cobaltstrike | 4c24948b40b15034fca368feaefb8b6c1961e23e1090c96c6741e24766185815

Analysis

max time kernel
144s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 03:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0028406f196dfcb13e649aab0b0cbe64
SHA1

91fe35a31f21e417d3938bd83c59a7da06898e74
SHA256

4c24948b40b15034fca368feaefb8b6c1961e23e1090c96c6741e24766185815
SHA512

e550846db114c77a872d575ac49d38c4db1812bb3615e7625d05cdb22766b6f6aecf07707a69591ef2b48524eab9125b022255d2dc598fe26a1a1a04d934893b
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lF:RWWBibd56utgpPFotBER/mQ32lUZ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012118-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016da7-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016db5-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016eb8-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016edb-33.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001707c-37.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-64.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019319-98.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f6-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001929a-92.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019275-82.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019268-72.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019240-61.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190e1-42.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019278-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001926c-81.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-59.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d2-48.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000173f3-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016de8-25.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016dd0-21.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 38 IoCs

miner

resource	yara_rule
behavioral1/memory/2308-16-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/264-110-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/276-108-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2240-112-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig
behavioral1/memory/2820-124-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2056-122-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2620-125-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/1676-128-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2864-129-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2876-120-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2804-118-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2708-116-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/568-114-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2308-133-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/2832-153-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1476-152-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2568-151-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2272-150-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2332-149-0x000000013F7C0000-0x000000013FB11000-memory.dmp	xmrig
behavioral1/memory/2668-148-0x000000013F7E0000-0x000000013FB31000-memory.dmp	xmrig
behavioral1/memory/2768-146-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2912-144-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2384-132-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2384-154-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2384-155-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/2308-219-0x000000013F740000-0x000000013FA91000-memory.dmp	xmrig
behavioral1/memory/264-221-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/568-223-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2804-225-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2056-227-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2820-229-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/2620-231-0x000000013FFA0000-0x00000001402F1000-memory.dmp	xmrig
behavioral1/memory/1676-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2876-241-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2864-244-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2708-239-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/276-235-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2240-233-0x000000013F950000-0x000000013FCA1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2308	itDWeFg.exe
276	REpfSJL.exe
264	wuyVohw.exe
2240	cUExBPm.exe
568	XWjsAbp.exe
2708	mgsWhmv.exe
2804	vgXlrBB.exe
2876	wAoWXFi.exe
2056	jtWdYNE.exe
2820	aRJqZBX.exe
2620	BqCeUmk.exe
1676	rLqFxYU.exe
2864	YMyEiAu.exe
2912	jIHZtWn.exe
2332	ZSpbjGr.exe
2568	qffgfZx.exe
2832	KYMsYng.exe
2768	hsNjoKL.exe
2668	oxfWyLz.exe
2272	QXFptiE.exe
1476	XcPiRmU.exe

