cobaltstrike | 5b2ff3d35d1840383524e2cf1ea932e1154dac81d56e948a4df3442c90fc429d

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 04:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

6b644b34cb4dace4ab654aec2d112036
SHA1

c30895f800c0a211d6a151db64c361022d755da2
SHA256

5b2ff3d35d1840383524e2cf1ea932e1154dac81d56e948a4df3442c90fc429d
SHA512

3a0434db696574299d1746fb02d393ba0aa8f5a03fca6aefa21ed5b962323e142f936852c1f1f48ef36c3d05ba6b89f16ae1efdf5cffce3a2e444b36c5a5bc29
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBibd56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b000000012280-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d59-8.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015ec4-21.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d79-15.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d81-26.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d18-136.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016df3-132.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016de8-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d77-128.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d67-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6b-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d54-74.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d43-63.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d2a-53.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016dea-114.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d9f-100.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d6f-90.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4b-73.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3a-60.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f7b-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015f25-39.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/1260-138-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2924-106-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1736-141-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2740-142-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig
behavioral1/memory/1736-140-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2700-139-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/3068-77-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2172-66-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/1736-91-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2484-71-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/1736-61-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2788-50-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/1736-144-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2720-151-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1736-152-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2256-36-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/2172-19-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/3068-33-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2748-30-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2684-158-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/1000-165-0x000000013FE40000-0x0000000140191000-memory.dmp	xmrig
behavioral1/memory/1156-167-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1976-166-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1752-163-0x000000013FAB0000-0x000000013FE01000-memory.dmp	xmrig
behavioral1/memory/2504-161-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/760-156-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/3004-164-0x000000013FEF0000-0x0000000140241000-memory.dmp	xmrig
behavioral1/memory/1092-162-0x000000013FFB0000-0x0000000140301000-memory.dmp	xmrig
behavioral1/memory/2512-160-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/1736-168-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2172-217-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2748-233-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2484-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2256-237-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/3068-239-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/2924-241-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2788-243-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2700-251-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2504-255-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2720-250-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/1260-260-0x000000013F1C0000-0x000000013F511000-memory.dmp	xmrig
behavioral1/memory/2740-253-0x000000013FB10000-0x000000013FE61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2172	QJaHvcS.exe
2484	XADxgAw.exe
2748	DcRaBcl.exe
2256	CckkPGp.exe
3068	SanvVbZ.exe
2924	lFVwqQB.exe
2788	CkidDuO.exe
1260	LDonKrz.exe
2700	eQJjpfS.exe
2720	yCyqJSn.exe
2740	RkxwqJw.exe
2504	rYVlesz.exe
1752	cwvTBvL.exe
1000	hJMUKSG.exe
760	wwayYBp.exe
2684	AQzVGcj.exe
2512	ErDXsJM.exe
1092	IKyoTrJ.exe
3004	qLdHsWk.exe
1976	bPwgFkl.exe
1156	qIfQrdX.exe

