cobaltstrike | 3bb19b9c626ed3dbf919bc1d90f1211009d085103dc615e4b085e73aa1c4bf02

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4d7d807b7bbbee79245a6e6b042c00d0
SHA1

edd9dec3a4c6def0e06be448137f8940b69f9c67
SHA256

3bb19b9c626ed3dbf919bc1d90f1211009d085103dc615e4b085e73aa1c4bf02
SHA512

35e8d789e519069eee5f0eecd55b6085bda3743dd78d15dd1383f3e88ea03e187188b615292f7300a2d9813f2b72b4727d6631d82d9ddaa68f5e27b850309664
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibd56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\qYpjJli.exe	cobalt_reflective_dll
\Windows\system\MQOSzZv.exe	cobalt_reflective_dll
C:\Windows\system\tHNSawS.exe	cobalt_reflective_dll
\Windows\system\EhDoZwg.exe	cobalt_reflective_dll
\Windows\system\oQPiUST.exe	cobalt_reflective_dll
C:\Windows\system\AnaKLyr.exe	cobalt_reflective_dll
C:\Windows\system\ewFrXWj.exe	cobalt_reflective_dll
C:\Windows\system\Bluajfe.exe	cobalt_reflective_dll
\Windows\system\mAebfiF.exe	cobalt_reflective_dll
C:\Windows\system\eCYRqmC.exe	cobalt_reflective_dll
\Windows\system\FgZgYwB.exe	cobalt_reflective_dll
C:\Windows\system\vIfvceq.exe	cobalt_reflective_dll
C:\Windows\system\pkMgYSd.exe	cobalt_reflective_dll
\Windows\system\ZdGzqPy.exe	cobalt_reflective_dll
C:\Windows\system\bUTnCIs.exe	cobalt_reflective_dll
C:\Windows\system\HKcJzze.exe	cobalt_reflective_dll
C:\Windows\system\pYNzHAn.exe	cobalt_reflective_dll
C:\Windows\system\vndYLtz.exe	cobalt_reflective_dll
C:\Windows\system\xbUXQsp.exe	cobalt_reflective_dll
C:\Windows\system\kdHOpwd.exe	cobalt_reflective_dll
C:\Windows\system\UvrsgUT.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2692-35-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2104-62-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/3032-77-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/2388-16-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/1052-140-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2632-102-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2744-82-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2640-142-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2368-67-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2104-143-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2820-92-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2796-28-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2832-144-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2104-20-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2328-146-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2104-148-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/1232-157-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2868-167-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/1560-170-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2028-169-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1724-168-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/536-165-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/852-164-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2188-162-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/792-166-0x000000013F180000-0x000000013F4D1000-memory.dmp	xmrig
behavioral1/memory/2104-172-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2388-231-0x000000013F370000-0x000000013F6C1000-memory.dmp	xmrig
behavioral1/memory/2796-233-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2368-236-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2692-237-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/3032-239-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	xmrig
behavioral1/memory/2744-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2820-243-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2632-245-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/1052-247-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2640-249-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2328-259-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2832-261-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/1232-264-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

qYpjJli.exeUvrsgUT.exetHNSawS.exeMQOSzZv.exexbUXQsp.exekdHOpwd.exepYNzHAn.exeEhDoZwg.exeHKcJzze.exeoQPiUST.exepkMgYSd.exeAnaKLyr.exevIfvceq.exevndYLtz.exeZdGzqPy.exeeCYRqmC.exebUTnCIs.exeFgZgYwB.exeewFrXWj.exemAebfiF.exeBluajfe.exe

