cobaltstrike | 28e326c14bb04323f229b845acfe225be043a8ab535b5469afdfb3c65e1eac54

Analysis

max time kernel
140s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2bcd0bb42dda88160e4dcfe1f1550a01
SHA1

6ecbf2711a10a801779cab160730c8f34eed796a
SHA256

28e326c14bb04323f229b845acfe225be043a8ab535b5469afdfb3c65e1eac54
SHA512

d89c0ff2591f1ac7b9f91cc187d09ed09beb4c9d614dea794083a281e9638189a138fff2cd8fb63736c4bf266fe5e42368b6c4b72760b0e0bf1c3e5bfc24e281
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l0:RWWBibf56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012102-6.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d27-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d30-36.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d1f-20.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d0c-18.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d38-44.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000016d02-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d40-53.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001749c-57.dat	cobalt_reflective_dll
behavioral1/files/0x0028000000016ccb-65.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195d9-92.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960e-115.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019610-127.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960d-104.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960a-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019537-117.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960c-114.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f3-112.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194bd-98.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019441-84.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019436-75.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral1/memory/2852-9-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2652-41-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2832-43-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2964-27-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/1988-19-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2756-63-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/264-62-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2756-64-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/1656-61-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/1040-71-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2852-70-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/2064-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2068-126-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2756-103-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2844-80-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/1988-78-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2216-137-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/2756-138-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2756-145-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2176-153-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2756-161-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1740-159-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/1960-160-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2876-158-0x000000013FBF0000-0x000000013FF41000-memory.dmp	xmrig
behavioral1/memory/1884-156-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2360-154-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/2856-157-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2960-155-0x000000013F600000-0x000000013F951000-memory.dmp	xmrig
behavioral1/memory/2868-152-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2756-162-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2852-209-0x000000013F830000-0x000000013FB81000-memory.dmp	xmrig
behavioral1/memory/1988-219-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2844-223-0x000000013F560000-0x000000013F8B1000-memory.dmp	xmrig
behavioral1/memory/2964-221-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2832-225-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2652-227-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2216-229-0x000000013F140000-0x000000013F491000-memory.dmp	xmrig
behavioral1/memory/1656-231-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/264-233-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/1040-246-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/2068-250-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2064-249-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2852	SOLMHZr.exe
1988	PsWDhQT.exe
2844	blxsMYI.exe
2964	pzuOAdk.exe
2652	qmtNbAp.exe
2832	KXHkDgP.exe
2216	vmBxPOQ.exe
1656	EDZjIWP.exe
264	XyLQQOC.exe
1040	TlKSDnp.exe
2068	WMixKaY.exe
2064	pqiJnEU.exe
2868	gshLSpP.exe
2176	PUjopdw.exe
2960	liRpupF.exe
2856	fwmSHKK.exe
1740	cAKtSRN.exe
2360	nvAgqGq.exe
1884	AjSaARs.exe
2876	KYzFhtU.exe
1960	WAkZXul.exe