Loads dropped DLL 21 IoCs

pid	Process
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/files/0x000b000000012280-6.dat	upx
behavioral1/files/0x0008000000015d59-8.dat	upx
behavioral1/files/0x0007000000015ec4-21.dat	upx
behavioral1/files/0x0008000000015d79-15.dat	upx
behavioral1/memory/2484-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/files/0x0008000000015d81-26.dat	upx
behavioral1/memory/1260-138-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/files/0x0009000000015d18-136.dat	upx
behavioral1/files/0x0006000000016df3-132.dat	upx
behavioral1/files/0x0006000000016de8-130.dat	upx
behavioral1/files/0x0006000000016d77-128.dat	upx
behavioral1/memory/2924-106-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2740-86-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/files/0x0006000000016d67-84.dat	upx
behavioral1/files/0x0006000000016d6b-82.dat	upx
behavioral1/memory/2740-142-0x000000013FB10000-0x000000013FE61000-memory.dmp	upx
behavioral1/memory/2700-139-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/3068-77-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/files/0x0006000000016d54-74.dat	upx
behavioral1/memory/2700-67-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2172-66-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/files/0x0006000000016d43-63.dat	upx
behavioral1/memory/1260-56-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx
behavioral1/files/0x0008000000016d2a-53.dat	upx
behavioral1/files/0x0006000000016dea-114.dat	upx
behavioral1/files/0x0006000000016d9f-100.dat	upx
behavioral1/files/0x0006000000016d6f-90.dat	upx
behavioral1/files/0x0006000000016d4b-73.dat	upx
behavioral1/memory/2484-71-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/1736-61-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/files/0x0006000000016d3a-60.dat	upx
behavioral1/memory/2788-50-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/1736-144-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2720-151-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/files/0x0007000000015f7b-47.dat	upx
behavioral1/memory/2924-42-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/files/0x0007000000015f25-39.dat	upx
behavioral1/memory/2256-36-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/2172-19-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/3068-33-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2748-30-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2684-158-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/1000-165-0x000000013FE40000-0x0000000140191000-memory.dmp	upx
behavioral1/memory/1156-167-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/1976-166-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1752-163-0x000000013FAB0000-0x000000013FE01000-memory.dmp	upx
behavioral1/memory/2504-161-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/760-156-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/3004-164-0x000000013FEF0000-0x0000000140241000-memory.dmp	upx
behavioral1/memory/1092-162-0x000000013FFB0000-0x0000000140301000-memory.dmp	upx
behavioral1/memory/2512-160-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/1736-168-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2172-217-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2748-233-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2484-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2256-237-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/3068-239-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/2924-241-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2788-243-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2700-251-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2504-255-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2720-250-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/1260-260-0x000000013F1C0000-0x000000013F511000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\yCyqJSn.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ErDXsJM.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cwvTBvL.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wwayYBp.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XADxgAw.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CckkPGp.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lFVwqQB.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CkidDuO.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDonKrz.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AQzVGcj.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RkxwqJw.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IKyoTrJ.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hJMUKSG.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIfQrdX.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qLdHsWk.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bPwgFkl.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QJaHvcS.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DcRaBcl.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SanvVbZ.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eQJjpfS.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYVlesz.exe	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2172	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2172	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2172	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1736 wrote to memory of 2484	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2484	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2484	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1736 wrote to memory of 2748	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 2748	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 2748	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1736 wrote to memory of 3068	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 3068	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 3068	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1736 wrote to memory of 2256	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2256	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2256	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1736 wrote to memory of 2924	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2924	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2924	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1736 wrote to memory of 2788	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 2788	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 2788	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1736 wrote to memory of 1260	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 1260	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 1260	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1736 wrote to memory of 2700	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 2700	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 2700	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1736 wrote to memory of 760	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 760	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 760	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1736 wrote to memory of 2720	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2720	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2720	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1736 wrote to memory of 2684	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2684	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2684	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1736 wrote to memory of 2740	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 2740	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 2740	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1736 wrote to memory of 2512	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 2512	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 2512	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1736 wrote to memory of 2504	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 2504	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 2504	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1736 wrote to memory of 1092	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 1092	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 1092	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1736 wrote to memory of 1752	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 1752	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 1752	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1736 wrote to memory of 3004	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 3004	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 3004	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1736 wrote to memory of 1000	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 1000	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 1000	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1736 wrote to memory of 1976	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 1976	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 1976	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1736 wrote to memory of 1156	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1736 wrote to memory of 1156	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1736 wrote to memory of 1156	1736	2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_6b644b34cb4dace4ab654aec2d112036_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\System\QJaHvcS.exe
  C:\Windows\System\QJaHvcS.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\XADxgAw.exe
  C:\Windows\System\XADxgAw.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\DcRaBcl.exe
  C:\Windows\System\DcRaBcl.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\SanvVbZ.exe
  C:\Windows\System\SanvVbZ.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\CckkPGp.exe
  C:\Windows\System\CckkPGp.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\lFVwqQB.exe
  C:\Windows\System\lFVwqQB.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\CkidDuO.exe
  C:\Windows\System\CkidDuO.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\LDonKrz.exe
  C:\Windows\System\LDonKrz.exe
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Windows\System\eQJjpfS.exe
  C:\Windows\System\eQJjpfS.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\wwayYBp.exe
  C:\Windows\System\wwayYBp.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\yCyqJSn.exe
  C:\Windows\System\yCyqJSn.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\AQzVGcj.exe
  C:\Windows\System\AQzVGcj.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\RkxwqJw.exe
  C:\Windows\System\RkxwqJw.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\ErDXsJM.exe
  C:\Windows\System\ErDXsJM.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\rYVlesz.exe
  C:\Windows\System\rYVlesz.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\IKyoTrJ.exe
  C:\Windows\System\IKyoTrJ.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\cwvTBvL.exe
  C:\Windows\System\cwvTBvL.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\qLdHsWk.exe
  C:\Windows\System\qLdHsWk.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\hJMUKSG.exe
  C:\Windows\System\hJMUKSG.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\bPwgFkl.exe
  C:\Windows\System\bPwgFkl.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\qIfQrdX.exe
  C:\Windows\System\qIfQrdX.exe
  2⤵
  - Executes dropped EXE
  PID:1156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CkidDuO.exe