pid	process
2388	qYpjJli.exe
2368	UvrsgUT.exe
2796	tHNSawS.exe
2692	MQOSzZv.exe
3032	xbUXQsp.exe
2744	kdHOpwd.exe
2820	pYNzHAn.exe
2632	EhDoZwg.exe
1052	HKcJzze.exe
2640	oQPiUST.exe
2832	pkMgYSd.exe
2328	AnaKLyr.exe
1232	vIfvceq.exe
536	vndYLtz.exe
2188	ZdGzqPy.exe
852	eCYRqmC.exe
2868	bUTnCIs.exe
792	FgZgYwB.exe
2028	ewFrXWj.exe
1724	mAebfiF.exe
1560	Bluajfe.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2104-0-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
\Windows\system\qYpjJli.exe	upx
\Windows\system\MQOSzZv.exe	upx
C:\Windows\system\tHNSawS.exe	upx
behavioral1/memory/2692-35-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/3032-46-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/2744-48-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
\Windows\system\EhDoZwg.exe	upx
behavioral1/memory/2104-62-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2632-63-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
\Windows\system\oQPiUST.exe	upx
behavioral1/memory/3032-77-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/2640-78-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
C:\Windows\system\AnaKLyr.exe	upx
behavioral1/memory/2388-16-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
C:\Windows\system\ewFrXWj.exe	upx
C:\Windows\system\Bluajfe.exe	upx
\Windows\system\mAebfiF.exe	upx
C:\Windows\system\eCYRqmC.exe	upx
\Windows\system\FgZgYwB.exe	upx
behavioral1/memory/1232-103-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/1052-140-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/2632-102-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
C:\Windows\system\vIfvceq.exe	upx
behavioral1/memory/2832-87-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
C:\Windows\system\pkMgYSd.exe	upx
behavioral1/memory/2744-82-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
\Windows\system\ZdGzqPy.exe	upx
behavioral1/memory/1052-70-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
C:\Windows\system\bUTnCIs.exe	upx
C:\Windows\system\HKcJzze.exe	upx
behavioral1/memory/2640-142-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/2368-67-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2820-54-0x000000013F430000-0x000000013F781000-memory.dmp	upx
C:\Windows\system\pYNzHAn.exe	upx
C:\Windows\system\vndYLtz.exe	upx
C:\Windows\system\xbUXQsp.exe	upx
behavioral1/memory/2328-93-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2820-92-0x000000013F430000-0x000000013F781000-memory.dmp	upx
C:\Windows\system\kdHOpwd.exe	upx
behavioral1/memory/2796-28-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2368-26-0x000000013F240000-0x000000013F591000-memory.dmp	upx
C:\Windows\system\UvrsgUT.exe	upx
behavioral1/memory/2832-144-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2104-9-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2328-146-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2104-148-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/1232-157-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2868-167-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/1560-170-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2028-169-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/1724-168-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/536-165-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/852-164-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/2188-162-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/792-166-0x000000013F180000-0x000000013F4D1000-memory.dmp	upx
behavioral1/memory/2104-172-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2388-231-0x000000013F370000-0x000000013F6C1000-memory.dmp	upx
behavioral1/memory/2796-233-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2368-236-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2692-237-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/3032-239-0x000000013F9A0000-0x000000013FCF1000-memory.dmp	upx
behavioral1/memory/2744-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2820-243-0x000000013F430000-0x000000013F781000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\FgZgYwB.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUTnCIs.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HKcJzze.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pkMgYSd.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AnaKLyr.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xbUXQsp.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oQPiUST.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vndYLtz.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAebfiF.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UvrsgUT.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHNSawS.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYNzHAn.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewFrXWj.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qYpjJli.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kdHOpwd.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eCYRqmC.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZdGzqPy.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Bluajfe.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQOSzZv.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhDoZwg.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vIfvceq.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2104 wrote to memory of 2388	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	qYpjJli.exe
PID 2104 wrote to memory of 2388	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	qYpjJli.exe
PID 2104 wrote to memory of 2388	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	qYpjJli.exe
PID 2104 wrote to memory of 2368	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	UvrsgUT.exe
PID 2104 wrote to memory of 2368	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	UvrsgUT.exe
PID 2104 wrote to memory of 2368	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	UvrsgUT.exe
PID 2104 wrote to memory of 2692	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	MQOSzZv.exe
PID 2104 wrote to memory of 2692	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	MQOSzZv.exe
PID 2104 wrote to memory of 2692	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	MQOSzZv.exe
PID 2104 wrote to memory of 2796	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	tHNSawS.exe
PID 2104 wrote to memory of 2796	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	tHNSawS.exe
PID 2104 wrote to memory of 2796	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	tHNSawS.exe
PID 2104 wrote to memory of 2820	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pYNzHAn.exe
PID 2104 wrote to memory of 2820	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pYNzHAn.exe
PID 2104 wrote to memory of 2820	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pYNzHAn.exe
