cobaltstrike | 966bf2153454ac38d964b05edbcf92bcdfeaf3795093405986fcbb9554c4389e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0cb672eaa35f77f9841998cdb3d16b23
SHA1

9f316a9b75072a6eff4e13a45efbb6058c2fdcc7
SHA256

966bf2153454ac38d964b05edbcf92bcdfeaf3795093405986fcbb9554c4389e
SHA512

9fb52256028956cab1c01ddd3cb965519e0ccd858c73aa679c8e42b556ec062f4486e8b8041b4c05a21d167b2634a90e3a5347557f2077fedad3fbc0aca1f3f0
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBib+56utgpPFotBER/mQ32lUH

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012262-6.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000162e9-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016458-12.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001658d-25.dat	cobalt_reflective_dll
behavioral1/files/0x0014000000015e9a-28.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001660b-37.dat	cobalt_reflective_dll
behavioral1/files/0x00090000000167e3-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d2c-51.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019326-70.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001932a-77.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193a0-90.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193c7-109.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019470-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019490-134.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194a3-137.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001948c-129.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019489-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019480-119.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193b8-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019394-86.dat	cobalt_reflective_dll
behavioral1/files/0x0002000000018334-65.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2860-9-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2744-35-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2904-34-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2828-58-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/1740-60-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/2860-59-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2656-52-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2200-67-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2740-140-0x0000000002170000-0x00000000024C1000-memory.dmp	xmrig
behavioral1/memory/2128-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/548-116-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/1180-101-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2112-143-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/2756-66-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2740-144-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2740-42-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/1320-151-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2996-161-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2624-163-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/1140-164-0x000000013FEA0000-0x00000001401F1000-memory.dmp	xmrig
behavioral1/memory/1940-169-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2984-167-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2956-166-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1948-168-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/1776-170-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2740-171-0x000000013F9C0000-0x000000013FD11000-memory.dmp	xmrig
behavioral1/memory/2860-219-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2756-221-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2200-227-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/2904-229-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2744-230-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2656-236-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2828-240-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/1740-239-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/1180-246-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/548-248-0x000000013FC30000-0x000000013FF81000-memory.dmp	xmrig
behavioral1/memory/2128-250-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2112-252-0x000000013F1F0000-0x000000013F541000-memory.dmp	xmrig
behavioral1/memory/1320-257-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/2996-259-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2860	rpIZKcY.exe
2756	sVrWPrY.exe
2200	KySJdJs.exe
2904	zVhLXpS.exe
2744	GQPUUfn.exe
2656	PECUTob.exe
2828	jfvtUMV.exe
1740	rDBoyZl.exe
1180	YBQYNPX.exe
548	PbzvosP.exe
2128	tSUJleg.exe
2112	SGucasa.exe
1320	SjNEgtU.exe
2996	MHxjCAk.exe
2624	NaZeZda.exe
1140	jxulYwq.exe
2956	xCHVzRl.exe
2984	aKzncbE.exe
1948	izyjjMI.exe
1940	KCNLQYZ.exe
1776	lYmrzrO.exe

