cobaltstrike | 1676ced20f9fa3e3a9a35af56d26055344cf81d5ce586a38eca931972562e1eb

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4a15e1781481dc27c90ed37d8df4b393
SHA1

a5345306f572153395e1b4072ff1b0912658c130
SHA256

1676ced20f9fa3e3a9a35af56d26055344cf81d5ce586a38eca931972562e1eb
SHA512

4fe2dc57a8f74e6742511455718d1496b062f150e1fd939b6546401ec46c22e6ee421e513af190f4729ee7e2cbceabb92fbc7848adb7f6edc8b7cfc89e2e3237
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lR:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000700000001941b-15.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001946b-25.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001938e-28.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019429-17.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019490-54.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019481-45.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a494-88.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001932a-102.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b1-122.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ad-113.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4af-117.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ab-107.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a5-98.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a495-92.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a489-82.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a487-77.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a467-72.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000194c6-59.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a42d-66.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001939c-40.dat	cobalt_reflective_dll
behavioral1/files/0x000a00000001202c-6.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2712-18-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1528-46-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2332-67-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2352-68-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2368-39-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/2712-52-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2768-129-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/2264-124-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/1948-130-0x000000013F040000-0x000000013F391000-memory.dmp	xmrig
behavioral1/memory/2644-131-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1528-132-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/300-137-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2780-140-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2484-139-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/1488-143-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2824-141-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2324-153-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/1676-154-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2972-152-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2292-150-0x000000013F860000-0x000000013FBB1000-memory.dmp	xmrig
behavioral1/memory/2708-148-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2936-151-0x000000013F420000-0x000000013F771000-memory.dmp	xmrig
behavioral1/memory/2216-149-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2888-144-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/1528-155-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/1528-158-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2712-212-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2332-214-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2352-217-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2368-218-0x000000013FEE0000-0x0000000140231000-memory.dmp	xmrig
behavioral1/memory/1488-220-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/300-222-0x000000013F390000-0x000000013F6E1000-memory.dmp	xmrig
behavioral1/memory/2484-232-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/2780-239-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2264-241-0x000000013FF30000-0x0000000140281000-memory.dmp	xmrig
behavioral1/memory/2768-243-0x000000013F280000-0x000000013F5D1000-memory.dmp	xmrig
behavioral1/memory/1948-245-0x000000013F040000-0x000000013F391000-memory.dmp	xmrig
behavioral1/memory/2644-247-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2888-257-0x000000013F3D0000-0x000000013F721000-memory.dmp	xmrig
behavioral1/memory/2824-258-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2712	lewsszq.exe
2332	txMkBSU.exe
2352	QJKWOHD.exe
2368	qjyAmVP.exe
1488	rrlMsBw.exe
300	KSoWITn.exe
2484	hMLYyuf.exe
2780	EeSdZwk.exe
2824	zIrOFHL.exe
2264	lwFpEqL.exe
2888	vlyyaMW.exe
2768	emiELzN.exe
1948	qHnyySr.exe
2644	CZFpciP.exe
2708	VvXuvnS.exe
2216	mAzcAjL.exe
2292	nmWSjai.exe
2936	bZRjXeV.exe
2972	QuiyTXb.exe
2324	oikEBGt.exe
1676	IbynjHn.exe