PID 2104 wrote to memory of 3032	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	xbUXQsp.exe
PID 2104 wrote to memory of 3032	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	xbUXQsp.exe
PID 2104 wrote to memory of 3032	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	xbUXQsp.exe
PID 2104 wrote to memory of 1052	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	HKcJzze.exe
PID 2104 wrote to memory of 1052	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	HKcJzze.exe
PID 2104 wrote to memory of 1052	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	HKcJzze.exe
PID 2104 wrote to memory of 2744	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	kdHOpwd.exe
PID 2104 wrote to memory of 2744	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	kdHOpwd.exe
PID 2104 wrote to memory of 2744	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	kdHOpwd.exe
PID 2104 wrote to memory of 2832	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pkMgYSd.exe
PID 2104 wrote to memory of 2832	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pkMgYSd.exe
PID 2104 wrote to memory of 2832	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	pkMgYSd.exe
PID 2104 wrote to memory of 2632	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	EhDoZwg.exe
PID 2104 wrote to memory of 2632	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	EhDoZwg.exe
PID 2104 wrote to memory of 2632	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	EhDoZwg.exe
PID 2104 wrote to memory of 1232	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vIfvceq.exe
PID 2104 wrote to memory of 1232	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vIfvceq.exe
PID 2104 wrote to memory of 1232	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vIfvceq.exe
PID 2104 wrote to memory of 2640	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	oQPiUST.exe
PID 2104 wrote to memory of 2640	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	oQPiUST.exe
PID 2104 wrote to memory of 2640	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	oQPiUST.exe
PID 2104 wrote to memory of 2188	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ZdGzqPy.exe
PID 2104 wrote to memory of 2188	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ZdGzqPy.exe
PID 2104 wrote to memory of 2188	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ZdGzqPy.exe
PID 2104 wrote to memory of 2328	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	AnaKLyr.exe
PID 2104 wrote to memory of 2328	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	AnaKLyr.exe
PID 2104 wrote to memory of 2328	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	AnaKLyr.exe
PID 2104 wrote to memory of 852	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	eCYRqmC.exe
PID 2104 wrote to memory of 852	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	eCYRqmC.exe
PID 2104 wrote to memory of 852	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	eCYRqmC.exe
PID 2104 wrote to memory of 536	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vndYLtz.exe
PID 2104 wrote to memory of 536	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vndYLtz.exe
PID 2104 wrote to memory of 536	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vndYLtz.exe
PID 2104 wrote to memory of 792	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FgZgYwB.exe
PID 2104 wrote to memory of 792	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FgZgYwB.exe
PID 2104 wrote to memory of 792	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FgZgYwB.exe
PID 2104 wrote to memory of 2868	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	bUTnCIs.exe
PID 2104 wrote to memory of 2868	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	bUTnCIs.exe
PID 2104 wrote to memory of 2868	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	bUTnCIs.exe
PID 2104 wrote to memory of 1724	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	mAebfiF.exe
PID 2104 wrote to memory of 1724	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	mAebfiF.exe
PID 2104 wrote to memory of 1724	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	mAebfiF.exe
PID 2104 wrote to memory of 2028	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ewFrXWj.exe
PID 2104 wrote to memory of 2028	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ewFrXWj.exe
PID 2104 wrote to memory of 2028	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ewFrXWj.exe
PID 2104 wrote to memory of 1560	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	Bluajfe.exe
PID 2104 wrote to memory of 1560	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	Bluajfe.exe
PID 2104 wrote to memory of 1560	2104	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	Bluajfe.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System\qYpjJli.exe
  C:\Windows\System\qYpjJli.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\UvrsgUT.exe
  C:\Windows\System\UvrsgUT.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\MQOSzZv.exe
  C:\Windows\System\MQOSzZv.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\tHNSawS.exe
  C:\Windows\System\tHNSawS.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\pYNzHAn.exe
  C:\Windows\System\pYNzHAn.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\xbUXQsp.exe
  C:\Windows\System\xbUXQsp.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\HKcJzze.exe
  C:\Windows\System\HKcJzze.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\kdHOpwd.exe
  C:\Windows\System\kdHOpwd.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\pkMgYSd.exe
  C:\Windows\System\pkMgYSd.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\EhDoZwg.exe
  C:\Windows\System\EhDoZwg.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\vIfvceq.exe
  C:\Windows\System\vIfvceq.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\oQPiUST.exe
  C:\Windows\System\oQPiUST.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\ZdGzqPy.exe
  C:\Windows\System\ZdGzqPy.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\AnaKLyr.exe
  C:\Windows\System\AnaKLyr.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\eCYRqmC.exe
  C:\Windows\System\eCYRqmC.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\vndYLtz.exe
  C:\Windows\System\vndYLtz.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\FgZgYwB.exe
  C:\Windows\System\FgZgYwB.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Windows\System\bUTnCIs.exe
  C:\Windows\System\bUTnCIs.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\mAebfiF.exe
  C:\Windows\System\mAebfiF.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\ewFrXWj.exe
  C:\Windows\System\ewFrXWj.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\Bluajfe.exe
  C:\Windows\System\Bluajfe.exe
  2⤵
  - Executes dropped EXE
  PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AnaKLyr.exe