Loads dropped DLL 21 IoCs

pid	Process
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2740-0-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/files/0x000c000000012262-6.dat	upx
behavioral1/memory/2860-9-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/files/0x00080000000162e9-10.dat	upx
behavioral1/memory/2756-15-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x0007000000016458-12.dat	upx
behavioral1/memory/2200-24-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/files/0x000700000001658d-25.dat	upx
behavioral1/files/0x0014000000015e9a-28.dat	upx
behavioral1/memory/2744-35-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2904-34-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/files/0x000900000001660b-37.dat	upx
behavioral1/files/0x00090000000167e3-44.dat	upx
behavioral1/files/0x0007000000016d2c-51.dat	upx
behavioral1/memory/2828-58-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/1740-60-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/2860-59-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2656-52-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/files/0x0005000000019326-70.dat	upx
behavioral1/memory/1180-68-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2200-67-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/files/0x000500000001932a-77.dat	upx
behavioral1/memory/2112-87-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/memory/2128-81-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2996-102-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/files/0x00050000000193a0-90.dat	upx
behavioral1/files/0x00050000000193c7-109.dat	upx
behavioral1/files/0x0005000000019470-113.dat	upx
behavioral1/files/0x0005000000019490-134.dat	upx
behavioral1/files/0x00050000000194a3-137.dat	upx
behavioral1/files/0x000500000001948c-129.dat	upx
behavioral1/memory/2128-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/files/0x0005000000019489-124.dat	upx
behavioral1/files/0x0005000000019480-119.dat	upx
behavioral1/memory/548-116-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/1320-95-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/1180-101-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/files/0x00050000000193b8-100.dat	upx
behavioral1/memory/2112-143-0x000000013F1F0000-0x000000013F541000-memory.dmp	upx
behavioral1/files/0x0005000000019394-86.dat	upx
behavioral1/memory/2756-66-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/files/0x0002000000018334-65.dat	upx
behavioral1/memory/2740-144-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/548-74-0x000000013FC30000-0x000000013FF81000-memory.dmp	upx
behavioral1/memory/2740-42-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/1320-151-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/2996-161-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2624-163-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1140-164-0x000000013FEA0000-0x00000001401F1000-memory.dmp	upx
behavioral1/memory/1940-169-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2984-167-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2956-166-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1948-168-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/1776-170-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2740-171-0x000000013F9C0000-0x000000013FD11000-memory.dmp	upx
behavioral1/memory/2860-219-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2756-221-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2200-227-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/2904-229-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2744-230-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2656-236-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2828-240-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/1740-239-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/1180-246-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\KCNLQYZ.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lYmrzrO.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jfvtUMV.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YBQYNPX.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHxjCAk.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NaZeZda.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xCHVzRl.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\izyjjMI.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rpIZKcY.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KySJdJs.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rDBoyZl.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SGucasa.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sVrWPrY.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GQPUUfn.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PECUTob.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SjNEgtU.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jxulYwq.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aKzncbE.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zVhLXpS.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PbzvosP.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tSUJleg.exe	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2860	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2740 wrote to memory of 2860	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2740 wrote to memory of 2860	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2740 wrote to memory of 2756	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2740 wrote to memory of 2756	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2740 wrote to memory of 2756	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2740 wrote to memory of 2200	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2740 wrote to memory of 2200	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2740 wrote to memory of 2200	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2740 wrote to memory of 2904	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2740 wrote to memory of 2904	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2740 wrote to memory of 2904	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2740 wrote to memory of 2744	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2740 wrote to memory of 2744	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2740 wrote to memory of 2744	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2740 wrote to memory of 2656	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2740 wrote to memory of 2656	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2740 wrote to memory of 2656	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2740 wrote to memory of 1740	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2740 wrote to memory of 1740	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2740 wrote to memory of 1740	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2740 wrote to memory of 2828	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2740 wrote to memory of 2828	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2740 wrote to memory of 2828	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2740 wrote to memory of 1180	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2740 wrote to memory of 1180	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2740 wrote to memory of 1180	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2740 wrote to memory of 548	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2740 wrote to memory of 548	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2740 wrote to memory of 548	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2740 wrote to memory of 2128	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2740 wrote to memory of 2128	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2740 wrote to memory of 2128	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2740 wrote to memory of 2112	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2740 wrote to memory of 2112	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2740 wrote to memory of 2112	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2740 wrote to memory of 1320	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2740 wrote to memory of 1320	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2740 wrote to memory of 1320	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2740 wrote to memory of 2996	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2740 wrote to memory of 2996	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2740 wrote to memory of 2996	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2740 wrote to memory of 2624	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2740 wrote to memory of 2624	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2740 wrote to memory of 2624	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2740 wrote to memory of 1140	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2740 wrote to memory of 1140	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2740 wrote to memory of 1140	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2740 wrote to memory of 2956	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2740 wrote to memory of 2956	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2740 wrote to memory of 2956	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2740 wrote to memory of 2984	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2740 wrote to memory of 2984	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2740 wrote to memory of 2984	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2740 wrote to memory of 1948	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2740 wrote to memory of 1948	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2740 wrote to memory of 1948	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2740 wrote to memory of 1940	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2740 wrote to memory of 1940	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2740 wrote to memory of 1940	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2740 wrote to memory of 1776	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2740 wrote to memory of 1776	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2740 wrote to memory of 1776	2740	2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_0cb672eaa35f77f9841998cdb3d16b23_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\System\rpIZKcY.exe
  C:\Windows\System\rpIZKcY.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\sVrWPrY.exe
  C:\Windows\System\sVrWPrY.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\KySJdJs.exe
  C:\Windows\System\KySJdJs.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\zVhLXpS.exe
  C:\Windows\System\zVhLXpS.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\GQPUUfn.exe
  C:\Windows\System\GQPUUfn.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\PECUTob.exe
  C:\Windows\System\PECUTob.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\rDBoyZl.exe
  C:\Windows\System\rDBoyZl.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\jfvtUMV.exe
  C:\Windows\System\jfvtUMV.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\YBQYNPX.exe
  C:\Windows\System\YBQYNPX.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\PbzvosP.exe
  C:\Windows\System\PbzvosP.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\tSUJleg.exe
  C:\Windows\System\tSUJleg.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\SGucasa.exe
  C:\Windows\System\SGucasa.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\SjNEgtU.exe
  C:\Windows\System\SjNEgtU.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\MHxjCAk.exe
  C:\Windows\System\MHxjCAk.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\NaZeZda.exe
  C:\Windows\System\NaZeZda.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\jxulYwq.exe
  C:\Windows\System\jxulYwq.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\xCHVzRl.exe
  C:\Windows\System\xCHVzRl.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\aKzncbE.exe
  C:\Windows\System\aKzncbE.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\izyjjMI.exe
  C:\Windows\System\izyjjMI.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\KCNLQYZ.exe
  C:\Windows\System\KCNLQYZ.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\lYmrzrO.exe
  C:\Windows\System\lYmrzrO.exe
  2⤵
  - Executes dropped EXE
  PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\KCNLQYZ.exe