Loads dropped DLL 21 IoCs

pid	Process
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2756-0-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/files/0x0008000000012102-6.dat	upx
behavioral1/memory/2852-9-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/2844-25-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/files/0x0007000000016d27-28.dat	upx
behavioral1/files/0x0007000000016d30-36.dat	upx
behavioral1/memory/2652-41-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2832-43-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2964-27-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/files/0x0008000000016d1f-20.dat	upx
behavioral1/memory/1988-19-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/files/0x0008000000016d0c-18.dat	upx
behavioral1/files/0x0007000000016d38-44.dat	upx
behavioral1/memory/2216-48-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/files/0x000a000000016d02-13.dat	upx
behavioral1/files/0x0007000000016d40-53.dat	upx
behavioral1/files/0x000800000001749c-57.dat	upx
behavioral1/memory/2756-63-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/264-62-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/1656-61-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/files/0x0028000000016ccb-65.dat	upx
behavioral1/memory/1040-71-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2852-70-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/files/0x00050000000195d9-92.dat	upx
behavioral1/files/0x000500000001960e-115.dat	upx
behavioral1/files/0x0005000000019610-127.dat	upx
behavioral1/files/0x000500000001960d-104.dat	upx
behavioral1/memory/2064-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2068-126-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/files/0x000500000001960a-124.dat	upx
behavioral1/files/0x0005000000019537-117.dat	upx
behavioral1/files/0x000500000001960c-114.dat	upx
behavioral1/files/0x00050000000194f3-112.dat	upx
behavioral1/files/0x00050000000194bd-98.dat	upx
behavioral1/files/0x0005000000019441-84.dat	upx
behavioral1/memory/2844-80-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/1988-78-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/files/0x0005000000019436-75.dat	upx
behavioral1/memory/2216-137-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/2756-138-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2176-153-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/1740-159-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/memory/1960-160-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2876-158-0x000000013FBF0000-0x000000013FF41000-memory.dmp	upx
behavioral1/memory/1884-156-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2360-154-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/2856-157-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2960-155-0x000000013F600000-0x000000013F951000-memory.dmp	upx
behavioral1/memory/2868-152-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2756-162-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2852-209-0x000000013F830000-0x000000013FB81000-memory.dmp	upx
behavioral1/memory/1988-219-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2844-223-0x000000013F560000-0x000000013F8B1000-memory.dmp	upx
behavioral1/memory/2964-221-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2832-225-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2652-227-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2216-229-0x000000013F140000-0x000000013F491000-memory.dmp	upx
behavioral1/memory/1656-231-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/264-233-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/1040-246-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/2068-250-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2064-249-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gshLSpP.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nvAgqGq.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\liRpupF.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WAkZXul.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\blxsMYI.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XyLQQOC.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAKtSRN.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SOLMHZr.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vmBxPOQ.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EDZjIWP.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TlKSDnp.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WMixKaY.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pqiJnEU.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PUjopdw.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AjSaARs.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pzuOAdk.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYzFhtU.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qmtNbAp.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXHkDgP.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fwmSHKK.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PsWDhQT.exe	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2852	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2756 wrote to memory of 2852	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2756 wrote to memory of 2852	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2756 wrote to memory of 1988	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2756 wrote to memory of 1988	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2756 wrote to memory of 1988	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2756 wrote to memory of 2844	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2756 wrote to memory of 2844	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2756 wrote to memory of 2844	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2756 wrote to memory of 2964	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2756 wrote to memory of 2964	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2756 wrote to memory of 2964	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2756 wrote to memory of 2652	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2756 wrote to memory of 2652	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2756 wrote to memory of 2652	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2756 wrote to memory of 2832	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2756 wrote to memory of 2832	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2756 wrote to memory of 2832	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2756 wrote to memory of 2216	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2756 wrote to memory of 2216	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2756 wrote to memory of 2216	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2756 wrote to memory of 1656	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2756 wrote to memory of 1656	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2756 wrote to memory of 1656	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2756 wrote to memory of 264	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2756 wrote to memory of 264	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2756 wrote to memory of 264	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2756 wrote to memory of 1040	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2756 wrote to memory of 1040	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2756 wrote to memory of 1040	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2756 wrote to memory of 2068	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2756 wrote to memory of 2068	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2756 wrote to memory of 2068	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2756 wrote to memory of 2064	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2756 wrote to memory of 2064	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2756 wrote to memory of 2064	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2756 wrote to memory of 2868	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2756 wrote to memory of 2868	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2756 wrote to memory of 2868	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2756 wrote to memory of 2176	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2756 wrote to memory of 2176	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2756 wrote to memory of 2176	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2756 wrote to memory of 2360	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2756 wrote to memory of 2360	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2756 wrote to memory of 2360	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2756 wrote to memory of 2960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2756 wrote to memory of 2960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2756 wrote to memory of 2960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2756 wrote to memory of 1884	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2756 wrote to memory of 1884	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2756 wrote to memory of 1884	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2756 wrote to memory of 2856	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2756 wrote to memory of 2856	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2756 wrote to memory of 2856	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2756 wrote to memory of 2876	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2756 wrote to memory of 2876	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2756 wrote to memory of 2876	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2756 wrote to memory of 1740	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2756 wrote to memory of 1740	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2756 wrote to memory of 1740	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2756 wrote to memory of 1960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2756 wrote to memory of 1960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2756 wrote to memory of 1960	2756	2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_2bcd0bb42dda88160e4dcfe1f1550a01_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\System\SOLMHZr.exe
  C:\Windows\System\SOLMHZr.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\PsWDhQT.exe
  C:\Windows\System\PsWDhQT.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\blxsMYI.exe
  C:\Windows\System\blxsMYI.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\pzuOAdk.exe
  C:\Windows\System\pzuOAdk.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\qmtNbAp.exe
  C:\Windows\System\qmtNbAp.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\KXHkDgP.exe
  C:\Windows\System\KXHkDgP.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\vmBxPOQ.exe
  C:\Windows\System\vmBxPOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\EDZjIWP.exe
  C:\Windows\System\EDZjIWP.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\XyLQQOC.exe
  C:\Windows\System\XyLQQOC.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\TlKSDnp.exe
  C:\Windows\System\TlKSDnp.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\WMixKaY.exe
  C:\Windows\System\WMixKaY.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\pqiJnEU.exe
  C:\Windows\System\pqiJnEU.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\gshLSpP.exe
  C:\Windows\System\gshLSpP.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\PUjopdw.exe
  C:\Windows\System\PUjopdw.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\nvAgqGq.exe
  C:\Windows\System\nvAgqGq.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\liRpupF.exe
  C:\Windows\System\liRpupF.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\AjSaARs.exe
  C:\Windows\System\AjSaARs.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\fwmSHKK.exe
  C:\Windows\System\fwmSHKK.exe
  2⤵
  - Executes dropped EXE
  PID:2856
- C:\Windows\System\KYzFhtU.exe
  C:\Windows\System\KYzFhtU.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\cAKtSRN.exe
  C:\Windows\System\cAKtSRN.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\WAkZXul.exe
  C:\Windows\System\WAkZXul.exe
  2⤵
  - Executes dropped EXE
  PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AjSaARs.exe

