cobaltstrike | 4232c892a082a112d2781646a6d03c45c458cf989f5ba12081a92fb7b7a217c3

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4e86ca03af626d463b0d53bb6b606176
SHA1

9566d577023a402c4d6dbb3977a8b3ab79f61129
SHA256

4232c892a082a112d2781646a6d03c45c458cf989f5ba12081a92fb7b7a217c3
SHA512

b02edcd0ed91139f73a70dc54f3d6bc5ee39feb37ea8ede727cd89d614ff99db584a0c7d9699905291db6eff607d0f6936afb565d8f20b42233446cce5077ff4
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lq:RWWBibf56utgpPFotBER/mQ32lU+

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000012257-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019490-12.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000194e6-30.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194d0-37.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a495-56.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ad-79.dat	cobalt_reflective_dll
behavioral1/files/0x000800000001941b-64.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4af-90.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4bd-123.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4bb-119.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b9-116.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b7-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b5-108.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b3-103.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4b1-97.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4ab-74.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001a4a5-67.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019551-44.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194e4-43.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001949d-40.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194da-41.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2872-55-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2788-54-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2848-126-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/1868-125-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1356-124-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2716-129-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2632-128-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2588-99-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2944-86-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/576-85-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/576-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/576-144-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/1752-29-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2544-24-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/576-155-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2664-164-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2472-167-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2940-170-0x000000013F030000-0x000000013F381000-memory.dmp	xmrig
behavioral1/memory/2700-175-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/800-176-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2708-174-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2896-173-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/2984-171-0x000000013F480000-0x000000013F7D1000-memory.dmp	xmrig
behavioral1/memory/3036-169-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/3068-172-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/576-177-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2544-209-0x000000013F4C0000-0x000000013F811000-memory.dmp	xmrig
behavioral1/memory/1752-211-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2588-213-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/1356-216-0x000000013F080000-0x000000013F3D1000-memory.dmp	xmrig
behavioral1/memory/2788-217-0x000000013F570000-0x000000013F8C1000-memory.dmp	xmrig
behavioral1/memory/2848-223-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2872-221-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/1868-220-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2716-231-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2632-233-0x000000013F960000-0x000000013FCB1000-memory.dmp	xmrig
behavioral1/memory/2944-235-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2664-256-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2472-259-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/3036-257-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2544	lsOLEkF.exe
1752	nAoMKIY.exe
2588	RNWnYos.exe
1356	TwIsDem.exe
1868	gMZYMTU.exe
2848	zMhglSQ.exe
2788	RxFQjBU.exe
2872	QkWINIP.exe
2664	WdmQosw.exe
2632	WmulBhh.exe
2716	JnZhnFJ.exe
2944	goPCRNf.exe
2472	RobRFTL.exe
3036	scUzWCg.exe
2940	FRlNnHM.exe
2984	xUxJcPC.exe
3068	LfLJdOL.exe
2896	SzaPBAo.exe
2708	EmgUPhb.exe
2700	DGNprYQ.exe
800	rUxLrYg.exe

