cobaltstrike | dc76f09f3da7e0e011038ac2d9fd47a355e27376ef3d66228a56c6d0cb94cebf

Analysis

max time kernel
145s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14/12/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2044a8bb0d43de0b69f371d1f27ffc5a
SHA1

e4e9d3db039df36b9ccc28c06d66b020891617ab
SHA256

dc76f09f3da7e0e011038ac2d9fd47a355e27376ef3d66228a56c6d0cb94cebf
SHA512

e567328c1ff141edb801a937595b87a12d0260d7d9efeb84ce06e3f47447364097c56f0d70915f0fc0ddc2ca5c22a951ececde2bea9f19adf377f2ec4ad7902a
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibd56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012116-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d29-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d31-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d3a-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d5e-38.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019261-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019334-138.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019282-133.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925e-123.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019023-118.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187a5-113.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878f-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018784-97.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d06-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001873d-84.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186fd-66.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018728-72.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d6d-50.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ee-56.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d64-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4a-25.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2388-87-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2640-141-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/592-140-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2616-108-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2876-98-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/568-144-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2848-74-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2508-59-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/592-58-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/1820-145-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2748-49-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2424-150-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/592-146-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/3000-33-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2772-31-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/532-28-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/284-164-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1184-163-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/1928-162-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2332-161-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2508-24-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1808-168-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/1908-167-0x000000013F4D0000-0x000000013F821000-memory.dmp	xmrig
behavioral1/memory/1636-166-0x000000013FAD0000-0x000000013FE21000-memory.dmp	xmrig
behavioral1/memory/2932-178-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/592-170-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2508-228-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/532-230-0x000000013F7F0000-0x000000013FB41000-memory.dmp	xmrig
behavioral1/memory/3000-232-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2772-234-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2848-236-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2748-238-0x000000013FBC0000-0x000000013FF11000-memory.dmp	xmrig
behavioral1/memory/2424-240-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/2876-244-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2640-242-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2616-246-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/2388-248-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/568-250-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/1820-260-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2932-271-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2508	OmEWasS.exe
3000	WVLnSaa.exe
532	PHfoJzk.exe
2772	uuRickV.exe
2424	sigcXuX.exe
2848	SSyqyuk.exe
2748	MZuCyzm.exe
2876	ASiKOxM.exe
2932	ifdoiEm.exe
2616	olrgZcg.exe
2640	OKeYBWx.exe
2388	ThgRhGz.exe
568	HrVxlYD.exe
1820	bcPDhaP.exe
2332	EPTsxVv.exe
1928	SfcQxFg.exe
1184	kvFGKnt.exe
284	vlotWrV.exe
1636	JPogHvc.exe
1908	XnqyZry.exe
1808	APSjGTr.exe