Filesize
5.2MB

MD5
731264b30ea3aa1265c8ddbe7b5ac512

SHA1
058f3f34a56895f2eaabdd547df894a1a1ecaa77

SHA256
9b8fbc10db04576067a018c29e84b5f9a690c544e3156a5bd28e965518b5a585

SHA512
5d6a7ba471602ea692443467751582d16c7b921011139b1de1db5db6ae9e7d5acbe83496c28b3049484b44a107d1e02174fa2ebcaa69ef3bc19b3c20d3bf20bf

Download Submit
C:\Windows\system\EDZjIWP.exe

Filesize
5.2MB

MD5
39d1b99ced94288499fef497fedafa69

SHA1
f1361b374f24d2286a9b4bc06eabe6b1c9a7ef2d

SHA256
2c1d9ee9b9bb39f70ed78639d35671ef74fbdf619d1f7b86f81e09a0a07054e1

SHA512
dfe007bd2189ce6fd4fc35dba604eaa2541227250b3f55723ab48d575811ac178efb38f7119f54f9ad998e989b5d44842744a3e484ffe4b69c21800e76cfd8c9

Download Submit
C:\Windows\system\KXHkDgP.exe

Filesize
5.2MB

MD5
b5fcb9264c2fb9db73bd09c461f10fcd

SHA1
275b785ea9181e29a349e065c44ab964cb6c62d4

SHA256
4abf0c1bb76725927f85974e62ce1845494d3487fd12d346cec53e3a2a2b295b

SHA512
e026eb096b8dc7ab2ff2ef53c4deabe17b77d326c21d015e29ac3ec59a49d4b6de6d5d20dfe90c2826686d4ea698b84d91bd10173ab1424bf858969db0c8576e