Loads dropped DLL 21 IoCs

pid	Process
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 60 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/files/0x0007000000012118-6.dat	upx
behavioral1/files/0x0008000000016da7-11.dat	upx
behavioral1/memory/2308-16-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/files/0x0008000000016db5-15.dat	upx
behavioral1/files/0x0007000000016eb8-28.dat	upx
behavioral1/files/0x0007000000016edb-33.dat	upx
behavioral1/files/0x000800000001707c-37.dat	upx
behavioral1/files/0x0005000000019259-64.dat	upx
behavioral1/files/0x0005000000019319-98.dat	upx
behavioral1/files/0x00050000000191f6-75.dat	upx
behavioral1/files/0x000500000001929a-92.dat	upx
behavioral1/files/0x0005000000019275-82.dat	upx
behavioral1/files/0x0005000000019268-72.dat	upx
behavioral1/files/0x0005000000019240-61.dat	upx
behavioral1/files/0x00060000000190e1-42.dat	upx
behavioral1/files/0x0005000000019278-90.dat	upx
behavioral1/files/0x000500000001926c-81.dat	upx
behavioral1/files/0x0005000000019217-59.dat	upx
behavioral1/files/0x00050000000191d2-48.dat	upx
behavioral1/files/0x00080000000173f3-40.dat	upx
behavioral1/files/0x0007000000016de8-25.dat	upx
behavioral1/files/0x0008000000016dd0-21.dat	upx
behavioral1/memory/264-110-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/276-108-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2240-112-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx
behavioral1/memory/2820-124-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2056-122-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2620-125-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/1676-128-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2864-129-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2876-120-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2804-118-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2708-116-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/568-114-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2308-133-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/2832-153-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1476-152-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2568-151-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2272-150-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2332-149-0x000000013F7C0000-0x000000013FB11000-memory.dmp	upx
behavioral1/memory/2668-148-0x000000013F7E0000-0x000000013FB31000-memory.dmp	upx
behavioral1/memory/2768-146-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2912-144-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2384-132-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2384-154-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2384-155-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/2308-219-0x000000013F740000-0x000000013FA91000-memory.dmp	upx
behavioral1/memory/264-221-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/568-223-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2804-225-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2056-227-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2820-229-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/2620-231-0x000000013FFA0000-0x00000001402F1000-memory.dmp	upx
behavioral1/memory/1676-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2876-241-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2864-244-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2708-239-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/276-235-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2240-233-0x000000013F950000-0x000000013FCA1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aRJqZBX.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oxfWyLz.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QXFptiE.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\REpfSJL.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cUExBPm.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mgsWhmv.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jtWdYNE.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XcPiRmU.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itDWeFg.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wuyVohw.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wAoWXFi.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qffgfZx.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYMsYng.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XWjsAbp.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vgXlrBB.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BqCeUmk.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZSpbjGr.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YMyEiAu.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jIHZtWn.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hsNjoKL.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLqFxYU.exe	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2308	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2384 wrote to memory of 2308	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2384 wrote to memory of 2308	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2384 wrote to memory of 276	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2384 wrote to memory of 276	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2384 wrote to memory of 276	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2384 wrote to memory of 264	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2384 wrote to memory of 264	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2384 wrote to memory of 264	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2384 wrote to memory of 2240	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2384 wrote to memory of 2240	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2384 wrote to memory of 2240	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2384 wrote to memory of 568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2384 wrote to memory of 568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2384 wrote to memory of 568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2384 wrote to memory of 2708	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2384 wrote to memory of 2708	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2384 wrote to memory of 2708	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2384 wrote to memory of 2804	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2384 wrote to memory of 2804	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2384 wrote to memory of 2804	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2384 wrote to memory of 2876	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2384 wrote to memory of 2876	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2384 wrote to memory of 2876	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2384 wrote to memory of 2056	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2384 wrote to memory of 2056	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2384 wrote to memory of 2056	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2384 wrote to memory of 2864	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2384 wrote to memory of 2864	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2384 wrote to memory of 2864	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2384 wrote to memory of 2820	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2384 wrote to memory of 2820	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2384 wrote to memory of 2820	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2384 wrote to memory of 2912	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2384 wrote to memory of 2912	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2384 wrote to memory of 2912	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2384 wrote to memory of 2620	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2384 wrote to memory of 2620	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2384 wrote to memory of 2620	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2384 wrote to memory of 2768	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2384 wrote to memory of 2768	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2384 wrote to memory of 2768	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2384 wrote to memory of 1676	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2384 wrote to memory of 1676	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2384 wrote to memory of 1676	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2384 wrote to memory of 2668	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2384 wrote to memory of 2668	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2384 wrote to memory of 2668	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2384 wrote to memory of 2332	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2384 wrote to memory of 2332	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2384 wrote to memory of 2332	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2384 wrote to memory of 2272	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2384 wrote to memory of 2272	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2384 wrote to memory of 2272	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2384 wrote to memory of 2568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2384 wrote to memory of 2568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2384 wrote to memory of 2568	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2384 wrote to memory of 1476	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2384 wrote to memory of 1476	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2384 wrote to memory of 1476	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2384 wrote to memory of 2832	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2384 wrote to memory of 2832	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2384 wrote to memory of 2832	2384	2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_0028406f196dfcb13e649aab0b0cbe64_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\System\itDWeFg.exe
  C:\Windows\System\itDWeFg.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\REpfSJL.exe
  C:\Windows\System\REpfSJL.exe
  2⤵
  - Executes dropped EXE
  PID:276
- C:\Windows\System\wuyVohw.exe
  C:\Windows\System\wuyVohw.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\cUExBPm.exe
  C:\Windows\System\cUExBPm.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\XWjsAbp.exe
  C:\Windows\System\XWjsAbp.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\mgsWhmv.exe
  C:\Windows\System\mgsWhmv.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\vgXlrBB.exe
  C:\Windows\System\vgXlrBB.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\wAoWXFi.exe
  C:\Windows\System\wAoWXFi.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\jtWdYNE.exe
  C:\Windows\System\jtWdYNE.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\YMyEiAu.exe
  C:\Windows\System\YMyEiAu.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\aRJqZBX.exe
  C:\Windows\System\aRJqZBX.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\jIHZtWn.exe
  C:\Windows\System\jIHZtWn.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\BqCeUmk.exe
  C:\Windows\System\BqCeUmk.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\hsNjoKL.exe
  C:\Windows\System\hsNjoKL.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\rLqFxYU.exe
  C:\Windows\System\rLqFxYU.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\oxfWyLz.exe
  C:\Windows\System\oxfWyLz.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\ZSpbjGr.exe
  C:\Windows\System\ZSpbjGr.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\QXFptiE.exe
  C:\Windows\System\QXFptiE.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\qffgfZx.exe
  C:\Windows\System\qffgfZx.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\XcPiRmU.exe
  C:\Windows\System\XcPiRmU.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\KYMsYng.exe
  C:\Windows\System\KYMsYng.exe
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BqCeUmk.exe