Loads dropped DLL 21 IoCs

pid	Process
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-0-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/files/0x000700000001941b-15.dat	upx
behavioral1/files/0x000600000001946b-25.dat	upx
behavioral1/files/0x000700000001938e-28.dat	upx
behavioral1/memory/2712-18-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/files/0x0006000000019429-17.dat	upx
behavioral1/files/0x0006000000019490-54.dat	upx
behavioral1/memory/2780-55-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/1528-46-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/files/0x0006000000019481-45.dat	upx
behavioral1/memory/300-43-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2332-67-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/files/0x000500000001a494-88.dat	upx
behavioral1/files/0x000800000001932a-102.dat	upx
behavioral1/files/0x000500000001a4b1-122.dat	upx
behavioral1/files/0x000500000001a4ad-113.dat	upx
behavioral1/files/0x000500000001a4af-117.dat	upx
behavioral1/files/0x000500000001a4ab-107.dat	upx
behavioral1/files/0x000500000001a4a5-98.dat	upx
behavioral1/files/0x000500000001a495-92.dat	upx
behavioral1/files/0x000500000001a489-82.dat	upx
behavioral1/files/0x000500000001a487-77.dat	upx
behavioral1/files/0x000500000001a467-72.dat	upx
behavioral1/memory/2352-68-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2824-60-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/files/0x00070000000194c6-59.dat	upx
behavioral1/files/0x000500000001a42d-66.dat	upx
behavioral1/memory/1488-41-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/files/0x000700000001939c-40.dat	upx
behavioral1/memory/2368-39-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/2352-35-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2332-34-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/1528-13-0x0000000002360000-0x00000000026B1000-memory.dmp	upx
behavioral1/memory/2712-52-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2484-50-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-6.dat	upx
behavioral1/memory/2768-129-0x000000013F280000-0x000000013F5D1000-memory.dmp	upx
behavioral1/memory/2888-126-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/2264-124-0x000000013FF30000-0x0000000140281000-memory.dmp	upx
behavioral1/memory/1948-130-0x000000013F040000-0x000000013F391000-memory.dmp	upx
behavioral1/memory/2644-131-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/1528-132-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/300-137-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2780-140-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2484-139-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/1488-143-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2824-141-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2324-153-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/1676-154-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2972-152-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/2292-150-0x000000013F860000-0x000000013FBB1000-memory.dmp	upx
behavioral1/memory/2708-148-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2936-151-0x000000013F420000-0x000000013F771000-memory.dmp	upx
behavioral1/memory/2216-149-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2888-144-0x000000013F3D0000-0x000000013F721000-memory.dmp	upx
behavioral1/memory/1528-158-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2712-212-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2332-214-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/2352-217-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2368-218-0x000000013FEE0000-0x0000000140231000-memory.dmp	upx
behavioral1/memory/1488-220-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/300-222-0x000000013F390000-0x000000013F6E1000-memory.dmp	upx
behavioral1/memory/2484-232-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/2780-239-0x000000013F920000-0x000000013FC71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\lewsszq.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QJKWOHD.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KSoWITn.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIrOFHL.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lwFpEqL.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZFpciP.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bZRjXeV.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qjyAmVP.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMLYyuf.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EeSdZwk.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IbynjHn.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\txMkBSU.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\emiELzN.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VvXuvnS.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oikEBGt.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rrlMsBw.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vlyyaMW.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qHnyySr.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAzcAjL.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nmWSjai.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QuiyTXb.exe	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2712	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1528 wrote to memory of 2712	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1528 wrote to memory of 2712	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1528 wrote to memory of 2332	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1528 wrote to memory of 2332	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1528 wrote to memory of 2332	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1528 wrote to memory of 1488	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1528 wrote to memory of 1488	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1528 wrote to memory of 1488	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1528 wrote to memory of 2352	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1528 wrote to memory of 2352	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1528 wrote to memory of 2352	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1528 wrote to memory of 300	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1528 wrote to memory of 300	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1528 wrote to memory of 300	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1528 wrote to memory of 2368	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1528 wrote to memory of 2368	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1528 wrote to memory of 2368	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1528 wrote to memory of 2484	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1528 wrote to memory of 2484	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1528 wrote to memory of 2484	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1528 wrote to memory of 2780	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1528 wrote to memory of 2780	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1528 wrote to memory of 2780	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1528 wrote to memory of 2824	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1528 wrote to memory of 2824	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1528 wrote to memory of 2824	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1528 wrote to memory of 2264	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1528 wrote to memory of 2264	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1528 wrote to memory of 2264	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1528 wrote to memory of 2888	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1528 wrote to memory of 2888	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1528 wrote to memory of 2888	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1528 wrote to memory of 2768	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1528 wrote to memory of 2768	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1528 wrote to memory of 2768	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1528 wrote to memory of 1948	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1528 wrote to memory of 1948	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1528 wrote to memory of 1948	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1528 wrote to memory of 2644	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1528 wrote to memory of 2644	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1528 wrote to memory of 2644	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1528 wrote to memory of 2708	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1528 wrote to memory of 2708	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1528 wrote to memory of 2708	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1528 wrote to memory of 2216	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1528 wrote to memory of 2216	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1528 wrote to memory of 2216	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1528 wrote to memory of 2292	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1528 wrote to memory of 2292	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1528 wrote to memory of 2292	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1528 wrote to memory of 2936	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1528 wrote to memory of 2936	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1528 wrote to memory of 2936	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1528 wrote to memory of 2972	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1528 wrote to memory of 2972	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1528 wrote to memory of 2972	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1528 wrote to memory of 2324	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1528 wrote to memory of 2324	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1528 wrote to memory of 2324	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1528 wrote to memory of 1676	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1528 wrote to memory of 1676	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1528 wrote to memory of 1676	1528	2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-31_4a15e1781481dc27c90ed37d8df4b393_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System\lewsszq.exe
  C:\Windows\System\lewsszq.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\txMkBSU.exe
  C:\Windows\System\txMkBSU.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\rrlMsBw.exe
  C:\Windows\System\rrlMsBw.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\QJKWOHD.exe
  C:\Windows\System\QJKWOHD.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\KSoWITn.exe
  C:\Windows\System\KSoWITn.exe
  2⤵
  - Executes dropped EXE
  PID:300
- C:\Windows\System\qjyAmVP.exe
  C:\Windows\System\qjyAmVP.exe
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\Windows\System\hMLYyuf.exe
  C:\Windows\System\hMLYyuf.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\EeSdZwk.exe
  C:\Windows\System\EeSdZwk.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\zIrOFHL.exe
  C:\Windows\System\zIrOFHL.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\lwFpEqL.exe
  C:\Windows\System\lwFpEqL.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\vlyyaMW.exe
  C:\Windows\System\vlyyaMW.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\emiELzN.exe
  C:\Windows\System\emiELzN.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\qHnyySr.exe
  C:\Windows\System\qHnyySr.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\CZFpciP.exe
  C:\Windows\System\CZFpciP.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\VvXuvnS.exe
  C:\Windows\System\VvXuvnS.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\mAzcAjL.exe
  C:\Windows\System\mAzcAjL.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\nmWSjai.exe
  C:\Windows\System\nmWSjai.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\bZRjXeV.exe
  C:\Windows\System\bZRjXeV.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\QuiyTXb.exe
  C:\Windows\System\QuiyTXb.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\oikEBGt.exe
  C:\Windows\System\oikEBGt.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\IbynjHn.exe
  C:\Windows\System\IbynjHn.exe
  2⤵
  - Executes dropped EXE
  PID:1676