Filesize
5.2MB

MD5
6e184b58c834588cf299279e72cbe8df

SHA1
35317ad00e1df4c5cf723bba2de4527d83fd32e6

SHA256
bb5e21b9756b74f15421d46c36a9fb6b6acbad5a1d2f9cf1bcf51f6ceba765af

SHA512
720f5853c5f669c9ed1b87fc45e53417ccd1180096d3e416c1a2f801c6b06a393dfc60fca0f891de38e46571d45e1c4686e1f0b24ef329b80ba16c715fef2731

Download Submit
C:\Windows\system\KySJdJs.exe

Filesize
5.2MB

MD5
5c06d77c8f28c8960fe0812cd864957f

SHA1
054f8b601c08cd181fa9c923d00596a5b5049689

SHA256
968342e6fad6e8a6f5b95327fd9f9cac604810bc5f4d2c7ef1858c79d37d7bfe

SHA512
dee76c560401c0b871d1730d8e3cd662ea606473d9cb87c6c9ad274cb62b7321b99d5e3924424fd446166a926366bdacd3f0607e673168c1a6ae2e584e258e7a

Download Submit
C:\Windows\system\MHxjCAk.exe

Filesize
5.2MB

MD5
035af2581c997843c60096d765497fa4

SHA1
55ccae6aee4aa3aed159814e87022d623aa8df54

SHA256
c69aa59a73957358e9995608e9877c3ca62b29f6c1faad94d7cad17d466842ee

SHA512
88bee20d5a0056d49eeb069e78b97a7709240da535ced8c6109d7b978b9e39999de810339ba4adc0911c413ebd29876021ffbc141a48b9a34739059f832ec861