Download Submit
C:\Windows\system\PUjopdw.exe

Filesize
5.2MB

MD5
0aa3a124a39c01c9b6c81b6ff3d5e53a

SHA1
ac20c5b206e82b860d28b4806f3be1de603a2cf5

SHA256
ee7d25f944c13f037ae10ef20f3eafc858ceb5b616ed8c1ce9e542a53d81f9fa

SHA512
0c1982429705378c9c543fb257c0f8bb129b430fb4bd15b4dea168344116bcd3feb8996fd34221536f034fdd4d2daf2aaa397052c208d618a415ad9358904397

Download Submit
C:\Windows\system\PsWDhQT.exe

Filesize
5.2MB

MD5
de82f996801b47f580dc2c60b80c0170

SHA1
900bc78cb95aadb6e99b3bcb016a8181ca7e52e2

SHA256
8d517d7d939a91af16e4f64550d2e92a42bad4485e0e24c6a82d07298b3845d7

SHA512
ae9704c19335e39509772317e4470c8458c127e0f151c9d0f8727351cefb5f73324b34bd8da055383ed5c983cca86fb9369e042d2ac8758c88de2dc008a61099

Download Submit
C:\Windows\system\SOLMHZr.exe

Filesize
5.2MB

MD5
f881cd079fdcfd75e8615cea2a5e12d3

SHA1
e2b091dd4718cab52c40e8befe7f9fac4bba3c1f

SHA256
4bfdd0583ec4d6b85e137496283e23921f027d28072c9f05ea800887d15a8b9b

SHA512
e72907f45c7b2e3efdcf60c1d34859364afe87b9a4d27e709b691deaf0fef9a922e7b9aaf2077949c95abfe87821b988f00cd6351a509bf52d31c2f1f035839e

Download Submit
C:\Windows\system\WMixKaY.exe

Filesize
5.2MB

MD5
f44442a715bcb309bf03a3fac2368a44

SHA1
dce010a6d4318d9aa1f1fc3a13599b4ba8301361

SHA256
9d5e4e41d56f7dde1876a426b4979dbcaf4eff5574864309bffa51ec036dfe34

SHA512
dc2634bde8853ee870b6bf9b26c7401f097e3bee88704030d5d651fa3870b7abfd89533547e38a2583f9eaacd2592681265219a5e54a034cea1f39cf96ddc202

Download Submit
C:\Windows\system\XyLQQOC.exe

Filesize
5.2MB

MD5
c6d4db0c9ff3017e8bc648d3122dae34

SHA1
002d3fed68b861b6fa5ffa4a48b3ae80ec29f6fb

SHA256
a8bdb6ee46ba4a6dfe5c4cbc859b5384744f404327f92dd51199ae321f479ca9

SHA512
ecdb0e9d9bca49cbb6af3e10eb0df695046431fd364154e35971c117c93fbe246c1a75e65a650f1ed9a44ef42287cddf82b71e7668db36989cbfb3c8991cbede

Download Submit
C:\Windows\system\blxsMYI.exe

Filesize
5.2MB

MD5
1280f2029bfdb45b51bb03c8faec7147

SHA1
7120e73cd9f20c01a4cd5a341c0d6196c15c893f

SHA256
0088d34522cd6a6939e97f3e314cd0467c87a4806be2b24688fe30575a082715

SHA512
f433cec08292ef60efec5429bf38e085fe52177b7ce9798c319bc112ceaa379aff2c47c24a41c965a1c71f3baffd8be27be854b0643ad6b772bbc8fa03fb003c

Download Submit
C:\Windows\system\cAKtSRN.exe

Filesize
5.2MB

MD5
6dc87838606bda92f4636aa87077c174

SHA1
6bc6691ba616ba149aff31f651ed0f1fbf0ddafa

SHA256
a43f3d7e2826dcbbcd6d9346b64992988eddd722f056b316c87d8b17e80c1f54

SHA512
2d6de60fe1e26dd0e9dd790491f4d8ffa656f84dcc733a7a28afe9d27eb261130400610151f6402bf78bf14d2570fde71b12727f756ecf982569fc359c58ce02