Filesize
5.2MB

MD5
61757e778d4e7a120249d537f3642437

SHA1
87986a84ff0b78b9ad800fa764a435ce0671e31d

SHA256
45879aa998bc77fbbb2e0f9a94162222856edc627bfcc945c7ac2c1c890f78c4

SHA512
8b185eb5cf7204fb662280fb654c6f66a52ee67c2f02ba9ce82529ae67fca2f3a75d1d685e41c06443ddf328206650d97af0febe786a67d4ac2e1798de89ecca

Download Submit
C:\Windows\system\KYMsYng.exe

Filesize
5.2MB

MD5
8b9cca11ed006a3d43caeb672395e5b9

SHA1
b1e0eb00ea2ab529355bbe2a76b649f34610b949

SHA256
44d6687a8aee6ccac79ca5ae8f0aaf86e34084505b004a749af7c3e0813deadb

SHA512
f9c8b1773a0b77d7cc6462a9ecde7d86be120396e8c7aada0038062af33b1d414a775cd449911c2a880dbd6b5ddacae601b60e25bf3b2153dae8ba7c1ca7bdce

Download Submit
C:\Windows\system\REpfSJL.exe

Filesize
5.2MB

MD5
4b7c70b0a1e4b681de371fdaca298776

SHA1
5100f188b8daf71614f6709c1d51010b68b8219e

SHA256
6af2158326a69d48c385e8930c6e9752f9a4e927e59bb576c1e3c22d74f10cdf

SHA512
6eb1a5a458ffbb5c4fbaee3f026b3c2cdefbd7b0f8840020c9d41dfcf74ce0540036c6a869148a19bf7ce3685ee1884ad5013b3f40f6f861e44070227e285044