Download Submit
C:\Windows\system\NaZeZda.exe

Filesize
5.2MB

MD5
bd30773237cf5521be4ab1c606a6be92

SHA1
b4d0c48be55a4b55b95afd452ca45a58504ba701

SHA256
840940cfd9d3aeaeb5f652ff10967f3983888cd8e835ae8616f95204a3608850

SHA512
6a8a237ec1eff68393452ec07753ce815ab924a369e85a8a1ec36df55c0f0aa694a4ac6c03e4c95c277f53a3ff245fe79f3fd45ea13b19a03347638d6861baae

Download Submit
C:\Windows\system\SGucasa.exe

Filesize
5.2MB

MD5
b4cb28e1429d3a5fe5b72591804d551b

SHA1
1131bafc7cf2c20ce3dac0c45dff1c4f18ed293d

SHA256
d70ce18714b9fb2755ee85ec8d37f0496067818f505b47b07f0e6c882ce5f193

SHA512
d6ba51cdd0acc0f06bbc5a1adf051b40ad8cbbe9108542184baf9b1a62ed819fdaaa5178a406d5680c089ebdcb86c7e3b7be16b681fab394e4f396696e50f0a6

Download Submit
C:\Windows\system\YBQYNPX.exe

Filesize
5.2MB

MD5
3e092949c70597c7bc7db89d69433393

SHA1
025da7868df954f601b83a6f83e85ae6158c86b7

SHA256
d45c36c7c59fbd4333dbba0dac86d29e9281dae65f0ff3c752809705b065075e

SHA512
b4d9964af775de576b3322ded8312a74cef41239012f4a6fac856417f8c61a1337a43436b839ea1e938e24309519d204314b630bff70b6e1e082641b866765f4

Download Submit
C:\Windows\system\aKzncbE.exe

Filesize
5.2MB

MD5
a0baf96fa5d2134339338d4878b208b7

SHA1
bf582d8b97ca572eb8162c8a13b8c8ddadb85ea9

SHA256
b7b5e04913e7b052b03dfe43e0df33385e23bf324f716fa2fc301d35bf0dbbdc

SHA512
004ae1570fc1c4b281460d4ca32792da3dda995409e75ac412aa0e8288b02af8a3f1f076cfa9585758d5e3582f720efc92ba04598f6af79687634e2cd1f1c9fa

Download Submit
C:\Windows\system\izyjjMI.exe

Filesize
5.2MB

MD5
eac14afcfd025da3468df12093f015c5

SHA1
c6b02325054a97aad0b20ab9d0db9bd8dad7b16e

SHA256
8688bfbcd6b9b71dcde7d4d38ad78b54d32322ec05e50aa1e58492884e9a0201

SHA512
ca3c77cf211b11a7e408fa3c57bb558da59899e95b03d94662a3d7695ab83a6ee86b9b116c814f5fd48506d1a57fae2e32e06641b89a255a1584887065f2b0ef

Download Submit
C:\Windows\system\jfvtUMV.exe

Filesize
5.2MB

MD5
fb3dbf5c9b469927c7e2638cb2747afa

SHA1
6365432fd8ef4f41c2c8edb4c0afb40637027a20

SHA256
9ab0fda73f97156e8a6953707b52ac3b628bdfaae0d493665e4b4db8e0850e44

SHA512
d31e1cb9e25dd5066483a9ad0f695bc80f211fa2f6b879ed5bee00a2c031300ba1ad2521f2db7ed170ac80460fa456aa61d4ab80530ad346c99d89c58424883d

Download Submit
C:\Windows\system\jxulYwq.exe

Filesize
5.2MB

MD5
8fc4969a33e404bac013b83d960746b2

SHA1
0bfd33fef9e8a4068d709d5d530dddf09ad04c6f

SHA256
ad061b33fb16b3a2bcf17d1288ac466957b35b2fa52a76c9b798e1c3c971db3c

SHA512
d29926d07fbdfb34c0daa6898a1e359a4148b1ad3c6f7a32aa6bca1a2280880de8fa5c1ee91d44069ecdbed10e588aed63b0fa4a4611678d1417840073d446cf