Filesize
5.2MB

MD5
954de1fcddac7d8dd818ef5c83b2870b

SHA1
3e016fa15b2e61939d5c1be5f3bde0b9c37a93e8

SHA256
055796e75cac17ba3c2bf5601871a466d684ad725f181cd098db843993c27fe0

SHA512
ae52daa3ce315d62dce3ef75801203cd945b98076f42c68834676ba52b127da9c47e2e840146a4c3875a9c2293994aaa2b607adbd8ff1e0734cd23f0f43e5b68

Download Submit
C:\Windows\system\Bluajfe.exe

Filesize
5.2MB

MD5
c2ede6f85085988417fe26d0e69f845d

SHA1
d181953043d9c44dddc957ea071235168f6dd02e

SHA256
78b206c43a900ccf2f7b2e036dbcdf4daa9998ef4ae3297ecea9410d3b01ce1d

SHA512
b5278d8c643143962413e171ccba6b754ac8b493b083b91668ebedf12b3826a0a13cade878db69032120e24371686dcafa22048570140dae03b22235d284327e

Download Submit
C:\Windows\system\HKcJzze.exe

Filesize
5.2MB

MD5
97af97050afe66f26dd99ba1b2b8ff06

SHA1
ddc786b26731f8e0d7d84c7c29960725d1e37518

SHA256
e295109f626c330cb23bec428144d4215399828f9277a204c6ba36351e3f95c1

SHA512
bcdf792ccc9370c95a3cccb79e49a018f601192109b6b38ad16cf87d7735be11453d46dc7db467cb0e5992c9c453b449674ce2c06deb9b2f4b34b40710d87877

Download Submit
C:\Windows\system\UvrsgUT.exe

Filesize
5.2MB

MD5
102b4d54a15d14cd388a3caff39bfea2

SHA1
26a897d4b7b721d91df758e10a3d496071d407e1

SHA256
4d94f1418c197468b32f88a6098fe6f8451faff0adba600e115eadd2ace6d10f

SHA512
d6b20c75dd7b1af49598ff113907bf6cf87e6fc5e02f6e424d8680c2bee171e25bad4e519649077e194fd9f8d61c2cd167c99f224c9fe1d4527a18ae53f8b99d

Download Submit
C:\Windows\system\bUTnCIs.exe

Filesize
5.2MB

MD5
a024271f8e0a9e862766409d78652176

SHA1
594e04c3f9b9ca08dd455a4f56720288d113fa5d

SHA256
ca3b87df59350c0995502a54975ef7b900c2a54e0a416eb1f917d43da23788eb

SHA512
e43885b613d8e51f500447fec0e2442285ec491944b129a53bd2198c14777a5297fe254b379e2299f263de987294f48e6fbfb7b1d21f49759158857a256b27d0

Download Submit
C:\Windows\system\eCYRqmC.exe

Filesize
5.2MB

MD5
4c838b127959c5ffe49d4427439035b0

SHA1
615f84090f139d7aa901335fc2580fd6f8cd1ae9

SHA256
5b87fe27cc45ed5fc6f20e6b8005f0df8c6e99d351da9fa4da7882031fb6d671

SHA512
8bcf9c512909a3df34b165d54aac825929c3593d1a85490aba0180854d8a9338b52bc345e10da7de46164d32a9d4b3c4269c8220f099a42b256dbe3722fefd00

Download Submit
C:\Windows\system\ewFrXWj.exe

Filesize
5.2MB

MD5
9ffcdb0e0cf09dbd6b053c2943c4c5b4

SHA1
40a810e76f14256088c249ac0cd3af7042c29d3e

SHA256
12084728e851cd30c9053f5ec3af9f9bca626573c7c8eaa4eacf6c218dee86ca

SHA512
dc9ce81e167baec13a092fa6cb64b1ee7d1e4464a36ca6fbac4bf0906da881955c8a16382045453334b84dfc1f02ac78f73e05f5e6c7481677c1a7121aafad7b

