5b73f990c37d1cdae360dde6b20ebb7cf6

SHA512
99db7b0d41f7295572af79360e5beb81797acadae8002218090c7b1c2b8b618b88b46dab35d24c1708c2e747f9f8adbdc08ba365d73720e578cac6f9f1a1627c

Download Submit
C:\Windows\system\lqXCNyd.exe

Filesize
5.2MB

MD5
38b4a9ce680ca400f55b08f945e68c95

SHA1
c0af3afc0c2060f81ce69c0863e9ff84acdf572c

SHA256
935d1d08bd8d2ab750fc7ae16266be294984702ec989562333542dbf9c9f0518

SHA512
1c5ffe65b7388496c634a2046e6cdfefd5d0acdedc377dbdc6e077e336594d711b12aaaaac2b565351cd78d4a2db210e63dda327d72078312240eb0874b9dcc7

Download Submit
C:\Windows\system\oJHTtJj.exe

Filesize
5.2MB

MD5
c7fb138e63b7c8438aaeb2165fc2bb73

SHA1
a0134cc466434bd5df063d29788ac8915fb4bf22

SHA256
de6e653a62c6eef8b3224019e927d3d85c753c4840e8883ff33191011885f151

SHA512
2f31f437a9650d835210cdde80384cbd06c11341583d4d1c6dc01a8973a53fc2b8869cd66eab65c7e50a5f2eac3deb33bf1631d64396317a14b3642722afe4a1

Download Submit
C:\Windows\system\opPfKuI.exe

Filesize
5.2MB

MD5
70866ea2ea694ea3fd60928bf1c0afa4

SHA1
7af77636b8e91f8dad003f6ce63eba8f0d9f2ff4

SHA256
3e37d4be936024d820440b408e4a7a0c55e0d87cf573941d6514fe3beb5d0a3b

SHA512
ec8a504c1841c8dfd0f9c078da7538022f033be453f4607bb91f9ff20bb82ccd927dd2eb0a68cb910f2aa1d4af6f2ef3e8fdef096869e9e153d0d78919b2ad0d

Download Submit
C:\Windows\system\qCNbwfU.exe

Filesize
5.2MB

MD5
18a6c0a5364b22368e7a8c1fa73f813a

SHA1
44ca202a9ad029da3ded36b3308b7f0f74a09939

SHA256
5b701170495fd5df69f7e1dc6651733440d2bb2a95b0884c84ff9965d7f21a8a

SHA512
bb921fe9f17ee878cc84bbde3d025e1089b34d22ca25bac9057267e62d39df19386eaeccc8858a42f2f5f0cf26143ac585cafdbf58be189915c810f765f0cec1

Download Submit
\Windows\system\AwLtzmP.exe

Filesize
5.2MB

MD5
05224193cb633034973f41b7696936df

SHA1
a8221c33f7af69e56d422cf5a3b916d80cd3ed33

SHA256
48ca9399d7898a6ca438c1334c17286c963fd6efe59776c0e0e10c55337fea45

SHA512
4314b961fdb9acd009f6082ebf6e73876c3d58a112a99be839cca6694ab31833c8e76fb9b7ad14c1c4a61ecba46d3e69c48d52cc9b2a737b580eaf0357d99f4f

Download Submit
\Windows\system\WXxFEiJ.exe

Filesize
5.2MB

MD5
2b3086bd73a2654d103ac7cb3e6a070a

SHA1
8429a3621053438c7a6be2d0159f0c38df4d8764

SHA256
5c58f898f567b45f2d512f459f44b4f15f2ac78fd1227184137c86f46be8e976

SHA512
4551021e8629cad5739dfb9c72626127e7f105fd2132e8b5d125841f68a742ea2f9470be6c24e079ebceccdb4c14c0529aa2d3623d2d7c068ad443572b875219

Download Submit
\Windows\system\aRafJBF.exe

Filesize
5.2MB

MD5
60b6df75f1036db4712a937650d2578f

SHA1
3909cb6fff7d5f3f8ab7327f486ebd935332ed82

SHA256
60ab45d7e952b633a8b7e5e09b4923f9c976aa2f0589d14d9880bd1f57e5c3f0

SHA512
8d652ea438d00b406610658fbcd18384a7032fb9f4946eb693e8aa11ffd19468d65bcd1730a1c7c77a7ba77570e8192c3972f7e7b3d2dacc2c59643a887a2586