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CZFpciP.exe

Filesize
5.2MB

MD5
f98e1e6b926f3ae3137be2301f5fb075

SHA1
1a23137cd4fe537a4e516e2d874358711fbeeed4

SHA256
01ae5cb4bd3d489c1298df5143d1c54f8486b4c761765f4470c125d86e23de8e

SHA512
5b42199511f5b7537874f21325c1b72e6f3e004552d7fa7d28d4b3025852dfb8522c5aead7e060579614eb14259046d3886ff804b6253cfe4dcfaf8b202176c2

Download Submit
C:\Windows\system\EeSdZwk.exe

Filesize
5.2MB

MD5
a9f2bcc125a456ed51c3d0e039ebacd7

SHA1
416b3db8557054870abe0892f44d270ac4e8893f

SHA256
fba72ef8911f4248455202e1399196e83564410e57ab66b5a4cc453db4bf2b6f

SHA512
3da07dce2e7472191fa03b26e441f30bc3cdfd69ae9d41942e95e37341851f43810115390e81ba3dc8dc87a6112e6a0cc140766f26db76c76eb4793cc5b09761

Download Submit
C:\Windows\system\IbynjHn.exe

Filesize
5.2MB

MD5
f8cc5e081628390093f19fbe2e4de8cb

SHA1
e58588a530ab337d3b26b052e0617c2abd4c8ef6

SHA256
dac4543d519c7845e7a674aec46ae19a10a5a6541770978661e880c99a4d42a8

SHA512
064739f42b9a9bd9cf57051114ad410619ec4cf8e63200c46e32f42b5beca77e7fa674c7faca12d3f3d0028134b66fa4e8e4b8cc6b88e27ee9100b780ce3e9f7

