cobaltstrike | c1426d00121846e991343dc085502ab8e9bc7b5b70bc33bcaa8eea4e78b1036d

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b27ecb5bd0521d38709794b643ab8d9d
SHA1

0138a7883649f4ad97ebd024213addd8ac6237e1
SHA256

c1426d00121846e991343dc085502ab8e9bc7b5b70bc33bcaa8eea4e78b1036d
SHA512

f9e3c792e9ad51689ba9c274fee59743c17e25b3c8aa7eb39eae6814b4e96345ec59d3cbf441f2cd534247103c54bf63c47f145d4cf4de48423aa97845337521
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibd56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fe-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d4a-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4e-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d55-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d71-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dc6-38.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d21-41.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016dc9-52.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd1-58.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e3-68.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e9-85.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ef-93.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e7-79.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f3-99.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019570-111.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195d6-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019605-135.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001956c-136.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001958e-138.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019604-122.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001954e-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral1/memory/1612-20-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2500-45-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/1684-50-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2500-49-0x0000000002300000-0x0000000002651000-memory.dmp	xmrig
behavioral1/memory/2892-48-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2844-47-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/1932-59-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2812-67-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2044-65-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/2820-72-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2500-95-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2832-94-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2704-92-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2500-86-0x0000000002300000-0x0000000002651000-memory.dmp	xmrig
behavioral1/memory/2812-97-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2776-103-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2632-142-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2500-143-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2684-154-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2500-159-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2360-162-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2692-165-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/1944-167-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2912-166-0x000000013F0C0000-0x000000013F411000-memory.dmp	xmrig
behavioral1/memory/2032-164-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2968-163-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/1972-161-0x000000013F0B0000-0x000000013F401000-memory.dmp	xmrig
behavioral1/memory/2920-160-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2500-168-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/1684-218-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1612-220-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2044-223-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/1932-227-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2820-229-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2844-231-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2892-233-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	xmrig
behavioral1/memory/2832-237-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2812-239-0x000000013FC00000-0x000000013FF51000-memory.dmp	xmrig
behavioral1/memory/2776-245-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2632-247-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2704-249-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2684-260-0x000000013F590000-0x000000013F8E1000-memory.dmp	xmrig
behavioral1/memory/2920-263-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1684	aztSEBC.exe
1612	GxmSdGc.exe
1932	ByWYqxT.exe
2044	YheQdvx.exe
2820	vCNiXCQ.exe
2844	bzVPCez.exe
2892	NOCiXKD.exe
2832	LQRmaeu.exe
2812	DitpZai.exe
2776	bpjqWfo.exe
2632	LHHrQcp.exe
2704	SzMaFyp.exe
2684	OrMDLOV.exe
2920	XfOtFdQ.exe
1972	OxzHmRO.exe
2968	GOcUGsj.exe
2692	vEfoeGC.exe
1944	qIPTQQe.exe
2360	nAfbTov.exe
2032	iuXGLHc.exe
2912	gHGZpWT.exe

