cobaltstrike | 398edf7ec3ed8691b5d8a930706b87b18d5da1b50a0457164647acfe1fc1f204

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ad10e3a08a8f10d7a6ceaea9881fa24e
SHA1

b703df52275e6a6f9de6fdf6e06f0c6fc43ec7df
SHA256

398edf7ec3ed8691b5d8a930706b87b18d5da1b50a0457164647acfe1fc1f204
SHA512

b40cc323251eaa6b99be104390dc3ffdab9193d6bac5dad8444e23040252afcae80650f14d478c84eea41be5319b79016b4f00069bbb6876ce6ef3b786b369dc
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibd56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001225c-5.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019394-8.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000193b8-17.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019470-27.dat	cobalt_reflective_dll
behavioral1/files/0x002f000000018bd7-38.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001948c-52.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a309-76.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a0b6-71.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a3f8-91.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a400-101.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a438-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a44d-116.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a404-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a3fd-97.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a3ab-82.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a3f6-85.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a049-66.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000195b3-61.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019490-56.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019489-43.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019480-33.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2224-25-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2260-16-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/3028-15-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2152-118-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2940-123-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2152-125-0x0000000002190000-0x00000000024E1000-memory.dmp	xmrig
behavioral1/memory/2096-122-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2768-128-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2356-130-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2832-129-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/1816-131-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/2928-127-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2492-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2564-134-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/1060-136-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/1520-138-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2540-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2152-137-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/1652-146-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2396-145-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1624-144-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2236-143-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2504-142-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1136-141-0x000000013F840000-0x000000013FB91000-memory.dmp	xmrig
behavioral1/memory/2152-149-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2152-151-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2260-203-0x000000013F0E0000-0x000000013F431000-memory.dmp	xmrig
behavioral1/memory/3028-205-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2224-207-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2096-209-0x000000013F760000-0x000000013FAB1000-memory.dmp	xmrig
behavioral1/memory/2928-222-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2940-225-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2768-224-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2356-229-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2832-228-0x000000013FD10000-0x0000000140061000-memory.dmp	xmrig
behavioral1/memory/1816-231-0x000000013FCD0000-0x0000000140021000-memory.dmp	xmrig
behavioral1/memory/2492-233-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2564-235-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/1060-237-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/1520-246-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2260	zPnZaVO.exe
3028	NZoQtFS.exe
2224	mfzwwZI.exe
2096	lrTHshj.exe
2940	AXrpCie.exe
2928	wqoBDDc.exe
2768	BTXpWGO.exe
2832	dkPQWhc.exe
2356	sqTydvN.exe
1816	vuQesRg.exe
2492	NztqHrR.exe
2564	PRQqXAb.exe
1060	WWHqmDo.exe
1520	rVqLWoV.exe
2540	pgHnCga.exe
1136	UYdNtaz.exe
2504	OSPeaQM.exe
2236	tjNnaKK.exe
1624	tVUZCWX.exe
2396	ueynadO.exe
1652	apnhukI.exe