Loads dropped DLL 21 IoCs

pid	Process
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/592-0-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/files/0x0007000000012116-6.dat	upx
behavioral1/files/0x0008000000016d29-11.dat	upx
behavioral1/files/0x0008000000016d31-12.dat	upx
behavioral1/files/0x0008000000016d3a-16.dat	upx
behavioral1/memory/2424-35-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/files/0x0007000000016d5e-38.dat	upx
behavioral1/memory/2848-40-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2932-63-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2640-76-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2388-87-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/568-93-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2932-100-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x0005000000019261-128.dat	upx
behavioral1/files/0x0005000000019334-138.dat	upx
behavioral1/files/0x0005000000019282-133.dat	upx
behavioral1/files/0x000500000001925e-123.dat	upx
behavioral1/files/0x0006000000019023-118.dat	upx
behavioral1/memory/2640-141-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x00050000000187a5-113.dat	upx
behavioral1/memory/2616-108-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/files/0x000500000001878f-105.dat	upx
behavioral1/memory/1820-99-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2876-98-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/files/0x0005000000018784-97.dat	upx
behavioral1/files/0x0008000000016d06-90.dat	upx
behavioral1/files/0x000500000001873d-84.dat	upx
behavioral1/memory/568-144-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2848-74-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2616-69-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/files/0x00050000000186fd-66.dat	upx
behavioral1/files/0x0005000000018728-72.dat	upx
behavioral1/files/0x0008000000016d6d-50.dat	upx
behavioral1/memory/2876-60-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2508-59-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/592-58-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/1820-145-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/files/0x00050000000186ee-56.dat	upx
behavioral1/memory/2748-49-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/files/0x0007000000016d64-46.dat	upx
behavioral1/memory/2424-150-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/592-146-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/3000-33-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2772-31-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/532-28-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/284-164-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1184-163-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/memory/1928-162-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2332-161-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/files/0x0007000000016d4a-25.dat	upx
behavioral1/memory/2508-24-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/1808-168-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/1908-167-0x000000013F4D0000-0x000000013F821000-memory.dmp	upx
behavioral1/memory/1636-166-0x000000013FAD0000-0x000000013FE21000-memory.dmp	upx
behavioral1/memory/2932-178-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/592-170-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2508-228-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/532-230-0x000000013F7F0000-0x000000013FB41000-memory.dmp	upx
behavioral1/memory/3000-232-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2772-234-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2848-236-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2748-238-0x000000013FBC0000-0x000000013FF11000-memory.dmp	upx
behavioral1/memory/2424-240-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/2876-244-0x000000013F140000-0x000000013F491000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\MZuCyzm.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ifdoiEm.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ASiKOxM.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OKeYBWx.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ThgRhGz.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PHfoJzk.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sigcXuX.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SSyqyuk.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HrVxlYD.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SfcQxFg.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vlotWrV.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JPogHvc.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WVLnSaa.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bcPDhaP.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kvFGKnt.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XnqyZry.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\olrgZcg.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uuRickV.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EPTsxVv.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\APSjGTr.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OmEWasS.exe	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2508	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 592 wrote to memory of 2508	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 592 wrote to memory of 2508	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 592 wrote to memory of 3000	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 592 wrote to memory of 3000	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 592 wrote to memory of 3000	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 592 wrote to memory of 532	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 592 wrote to memory of 532	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 592 wrote to memory of 532	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 592 wrote to memory of 2424	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 592 wrote to memory of 2424	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 592 wrote to memory of 2424	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 592 wrote to memory of 2772	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 592 wrote to memory of 2772	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 592 wrote to memory of 2772	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 592 wrote to memory of 2848	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 592 wrote to memory of 2848	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 592 wrote to memory of 2848	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 592 wrote to memory of 2748	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 592 wrote to memory of 2748	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 592 wrote to memory of 2748	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 592 wrote to memory of 2932	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 592 wrote to memory of 2932	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 592 wrote to memory of 2932	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 592 wrote to memory of 2876	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 592 wrote to memory of 2876	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 592 wrote to memory of 2876	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 592 wrote to memory of 2616	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 592 wrote to memory of 2616	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 592 wrote to memory of 2616	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 592 wrote to memory of 2640	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 592 wrote to memory of 2640	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 592 wrote to memory of 2640	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 592 wrote to memory of 2388	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 592 wrote to memory of 2388	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 592 wrote to memory of 2388	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 592 wrote to memory of 568	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 592 wrote to memory of 568	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 592 wrote to memory of 568	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 592 wrote to memory of 1820	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 592 wrote to memory of 1820	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 592 wrote to memory of 1820	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 592 wrote to memory of 2332	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 592 wrote to memory of 2332	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 592 wrote to memory of 2332	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 592 wrote to memory of 1928	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 592 wrote to memory of 1928	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 592 wrote to memory of 1928	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 592 wrote to memory of 1184	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 592 wrote to memory of 1184	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 592 wrote to memory of 1184	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 592 wrote to memory of 284	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 592 wrote to memory of 284	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 592 wrote to memory of 284	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 592 wrote to memory of 1636	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 592 wrote to memory of 1636	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 592 wrote to memory of 1636	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 592 wrote to memory of 1908	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 592 wrote to memory of 1908	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 592 wrote to memory of 1908	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 592 wrote to memory of 1808	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 592 wrote to memory of 1808	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 592 wrote to memory of 1808	592	2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-14_2044a8bb0d43de0b69f371d1f27ffc5a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\System\OmEWasS.exe
  C:\Windows\System\OmEWasS.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\WVLnSaa.exe
  C:\Windows\System\WVLnSaa.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\PHfoJzk.exe
  C:\Windows\System\PHfoJzk.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\sigcXuX.exe
  C:\Windows\System\sigcXuX.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\uuRickV.exe
  C:\Windows\System\uuRickV.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\SSyqyuk.exe
  C:\Windows\System\SSyqyuk.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\MZuCyzm.exe
  C:\Windows\System\MZuCyzm.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\ifdoiEm.exe
  C:\Windows\System\ifdoiEm.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\ASiKOxM.exe
  C:\Windows\System\ASiKOxM.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\olrgZcg.exe
  C:\Windows\System\olrgZcg.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\OKeYBWx.exe
  C:\Windows\System\OKeYBWx.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\ThgRhGz.exe
  C:\Windows\System\ThgRhGz.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\HrVxlYD.exe
  C:\Windows\System\HrVxlYD.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\bcPDhaP.exe
  C:\Windows\System\bcPDhaP.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\EPTsxVv.exe
  C:\Windows\System\EPTsxVv.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\SfcQxFg.exe
  C:\Windows\System\SfcQxFg.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\kvFGKnt.exe
  C:\Windows\System\kvFGKnt.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\vlotWrV.exe
  C:\Windows\System\vlotWrV.exe
  2⤵
  - Executes dropped EXE
  PID:284
- C:\Windows\System\JPogHvc.exe
  C:\Windows\System\JPogHvc.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\XnqyZry.exe
  C:\Windows\System\XnqyZry.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\APSjGTr.exe
  C:\Windows\System\APSjGTr.exe
  2⤵
  - Executes dropped EXE
  PID:1808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\APSjGTr.exe