Filesize
5.2MB

MD5
ed60d3eb17e9d0ca4b5f14a79059f176

SHA1
fcdc1c36ae45c5b3630766f0da59f12d596de3c6

SHA256
4b42d5755c9235471d0a2dbfaf85c0b7bc3ee43f87574fcd34c5b2f439c60e67

SHA512
bcca2da6af4a1f1664bed88d9202ad950f02b9ac982440852b3b62c46d3ab66089bf461852c7e697af8175dbb5a41b5788d57220b083dc2cffda7334390a329f

Download Submit
C:\Windows\system\DcRaBcl.exe

Filesize
5.2MB

MD5
6484b9534aa17257b38a73a17a20a8e9

SHA1
e3aa6866c61dff1053143f38ec9a9b97436c12d1

SHA256
eca01bcbfc86a47db7bbbe6ff8d14538ab58a7fda31cd8e2308453e823402670

SHA512
4fbcfdf0d814f5e8625f4fb4235b96e665f5ba07acd8b4f203746c3da39f8281c1ae12e4c8c7a410cf257715d3ba1520de9a680ce6242d9eb3cf1c62d4889ad1

Download Submit
C:\Windows\system\IKyoTrJ.exe

Filesize
5.2MB

MD5
9727d98e3addc982e02eeccb417695dc

SHA1
33c1c4079dffedccb9d77e7e568e28e27d2f7a2b

SHA256
63017e5200ecedb9ce9dac5cad6323d30602927867e999778faffc642631c00a

SHA512
7e23eb6aa4f212f124292d9f140f6e9a875f18d594f398340cdf6ba0fd3ae770da584de39a88763f517eb2ff47c33b78ab190eaa70e9aa7069e4d2c8c629c4b3

Download Submit
C:\Windows\system\LDonKrz.exe

Filesize
5.2MB

MD5
0e8039264fcba54858c7e1fd40e8544f

SHA1
ac9da04dc3a4d154b41afa9dbaf09d5aecb94c5e

SHA256
93e2e84ff3a241260686342caa0d02b212f58cf381c13b21a21e81ec4e62993e

SHA512
862019b686e7bf77ef652facea6ceac348161b42d993c5363d745d83fadad062ccc1947a903dbe4ec8e8b6c2342d61d2f8bd561423825bcae4ce706b5edf9a6e

Download Submit
C:\Windows\system\QJaHvcS.exe

Filesize
5.2MB

MD5
075b7c2c615da05c3140a59a9cf743a5

SHA1
7f70c006542118d56193c19949d60350afc60c0e

SHA256
e3aecfaef510b0180f9af4a29742ad2f6f6dc9e6bea5c98cce214fda02acd7ec

SHA512
e4c8f4673ba4890345eac71aac18a0021b50464da021a4451a2b9fed65b40d72a29df9f819d6f52d77f8d010d84ddc4a5aba97c67aaa53a2442b2dd6e2de1b2c

Download Submit
C:\Windows\system\RkxwqJw.exe

Filesize
5.2MB

MD5
6f382c609fcef6c2fc188757f3959973

SHA1
94cb754537e088c412aff2ac74b29852eff0aac4

SHA256
f8a95fd1a0509d754200cb496ef72bb5ab6a4f17a727200c2069f22a39a2f4bf

SHA512
fddaacfba6f02e62e667b00fb72ee4ef59aba9aca32c62202bf46bde5ea74fccc7121f549304c66ce371eee97d00f7aeba91be19c2b9683b3c44b3b6168d3f62

Download Submit
C:\Windows\system\SanvVbZ.exe

Filesize
5.2MB

MD5
49d30891682ea6fb2f211e51b84779f3

SHA1
f0b2c04525e999925fd78b8fa0adc8e3e73f9390

SHA256
0833867fcc475dbdbd5ceff1b023a83477a35e803bd1ef933f4b5144b41d24cb

SHA512
d65abacf84108f846f92525246b6569bba1c23363c9df6ab80c58b6d50130563cbf2f18ec29e3c07a252f22ebecf779f8030082a3d8a8c7ed24f3e5769046a38

Download Submit
C:\Windows\system\bPwgFkl.exe

Filesize
5.2MB

MD5
0349a9fbca5350886a2e92341cdd7ce7

SHA1
971260209cc5d4e8d344256bc801887f4ea873ce

SHA256
396987e6f4d400aa9b196eb4ef09c67c9ad6bc0c1256c6d2d29b41a8fdfcb5fd

SHA512
a74ed209e1014045b59f1dfdce8972ad737220680674a9fd538ac7d72d9e1bff2cbb99a17d68c19e3b9fb5b3827fc3f20174b4cd889ef6fe3ae5d29f45851d01