Download Submit
C:\Windows\system\KSoWITn.exe

Filesize
5.2MB

MD5
3c6d87a52412ee2ed09a1aadb451e8ba

SHA1
fa663ffba095fc9fc50a5eb96d919d3dcdd0bb8c

SHA256
1e8e72a5c258dc371cf7adbd6068605e5e20bd6f5bb48322d442a2e39459ccae

SHA512
c906cc9c52794d46b92e6a23590d4164cf766f2eaed72d0999e9a182c4cbcf9d92ea8f52666c78ace8fde644a12267b71b8f7f3e93bdd58c0d1c15ef8a794411

Download Submit
C:\Windows\system\QuiyTXb.exe

Filesize
5.2MB

MD5
4a99eb71defec7e2af0694638dc281ca

SHA1
6494ea99700fc04e652cfd14d707e1e9c7a3e1f8

SHA256
d1aea3cbee52cb5e2f4b26b159adbd403103572d25f3adc02250b5d9090c0624

SHA512
46f492b13ea7a2de7bd1ccfa60cc0bf5f434122f290f682ff75f45270d5b45265025e8fe6391d2b46f2e1b39e7a69f4901ae9640db87f09dd58301e0ff3add49

Download Submit
C:\Windows\system\VvXuvnS.exe

Filesize
5.2MB

MD5
36075cc007c3e03090c23015ad0bc1cc

SHA1
8b51356b0459437ffab63a5d7a2388bad665cbfa

SHA256
a38aade0d5f73901e1cf2621294478b42d905ed0b8da03b65281f2494fd8537d

SHA512
ecb2d63688ac92f7a5024701b080e99fe76e27420b1ec14d8eefe864674722432f06b2993b12033e33277a5486fe6457b2489d4047fb1fd5525d62c7994063a2

Download Submit
C:\Windows\system\bZRjXeV.exe

Filesize
5.2MB

MD5
e9e98441ae662a83170e201c15f5b51c

SHA1
25304cc966a3f2f45a34d8a1a522500088f9bb4f

SHA256
78e87119eb4622653d472640c70084c14de02c943dd11f5044393bf19e0ea2cb

SHA512
7640d7e8164c65de196d52cec1144a68c8821003959ba0abf23f6511fbf309b50e2df4e7553dac56350a6d3ff1d11df399c1fca002f77f2a1451fe5af7e6d99d

Download Submit
C:\Windows\system\emiELzN.exe

Filesize
5.2MB

MD5
a114572eb042acb4942cb8d8c982c822

SHA1
7658ffefeefdf690d8c53fb373bce4a746e819fd

SHA256
0cf71972e5b00ed78af2ab3e19662a7e1200ce1de617d89ed190655b2c04bd00

SHA512
d287751c52d6c0e2de94b82255a098ea0b6d4f4e958fc3876889342c382a95bbec446a7c522b90191418b14bfc194883158d3574881863d4abd42bb918717148

Download Submit
C:\Windows\system\hMLYyuf.exe

Filesize
5.2MB

MD5
e232ae80e7ba107311d43c0733edd205

SHA1
f3df45c8654c3a78fdb88a02f345ff42c448f895

SHA256
7796d185d4f4c754f6ebe20124b14f9337c8978ed14ed7e8d9f09feeb14b331a

SHA512
c059a688e282c7077d9cc5f9860c0972c67892931069036bdeab4f17ca4927301be43ebdbf9f635254c445a688411d99224b0eea5c5411e85b9d4549299581d5

Download Submit
C:\Windows\system\lewsszq.exe

Filesize
5.2MB

MD5
550ea695be1fb5f11c7768f896acc73d

SHA1
3fa0bb93c9b123fd60e32bbc476928928d7c795a

SHA256
6c2d086cd31f14307c415ac185abb53fb105606548b33ce6ce9c0527a5857d96

SHA512
f6094b1a4840d0bab8597aeace37916245d45f82909823c3e516ae6d1f8dccfef7f23dcea4cf085f5b53cf80eed22c76a5ae456bf8c444443cfd7e06503417e1