Filesize
5.2MB

MD5
9b9bee37eadf1c50f6169fb244a9a04c

SHA1
fb10a1d0d05511a7a94bbf7d5cc5e8b8f274a6de

SHA256
7afdfe70ef6f08ddb224b3478142e4aa3b876ee5604051de2e4afd887e6728a2

SHA512
01a32135f06efcbb702bcf8c4711bc3bf01d65501128d7f9e260a2da4fa796ccf4c32264ce0f6cc56e24a39f4dd806a4230f473a01e357d652072f9496dba126

Download Submit
C:\Windows\system\ASiKOxM.exe

Filesize
5.2MB

MD5
f56b277427ba70019ba52c17767148d0

SHA1
60b3f8a3f7679dc22d189d22a243406a5afc3bb3

SHA256
f12498955244c23248c20098d0a33a3afa1a8abfd35445693d3e0cd4f05ada7a

SHA512
964712f3356cc97487cefb273afe5f2b5709dc9179592c5a692842b80a11d2aa6662aeabc87595afbe9f9a70f87fa76a42b1be1e432a122f4d2f773f3d9b4b50

Download Submit
C:\Windows\system\EPTsxVv.exe

Filesize
5.2MB

MD5
37b4ddd063ac208edb4e6ff79d703f8d

SHA1
6cf78f82db72e0545836e9ed4c7c363e5396594e

SHA256
7ee6c230f6545effba96263ff744b7cf972eabba247d0160e7ccda92d8d2fdd2

SHA512
84bc3ea6bb98b16604898138f03c721e9a9efa5e10b3e2ffb5438596f2501abc71a1474fa16a2b2ffdf720c1e228602d7b31889ba39ade096b55af30f19fecdb