Download Submit
C:\Windows\system\cwvTBvL.exe

Filesize
5.2MB

MD5
9eb5649d6eba2dc15bab43d97b327c2f

SHA1
4c63aa709a1cdcec647fff91c317e63601448860

SHA256
6df91d90d3d2a0197041a9d4c59eb7304dbabf4a22bf41762635a5f05b3496bb

SHA512
40b3c3e870c5dd59bd5b6f637a01458bca07936c542da74eead1c2804574b5061324f998b0f97cba4a6d5ed9489a421e3b8ea5655e1276b1509830598a29d5bc

Download Submit
C:\Windows\system\eQJjpfS.exe

Filesize
5.2MB

MD5
3a270e155e9c99b75637a805e7834dac

SHA1
d7f54de8d414054597d9f61801e79d372aeadcc7

SHA256
4d38426235f5b1d70ba3ec08aa4ad2f6a0b5373854f37fe29d13f5e0447b1f03

SHA512
12a5f4e3c1377c19839cef19b84c35b6efc79e00b266f12fcf91a5afb6e54118cd39fec927d60737531e00f790c40d0c61ccd371068b461c1576df1f7371c25a

Download Submit
C:\Windows\system\hJMUKSG.exe

Filesize
5.2MB

MD5
d5ef696ca865546a9db8adc3d82f92ed

SHA1
f927ff4b5ebb3308a8234da6cb2fd85b14251915

SHA256
906e368b7bb3a914ac3ae05f0f6df45f93f6de451a5ac57e779b08e91c05a2cf

SHA512
0282685bb982666c60d59859b5c4622c232b0032560b4bec066870480089798ae9319f3b704c666428918083d1997aed6a5952a212c20d521bb75df652ce2d54

Download Submit
C:\Windows\system\lFVwqQB.exe

Filesize
5.2MB

MD5
7fcb9be658864162585678e6fa8f905d

SHA1
4ba1d0a0ea3a8bc9b93fea565c3b85c633bfe048

SHA256
5a3b31db4e6e315d02f32f28764a24c7f3e06a5b5f94d6f72635f20b9ae9253a

SHA512
e9d51dde10a2b0121605b3df6e8644c49a8d8bcb5e67120c81129e1c62619227d8f62b77338261031c650a032488fcf896edf4513e25d35cb6042a3345b468b3

Download Submit
C:\Windows\system\qIfQrdX.exe

Filesize
5.2MB

MD5
631c3703fc196cbbd028bc7591ec7dc7

SHA1
3d4fc78d9c0ba77a1843acd412dec46ff55f1be8

SHA256
750ff48cd1c74b1fab5f6e4158f5b39b2ac1cfecb2d102a74cfa495d040416b1

SHA512
9b5d946e3db2c1bc386d5ff3db44cb2377ce3f50e3727ff41109a206b811af383f8910d17c7fab7ff9a195b0f62884766ac4804910f6d14647d27f6a3ff48a5f

Download Submit
C:\Windows\system\qLdHsWk.exe

Filesize
5.2MB

MD5
212b10a59a88dcb64ee155d7e4d4c078

SHA1
5b74ec5138bec2733854aa82b0a2134524107d70

SHA256
13aeb05b8ae163378b1c9b0a0f8594939655602cc851e6fc234257dfafc6ad92

SHA512
0189005891c5f6a73d2429f9d2a0b7b6c87c72756bf9b768d55423949057fbda8e344e63a133bccb67c56ebe2be62bb7561a212357574e5c1406a4c2dd50d557

Download Submit
C:\Windows\system\rYVlesz.exe

Filesize
5.2MB

MD5
92940ecb98bfd4131d9042d23a29a1a8

SHA1
58f3afd554875851ddd1cbc9d04d3b63be0d96aa

SHA256
5c2ceb0c95535b30daee60667a91937dc89cdfb8b346c32da7bbb72c829f1d85

SHA512
39e73c43e76967d845e5a670221bdbb33897df8f25161852e6d71f88d42aac26a236d023413ce184e8b4ce9d33a09e5ea9d9828e41533f27c460ed61c2212f3a

Download Submit
C:\Windows\system\yCyqJSn.exe

Filesize
5.2MB

MD5
828de78ee81b11e72265cea89b6ba682

SHA1
cfe5e765b3fc0c80c327f3712e1575b93a01bd7e

SHA256
5a5df670c84e67b61d595370d80fdd6895ffe4361a5c22a8b4ce15c2c9b92334

SHA512
cbb81987dac7a5cf80679f751a54daf64646949702370503b1cea7d58b924642bc7fed8087e935ee3100e762e56dbd3e8a6b9418354555a5455428eed242bf7e