Loads dropped DLL 21 IoCs

pid	Process
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2500-0-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x00080000000120fe-3.dat	upx
behavioral1/files/0x0008000000016d4a-15.dat	upx
behavioral1/memory/1612-20-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/files/0x0007000000016d4e-21.dat	upx
behavioral1/memory/1932-22-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2044-26-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x0007000000016d55-25.dat	upx
behavioral1/files/0x0007000000016d71-27.dat	upx
behavioral1/memory/1684-14-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2820-32-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/files/0x0007000000016dc6-38.dat	upx
behavioral1/files/0x0009000000016d21-41.dat	upx
behavioral1/memory/2500-45-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/1684-50-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2892-48-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/2844-47-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/files/0x0009000000016dc9-52.dat	upx
behavioral1/memory/2832-57-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/files/0x0008000000016dd1-58.dat	upx
behavioral1/memory/1932-59-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2812-67-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/memory/2044-65-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/files/0x00050000000194e3-68.dat	upx
behavioral1/memory/2820-72-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2776-73-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/files/0x00050000000194e9-85.dat	upx
behavioral1/memory/2632-80-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2684-96-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2832-94-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/files/0x00050000000194ef-93.dat	upx
behavioral1/memory/2704-92-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/files/0x00050000000194e7-79.dat	upx
behavioral1/memory/2812-97-0x000000013FC00000-0x000000013FF51000-memory.dmp	upx
behavioral1/files/0x00050000000194f3-99.dat	upx
behavioral1/files/0x0005000000019570-111.dat	upx
behavioral1/files/0x00050000000195d6-133.dat	upx
behavioral1/files/0x0005000000019605-135.dat	upx
behavioral1/files/0x000500000001956c-136.dat	upx
behavioral1/files/0x000500000001958e-138.dat	upx
behavioral1/files/0x0005000000019604-122.dat	upx
behavioral1/memory/2776-103-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2920-130-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/files/0x000500000001954e-118.dat	upx
behavioral1/memory/2632-142-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2500-143-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2684-154-0x000000013F590000-0x000000013F8E1000-memory.dmp	upx
behavioral1/memory/2360-162-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2692-165-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/1944-167-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/2912-166-0x000000013F0C0000-0x000000013F411000-memory.dmp	upx
behavioral1/memory/2032-164-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2968-163-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/1972-161-0x000000013F0B0000-0x000000013F401000-memory.dmp	upx
behavioral1/memory/2920-160-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2500-168-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/1684-218-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/1612-220-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2044-223-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/1932-227-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2820-229-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2844-231-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2892-233-0x000000013F2A0000-0x000000013F5F1000-memory.dmp	upx
behavioral1/memory/2832-237-0x000000013F030000-0x000000013F381000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\iuXGLHc.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vEfoeGC.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DitpZai.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzMaFyp.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LQRmaeu.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YheQdvx.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vCNiXCQ.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzVPCez.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NOCiXKD.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bpjqWfo.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LHHrQcp.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OrMDLOV.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aztSEBC.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GOcUGsj.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gHGZpWT.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XfOtFdQ.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ByWYqxT.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OxzHmRO.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nAfbTov.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIPTQQe.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GxmSdGc.exe	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2500 wrote to memory of 1684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2500 wrote to memory of 1684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2500 wrote to memory of 1612	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2500 wrote to memory of 1612	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2500 wrote to memory of 1612	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2500 wrote to memory of 1932	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2500 wrote to memory of 1932	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2500 wrote to memory of 1932	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2500 wrote to memory of 2044	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2500 wrote to memory of 2044	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2500 wrote to memory of 2044	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2500 wrote to memory of 2820	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2500 wrote to memory of 2820	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2500 wrote to memory of 2820	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2500 wrote to memory of 2844	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2500 wrote to memory of 2844	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2500 wrote to memory of 2844	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2500 wrote to memory of 2892	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2500 wrote to memory of 2892	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2500 wrote to memory of 2892	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2500 wrote to memory of 2832	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2500 wrote to memory of 2832	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2500 wrote to memory of 2832	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2500 wrote to memory of 2812	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2500 wrote to memory of 2812	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2500 wrote to memory of 2812	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2500 wrote to memory of 2776	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2500 wrote to memory of 2776	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2500 wrote to memory of 2776	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2500 wrote to memory of 2632	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2500 wrote to memory of 2632	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2500 wrote to memory of 2632	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2500 wrote to memory of 2704	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2500 wrote to memory of 2704	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2500 wrote to memory of 2704	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2500 wrote to memory of 2684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2500 wrote to memory of 2684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2500 wrote to memory of 2684	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2500 wrote to memory of 2920	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2500 wrote to memory of 2920	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2500 wrote to memory of 2920	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2500 wrote to memory of 1972	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2500 wrote to memory of 1972	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2500 wrote to memory of 1972	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2500 wrote to memory of 2360	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2500 wrote to memory of 2360	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2500 wrote to memory of 2360	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2500 wrote to memory of 2968	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2500 wrote to memory of 2968	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2500 wrote to memory of 2968	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2500 wrote to memory of 2032	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2500 wrote to memory of 2032	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2500 wrote to memory of 2032	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2500 wrote to memory of 2692	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2500 wrote to memory of 2692	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2500 wrote to memory of 2692	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2500 wrote to memory of 2912	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2500 wrote to memory of 2912	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2500 wrote to memory of 2912	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2500 wrote to memory of 1944	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2500 wrote to memory of 1944	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2500 wrote to memory of 1944	2500	2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-10_b27ecb5bd0521d38709794b643ab8d9d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\System\aztSEBC.exe
  C:\Windows\System\aztSEBC.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\GxmSdGc.exe
  C:\Windows\System\GxmSdGc.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\ByWYqxT.exe
  C:\Windows\System\ByWYqxT.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\YheQdvx.exe
  C:\Windows\System\YheQdvx.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\vCNiXCQ.exe
  C:\Windows\System\vCNiXCQ.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\bzVPCez.exe
  C:\Windows\System\bzVPCez.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\NOCiXKD.exe
  C:\Windows\System\NOCiXKD.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\LQRmaeu.exe
  C:\Windows\System\LQRmaeu.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\DitpZai.exe
  C:\Windows\System\DitpZai.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\bpjqWfo.exe
  C:\Windows\System\bpjqWfo.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\LHHrQcp.exe
  C:\Windows\System\LHHrQcp.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\SzMaFyp.exe
  C:\Windows\System\SzMaFyp.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\OrMDLOV.exe
  C:\Windows\System\OrMDLOV.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\XfOtFdQ.exe
  C:\Windows\System\XfOtFdQ.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\OxzHmRO.exe
  C:\Windows\System\OxzHmRO.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\nAfbTov.exe
  C:\Windows\System\nAfbTov.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\GOcUGsj.exe
  C:\Windows\System\GOcUGsj.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\iuXGLHc.exe
  C:\Windows\System\iuXGLHc.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\vEfoeGC.exe
  C:\Windows\System\vEfoeGC.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\gHGZpWT.exe
  C:\Windows\System\gHGZpWT.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\qIPTQQe.exe
  C:\Windows\System\qIPTQQe.exe
  2⤵
  - Executes dropped EXE
  PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ByWYqxT.exe