Download Submit
C:\Windows\system\HrVxlYD.exe

Filesize
5.2MB

MD5
36b9110895816ba3d94d2445403b1ebc

SHA1
71ea15c97db38b77ea2028c850172aa4bc48ce6c

SHA256
82aa3100b40a77181ba263ac269999c553d107e623de34d67dcf11bf78574d75

SHA512
92fac5e295caba59dac9ba6ea6e197ccd035838cb6c03ee5651ccd2b2985cb7b9143b05ca715b30ac881aaf12663fa085c5dd261444cc2d01a8a7419c7c8f365

Download Submit
C:\Windows\system\JPogHvc.exe

Filesize
5.2MB

MD5
f86dd21439e898ef49b15cb4e8b6ed53

SHA1
ede57a8b74ba9a4c88d0c788ee559579278bcc84

SHA256
e6149741f90cf65a49a54e836652d3829ce4d9857da30b1a6f6678687da9cc0f

SHA512
ea60f54be3f158224691eac778d5e73df7497037262166ca929c88f478156c0e9546dafe271636794b7a403444e2e3e3758eeb51b7165c91cf0a9127af7fed67

Download Submit
C:\Windows\system\MZuCyzm.exe

Filesize
5.2MB

MD5
c0decf581963c05e9070653631b7c502

SHA1
db58c284f8e857640769524acf61c4f1b321ec7a

SHA256
a46309f33fe2458c713d5798fd103f1ba4918f093ef76ac5f7481c83cde36d18

SHA512
58379188d8a04f7edc7a471755fe5fbe7ac03e87a9ec8dfe4099cc4af39a4c534e25ea89dc4b4ff5c631a4a3927eaf6b009fc51adeddd87045a50ae0fc0c974c

Download Submit
C:\Windows\system\OKeYBWx.exe

Filesize
5.2MB

MD5
8c6dfb26c213a3da1b4ee0a0861e2166

SHA1
a79d04d6fbf82468af782688ba36f0006b163a7a

SHA256
b15922bc1d74e9159aeb6d8aed146c51a15c6ad2cd878be6eb41c608d87f1b3c

SHA512
bd8a0bfaf9dbfa450b3f7ee6ec519986c77bdc8391bf6470d2c9e41b6e26828eb65164aae21506c0f60b51c72cad558593d7bf70a510433d8e582df33b00472b

Download Submit
C:\Windows\system\OmEWasS.exe

Filesize
5.2MB

MD5
d6a09c972a3dc16cb4d29826470656f1

SHA1
cd7b854ca3e985cace06c982fd271b724e840a5c

SHA256
802f66fb03c0c979084b844742aaf0fa898855e332eeaab87234196988498b22

SHA512
9f190713a0c183476b00104443013fe79f08471615495c826e462a728268fe3c01c1b0c9671e97f08904b79e29aff2e692cf5566737195a5906dc06ae1f7ce4a

Download Submit
C:\Windows\system\SSyqyuk.exe

Filesize
5.2MB

MD5
06d28fc080dcca535d46afd3d56665aa

SHA1
de036263238ca0ae35e843f1554c75e5be1da649

SHA256
f05277a7a2b8c320fbfb2a032d18b2a749b31d7d7cc038c7bb7b196b17a2f03f

SHA512
1d0744cbd242751c8c9017e74da2b80f8148a927ff29c076e8a16f9dc44e6bdd0c830b78fc937850f328adcebbd44f727a4eb785162acff039a26103098b5e1b

Download Submit
C:\Windows\system\SfcQxFg.exe

Filesize
5.2MB

MD5
d69dbd5fb09eb045edd42954f53c8d89

SHA1
13fecc44ee65d366d9d6bd677f077152f013be5e

SHA256
8d2d860c1b56643bc18013b0a1ee3bda29946bca02ad138094229780b50571a9

SHA512
73533035960186e74f6e328bdeee4958ce818a8d88a86047682627f33283991ebca07ab7d89baa2e017ff96d8da765439aafaad4bc11a84461338823fe285a27