Loads dropped DLL 21 IoCs

pid	Process
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2152-0-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-5.dat	upx
behavioral1/files/0x0008000000019394-8.dat	upx
behavioral1/files/0x00070000000193b8-17.dat	upx
behavioral1/files/0x0006000000019470-27.dat	upx
behavioral1/memory/2940-35-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2928-44-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/files/0x002f000000018bd7-38.dat	upx
behavioral1/files/0x000800000001948c-52.dat	upx
behavioral1/files/0x000500000001a309-76.dat	upx
behavioral1/files/0x000500000001a0b6-71.dat	upx
behavioral1/files/0x000500000001a3f8-91.dat	upx
behavioral1/files/0x000500000001a400-101.dat	upx
behavioral1/files/0x000500000001a438-111.dat	upx
behavioral1/files/0x000500000001a44d-116.dat	upx
behavioral1/files/0x000500000001a404-106.dat	upx
behavioral1/files/0x000500000001a3fd-97.dat	upx
behavioral1/files/0x000500000001a3ab-82.dat	upx
behavioral1/files/0x000500000001a3f6-85.dat	upx
behavioral1/files/0x000500000001a049-66.dat	upx
behavioral1/files/0x00070000000195b3-61.dat	upx
behavioral1/memory/2768-46-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/files/0x0007000000019490-56.dat	upx
behavioral1/files/0x0006000000019489-43.dat	upx
behavioral1/files/0x0006000000019480-33.dat	upx
behavioral1/memory/2096-28-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2224-25-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2260-16-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/3028-15-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2152-118-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2940-123-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2096-122-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2768-128-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2356-130-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2832-129-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/1816-131-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/2928-127-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2492-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2564-134-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/1060-136-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/1520-138-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/2540-139-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1652-146-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2396-145-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1624-144-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2236-143-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2504-142-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1136-141-0x000000013F840000-0x000000013FB91000-memory.dmp	upx
behavioral1/memory/2152-149-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2152-151-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2260-203-0x000000013F0E0000-0x000000013F431000-memory.dmp	upx
behavioral1/memory/3028-205-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2224-207-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2096-209-0x000000013F760000-0x000000013FAB1000-memory.dmp	upx
behavioral1/memory/2928-222-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/2940-225-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2768-224-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2356-229-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2832-228-0x000000013FD10000-0x0000000140061000-memory.dmp	upx
behavioral1/memory/1816-231-0x000000013FCD0000-0x0000000140021000-memory.dmp	upx
behavioral1/memory/2492-233-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2564-235-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/1060-237-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/1520-246-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lrTHshj.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dkPQWhc.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vuQesRg.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWHqmDo.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfzwwZI.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sqTydvN.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NztqHrR.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rVqLWoV.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OSPeaQM.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVUZCWX.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ueynadO.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\apnhukI.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zPnZaVO.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AXrpCie.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqoBDDc.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PRQqXAb.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pgHnCga.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UYdNtaz.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tjNnaKK.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NZoQtFS.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BTXpWGO.exe	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2260	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2152 wrote to memory of 2260	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2152 wrote to memory of 2260	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2152 wrote to memory of 3028	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 3028	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 3028	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2152 wrote to memory of 2224	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2224	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2224	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2152 wrote to memory of 2096	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2096	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2096	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2152 wrote to memory of 2940	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2940	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2940	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2152 wrote to memory of 2928	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2928	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2928	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2152 wrote to memory of 2768	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2768	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2768	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2152 wrote to memory of 2832	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2832	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2832	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2152 wrote to memory of 2356	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 2356	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 2356	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2152 wrote to memory of 1816	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 1816	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 1816	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2152 wrote to memory of 2492	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2492	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2492	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2152 wrote to memory of 2564	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 2564	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 2564	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2152 wrote to memory of 1060	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 1060	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 1060	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2152 wrote to memory of 1520	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 1520	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 1520	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2152 wrote to memory of 2540	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 2540	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 2540	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2152 wrote to memory of 1136	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 1136	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 1136	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2152 wrote to memory of 2504	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 2504	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 2504	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2152 wrote to memory of 2236	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 2236	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 2236	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2152 wrote to memory of 1624	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 1624	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 1624	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2152 wrote to memory of 2396	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 2396	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 2396	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2152 wrote to memory of 1652	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2152 wrote to memory of 1652	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2152 wrote to memory of 1652	2152	2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_ad10e3a08a8f10d7a6ceaea9881fa24e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System\zPnZaVO.exe
  C:\Windows\System\zPnZaVO.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\NZoQtFS.exe
  C:\Windows\System\NZoQtFS.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\mfzwwZI.exe
  C:\Windows\System\mfzwwZI.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\lrTHshj.exe
  C:\Windows\System\lrTHshj.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\AXrpCie.exe
  C:\Windows\System\AXrpCie.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\wqoBDDc.exe
  C:\Windows\System\wqoBDDc.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\BTXpWGO.exe
  C:\Windows\System\BTXpWGO.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\dkPQWhc.exe
  C:\Windows\System\dkPQWhc.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\sqTydvN.exe
  C:\Windows\System\sqTydvN.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\vuQesRg.exe
  C:\Windows\System\vuQesRg.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\NztqHrR.exe
  C:\Windows\System\NztqHrR.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\PRQqXAb.exe
  C:\Windows\System\PRQqXAb.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\WWHqmDo.exe
  C:\Windows\System\WWHqmDo.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\rVqLWoV.exe
  C:\Windows\System\rVqLWoV.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\pgHnCga.exe
  C:\Windows\System\pgHnCga.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\UYdNtaz.exe
  C:\Windows\System\UYdNtaz.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\OSPeaQM.exe
  C:\Windows\System\OSPeaQM.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\tjNnaKK.exe
  C:\Windows\System\tjNnaKK.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\tVUZCWX.exe
  C:\Windows\System\tVUZCWX.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\ueynadO.exe
  C:\Windows\System\ueynadO.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\apnhukI.exe
  C:\Windows\System\apnhukI.exe
  2⤵
  - Executes dropped EXE
  PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AXrpCie.exe