Download Submit
\Windows\system\AQzVGcj.exe

Filesize
5.2MB

MD5
6e65baa41b997b61f9e841d846bf4541

SHA1
793d95161f7843721b69b057cf32966f027d9894

SHA256
a92ab09aa48525b65df973a544a97e41963114678bc44c3565a2aa2e58673fd4

SHA512
039d5960366427322404269e518e9fcac4a2355e33bc61f9ed7fb0ae84a9f2c9fe37bc702eeb949e24a0108cbec6ceccba12d96ac163a99efba587b4185ae153

Download Submit
\Windows\system\CckkPGp.exe

Filesize
5.2MB

MD5
d196946fa8bd417407e4d8428502aa13

SHA1
5afb4b1f5fa320917c13e691a271a3ecedc54eed

SHA256
7b528875cf4c5884b63adb4be80585de1e2ee623787ebc346723d332de372f5a

SHA512
8a687c079626419bce10c88613cef6e45a633a4fee97318c82ac2dcebbfc4e2198d2debafaac17fd4fb40fc32f97cdfd615b7d47e8f74ae7a5c846c2c70cb41f

Download Submit
\Windows\system\ErDXsJM.exe

Filesize
5.2MB

MD5
b9b49a32b113a74bcaea9ca039f9ef06

SHA1
b54734733c3a9677a298d9d1f7772eee8297c99c

SHA256
fba4f9c914c498d0eb412925f2b82446cd44579a4244afcfed3a7fcf252ca5b2

SHA512
56e6a22094b4c352874710cc6151d182af51ec77cb9352d1c3df442afe53f814bccbdcb137c498b32a519d67b96fbd62a0debd7f018c5f1d835fb3cf998c7b41

Download Submit
\Windows\system\XADxgAw.exe

Filesize
5.2MB

MD5
c0f68038d0c940a372478dbb4cf40371

SHA1
e15bcc0879bc7602057762014c9ccc9ef3d7cb5c

SHA256
9a3d3891d6e648ca37301ecd9a5fba0748698cf13a205e6d96d438c134c03bbd

SHA512
7648c3f5b3aa3a69fade363431fafbf54378c049832023a976f0d3f79da3830a66bbe5f0485a284181f64a64a193917d117b6dbd1674496b16980777287bf2c8

Download Submit
\Windows\system\wwayYBp.exe

Filesize
5.2MB

MD5
c368ccc1d7993ad760b158290ce71282

SHA1
c62f9c5ddfebc9e1154f9405eb0b73f77ede3a10

SHA256
2bdd7cb4aa478f3bc674c559ec5a8d45e1cfeba68f1db8c27756eddc050b7432

SHA512
692a9096bb62a8da86a341fcb7fba7381cc90a8c3847ba4c3cbe9c0142602cea21ecb79cbe9bd618c8188c7062088801ffd24bd819d850bc61efed8202bc8575

Download Submit
memory/760-156-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1000-165-0x000000013FE40000-0x0000000140191000-memory.dmp

Filesize
3.3MB

Download
memory/1092-162-0x000000013FFB0000-0x0000000140301000-memory.dmp

Filesize
3.3MB

Download
memory/1156-167-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/1260-138-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1260-260-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1260-56-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1736-72-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1736-141-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1736-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/1736-54-0x000000013F1C0000-0x000000013F511000-memory.dmp

Filesize
3.3MB

Download
memory/1736-168-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1736-28-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-102-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-101-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1736-140-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1736-143-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-91-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1736-41-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1736-81-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/1736-96-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/1736-0-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1736-35-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/1736-62-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1736-61-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1736-107-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-31-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-49-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1736-144-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/1736-32-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/1736-152-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/1736-95-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-163-0x000000013FAB0000-0x000000013FE01000-memory.dmp

Filesize
3.3MB

Download
memory/1976-166-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2172-19-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2172-66-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2172-217-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2256-237-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2256-36-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-71-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2484-235-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2484-27-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2504-255-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2504-161-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2512-160-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/2684-158-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2700-67-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2700-139-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2700-251-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2720-250-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2720-151-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2740-142-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2740-86-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2740-253-0x000000013FB10000-0x000000013FE61000-memory.dmp

Filesize
3.3MB

Download
memory/2748-233-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-30-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-50-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2788-243-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2924-241-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2924-42-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2924-106-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/3004-164-0x000000013FEF0000-0x0000000140241000-memory.dmp

Filesize
3.3MB

Download
memory/3068-33-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-239-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-77-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download