Download Submit
C:\Windows\system\ThgRhGz.exe

Filesize
5.2MB

MD5
460c045093dcbc0e096cb3d1a07004a7

SHA1
0d5c2062d412e125c678c3ceeb07e221ee20e7b3

SHA256
124fe0929b63de895f23d88bfc36a1900713169aa5e1ba7111eab4ea044c27f2

SHA512
844186c506b3538160bf7580877e6a50818575e49eb134ff721f0319105a2e2fc7bf3b24120604b34a7eb4150d248ace0557f6d937b5993694dd7873fa5e4040

Download Submit
C:\Windows\system\WVLnSaa.exe

Filesize
5.2MB

MD5
e451b48b685fdbc69a7db8e0f9551fac

SHA1
88358435128ccd411fb7be7eea8c86189b29b3b7

SHA256
74cda285697e38c720501c708a5a6ef13335badee8ce1875b0a0996e53e836b9

SHA512
3a6e2ced18dcf0ad6e79f11f512cb747cf57a1e6a89f17b17d079b6ccda0eee71e0efa57c751c0292c97bc630b40e2bbb2fb394e2b7bd0c1055faa6bf1b72c06

Download Submit
C:\Windows\system\XnqyZry.exe

Filesize
5.2MB

MD5
3f3c7085a0cbc7a388a7c470dd0626d3

SHA1
9c9ec31ff8d60f8fecd2cc0a59a61d707ffcf316

SHA256
c529eed13992884de13c7be6bd10b2e2553cd559b3c55ce38de7f110963c8735

SHA512
8a1ebf72c74e18e5251bcb0d603e2ab632026c76ba2e5d8593c18e197d5656946b23f1ba42a1460fe563200efa370280bf20ee7d11b9ef6cebbc7bf07170672a

Download Submit
C:\Windows\system\bcPDhaP.exe

Filesize
5.2MB

MD5
14fc5051dd6e3ca9042ae844f9975d9f

SHA1
d513e4d2b06bfec3afae0f730406ac23ccae0254

SHA256
5b0c61532063d05296d4b3051e59d737c0037b7b146e3a4643f702c7f209169b

SHA512
c4788fe963773efe1dbce1e9ce483c6e3edd8aec50e198eaff3482b27c216c33c308ec82af2c2cb1be99e3a1255ac8275cd32fef1870092d10360961aa9256e6

Download Submit
C:\Windows\system\kvFGKnt.exe

Filesize
5.2MB

MD5
ff85fee0938beefba68ab2bb4e0f7531

SHA1
df64876c0c4f61f8730bff5ef613b2d7b4f781f3

SHA256
5537a135015b5a542719408b8b3ee73a89065a725276a23b27ddf140ed06af00

SHA512
d43f987ce629e0e539795bedd9a8dc7b8d9a996203f6b514b563c8f36c1b04c42fe313ccadc8e94c31f81be310ff9c4b17fa7cb3fbca012e55c9feb1189b13d3

Download Submit
C:\Windows\system\olrgZcg.exe

Filesize
5.2MB

MD5
bd1059b02ee08c8614c773c8c81b7597

SHA1
34d44f78ddb5622569deb017a6a6285906e1f0eb

SHA256
dd0c76de6c17fc719f2d0fc558943f571f0ccf92c69a2022bb458c7510ea317f

SHA512
815629ad431d264998d7ec86d05fd6ca450e342e2dd32c79aaa1e0ef8ee58deaafe8cf8be1cc04ace5dc7edecb5103532ff154f49f6eaacee5f88667efc88ef2

Download Submit
C:\Windows\system\uuRickV.exe

Filesize
5.2MB

MD5
b0f31b537b3b4a5c622e4370a2e206fd

SHA1
159c2106c8c32e98e64ea9106e908819aeac958b

SHA256
f31d5003836f4bbc61d23495c876a5785e0c6e37ddbb4611d0a93be1307e2d3f

SHA512
0058c2da94c793d30e8370341074744d6df903a9ffe37c267194a6542493594933aa02248147221a848d40ebe35ff0ec5cfc23c1b30552e0e083f326206b6ef4