Loads dropped DLL 21 IoCs

pid	Process
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/576-0-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/files/0x000d000000012257-3.dat	upx
behavioral1/files/0x0007000000019490-12.dat	upx
behavioral1/files/0x00080000000194e6-30.dat	upx
behavioral1/files/0x00060000000194d0-37.dat	upx
behavioral1/files/0x000500000001a495-56.dat	upx
behavioral1/memory/2872-55-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2788-54-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2848-53-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/1868-49-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/1356-45-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/files/0x000500000001a4ad-79.dat	upx
behavioral1/files/0x000800000001941b-64.dat	upx
behavioral1/files/0x000500000001a4af-90.dat	upx
behavioral1/files/0x000500000001a4bd-123.dat	upx
behavioral1/files/0x000500000001a4bb-119.dat	upx
behavioral1/memory/2848-126-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/1868-125-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/1356-124-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/files/0x000500000001a4b9-116.dat	upx
behavioral1/files/0x000500000001a4b7-111.dat	upx
behavioral1/files/0x000500000001a4b5-108.dat	upx
behavioral1/files/0x000500000001a4b3-103.dat	upx
behavioral1/memory/2716-129-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2632-128-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2664-127-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/2588-99-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/files/0x000500000001a4b1-97.dat	upx
behavioral1/memory/3036-93-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2472-87-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2944-86-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/576-85-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/files/0x000500000001a4ab-74.dat	upx
behavioral1/memory/2716-72-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/576-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2632-70-0x000000013F960000-0x000000013FCB1000-memory.dmp	upx
behavioral1/memory/2664-69-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/files/0x000500000001a4a5-67.dat	upx
behavioral1/files/0x0007000000019551-44.dat	upx
behavioral1/files/0x00060000000194e4-43.dat	upx
behavioral1/files/0x000700000001949d-40.dat	upx
behavioral1/memory/2588-39-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1752-29-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/files/0x00060000000194da-41.dat	upx
behavioral1/memory/2544-24-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/576-155-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2664-164-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/2472-167-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2940-170-0x000000013F030000-0x000000013F381000-memory.dmp	upx
behavioral1/memory/2700-175-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/800-176-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2708-174-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2896-173-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/2984-171-0x000000013F480000-0x000000013F7D1000-memory.dmp	upx
behavioral1/memory/3036-169-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/3068-172-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/576-177-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/memory/2544-209-0x000000013F4C0000-0x000000013F811000-memory.dmp	upx
behavioral1/memory/1752-211-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2588-213-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1356-216-0x000000013F080000-0x000000013F3D1000-memory.dmp	upx
behavioral1/memory/2788-217-0x000000013F570000-0x000000013F8C1000-memory.dmp	upx
behavioral1/memory/2848-223-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/memory/2872-221-0x000000013FD20000-0x0000000140071000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\nAoMKIY.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RNWnYos.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WdmQosw.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JnZhnFJ.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\scUzWCg.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EmgUPhb.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzaPBAo.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rUxLrYg.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lsOLEkF.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zMhglSQ.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QkWINIP.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WmulBhh.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\goPCRNf.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUxJcPC.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxFQjBU.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RobRFTL.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FRlNnHM.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LfLJdOL.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DGNprYQ.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TwIsDem.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gMZYMTU.exe	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 2544	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 576 wrote to memory of 2544	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 576 wrote to memory of 2544	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 576 wrote to memory of 1752	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 576 wrote to memory of 1752	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 576 wrote to memory of 1752	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 576 wrote to memory of 1356	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 576 wrote to memory of 1356	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 576 wrote to memory of 1356	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 576 wrote to memory of 2588	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 576 wrote to memory of 2588	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 576 wrote to memory of 2588	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 576 wrote to memory of 1868	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 576 wrote to memory of 1868	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 576 wrote to memory of 1868	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 576 wrote to memory of 2788	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 576 wrote to memory of 2788	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 576 wrote to memory of 2788	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 576 wrote to memory of 2848	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 576 wrote to memory of 2848	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 576 wrote to memory of 2848	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 576 wrote to memory of 2872	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 576 wrote to memory of 2872	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 576 wrote to memory of 2872	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 576 wrote to memory of 2664	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 576 wrote to memory of 2664	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 576 wrote to memory of 2664	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 576 wrote to memory of 2632	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 576 wrote to memory of 2632	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 576 wrote to memory of 2632	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 576 wrote to memory of 2716	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 576 wrote to memory of 2716	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 576 wrote to memory of 2716	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 576 wrote to memory of 2472	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 576 wrote to memory of 2472	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 576 wrote to memory of 2472	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 576 wrote to memory of 2944	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 576 wrote to memory of 2944	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 576 wrote to memory of 2944	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 576 wrote to memory of 3036	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 576 wrote to memory of 3036	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 576 wrote to memory of 3036	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 576 wrote to memory of 2940	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 576 wrote to memory of 2940	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 576 wrote to memory of 2940	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 576 wrote to memory of 2984	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 576 wrote to memory of 2984	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 576 wrote to memory of 2984	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 576 wrote to memory of 3068	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 576 wrote to memory of 3068	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 576 wrote to memory of 3068	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 576 wrote to memory of 2896	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 576 wrote to memory of 2896	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 576 wrote to memory of 2896	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 576 wrote to memory of 2708	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 576 wrote to memory of 2708	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 576 wrote to memory of 2708	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 576 wrote to memory of 2700	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 576 wrote to memory of 2700	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 576 wrote to memory of 2700	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 576 wrote to memory of 800	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 576 wrote to memory of 800	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 576 wrote to memory of 800	576	2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_4e86ca03af626d463b0d53bb6b606176_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\System\lsOLEkF.exe
  C:\Windows\System\lsOLEkF.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\nAoMKIY.exe
  C:\Windows\System\nAoMKIY.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\TwIsDem.exe
  C:\Windows\System\TwIsDem.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\RNWnYos.exe
  C:\Windows\System\RNWnYos.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\gMZYMTU.exe
  C:\Windows\System\gMZYMTU.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\RxFQjBU.exe
  C:\Windows\System\RxFQjBU.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\zMhglSQ.exe
  C:\Windows\System\zMhglSQ.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\QkWINIP.exe
  C:\Windows\System\QkWINIP.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\WdmQosw.exe
  C:\Windows\System\WdmQosw.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\WmulBhh.exe
  C:\Windows\System\WmulBhh.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\JnZhnFJ.exe
  C:\Windows\System\JnZhnFJ.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\RobRFTL.exe
  C:\Windows\System\RobRFTL.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\goPCRNf.exe
  C:\Windows\System\goPCRNf.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\scUzWCg.exe
  C:\Windows\System\scUzWCg.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\FRlNnHM.exe
  C:\Windows\System\FRlNnHM.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\xUxJcPC.exe
  C:\Windows\System\xUxJcPC.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\LfLJdOL.exe
  C:\Windows\System\LfLJdOL.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\SzaPBAo.exe
  C:\Windows\System\SzaPBAo.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\EmgUPhb.exe
  C:\Windows\System\EmgUPhb.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\DGNprYQ.exe
  C:\Windows\System\DGNprYQ.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\rUxLrYg.exe
  C:\Windows\System\rUxLrYg.exe
  2⤵
  - Executes dropped EXE
  PID:800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DGNprYQ.exe