Download Submit
C:\Windows\system\lwFpEqL.exe

Filesize
5.2MB

MD5
d1cc820558bfceb85541b4b63f8362f2

SHA1
cfd9676dde67ddddcbf9322bdcec5e05032b5228

SHA256
375fd5a979aa606ef3b1fcfe0f009d08615f17c085970c9dc8a9812e1e7ea0d6

SHA512
c3bb0f67db6d6b0f4e32013d3ba7ee53c16003abb002d115911438fac98f06d7acadd0be200b1576f9995a592517ae117a02591089fae487a677a351d7a89c49

Download Submit
C:\Windows\system\mAzcAjL.exe

Filesize
5.2MB

MD5
58cb91170a3b510ea9a45ceb0d83c622

SHA1
075fa627b61ae84a7e911a0bcfb152dcb8cacd71

SHA256
e7c31ae778cbdd00d36e8e9d5157faecc5c94c9d43ddb9bb1582ed180e80cde2

SHA512
aff2a4a662923f8af7e002a2f0a9b57aeeac17c78a0253d1aa6f4f06fbac2b449dbc14e56679d73dc61f4d2be7ce741f97976dc87cf629a6bd4f89a1babb4df9

Download Submit
C:\Windows\system\nmWSjai.exe

Filesize
5.2MB

MD5
ea8db494c327b225770074af33a4ab52

SHA1
4f3e52a8219a48e05c4490026fe04e55bbf69104

SHA256
8f2e29f1fe3c955e603507c93bcb7267bd9428d995cb4ee8f62f2538d44f6aeb

SHA512
57f76e618a2dfdbc4a6ae9fbd4350e984cb394969745ccde15952a361f0610aa5623d884b1744197d93691dfe6ce0729b679d042294325112afd604ccb3fd9c0

Download Submit
C:\Windows\system\oikEBGt.exe

Filesize
5.2MB

MD5
c3cc78975857ae542d88a809f11e298a

SHA1
0fa321716eaed2b219228e756dd5d7e1fdac8c08

SHA256
34cfba3445f70e1044d9c1648ff5120f2cdbd63c018a5c7562e08dcaf37bbdac

SHA512
39aff3b29a0b5200d20897ff09ac81960979e339da867433bbb67eb744b5b6d57efbe7165541199460411117147c8895ece3f00e5ad97df2e331ad7dac6b32c8

Download Submit
C:\Windows\system\qHnyySr.exe

Filesize
5.2MB

MD5
19d385a58452b47f2c3780b248f5d100

SHA1
114b1baac1cca3061903ff3cf5687a3d5ad0bc47

SHA256
305d8515b21dc21a6a35cde1bcce7990e24040d2b16d2ddde90d5fc1b072998f

SHA512
2f3b73b7c891ec88cf2d0cccf549a56a89c6cbd15d48ffe8ea3c66f46a7803d2ecf0f72d64b66358eecba23cbcd5af4f3eeb172262f83fc8f1ecac6c1a7187a4

Download Submit
C:\Windows\system\rrlMsBw.exe

Filesize
5.2MB

MD5
d1aee5ab611b0fb0eabbe1a7ec5e070c

SHA1
d56143cc6ca72ace4f24fe2e4818683be555658d

SHA256
9d9e7b6fa7caea44a48f20f18b4617a10f4492404bdb8581676a48b11d050eca

SHA512
6259f1532ae315952106d453e7cee41d5f413333ad90a9b1b731ac520325c85d578a85327ff4432179fe1500c531037e60594ec799c28a1b46ceae5b02da2582

Download Submit
C:\Windows\system\txMkBSU.exe

Filesize
5.2MB

MD5
72ab6a4aa57ec5b6a526e0f1f15b1ae8

SHA1
1bbe7358fe5c8ccc2023d8a51356a26480e06fb3

SHA256
2b4ffec587c4a7cbd1eb7a30154bb4b5363f98d7b33fb84c985f73903aafd6bd

SHA512
7b3b83bd9d7d630132f81c8d77ab2430973c3470f90311aff0ab8f49859e47ec278eff6235da8fce8a983feb30ab6bbbaa6ed52f060f3df64d9fa60260a18db8