Filesize
5.2MB

MD5
dcedb1f048c19b2fb46d573606cb89b4

SHA1
d5284777f4e244d39836ee880aacd08a224a385c

SHA256
36625b384bb574aa2cef8ee2ab2523b5e1c158c8a813d5e4966d9d03d2eb543b

SHA512
876945b29c01c6579e9694a6963636a8161bfe80801153dfec6c7f6922a165bb2b3ab013366980ba3fec738051f2814ab8cdb7e9e50e41ec70f09372491a63c7

Download Submit
C:\Windows\system\GxmSdGc.exe

Filesize
5.2MB

MD5
2efca3a501e4d30898f106598bbb1957

SHA1
a97bbb869464fb3faae3ee88785fb359ff740a52

SHA256
2b0be9ab6a899f943fe43b9302704cbba13da8e20820d3d8740e03d93d8ad511

SHA512
a951204dec67b0a8515ef4c9ff0dfbc8402336f3c859a9bcd4366b3d71357f2e45ab78a20be0d1b3a71923569ce9d9a1e4ee894891f45a87ee42c80382122892

Download Submit
C:\Windows\system\LHHrQcp.exe

Filesize
5.2MB

MD5
a05f1547a2d4fbd1d9a99ea85cc5da27

SHA1
de14d6fb8bad809e97dc58443d495c899df05fc7

SHA256
05d9f71462e78d667a5c71f8bfaef4f399f5983ee032d4f10bb39e40121dec84

SHA512
6c07dbca6d9589cc69419bbf26dd7f3bec24bb15b0d92f3711d6915bced7fc92d10d24b730e042a6a8253c7ce21d3d18a78dd86573a45976e094653686e2afcc