Download Submit
C:\Windows\system\XWjsAbp.exe

Filesize
5.2MB

MD5
8065482988a1a8ffb69853beb0dc68f8

SHA1
981a641712773989f04e6d244400ac6cfdc9df3f

SHA256
ce70a5c9185cd37e9e1c7b99d76763f1dd453d2abe684af7648994b04eff4a80

SHA512
d03d0cf3d00e427900e3de416c3924434be831faec331a9084b9e046d002740a3a8b1facf2daa55c44b1b1371e1548436a4736cf0301e4dbdc197379c953d222

Download Submit
C:\Windows\system\ZSpbjGr.exe

Filesize
5.2MB

MD5
b0a8692341a59efb42ff635813cec711

SHA1
ffbdea7b6f7fc5f6ec14020ca593c553ee54d0cb

SHA256
383d5c58b5b41308486a1a3bc1b8843c8075ae0f70c0dc661417a7130b878e77

SHA512
537597d8c5e248bf8228cd7089499a0f4a0e5d01633914052d423da963d140d13748f28cef50f378d39a0ab8be55287c4c19e624414ca3e69c70e26c2c234f4b

Download Submit
C:\Windows\system\aRJqZBX.exe

Filesize
5.2MB

MD5
06daad9ab71c836e2e677dd01656f2b0

SHA1
fc4d1f8ea91136b46e66fc713d49fc5c2d4add86

SHA256
692d2e9ad23d134eb60a3133ce4dc139588a3d38e6dc32e2c901ae9efebf136f

SHA512
b13583e100818037e857b546abb526679d38a4c5465ea42da1e227e78890e93888c117ff2d6d4ea3f43b1d34089277b4b24c9f9bce235dbd47892969aae06435

Download Submit
C:\Windows\system\cUExBPm.exe

Filesize
5.2MB

MD5
6823fc5141a7d86fcf1794fd50066a7f

SHA1
5a1ca5fff7357d05cbc8ce75265744aa4fd9b5cc

SHA256
8e9f62ed959d3524c9c58c6ceff558f356039a0222e153535caa30ba5e57295c

SHA512
89da96e9977418d8b447dec74b7f0b9147ecc6790a06cd8817b6384cc29f1074ee0c6a9644b86f82a2c17987c60bf9c226febe3ab790e84779acb6ea2214552b

Download Submit
C:\Windows\system\itDWeFg.exe

Filesize
5.2MB

MD5
6a97d79e72a8400c676c03233de98438

SHA1
dbda5446d73af7ee430b09acb97d7382d45d3bae

SHA256
52dd72aaa689e6da7aa8f48ddd3fbfa129080e273350f1854d2c4b627a54f77c

SHA512
439395def83d2dba76f483a98b9a456d8f69424f41fe76a3f781ba1d13110effdef9e65675a7943d537b946acfe14cf089517824e43412e5d6c6442e8e3805b2

Download Submit
C:\Windows\system\jIHZtWn.exe

Filesize
5.2MB

MD5
5f462a0910fe2c67c8bbda27dc337ab4

SHA1
47f70292e95e864a89fcddff1aab4313d62f6e66

SHA256
5e4dcf0d41564c7f79f3f649a8acd6625a2765cbf59e74527807274b436e3df7

SHA512
7548053e38f54d397d57d98a2965d3dcb8a877f49a6437321ccbae2ea9a208c52a393c086e1f57712bc1283c535cc6b60e50a4681ae4e20b077daaa11b7c055e

Download Submit
C:\Windows\system\jtWdYNE.exe

Filesize
5.2MB

MD5
eafc22dc567ab1dcbd62d179d51ada55

SHA1
c6d44de6f143637ff5b0d22a8bff85c36cba71a9

SHA256
785d6eea3e19299e1972bde4866d244ee7c6525088a9c52779b224bf9dfab1d7

SHA512
2124d1ee72d077040a85aa90ca4f49059b6e96aba625c311a6ee7404c679a9447e52b2753ebea4e5f0f1ed000a7892a9a1292c24cf25253ab5493ec8a22f2bcf