Download Submit
C:\Windows\system\rpIZKcY.exe

Filesize
5.2MB

MD5
19419a07baf0a6f77329d68ae45166f1

SHA1
a36b06f91868f381525cb1cd9cf03ee76dca9bea

SHA256
b24f5a8fc4aee549d61cd5a54a8873dadbdb0642a0f9b55d8bb00bba4f71fd6b

SHA512
3d97724abdb3115eca16655709d1c62b3c873525f918715ae1e5103f58d448f2a191332d0ffbeb2f6664a8d0f6dcead4d791d3cb26f8c9620f2b53a8dbaabda4

Download Submit
C:\Windows\system\xCHVzRl.exe

Filesize
5.2MB

MD5
3c847838e7905a96f7bba38127490cf3

SHA1
f9597c1d86d233e26c595bdf93498391f2d70da3

SHA256
e8d0abd46078ec795765a194cad09a637cfafdb8a01fafe1b60357920f10c325

SHA512
02ff478fc5a412d94febb2fad5708ecb81ccd16487b05003b6a3b7373939b6496f367ec990afcf33a8914c4603e67796f0f1d104e4895c5e1c818f3f7dac7bc5

Download Submit
C:\Windows\system\zVhLXpS.exe

Filesize
5.2MB

MD5
980a4000a87db093a2cc8c836744a6b2

SHA1
daf46a820602faf229b9925d38a0f42b42197f37

SHA256
d3c871d83c00e27b7e5e0ddaaede733b4620a0bbc79d4d95e9389c9278d43209

SHA512
f87e42dcaf9ed53a108c078c5d4ac103a1d7abd35b206100fb37cc5df53aa2757163f5dbe8e038b345629d146b5be002c52d5bfbd7dc35c8debacbc2d200dd0b

Download Submit
\Windows\system\GQPUUfn.exe

Filesize
5.2MB

MD5
34e3362af357e94df03f28a929bdf5b1

SHA1
5b2c181bbaaf6cac2f8ebacd9eb302cd6adf0e9d

SHA256
e1f895b6866757af62b3b0eb8df6db6265241e835fd85d07116eedfbc232beed

SHA512
cfb490a784565f072fb74a3ddaee99f55c7079354cfa456fbbfd4009d8436b374329ce99ef99cde2c274cb815c2264fd4b1a80329f5204763fab811282090a0f

Download Submit
\Windows\system\PECUTob.exe

Filesize
5.2MB

MD5
365d7d98670bd17552da4e386be2d852

SHA1
c51a9d424287f55c3891986d5c59be351623fdd6

SHA256
aa7fd93b1939e94770596e72e991b2da2a69dbca3d196bc7772e1e319c10e665

SHA512
ba3c5d674ac2dd4f0bc1f2544722f06c145d8f8e3f6a8deea78527579c8029081a4adb3281e7881b466e38af9bffec4195ae0ab6a8c0c2b0c0004ccb0db035b3

Download Submit
\Windows\system\PbzvosP.exe

Filesize
5.2MB

MD5
1c99461ba0ff3093a0945b3bc39999dc

SHA1
496fd709e3fcf08f9177b723edc534cc947d42e1

SHA256
d2dbc7b7a4924d526382dcbb7588a3b3909b51549bc395bfcd1effeb9a59acce

SHA512
8a3070243ce57e08de13f681e7f7a598199a1e134e3c4ef8e15d5342aa3aea5c0668e3dc988f5a671a3d0148796418cdd86e865d0b4794d884f36f9235f761ce

Download Submit
\Windows\system\SjNEgtU.exe

Filesize
5.2MB

MD5
81a80f6eea2dfbbed1f65d92fbe48faf

SHA1
fad703cf26e402ad717889e82f1ae9a4131e96f1

SHA256
66857bc611f178a5fc060b4e5abc26af1467784474c0493cfdb735b9b80957bd

SHA512
217b3bc6d672b28e1fc2dbb5aa9093d376fb092ab801b79bdd0767f3a74731eccca385d22c88574baadaf91ce0bc7818e3ce542c227752f83f13c2e85b750086