Download Submit
C:\Windows\system\kdHOpwd.exe

Filesize
5.2MB

MD5
f17efa167a80c29cb59ac03b91b08c10

SHA1
39b54124399fbfb06a21211594e64848d02f9f22

SHA256
a8d018403f898187cd4eb284d0847ebd05981aafed026b1bb0728341927d62e0

SHA512
b4e1b4445243bf075cddb6e87a99e2a0d5458ea034a2bcf1821a57ea2bfeb36c758f0e60b55b8fe9ee846a17f8367d9d70ce134e40677990941d9a285efebd94

Download Submit
C:\Windows\system\pYNzHAn.exe

Filesize
5.2MB

MD5
8b8c940606f3399daa4d2a611b91e0fd

SHA1
9bc0c3322b425bf509c84b0f78e6bd96436d7575

SHA256
a627b8299992a4ab3046596e4c65d41249b6f21aea0c104024c987f2f7fb6128

SHA512
1fd71d67af133bcb61c22029feb399f8a17c5755b46af8e7ba27a3f182959531dd1a09a05180de11be4f61daa6d9eb057dae3bca11a663634d549bb62f0104b0

Download Submit
C:\Windows\system\pkMgYSd.exe

Filesize
5.2MB

MD5
a03f7d6595c9aeb9edcc23a1b2464a58

SHA1
8d6fd91550c40ae7af9409e737c66edc4cebd7ce

SHA256
afa44083f9410113a99390639e6a4e9532575b3434644c4933c4a8ab3b4ce065

SHA512
0eb54779a168c0ac9addeeb0d78b8c033bc22c2c44d0a6aa65866c0b43d9453f250f5b92f84cdb005c98d43302feada400a3bfb4dddb50fdb0127a4f6c89b9b0

Download Submit
C:\Windows\system\tHNSawS.exe

Filesize
5.2MB

MD5
9f73b7bb480e233ac9ea2d582f9f872e

SHA1
5fada0599cbeb043f147b87224ead3fc0fcc6ace

SHA256
2bd9afa86dac6259590000637e3968ffd690d5e3892b5b45e214024c1ccda53e

SHA512
d6c7cb987c62f2b5056ceb5da99e33d44e0cf2e710c31a9cf846b4e20491f7565130e0bde0ea3fbaff39c67c753233239e644b0fd90baaeb404e7095085f98fe

Download Submit
C:\Windows\system\vIfvceq.exe

Filesize
5.2MB

MD5
a4e5c195cc4d8a0d5306bc840cee9fe3

SHA1
2d08a74c3d161bac6cb15eac774dc1172b7ca964

SHA256
7f1413f0814cc25774c699c1034f33fea446babb82bf445db178bbfa9e23a363

SHA512
5c5724b7987d41f70315479c0908507754938a885ebd1d1d54a07a2b76ed2ac9e35ae713f488be0738c7ebd50c25dfc46bd893610203d66ff86328956705b9ef

Download Submit
C:\Windows\system\vndYLtz.exe

Filesize
5.2MB

MD5
e1d1c504e91c95d297934048858ee24f

SHA1
b704df1161dbbcbc11fbaaf5986654ea426c3bf5

SHA256
e1fc7da409b5253495dc311820d7674c45b41e41df7463c8291a1c5d80a00c63

SHA512
c7c21affa9a8286bd74b352c8c536f62d960eaa5fec19d7f2b31c162ed75010bdfe0658ecc498b2fd768e47b19ea4fa4cf1ed063c96c56a2b0ffea7e89af2c6e

Download Submit
C:\Windows\system\xbUXQsp.exe

Filesize
5.2MB

MD5
a148baad6b2c837306190965084d168f

SHA1
31719a567ee1c9a5b39c6ce6811fa53968bdc728

SHA256
09021b4e34d47f17cfb089a20573474759d1aff36f10f4387e7fe7c8c4333218

SHA512
e444f0ded2ac950774c0a2b62b901e313a450446cc80bdad47ee8a7158d91582d3d36ecd692678bdb5b04c9d9f204b76b64f64e0f007c231ccc4c993157c2e5f

Download Submit
\Windows\system\EhDoZwg.exe

Filesize
5.2MB

MD5
2008016ec631d137ca5a33fa11a0f091

SHA1
9b247255ee7ee78b12872c07b3feda82eb0e118b

SHA256
22097580e40458b5a97356a281fdb0032b710babe0672a39edec9b99de1c7743

SHA512
9cda97c971bb5e63dc28f340a508479dd80f23f681ee1dbfc523401d32a9474af6b174c61436ff3bdc5d858a31b2f4450f38e08f913b89c455e3bc39a9345651