Filesize
5.2MB

MD5
9eb4df648980e002e2bd191a8129a060

SHA1
5c4525cdf01df94b7f37d581cd623f9825d2051b

SHA256
1d54f2e40f2ed48024b8f97ddcee5b6071c84168b9feb08cf7895f3643c6f875

SHA512
e08c6959dbbf8caf660836c6074c9a117bd8d7fdbd700858c7d36eb79308440a57be7e37bb1758be076dbab1764c49c2a0b12526c2d2726339dee7004ab1fc75

Download Submit
C:\Windows\system\EmgUPhb.exe

Filesize
5.2MB

MD5
d3d98c78bae174e4970adc9fac2ef38d

SHA1
985dde924de84fd88d1f39c2828e58024f17b004

SHA256
cc07415a73b8e2f841f9503305eac150df30016fce4f8e3cb34e52ee23ade39b

SHA512
a566b37f6c15a848da43859005893c9a8bc726401650d0f5cd080445d4b8cce1b8b7d73fa964ee5ac7afbf7192df1304804a01a71599b8c30ae3acb4e786227e

Download Submit
C:\Windows\system\FRlNnHM.exe

Filesize
5.2MB

MD5
9a41ff6f5f569c5230b203639440e745

SHA1
20ea31b8e1a7c47be4d68657e249e5f2576370bd

SHA256
181c44ae6c73687c83c18850eefed8c990faddfb540f587b7664fa07ee0235e4

SHA512
849451dcfda1d5d15b4cd4affe22808c4b5b826ac0aca98ec294b4844d1da64c2dc2450c4b6b6eaf6fb59f874d112443beca5aba2119aa7fe1c55e4d68fb003b

Download Submit
C:\Windows\system\JnZhnFJ.exe

Filesize
5.2MB

MD5
2cf007ff02700e07ae8a337075a078c7

SHA1
5d35337facf220a0a65091c66f62f1b2af6b4ae0

SHA256
4943c2f0da8f8bc18cd3b48884c44ffb0274d2153df33ee0157829135ee932f4

SHA512
7315accd0f157ecf3a0c4249624ddd6a370b51a35a0c6efce101d2054328df31aa9c5d4fa11c426c9c47bba9594da516069d9d1e9ac809dfceb4335592c61eb0