Download Submit
\Windows\system\lYmrzrO.exe

Filesize
5.2MB

MD5
8a5ce3d3054e32e8c3aab1b65aa1d1bb

SHA1
108f6d70c9eb9d65cfd38bc38da5097cf75adcdc

SHA256
1c29f8a4c7adf33205320246083c434c235995bfec3eef8d06b8f05f1a15dfe4

SHA512
63887a96ad4fff152d12b4782f0c12330f3767a1dc19eab9089b5c0a8da41cb719aef67af301c40c4260dc611edc1a02f4ad6f966cd69f71ad2a2ea1047ee64a

Download Submit
\Windows\system\rDBoyZl.exe

Filesize
5.2MB

MD5
7f121d27f08e9911178201bc7821a66f

SHA1
07207ce8a3c7a7d2972a0fdff0e0a8d5a1b07bf5

SHA256
31df2498cf6955bccfd0d29e665835ad6ddb798fb72b6c16b5d65bc694b69e39

SHA512
752d1d86f6f37f6e423cc2e7c6e8f12f975a4cd17e544471b5d299b16db1dc49b35b26bf39b053825ee46f7f67fdb63515a404ce88b50456bacb63552dc9da56

Download Submit
\Windows\system\sVrWPrY.exe

Filesize
5.2MB

MD5
3316699c490a34989d69154100733a1d

SHA1
16027d859db3699d3ad772acdf82ca446964a08c

SHA256
59df15ce6fafb650b4f6f56b14b7e5a14f98408654dd63cba7d547258fb16970

SHA512
c42817355fb9a2849de914a5c13cf3440c97cc88d305e76c46b246087ac9e96ac234d44355d6d54a838bedeee168c9ba178f44af4f2af69027482f0ed2d94219

Download Submit
\Windows\system\tSUJleg.exe

Filesize
5.2MB

MD5
be6c41c7596ddf092c11ba8cce790fef

SHA1
fff2067bee827f66ffebd822381cb79865ba8d1c

SHA256
5c26131a1600805b09f784e3726768591d35f317a4a3b96ec92f8408e366791b

SHA512
60b89958d895276d6df9e215f81c61ba2d59ad731a3cb1560631f21cf1cfe80fa5e5a3d38ffbd683f95c63cd85478aeeb78297c8a1913e1e30b2d0b50af33b25

Download Submit
memory/548-116-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/548-248-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/548-74-0x000000013FC30000-0x000000013FF81000-memory.dmp

Filesize
3.3MB

Download
memory/1140-164-0x000000013FEA0000-0x00000001401F1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-68-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-246-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-101-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/1320-95-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/1320-257-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/1320-151-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/1740-60-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/1740-239-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/1776-170-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-169-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/1948-168-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2112-143-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/2112-252-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/2112-87-0x000000013F1F0000-0x000000013F541000-memory.dmp

Filesize
3.3MB

Download
memory/2128-250-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2128-81-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2128-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2200-24-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-227-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2200-67-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/2624-163-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2656-52-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-236-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-165-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2740-36-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2740-98-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-47-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-78-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-91-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-140-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-57-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2740-144-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2740-147-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-62-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2740-71-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-42-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2740-7-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-156-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-14-0x0000000002170000-0x00000000024C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-41-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-56-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-32-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2740-0-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2740-106-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2740-171-0x000000013F9C0000-0x000000013FD11000-memory.dmp

Filesize
3.3MB

Download
memory/2744-35-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2744-230-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2756-221-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2756-15-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2756-66-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/2828-58-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2828-240-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/2860-59-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2860-9-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2860-219-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2904-34-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2904-229-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-166-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/2984-167-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-161-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-259-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-102-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download