Download Submit
C:\Windows\system\vlotWrV.exe

Filesize
5.2MB

MD5
1c746f6dfa55f1ae23f106c6e6100b4c

SHA1
6a4f63b1168b97d4de8149ba8f1265d9b523ba21

SHA256
e8dbf7cf7b6219af9b9901ad1f46d74cf70f4d5f1debd1400c9ad7341577c363

SHA512
548280b14e89cbe7c9500e9cb89c99d730a139d061be31fbdad148867df6ebbeeeb27ad3f89f46070c4ce95fedd38a57ce1ea5eb1170f5d0aad43afd8358ae7b

Download Submit
\Windows\system\PHfoJzk.exe

Filesize
5.2MB

MD5
b22bd94093942f280cf7de967cf9e622

SHA1
61d51e77de9cdc186138322d2595ddaa70797672

SHA256
78d78f658be5eee003f27e86a37f057946fd00774a52f762ed5bc38530935d62

SHA512
d06eb6a9d8bc734031b280b9fdf72660176d4d91c98e968be1a6d3e2aa5f2f7412be2cbefe4e54dbccbd6741c6ab32439abe4056452c13fa6c9f19b77e3fca93

Download Submit
\Windows\system\ifdoiEm.exe

Filesize
5.2MB

MD5
06c0a8c27b9da9239cf9d41b677b73fd

SHA1
dc4c8a63f1737e7db95c24e8018c9a413c10f477

SHA256
1ad2da5ace6e50ff4523083e52577e2330b3e0eeaa02e87200f2011409d55eee

SHA512
5d62175b0125cc068278dd6e7f692c37584e13e2e03a56431847dacb3ed0d02b5d84af5a00be683097b0f99e2648b6d914c8440757807f595bcef21f0dece48b

Download Submit
\Windows\system\sigcXuX.exe

Filesize
5.2MB

MD5
429f3054c549ff074f4820fced55717c

SHA1
a5242738c981677572063ea6297f9204c7393d6e

SHA256
9e37ef7b61efd73676df08faa766edc48c0ce6c49da074bc1ec038eac53b6657

SHA512
1f0ec21ac88f5e787bf78b5558ecccedc42ac5b8d579aa5c02fdc00ab004d2ea9b14952e5807d15c839b4c383577d9024cea20369cb2beb301cfea1a40f57b08

Download Submit
memory/284-164-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/532-28-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/532-230-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/568-250-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/568-144-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/568-93-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/592-142-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/592-170-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/592-32-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/592-0-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/592-107-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/592-92-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-109-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-86-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/592-140-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/592-30-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-143-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-75-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/592-39-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/592-146-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/592-29-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/592-68-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/592-165-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-27-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/592-58-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/592-48-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/592-57-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/592-62-0x000000013F7F0000-0x000000013FB41000-memory.dmp

Filesize
3.3MB

Download
memory/1184-163-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1636-166-0x000000013FAD0000-0x000000013FE21000-memory.dmp

Filesize
3.3MB

Download
memory/1808-168-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1820-260-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/1820-145-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/1820-99-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/1908-167-0x000000013F4D0000-0x000000013F821000-memory.dmp

Filesize
3.3MB

Download
memory/1928-162-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2332-161-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2388-248-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2388-87-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2424-35-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2424-150-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2424-240-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2508-228-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-59-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2508-24-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2616-246-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2616-108-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2616-69-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/2640-141-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2640-242-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2640-76-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2748-49-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2748-238-0x000000013FBC0000-0x000000013FF11000-memory.dmp

Filesize
3.3MB

Download
memory/2772-234-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2772-31-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2848-74-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2848-236-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2848-40-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2876-244-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2876-98-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2876-60-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2932-63-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2932-178-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2932-100-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2932-271-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/3000-232-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-33-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download