Download Submit
C:\Windows\system\OrMDLOV.exe

Filesize
5.2MB

MD5
15e5065ec7bcba27e58ab01ee4993758

SHA1
c676a3bf09ef102267a39eeec30aa1bf723256fe

SHA256
b6cd5e9704b11559c88fc49845ca470eae7992d25062c9183f0d6541725b4d3b

SHA512
1cfc4dc251b001305e100a810995af59833e017a215b2a78c9edea55069ec5cdce6f66d1dec8335e682dc5bbdd374a8a2d164a5a030c501c7717ccf1b946711a

Download Submit
C:\Windows\system\OxzHmRO.exe

Filesize
5.2MB

MD5
afdaa74c66cf627d14430d6c6ae453ab

SHA1
64beb426963fe23e7cf244637d6532c7f639276f

SHA256
2d84e6a9ca4ac8cc6d4db50e6e0da256db1243a318833564c006ccaa4e5eb306

SHA512
2b22b0362ac957f61f88e0a81a41abc694028ce96149f75cce8b0fac7ddeab4a67ef612ab7c9e91c6740b6e0162dfcf990b5ed6fe3ad7e6d433a26b4ebc8b2f9

Download Submit
C:\Windows\system\SzMaFyp.exe

Filesize
5.2MB

MD5
ddc3efa2a7652802ad0c11a7925c8ba6

SHA1
d72b269c1e8a5b572ee106a9ebcee30730fe435f

SHA256
b33d9f0e50ba4f2fba454a903b2d57768d90f0226745ac86cfba61c5be0346c6

SHA512
a0d145f306afb248439c9d196fa02789ae626b1858010f85ead21d22b19c5a0d2b61ada9efcbc89520fa2af10f0b804af35e699de820d554f6b2ae69384a04f2

Download Submit
C:\Windows\system\YheQdvx.exe

Filesize
5.2MB

MD5
11594f777a42fe26ff397f09c52f75ad

SHA1
85e7e3b0022d2753bdb7227d88bc48195d38f1cc

SHA256
058e020c69783db3b3ee79dd4b013af6dddd72cf71d181d3a560dc9e98555eb0

SHA512
54dee67cd00fd83fc88c98611f072bb4f761c03d88e9f6568d6ecdddf52237007307cd472424beedc5f48ac3fe2414b13169a936dcf9d07e056dcc37d76f7841

Download Submit
C:\Windows\system\bzVPCez.exe

Filesize
5.2MB

MD5
99f830ccb0c9488acdb97be23da1d021

SHA1
2aff481861fe439a1e6ac0266d505b52c41a4b75

SHA256
3fa5ee0a45183a1435fe6595160c6bfcbf61272c491c80b957e0e2e64e714f4f

SHA512
4a541d034b77f2d1e360651e70f5c62e775b8cacb5c57a37ccb945f0e212a9bba0b3fad1888671fd03a79b1b9d2af963b6459c24b766738288b7dd03ab95b076

Download Submit
C:\Windows\system\iuXGLHc.exe

Filesize
5.2MB

MD5
33afe84c9a17bd4b941517641f1d67a4

SHA1
064fc552b42e19cba96f48a6a5f73425fe938b42

SHA256
dab1470ed70c995c566c689a8f60ef28b30874e3308351fb1ad463c105bce9bf

SHA512
c6cb015a02e78e47dfbff199bbdf352ddea1a861bd975055ab9aac2365a4958b8cab0807eb7740f289237392bee6d2477dd58def1b9d7624484b64caf03e9ac9

Download Submit
C:\Windows\system\nAfbTov.exe

Filesize
5.2MB

MD5
105e44f03137e1f58adb0d94cfc48922

SHA1
7e10aadef1075cdb0417ef786fc71ebca9eed728

SHA256
8667284cae1a19b7c3085867fca56e88fb5cf09954805cf72c1ed8861abcc140

SHA512
67445c2e0e11e9350af72fd6a9317ed90132e0cd13adc2fa228955935bf77d202c5e9f491267644c3bce25d13699130607163a442bc1709d908efa45902322bf