Download Submit
\Windows\system\arBdmMG.exe

Filesize
5.2MB

MD5
c6861cb94522ae4a84f46ffb33d746ed

SHA1
48f3b40cc4ed7c6e5c983962ac1e68fec96e95a8

SHA256
b78f33c008e54b5843c216a684ced29589050aa85e016050fa66fc02260ffa6f

SHA512
819e9ec25f1e98eb6c32d69ac30113cdbb4352c0ef48ad48c6f4b6c7a99b319562d376402aab1db90394856281c4ae03e2a29aba285bcd4af6893f17d4db9172

Download Submit
\Windows\system\kjdLwQG.exe

Filesize
5.2MB

MD5
c6d98a5245d3cfc944c29a19d966748b

SHA1
8f89c7380e05c6dd37401fff8afd5856a556b760

SHA256
468bf4c89e0c3ef509e4d6a14e30bb92718f93d655ccc0aebf4d6f3930c53e75

SHA512
c92582f43e72f3a4898882c66f07c31330458c0bdfeb345c759d4d9cb490a12f5806521101e699377184a6a829491621281a756ed5c4ec78d8ae13b4f03195d1

Download Submit
\Windows\system\klZBhxi.exe

Filesize
5.2MB

MD5
700ddcf5f943476ae20c08b8afa3c686

SHA1
89283cdffe6638dd61e48d77bc0144d4318055fe

SHA256
c0cdf9cf7b9e3c8355840d48bd37ee1fc73ebb998395655c3acfb86e733182eb

SHA512
7898763574748503c115236e25f6da91d82a9d8d605ab39bafc5decd72015371781d292e508799af3dff6d4ce97c245f6cb3ed7badb541c7c199395e012ec774

Download Submit
\Windows\system\lrDBiYz.exe

Filesize
5.2MB

MD5
393ac6b8d380520c47adcee23a4cf7b4

SHA1
10262fd47455b4a2b1617478d674a68aeb306f30

SHA256
53c28c5f72994ca2707c6a7270064f789fd9322bb05db84f3fb67cc60ef64e89

SHA512
ab92b9446c3a00d93f709205b171f512dcc35b5a19592e759f6aafe7464fc08d3b1135455cd71059f383f2650a22656efc75886d52d1deb80606e750376c861c

Download Submit
\Windows\system\mgZsPBn.exe

Filesize
5.2MB

MD5
cf2d7bffe36f9129089182da9e783027

SHA1
c7df31eafec4b36500bdcdfccf75297cb3d688d8

SHA256
89d77cb9324aed22886b7838b8b268d8691fe31ce69a0efe01471b9fe30f29e4

SHA512
7811c7aa7b1c3d0dbf42d80cc712453cadecadccd121ee58c2048ae960e97b265ef936f17c480f5ca9dc6c5e0d4b79ebfd0b7d3b6d2471c6f9622d6ccca291a7

Download Submit
\Windows\system\uWICMdB.exe

Filesize
5.2MB

MD5
0d73391c826ff0157d1ba38a52d79ac3

SHA1
f0f19d46a8ca06faf7676ecf3647e2047a63c65d

SHA256
5c6dda2333f1d567a6c4356fd801255a1d8b0d462f98f7e1aea752af9c4e3058

SHA512
c7358be45e59bc9ce6f846182b532c20b74614b71882f7cf7bd5176b834c18361e74d79f6f364cfa614665e66f40343dc705109b6d991efd257889515ab84f46

Download Submit
memory/924-250-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/924-106-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/924-75-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/932-60-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/932-241-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/1052-99-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1052-258-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1052-162-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1488-175-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/1600-174-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/1780-177-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1784-228-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1784-30-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1820-246-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/1820-67-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/1820-98-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2000-254-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-156-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-92-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-176-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-251-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2200-83-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2200-114-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2296-173-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-59-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-242-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-171-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-236-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-51-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2676-44-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2676-234-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2676-80-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2752-16-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2752-217-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2752-61-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2760-35-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2760-87-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-40-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-64-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2760-151-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-1-0x0000000000090000-0x00000000000A0000-memory.dmp

Filesize
64KB

Download
memory/2760-109-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2760-6-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-160-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-71-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2760-165-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-164-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-86-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-0-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-178-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-58-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-45-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-13-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2760-29-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-31-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-188-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2760-94-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2760-77-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/2760-19-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2760-100-0x000000013FAC0000-0x000000013FE11000-memory.dmp

Filesize
3.3MB

Download
memory/2760-95-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-118-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2796-266-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2868-23-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2868-225-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2868-63-0x000000013F1E0000-0x000000013F531000-memory.dmp

Filesize
3.3MB

Download
memory/2896-215-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-9-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2896-48-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2928-172-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download