Filesize
5.2MB

MD5
a5d6763a1d0d0e34bca24861c61c7991

SHA1
67121625d2026828ad52b652b1e6c69ce1b3d451

SHA256
2f56739d054dbd99cc4652a8558ebb3b55f758e6e27fa5254b33f36823553475

SHA512
7beba63aa2ead48af254f95375f448a267b39821bc17259b3d81b82e97d0ab2ed87382ad881dc9465dfe5b8cf00f94e02355e8e0b6e4ad046ff7ceeaa7567c4a

Download Submit
C:\Windows\system\BTXpWGO.exe

Filesize
5.2MB

MD5
61a892aee4e4dee00b7bd86b01dea0e0

SHA1
efd0a302bfff60bc9462824edc495572c0c9501f

SHA256
6cac13102e9792a31b31d09369270c4d7f85b83ff4db6c291ac6742a5ccbc774

SHA512
543f33a60614256cfb7a3f77c2a642e5a57466a0fc08f8c0a9c64704931b5f82316cbffa868fd287ed72fd0143cf873ffeba35332b5e7e8ebabfc87f267e28f2

Download Submit
C:\Windows\system\NztqHrR.exe

Filesize
5.2MB

MD5
2f0b4966ff09a94f5d21be7e5462582e

SHA1
cf4ef1c64bdb4c5f34baba17d43aa19526935eb7

SHA256
1dacd8736c289387356d610bd4f2a58a4a163e0d01de469179c411878ff2aca9

SHA512
5d2ae004e9df286b225cb2dc0364e0b8d5e1ade3d13c0fba05ca817a708c8fd7057eaf9348d75ea68800443bc2101d3465e82baff9b889d10dbb14063b391fbb

Download Submit
C:\Windows\system\OSPeaQM.exe

Filesize
5.2MB

MD5
9d761ad222860502c8c7c7c23d82a4d7

SHA1
af03eaf5f51d3b6f84abcc23d07c4448b7dc6110

SHA256
2d4e2688eda62c59680d3bc6d089602a94e1ce981132db880e3dc5c5888e1cef

SHA512
84d2c512b2358c8d6eaf805839b1b07229c3a4cd54e34196aa60da13404b2b24d9cc9987452eb2762cecbba57062523fe3081c3c7bacac62db7f3975597ab375

Download Submit
C:\Windows\system\PRQqXAb.exe

Filesize
5.2MB

MD5
77adb4d9995136532157eb01a171d4d8

SHA1
a36b7002427f97eb7aa2eef4328113b411628f3e

SHA256
7698da3676d64e942800bcace6bd59f85b36c2fdeaf73d4307ed3c32db1db78e

SHA512
ac6a94f6a179ff406bd76439a4916ce47a413117fa2bdcbf14b9e6349d022d86bbabde0454d05e7e6577ba3362ce223d3354423c6a5dc073372abdfc30c68696

Download Submit
C:\Windows\system\UYdNtaz.exe

Filesize
5.2MB

MD5
8537c88ad8e166fb36be72c0e117670f

SHA1
bffd8d052b29f91ba3653fd65ee454f4a8f2c77b

SHA256
0634982ff85ef3b95f6db8f632a3d116939d0195c44f712be62457ad1095fb72

SHA512
5ee8fac44e22cd850c98edd2ed5c02a60eb051016372c897313690a746b1426e9501a3aede566b3e1428c92e6c67dce688a450726098dad66904ca9a0d865341

Download Submit
C:\Windows\system\WWHqmDo.exe

Filesize
5.2MB

MD5
809db30539d23955a451424fba5e6f33

SHA1
84aeeefb40b039f7b791a8d2e2cf3684871fcf0d

SHA256
dbbcbc5ef8915886c0e096512489d7d37d6d6de97d6ddcbb747edcfb2de31b35

SHA512
69b88236394c4ba1f154477fdf7a7eb94a69ef05ac4cb49e9892af1b6631309c79a8150bf77287a9471c85629d7b90c66150989f0171ac54288523faeb2987a1

Download Submit
C:\Windows\system\apnhukI.exe

Filesize
5.2MB

MD5
13aa499277327151e07bd58d9e678e0e

SHA1
82b83dfa579477c245d0ba53c8b8bcd0ab5b035e

SHA256
fc2d006bca52bd41dfb0e0ab8cd541d1972b2c4a13ef9751a241cc390601c3eb

SHA512
96ba3b02523bac2917780d12c633c356b97cd504908c3694814a5891d217622a5dca566c92ee2a4e0c05beb06fc43fea1af5ee63072c0d8aa580085fe4857978