Download Submit
C:\Windows\system\vlyyaMW.exe

Filesize
5.2MB

MD5
0d7e061331c1e09edca54f317ae91501

SHA1
fc22515a6d8144cd7c99edc8f457d5d88c924c92

SHA256
5169112d2e6e2b290308b697399f24b4e0b97c77c0b4bed2e9856ff6129a8e29

SHA512
a1001d6ae12a940fc479be417fc2c410eded20c9fa6f06cb678e11bcca7fc055749d6b02cc748c511b921d7813b356b32f5588d3c011e8295ffc542fb4f6cda8

Download Submit
C:\Windows\system\zIrOFHL.exe

Filesize
5.2MB

MD5
c2736416661e9506179d3282320ef5ee

SHA1
4fb4215c2b3e60d9722b5de3a417a74f87865d59

SHA256
5f9d3e34772413cc96288e2170e0e420be3bccb421172aac93b6f7112df3e6a9

SHA512
3e68f1040c83d765964d26e7c28f72eef733ef92d41d11afd07ca7f62ac9a75a955aade875608a45271c548d46dea511fe22e5bb75b2835d2194d7da8a8354a5

Download Submit
\Windows\system\QJKWOHD.exe

Filesize
5.2MB

MD5
88c2c34dada68781ac32704d1edf8209

SHA1
489540875a9d3560858b14dd408cb01a15c5abc8

SHA256
b40fa85ede92b25818a650342df970d47bd215c126afe643feb20c7a53a250e4

SHA512
df6b9d1cd5dc4225a4c6eda49685f95af60df6c812da210acad61489421a219b78b5fa8b6685f6bbf29c48ead0baf89b9c119a36b5a3ba58ddaa2544e277c8cd

Download Submit
\Windows\system\qjyAmVP.exe

Filesize
5.2MB

MD5
ece9e3144b10be20a26a18d1c83618bd

SHA1
edd1c69fc254c04ebfd8d2b3dac59f8c69d15504

SHA256
a968b2580471e6229c560a4cd0975746526f687b07d3a23d6c1396fee75a98f0

SHA512
5535d3ab995abb407236a7c4835ea37e37c27498be33987005f19e9bcba789cb054b1cd730cbbf4f5a9f0b26160c76fd3369e624db28ef40aaa04f76f0904a98

Download Submit
memory/300-43-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/300-137-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/300-222-0x000000013F390000-0x000000013F6E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-143-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-220-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1488-41-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-7-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-156-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/1528-132-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1528-64-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1528-128-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1528-20-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-158-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1528-157-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/1528-24-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1528-13-0x0000000002360000-0x00000000026B1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-57-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/1528-155-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1528-0-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1528-46-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/1676-154-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/1948-130-0x000000013F040000-0x000000013F391000-memory.dmp

Filesize
3.3MB

Download
memory/1948-245-0x000000013F040000-0x000000013F391000-memory.dmp

Filesize
3.3MB

Download
memory/2216-149-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2264-241-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2264-124-0x000000013FF30000-0x0000000140281000-memory.dmp

Filesize
3.3MB

Download
memory/2292-150-0x000000013F860000-0x000000013FBB1000-memory.dmp

Filesize
3.3MB

Download
memory/2324-153-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-67-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-214-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2332-34-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/2352-35-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-68-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2352-217-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2368-39-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2368-218-0x000000013FEE0000-0x0000000140231000-memory.dmp

Filesize
3.3MB

Download
memory/2484-232-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-139-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2484-50-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-247-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2644-131-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2708-148-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-18-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2712-212-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2712-52-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2768-243-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2768-129-0x000000013F280000-0x000000013F5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-140-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2780-55-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2780-239-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/2824-258-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2824-141-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2824-60-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2888-144-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2888-126-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2888-257-0x000000013F3D0000-0x000000013F721000-memory.dmp

Filesize
3.3MB

Download
memory/2936-151-0x000000013F420000-0x000000013F771000-memory.dmp

Filesize
3.3MB

Download
memory/2972-152-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download