Download Submit
\Windows\system\FgZgYwB.exe

Filesize
5.2MB

MD5
9516532ada245f8ae5af278429129acf

SHA1
9962e3e4463939a1b55368fafd2586d9a9fb4291

SHA256
5f7c4a5d739c4a09c109054f31e19847880364b9f993d5708a6e0940593e0e50

SHA512
f439bf6388c528d1c0c7b095a9e761a31f07325c112d12a70771168c2ca33290c3692d173219330e62c87f6abbd4fd78edfba349911889f1fb3ccacf46a875f5

Download Submit
\Windows\system\MQOSzZv.exe

Filesize
5.2MB

MD5
a0e036adfbc1caa0440d53e566d9c176

SHA1
6cfdcea12435c52acb04faba929269d3836ac485

SHA256
46623b638dc2cc181ab4c8e0b79187b51389c429ba9d89e32f6e23d4f6af3e83

SHA512
9ce20f645326b58b5bb6e9f5fb5524d6ac2f8fcd28befc99ceb2bced1ed55e44d79881c426ae90705264f775314f1596356805c065cf0de68b59368a8143ead3

Download Submit
\Windows\system\ZdGzqPy.exe

Filesize
5.2MB

MD5
7d25a1f960d0d403b92e2371cdc78e0e

SHA1
f17a7140eeb85058b5d2f1150b9c3c002a5c21cf

SHA256
14fc16e4fd27f88a312d9cf3721e15c5df161a9113d742bf2820f26928165e72

SHA512
64c23d343baa1932f8aa0f2aa9414bb7d7c9bd8df3beec4b923a5c27e7757059872a7d60637b00b13a529fca3f8ce88aeae320514dfc2c3ac18f9c0e3c29ca15

Download Submit
\Windows\system\mAebfiF.exe

Filesize
5.2MB

MD5
4825c4f874803229eaf0a04ca70ca134

SHA1
9f75a9782394b93d07befbb1758dd63949535d45

SHA256
d9e558fc4158139354a9a216feaf216f488367011f254e06b0a46924dc2f7ba1

SHA512
6c639354be4f61ea9a5c69e54a796ec85b79e95c00d788f5e496305a2faa486aa8fa960438af028c5c2e9baa32d13874dfe95cdcd380638160c6058411663f4e

Download Submit
\Windows\system\oQPiUST.exe

Filesize
5.2MB

MD5
b0515b42f14f2616d3fa988832607573

SHA1
9d9c629d44b4379c3d5df000599b2c1ac8cdf227

SHA256
78110264b200dd2549a79b6c33bcdcd4bd18c2c1e8576b50cd21ddbcaff772fc

SHA512
5de53a7d01714c39df970e9b5549c3f240549ada42e8fcee4a595c72d7c08561525f474b42680fb9ebf2222a60112adee91204e598dbea59bc77f84a0b6ef685

Download Submit
\Windows\system\qYpjJli.exe

Filesize
5.2MB

MD5
ce347d557196d82c7004270b9b847f01

SHA1
fcee641804559f12c298aa897872ce8091feb456

SHA256
893d216aaeedfc89aa5449da4674884d43570fcb5c96961e34da703ed7cf7bac

SHA512
c0234e137fda99eaa49b0c74159b99d48c36d479a4e6aadd11f89dce749571382664ad972145d528c41c220c11b0aa1fcc2d839c4a67ba31adf2c9276355bb66

Download Submit
memory/536-165-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/792-166-0x000000013F180000-0x000000013F4D1000-memory.dmp

Filesize
3.3MB

Download
memory/852-164-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1052-140-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/1052-247-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/1052-70-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/1232-157-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-103-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1232-264-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1560-170-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/1724-168-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2028-169-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-106-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2104-9-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-83-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2104-141-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/2104-172-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2104-49-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-62-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2104-52-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2104-97-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-0-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2104-171-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2104-32-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-105-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-143-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2104-148-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2104-147-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-89-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-74-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-59-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2104-39-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2104-145-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2104-12-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2104-20-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2188-162-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2328-259-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-146-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-93-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2368-26-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2368-236-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2368-67-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2388-16-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-231-0x000000013F370000-0x000000013F6C1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-63-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2632-245-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2632-102-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2640-78-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-142-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2640-249-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-237-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2692-35-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/2744-48-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-82-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-28-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-233-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-243-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2820-92-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2820-54-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2832-87-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2832-144-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2832-261-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2868-167-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/3032-239-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-46-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download
memory/3032-77-0x000000013F9A0000-0x000000013FCF1000-memory.dmp

Filesize
3.3MB

Download