Download Submit
C:\Windows\system\dkPQWhc.exe

Filesize
5.2MB

MD5
aad7cd14e49d656e6172d32d716a3e5d

SHA1
dc48e33fb2fd1b5757b4616446aff94716167e6b

SHA256
4204205362b135412c946420f8c023711c18d9c235b9290542ece6759edace69

SHA512
8161d61205ae6288e7a0afd8b88c8a75fe5b40cca6a0882906e52b1852942c16d312d1703dce8c5917323a1914689d003b1c6835f829f1dddfaf19b88d990a19

Download Submit
C:\Windows\system\lrTHshj.exe

Filesize
5.2MB

MD5
6a5117e0c5bf1cadc420da3bf5ffd708

SHA1
4d747bc4753a5b45dda42648bd0e874995808745

SHA256
272925f4b8027825375970a95dc77ddc018a344cde1f3b26eb9e450edd48f35e

SHA512
f6eddaa8e7534a839dbfbd3d1a2051661082dd2aacefa2f340ff82e7e4ddca8d90f0af6695e4bd011da53ef5f0bed2eef3c7e04d9ef385eb950ad1e28a6fbfa0

Download Submit
C:\Windows\system\pgHnCga.exe

Filesize
5.2MB

MD5
d1b8b81c92ee4b91ca5a132bb5439a77

SHA1
2812cc749e9d376cb87d6029db56fb888bd1a50d

SHA256
6ee6b70c84a5553908f3a32b63a65eff9721dde92f876ec22422d71d24a5d76d

SHA512
11aae8f2223e7c585fee6cab37549ed0a5b88167b79b4b8264d8977571c10c8002a93ffb0e3a80573626f77bfa11915ea9289d034bd46d60575c23007803a835

Download Submit
C:\Windows\system\rVqLWoV.exe

Filesize
5.2MB

MD5
c12a238a1523b5064d9e2328abe4c5fb

SHA1
c7e954c32087f15dbd82817d49993a66daa472ba

SHA256
5e14b725ff7edb277bb885a850daf1c025436a6c7563989c2d63adc164b41575

SHA512
2523181e40b6fe6888ec6880da7d2d97890039007bba513868634332f969a73009c3777ecc6e1b64416c2dfb665bc9a30c9bc4e6a53256eb08793e8f17c632f8

Download Submit
C:\Windows\system\sqTydvN.exe

Filesize
5.2MB

MD5
2a75b7f7597cfa21b71680a7a69155f4

SHA1
6cfc8dd0b2e7e22399a3ab0c122a878341f8bada

SHA256
d3d1214e9c322c1632407448e65932153c191aad8706f6c2267dd65de9d08d00

SHA512
5c74702cf9222ab82d84a02e3f74f0cbd4e8e299d5e719f19343b9b3bfc1169e8445b8a1946d5a9e0f429589da12ad1e64f7697c7a1aff71c8ea9bfdac3fed1d

Download Submit
C:\Windows\system\tVUZCWX.exe

Filesize
5.2MB

MD5
0756e1a58ab7c4051080130d5f7d47ab

SHA1
98a011417c4d2b51022b4a85d0fe9f5406a56ec0

SHA256
6b5bc8a97e32a9a340f763da49ad653b74b100a0fd24ffde262eef13cbca49bd

SHA512
606190118a4a09855c2de1be3d3e2be48b1a671f14db60a420987ef05cc728b0a0f1fa845f706a6a3482059939210065cfafb50fdd25074ebb7ee613435ae111

Download Submit
C:\Windows\system\tjNnaKK.exe

Filesize
5.2MB

MD5
2ebb3430b0f128b502ec6beb4267ec64

SHA1
850de033163fe64d4c4236079ff5bf228eb54cc1

SHA256
71b0f82e402254f4cb7ee6a9f306eb127d51a96a986b572297f3960d67750562

SHA512
ccd109675c5c2249b0424c933bfa1c92fea982b7e8eaf5ddd746b2d0365248635115e7a875467ec346f143a3f0575ac6346a9ba137f8f899ad3f698a33d362a2

Download Submit
C:\Windows\system\ueynadO.exe

Filesize
5.2MB

MD5
dec6e2415b455fa9616e0bcbbb733e52

SHA1
b248dc66c654ace4e997e83d800442a61e1b77e4

SHA256
9a98182edcffff99485a2f7cd1621a484cb6b6dd8bc6368aed07681fb164c26a

SHA512
6d42c550fe139cca6995463f957a31ec8c18edd35a873adaf20c6b48ff464758587b957cf6d4c28e7c9d71f5f4e8ebf25ca83e4c6778199a8f1600a59e7a0dbc