Download Submit
C:\Windows\system\mgsWhmv.exe

Filesize
5.2MB

MD5
4825f073d7f9dd62b0a1599e6142218b

SHA1
2f4cdea33e8cf587aa506b255ed430cb9abce4aa

SHA256
48bb63851197a5cce003d37b67dc26507d836c0dc9a6db18e0180f26dce2fbbb

SHA512
a72a194fb32908f27d573f3ea170967e1ecd32e19bff1b8ea590d373cfe554962812640bf108971b37fb3511a80b38e3e5ad7fdcb62df545286772ff45f00028

Download Submit
C:\Windows\system\qffgfZx.exe

Filesize
5.2MB

MD5
44a4db0a7e1846253e25bd0a4479b68d

SHA1
6451f529dba57c4f41fd4754eff4d2e3a54a0ad8

SHA256
2216e0afa6fd846291fd398d65bbd02610824b86eedd1a95f11312b39ef5d995

SHA512
f8674dec670c67a8198f8efd1989d4618e52c7b94fb8ce1a3af354cc0e4e2ea027cc6f3a25193c04f6701499ff46a145e7ad9d666f8f483543e4d59a323f7f42

Download Submit
C:\Windows\system\vgXlrBB.exe

Filesize
5.2MB

MD5
fc3bacdc0adf5f408e345d0e93224668

SHA1
efe3362403d919d80c7773678c91fe0fd31cbf5c

SHA256
8eaf838249c9913b3ff279f8692723a91f5c8e4ed2dde709d67e242724b96b2f

SHA512
08a036be5791a48d13401194212507389d9531d5fa1af155c04c138ff5c1d72634f6be8778d1a58cb1aa52e699f50da506baf9e953257081abcb298f01e87048

Download Submit
C:\Windows\system\wAoWXFi.exe

Filesize
5.2MB

MD5
febb4a8ac5f28b36b2c95bd54c16c966

SHA1
908a39ad09d3b8363893b2f24632b3b2433f938e

SHA256
034046c2d6707ce5a5e7685584b1049105cae92f874166eb764f673927d905f2

SHA512
e202be43c9f4b14607095280491f3c4662d4e48cced4e895474da81fe100c270cfe9952b79bfb52663ff956ca1140cdfebf3b02dc2f6043bb11d46c2111e5ade

Download Submit
C:\Windows\system\wuyVohw.exe

Filesize
5.2MB

MD5
4deb3c0b11dde60b096ceb29af03e475

SHA1
7434d3ef666d9665c1e8a23f7afa79e5666aa208

SHA256
291fe05ae6a0605d64827e83d6acb53e2f8617fd3c8905d49eb406266b21062a

SHA512
e3b103a09209f8652bb94bc3aa6c47ef969efb0db67f33385de8640069f290dd190f96d09bbba84868e6184b2fde44b0d6ce11b5841d967dd7378d250d848eeb

Download Submit
\Windows\system\QXFptiE.exe

Filesize
5.2MB

MD5
302c10b2681f5a219d988d242b749d87

SHA1
86d86530855e1d23d8e606c77b18183c41439667

SHA256
78bcf3bbb43d85b2cd9a193a63e59e99d6a3f8e699abcfe192069e00be50d205

SHA512
43fdcad26182b386f78674adbe2dc7a91034209e5090e0be6ff5f9fd94fbc921255fdd5083802410d28a6e5a7776288295cdf0f4cd70c522384ec971333051b1