Download Submit
C:\Windows\system\qIPTQQe.exe

Filesize
5.2MB

MD5
df9cd5167ec1f22376a27c364dd27c63

SHA1
aabbca86aa6be26d74b9f3925673b7511cc43900

SHA256
1c8b22c184ebaab32acf5def02beb08485b1b16967b75749a422423605aea60a

SHA512
36ec6239ee82b26e7da148d292304a827f8a1b1e0d46af4c7733d367277adb96bfc364f952d9bff5867cff75526891b86655cfa1fa3f2cce8dc1b8986ce76260

Download Submit
C:\Windows\system\vEfoeGC.exe

Filesize
5.2MB

MD5
130438713ecadd97d432d222e7afe06f

SHA1
217577378ea07c80950a5f8a249ecfb752be1d4d

SHA256
b22738bee44390921ad1c0c0a3eee24ad56048f38f5c19b48279dd57d2964bf9

SHA512
2dd842148ee41b2b8208aac1a80907bee0bff346befa8e0436c36a438b019e7a0b22cda4626c0aa0b328c9802159a1c851109395c3b5b854c9c615655854be36

Download Submit
\Windows\system\DitpZai.exe

Filesize
5.2MB

MD5
6971a52d83399e9d5bb35b6f8c02197f

SHA1
7036a92464824c34529479d592bdb146a41ae42d

SHA256
9673d3f0a7e9bb73f958220ea3f66b5952f88e63731713fa0163b84c4d86ccb0

SHA512
dcdb80d5b30f4fea4fd43d1dc2a11c79ba8c4245a3159cd942bb4423b43f9183651f621ed1bd37f0b6b31842cb8de43e00fccc2ffe5b7904ebfae4aae2fae4eb

Download Submit
\Windows\system\GOcUGsj.exe

Filesize
5.2MB

MD5
935aefc282750074c583072c65e3d293

SHA1
45ed9e0cd6bbe0073bde488c1db9c64516c6db6b

SHA256
29daf07994e475610bb0376c0d719b3f85430cf6f4316e72b7ceff1001f2ce4c

SHA512
9c73d516b21671fc9e0cd4f664aa2f7678fdfc56b956be310c5f636677cc3a3c37fe7e413a08fa009aeea49d3848ee23297317c92ecf58781a1b8cfcce96eeb4

Download Submit
\Windows\system\LQRmaeu.exe

Filesize
5.2MB

MD5
0c8f64e22f0a17757132cf164d9f0e8a

SHA1
b2be33a3df759a889f380adf0c136ae00eb744d7

SHA256
49ef73e869865151c6e9a04fdc415caa2f620595222d93141bd2a0fd309d08df

SHA512
3c35cb3afc6321501f58947281830ed6a1f5f9898f0581a007ac4006683e4d83958d7ad52d859d2ce40ab11e0bb71d7c32882e889ebb131cd73fab51352e12f9

Download Submit
\Windows\system\NOCiXKD.exe

Filesize
5.2MB

MD5
ee6f103858017e2812cbd85d31b08f25

SHA1
81654fa485661d36a45962e8b24ef92977f09450

SHA256
1603f99bcfc392b242d179a76858c8d0ea5716c638851ee71be69829b4af0c38

SHA512
1e0f3c26634254b59f6fffc1e346d79eac931147687399633dc9b92706685a7a3298fe7751e4fdd853ed96368636dc36f7dcf68deaa0735ca6def74d8d3215d0

Download Submit
\Windows\system\XfOtFdQ.exe

Filesize
5.2MB

MD5
5e9fdde63f01641089b0928566ea4e75

SHA1
8df0b7d5d8434d142f456220c58e992a1df9dea0

SHA256
6f332529e356432a9ef943ec82f5720380a3138b3479d8c841aa312908f1fb8c

SHA512
bb6b96e9520da1539ebb16135b7eb6e40fe4376f271b6618fd8c9970b8871c36ba0be9293834a2a4cbd7d08dcfaef3f62f864c8d61ea4df27f5e85c573f0a5df