Download Submit
C:\Windows\system\fwmSHKK.exe

Filesize
5.2MB

MD5
77c67b08a3186e20fb2b8312399785d8

SHA1
835404267135c91479a60708dcb73f20145add87

SHA256
7fff6eb1b12e5823a5a440fda560425c4c3c56f1920f53b08515e0151391dc8e

SHA512
b1b5a8aad226fa33b4a2e72ccc009d24a2c3c7338fbc220b18de74833f3e4f18793798dd6359614cae43e9738171f9b74e0a26fbae95e7e932ac8df4bbd84269

Download Submit
C:\Windows\system\gshLSpP.exe

Filesize
5.2MB

MD5
b60f12c5f8ff55adba512950ad4ff9f6

SHA1
6a15c6cb7d521f9dbfeaeaf4759c783c50c4c1f5

SHA256
b349f3e994d0240855f403044c40293e59363d7dc9e9d2c7fdf443d9a6fba386

SHA512
bee139940b46adb063c3750b7968c2ec14893b39ac1a37b7c56d9082459aded12dd90e587d853ae8838beda40b92a9e2895d33d616fc6c762e55094df85289de

Download Submit
C:\Windows\system\nvAgqGq.exe

Filesize
5.2MB

MD5
7c5354e94db6beef98a41a39a0b36386

SHA1
e84d9004a0e4824008caeacdf87060a7095c1302

SHA256
f19a15fdf0e9570ddd136a3786284c32207f3fec29faecfcff2b6a344dc6083a

SHA512
ec213a2d96d13c2339e4d4e7a2c87c5653230a19827660b0e0a55f25b7be510409deecc8d90032b642d2b97046bb8ba56baa55db7743594a693f38fa49013cdd

Download Submit
C:\Windows\system\pqiJnEU.exe

Filesize
5.2MB

MD5
3f2268d7b1a80d3a48f40f0277f8247b

SHA1
cb155030ec0075d9604db3da20660fc54470aaac

SHA256
a66828147df4abe29a08c8456c0f5e801219e41c7abe218931dd76a54549c500

SHA512
5c490ed3dadf702ef2429cf71841e2969ec79eaa87902a4506bd872eef7a5ddc9b4d10741f8fab5038371334566c1057fd1eeb5b2b5db895ec8d3e7db85c1713

Download Submit
\Windows\system\KYzFhtU.exe

Filesize
5.2MB

MD5
e8c77dca5f3262371e4c40d38ae3d0c5

SHA1
304bbf5d964dec4df46601a2d40e8f8249a63f42

SHA256
d167a52007779e74ac79682d9465f38b87180069724665b96a41225b87faec40

SHA512
7c9504f3fdb76bf6d2c5a2f9bb6e67f205714f8b62a553e415a3f8a746bf442d7a15260b8e388492956dd19c1a86e5d3bb38438d495f9d84b5ac6d86ab45aeab

Download Submit
\Windows\system\TlKSDnp.exe

Filesize
5.2MB

MD5
704bc32ad405236b1e8f5bbb3758dce7

SHA1
73563479d6cf0d8f212095a64d795edbefcc4e18

SHA256
c0eb28ae9bd64dc1dc246795896015ded5df230d7ad994c6ce1a23ee72618368

SHA512
4fd2cf14727a2f0a6785cb2c71d4f71924524576e88f3317e01272b419bb61bea27c9ba9db0a5d3299cb9779428b4f771b08ac7a2f63d11e801231264d2a6b5c

Download Submit
\Windows\system\WAkZXul.exe

Filesize
5.2MB

MD5
ada9c614a4507ad39e37a668eaa9bca7

SHA1
7e78c75518ab452453919da2fa1d198ef4385437

SHA256
2e078ee21f885b86c6537c18840e1935ea7e08a6176f5315e8a738c0e179cbc1

SHA512
472f7d8712f1457fefd391be40a31279c8d562348be8b49ded947e9ccafc5a8cfde67bb3546c707eb6bbe00159af194a5e87b58eac873b3d59adf46bf72528cf