Download Submit
\Windows\system\XcPiRmU.exe

Filesize
5.2MB

MD5
f14e1b76530bfe52043d04594b7928d6

SHA1
ae8e15c3e3b69725e0c6dd669328a974f88d4436

SHA256
d9a560e31b66363034dcbfc777ebd8d008e6b77b845d6561159f32fce03d3fa4

SHA512
55820c4fae55e4feef09b285f404a372aeeb0ed16e424f2a301709c22c5215ab25e333eef5f176d47632680c0136cbeb5c635ae38c30c8048dda67f7ce66fcf2

Download Submit
\Windows\system\YMyEiAu.exe

Filesize
5.2MB

MD5
542d5adedac79297624bece0ce66d5c9

SHA1
b9d7c36efba54298ffb4b14d72b76e28e8207721

SHA256
7e4437a8aa2932f5cc7851688b921438ab53ad15c227854f508da5bb9a07280c

SHA512
6959cac53e2819f3cd5a5fad84b17019f8ca86f3859a15dfd1cc953c5912fce9db94b8131a6ede382a09f4d469224d65a92a0b24044198842aee499083f3ffed

Download Submit
\Windows\system\hsNjoKL.exe

Filesize
5.2MB

MD5
1faa1d444eefc6cb1072c6529ba2b18f

SHA1
4b6a6038d17fb804794689cd72554d4d562c0011

SHA256
73d661b59e8fd79ed6cf00fd329c82a74a5ff694a38ae3bb37447527e1b8658b

SHA512
ccc3211e722a46ec5f8902b1bd5452468a3a599a3eb33087d472649a1309bda65d321a33f49d1a149f9ad29b53fb8293ce5f2c11b46621fbb4300f7418a18e3f

Download Submit
\Windows\system\oxfWyLz.exe

Filesize
5.2MB

MD5
fdb6966ad8703a2c321ca8d0310bfdad

SHA1
9c871636efe0876236d83aebf7e03637d361f811

SHA256
a8405ba99f4fed2921c5537a32563418f461e97a0da6550b429ff2a7b606f212

SHA512
5c566fe49489f737c9b7e07a8408140896e96b92aaaa2d5a1cccbe5fee1e333cecb86d1cd720347459ed0c8f47063b02b558e31246f07c6289105b54b03ea426

Download Submit
\Windows\system\rLqFxYU.exe

Filesize
5.2MB

MD5
34d21afdd9802a23bbbc1535c29ce2ac

SHA1
884415f2464d64d4f96fd7a6fe3af9a033e7c3ed

SHA256
0bd59e41d7fed351102605b6053190705fdf6db1509975a4ddf38129fd7bc41d

SHA512
4916bbae65780b97bc84aad9f724646579d808ed9b0da9668b82147dd7b102a017de5c60e9f59706baa29239af950d1745bd27e9cb836d7d6ce794ed217d87dd

Download Submit
memory/264-110-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/264-221-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/276-235-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/276-108-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/568-223-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/568-114-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1476-152-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1676-128-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1676-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2056-227-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2056-122-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-112-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2240-233-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-150-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/2308-219-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2308-16-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2308-133-0x000000013F740000-0x000000013FA91000-memory.dmp

Filesize
3.3MB

Download
memory/2332-149-0x000000013F7C0000-0x000000013FB11000-memory.dmp

Filesize
3.3MB

Download
memory/2384-131-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-126-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-121-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2384-119-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-113-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-154-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2384-115-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-127-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2384-155-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2384-111-0x000000013F950000-0x000000013FCA1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-130-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2384-132-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2384-0-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2384-109-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2384-117-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2384-123-0x0000000002190000-0x00000000024E1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-151-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-125-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-231-0x000000013FFA0000-0x00000001402F1000-memory.dmp

Filesize
3.3MB

Download
memory/2668-148-0x000000013F7E0000-0x000000013FB31000-memory.dmp

Filesize
3.3MB

Download
memory/2708-239-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-116-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-146-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-225-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2804-118-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-124-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2820-229-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/2832-153-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2864-129-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2864-244-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2876-241-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-120-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2912-144-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download