Download Submit
C:\Windows\system\vuQesRg.exe

Filesize
5.2MB

MD5
ef40684b87e3d39de866e292351efc10

SHA1
d10d5a78d5a202277f305fd7cf09e775fd26d03b

SHA256
43df8c749cd4b1849d7897cc06fc4debbdbf25e9bd3c85a1fa2babd22434df68

SHA512
ad73ec8ae26c907292e7fae5a297b90bf16501de36bb1ffac495ce9c6251e497e4deaa1dd4f1e956fcbe6f288e3ad8464b799443a95c3b6b262241a7c7e4035a

Download Submit
C:\Windows\system\wqoBDDc.exe

Filesize
5.2MB

MD5
fa5eace31908a09981e3c1aff3ed72fd

SHA1
5e188823a441cf1ca8e79a7116c45d19f0d76fd0

SHA256
7db3d4fdad37d69efce28aae18651cc69f8afeda39377f3f80d862e922fe5f1e

SHA512
96c28cfa453442e4c2d5fd5d3bdeb7db2452c14705b01ecca438c398cc14d6315faae1e26c2824aef1aa3491a8b0d610505862e8239720f7528a362dc9549151

Download Submit
C:\Windows\system\zPnZaVO.exe

Filesize
5.2MB

MD5
fb374b547675807526b70d19b4400d6c

SHA1
8cb980feb3494fdcf23b926bb257d7c60ae71f77

SHA256
44ee86f228ac87cf26c36847c4238c793d96e47f1ab79d5b3a7d984b4cf050d0

SHA512
29736f39d1ed143be6b0dbdbf3f53fc037a4560f6d26f1171807307c6cf57f9fc4459477d3ffa2d871717cc6214bcc17a63ad74514399b490fe8a41b116ad250

Download Submit
\Windows\system\NZoQtFS.exe

Filesize
5.2MB

MD5
ef47f3326405a71ee1b52ef34a81d946

SHA1
26d6e3458f80ed90279a96f21390ef501dc502dd

SHA256
ce04ef5df70bc4e82ddeaad203b1824779412575a2f6bae768c7d1edd9888265

SHA512
ee83f5bb6a289bf05c131b5fbcb9bdc39a6b7da898f12132046406e26b3ac478199279c8f5836fd9576c317dd2ac29464baf93448c3a4a84678d116263135979

Download Submit
\Windows\system\mfzwwZI.exe

Filesize
5.2MB

MD5
4928391cf89d8cddd882c769d14bc1dd

SHA1
7640987c8c26edf793de13130356094d9c56ff51

SHA256
e7262b922774b02f00733c76af5b792f31d7c5ec67eef893a6254492dfb69fe6

SHA512
07ea2edb1a8354ddd10933ad0fc718e8b30cbc624e1ed1262af89d5a3375020a91e81846b6d14fe49ef9d52f4faee9347f53135b9b6eac7fc534dea85fe668b9

Download Submit
memory/1060-136-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/1060-237-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/1136-141-0x000000013F840000-0x000000013FB91000-memory.dmp

Filesize
3.3MB

Download
memory/1520-138-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/1520-246-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/1624-144-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/1652-146-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-231-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/1816-131-0x000000013FCD0000-0x0000000140021000-memory.dmp

Filesize
3.3MB

Download
memory/2096-28-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-122-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2096-209-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-148-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2152-135-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2152-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2152-125-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-124-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2152-13-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2152-126-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2152-34-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-173-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-151-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-132-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-14-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-118-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-150-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-149-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-0-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-26-0x000000013F760000-0x000000013FAB1000-memory.dmp

Filesize
3.3MB

Download
memory/2152-147-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2152-137-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2152-140-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2224-25-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2224-207-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2236-143-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2260-203-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2260-16-0x000000013F0E0000-0x000000013F431000-memory.dmp

Filesize
3.3MB

Download
memory/2356-130-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2356-229-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2396-145-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2492-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2492-233-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2504-142-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2540-139-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2564-134-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2564-235-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2768-224-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2768-128-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2768-46-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2832-129-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2832-228-0x000000013FD10000-0x0000000140061000-memory.dmp

Filesize
3.3MB

Download
memory/2928-127-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2928-222-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2928-44-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2940-225-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-35-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-123-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-205-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/3028-15-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download