Download Submit
\Windows\system\liRpupF.exe

Filesize
5.2MB

MD5
ae66a98baf7f8d84632faf874d63305b

SHA1
1a381dd8758e130bb7bc4f63990ba9be3d0bae74

SHA256
19e559d87be4a695e0071567ff0b860fd95095cece8343d8bb86a5db9807c5b8

SHA512
dc6bda1b36c66f11221773bb550082507bfd9e0d29a5565bec9cabe8d0a00b6428a74e8d706f6a413778404516b3789e4ec74a4fa3bfc1aa0c7e48f3315ab80f

Download Submit
\Windows\system\pzuOAdk.exe

Filesize
5.2MB

MD5
1c1c3f273d9ab7aa58b16d7d18849fdb

SHA1
8ba478171cf1976fc1f87b628b9d42b4c5794457

SHA256
ee1ac4e2d14a0fa8c0fff50977972dbb6bd89527ef70f28632dc7e6f32709569

SHA512
e1fef6cd091b6b0a62ecfb2dd0d5f3eea132086e5785060976368d6f58811d8c0d186f9b9451093c570af38b9a910a028f02669710c0ae63400c201d44dd2911

Download Submit
\Windows\system\qmtNbAp.exe

Filesize
5.2MB

MD5
1376025697e80c6e68d693105dbfb65b

SHA1
a444b9567c610cb47951666e99cd94ce33b91985

SHA256
2b5f858f9b11977ce472628ccd4a177f666db2231c131a572b0ae4c096783c3e

SHA512
9e1968e0fd1d223e00a3160f906dfa3d2492f3122962d3917c6c5088cdb43b9f017f4206c7bd93bda5c1bcda4f4add202caf029be8b5209e961ac2692c09f78e

Download Submit
\Windows\system\vmBxPOQ.exe

Filesize
5.2MB

MD5
020c07cc4c98f2ae89a47b7877afe4f0

SHA1
0d36f0a4b4eea259238d59bb6d89e387f39eacd6

SHA256
536d737c83f176d1b669a3804114d2dfda8b06a054dd1dac1a5eccf4668f9cbd

SHA512
10efb76739686e9cccd1756c06a9d91237ae7a606aff8a8fd50546eba3c4fac8dac075909833c427873d54ff5bcf4ad2a410d8dbe289fa75c148724548019f55

Download Submit
memory/264-62-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/264-233-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/1040-246-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1040-71-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1656-231-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1656-61-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1740-159-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-156-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/1960-160-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1988-219-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1988-19-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1988-78-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2064-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2064-249-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2068-126-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2068-250-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2176-153-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-48-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2216-229-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2216-137-0x000000013F140000-0x000000013F491000-memory.dmp

Filesize
3.3MB

Download
memory/2360-154-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2652-227-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2652-41-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2756-111-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-145-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2756-106-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-103-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2756-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2756-125-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-34-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-37-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-135-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-64-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2756-138-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2756-162-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2756-59-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-161-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-40-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2756-42-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2756-7-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2756-63-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2756-123-0x00000000023B0000-0x0000000002701000-memory.dmp

Filesize
3.3MB

Download
memory/2756-129-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2756-0-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2832-43-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2832-225-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2844-223-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-80-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-25-0x000000013F560000-0x000000013F8B1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-209-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2852-70-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2852-9-0x000000013F830000-0x000000013FB81000-memory.dmp

Filesize
3.3MB

Download
memory/2856-157-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2868-152-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2876-158-0x000000013FBF0000-0x000000013FF41000-memory.dmp

Filesize
3.3MB

Download
memory/2960-155-0x000000013F600000-0x000000013F951000-memory.dmp

Filesize
3.3MB

Download
memory/2964-221-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2964-27-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download