Download Submit
\Windows\system\aztSEBC.exe

Filesize
5.2MB

MD5
f2a47f83a603b381115e15131984dd23

SHA1
1bccd6d69212aad70075f3ec62c469313b701665

SHA256
cdacd4240ab5a0039b39835755514cd7e1401ccef9af51888907ad9520176ca7

SHA512
a680af8523460fcb4c7b9211c45fec4014ac467c3acdda87bb30518108070ff8e0f78c9f15645f5c44e149a480ae8a81741fbac32487c02d0fa8883090c887f4

Download Submit
\Windows\system\bpjqWfo.exe

Filesize
5.2MB

MD5
d1aa7ab2184d78c5bb7a2167e648754e

SHA1
e766d3c5278f25780d64f69ad81db189f784c6f4

SHA256
0aabf89a4cb267a585f91b51d8de56060161a57300e5ec5451d6f4a9e7a1ec09

SHA512
c5bfacf67dee2f0789f88490757ac1acf2776d9f1cc0c4af12cbca34e4fbc3c6a824cee36ea832d8f64ab8975844a4a05a2ab8f30d5e8ab1f7bd7b689acb9bb1

Download Submit
\Windows\system\gHGZpWT.exe

Filesize
5.2MB

MD5
9d28c5c572cfe2cb35a2cac9840e5343

SHA1
f43f91ff49f492b7afbacbdb2372b7940cbcd2ae

SHA256
056eb0eeecd96880d6a28c82e4fc9b9d2a780e7e26aa2cd1d5a85b79ea958bb2

SHA512
fcd59f82e8b7a9b7746d04a69c8487aa91bd8be0cb435f60adc91cf723d7e34e4e34206b0dea2716f602dc6da8b09b9538628c3993a10cde57d77ce1b7c39539

Download Submit
\Windows\system\vCNiXCQ.exe

Filesize
5.2MB

MD5
ca2b9acb5615353a13d47e7efa987d2c

SHA1
2886c1d1b5262ca4bb786e1c548229f9ca35b386

SHA256
0c1e361ffe15c09af7f2fa396c49903aae3a5fac49f0860137a133234780cdde

SHA512
81fad9cf66ea9050316fc863a80f78bbfb4a70237e787c3fe776fa16a03798d3de7022204c04c81e03d76f8b163e1f4777c3a827a78087cd59bf9a520604d311

Download Submit
memory/1612-220-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1612-20-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/1684-14-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/1684-50-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/1684-218-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/1932-59-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1932-22-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1932-227-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1944-167-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-161-0x000000013F0B0000-0x000000013F401000-memory.dmp

Filesize
3.3MB

Download
memory/2032-164-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-65-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-26-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-223-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2360-162-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2500-159-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2500-18-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2500-95-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2500-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2500-19-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2500-28-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-77-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2500-86-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2500-69-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2500-168-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2500-98-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2500-45-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2500-51-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2500-64-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2500-49-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2500-0-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2500-55-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2500-109-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2500-143-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2500-132-0x0000000002300000-0x0000000002651000-memory.dmp

Filesize
3.3MB

Download
memory/2632-142-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2632-247-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2632-80-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2684-260-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-154-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2684-96-0x000000013F590000-0x000000013F8E1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-165-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/2704-92-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2704-249-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2776-245-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2776-103-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2776-73-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2812-239-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2812-97-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2812-67-0x000000013FC00000-0x000000013FF51000-memory.dmp

Filesize
3.3MB

Download
memory/2820-32-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-72-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-229-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2832-237-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2832-57-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2832-94-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2844-231-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2844-47-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2892-233-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-48-0x000000013F2A0000-0x000000013F5F1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-166-0x000000013F0C0000-0x000000013F411000-memory.dmp

Filesize
3.3MB

Download
memory/2920-160-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2920-130-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2920-263-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2968-163-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download