Download Submit
C:\Windows\system\LfLJdOL.exe

Filesize
5.2MB

MD5
9f0875061bad4bfb17c8481882566a73

SHA1
57a888131820d39b18ba468a596fa2a6dead99ac

SHA256
630554af148f0ffcad99e2c530cf73ab4ab9a9925b60c7f8684d2c0283eef965

SHA512
5da0dacdbe7698e364c1f54bdbe8cc8d2e3fc75d3c0c8f867b710e3c4067f06b4ad8d518405796afa1be44f9d088f2dc716b8536c8c10451f8839cbf98cc78a0

Download Submit
C:\Windows\system\QkWINIP.exe

Filesize
5.2MB

MD5
fdecc0b9b365e110b2a909d9969287fb

SHA1
95c6d7b25437412a44260aa14503ff46da7f0668

SHA256
c64cbabd59c4b526494071bfa20acdd531ddbadc4655d8d6eb497d9c7b29896e

SHA512
b460467b91231b536d61c16d82b640126e3eddc5a549766e22886f345418c7f6295de574a62e7d9896685497e00e9dd2c236bbdcbac73033fd653083beb54f80

Download Submit
C:\Windows\system\RNWnYos.exe

Filesize
5.2MB

MD5
6953c87903108bb2cd57049c29c02a0b

SHA1
823115c90fa7e68c9c0334cba9415a95693ad389

SHA256
3ff96063b017bc49513820907b73891f9e56e24d63440edb8db460e41ccea440

SHA512
88a7e3b01cb97cc00b3aa9289c4f1410fed0b2ede16824296d0fc0baed35cda098b1a8a969dcdcb61f11657fefbb50d62e9b703e1ddd9581ff4f2606d0fc35d6

Download Submit
C:\Windows\system\RxFQjBU.exe

Filesize
5.2MB

MD5
b10748e163b186dcef10e3c187bb20e1

SHA1
bf07f4ceacce00a340e63e66b6bcd5ece405cb6c

SHA256
c1a52cf321eac80cdb75c565d65414bbd8cd0e921221f70497aec4dc1b75c8dc

SHA512
f1d7bd6f0f099353d69b0539f324e8a4eaaf9f55f9abbd7e259334f892349ef7db6f8fc489fbecbb45b4de89102625e1b782607999fe10c1518848ea9d7b3ede

Download Submit
C:\Windows\system\SzaPBAo.exe

Filesize
5.2MB

MD5
1992b4d0f119e5828adbeb9f63da32cc

SHA1
dee6298c7e39b439bde92bc48e9de5524537b99b

SHA256
ab69ba9e478fe049a0f5906bcf102e3a1ca409ddaa86b2aa37272fb7b63774e7

SHA512
bb493f10644f1d3e025745a771cd57a1b2bc1ee7bddace5ebbbe31cab672a903ad695b7c85d718d1c188d67955af327503f05b63e16f71407d71f6c28ad51540

Download Submit
C:\Windows\system\TwIsDem.exe

Filesize
5.2MB

MD5
6df75ea1202428b5094369e4bc189cc7

SHA1
adfa81ded398b4b1a856e58cc633962e3c30967a

SHA256
c896fecfde644d77ddcff82ed2aa785a165b7070f435dbc63b5e08fae38a9d1e

SHA512
0e5f5e63afadfad1000d283f81e1c6b1ed2d2cab700ec746cdbfded62081acc07b554b9007dcfcc8ea0fcd7c675e11bab9739ecefcbf787baa710b61668756b6

Download Submit
C:\Windows\system\WmulBhh.exe

Filesize
5.2MB

MD5
f36a5b276920461a7a4333f40baec922

SHA1
256d5d13b9cb7b8b7de3c07ed4646ac7db6e2979

SHA256
c88a3c9444c0c940017e58c05f9120e2780c1497fa97212ea334577a5b5adfce

SHA512
b79a9db7c65e371e0aa60f25cd9e080e6bcfa76400a3ba74580915da979951681430cee1efa6b1bb4cc501d8ff80c681631f3b403b434989c08cff273a9f2487

Download Submit
C:\Windows\system\gMZYMTU.exe

Filesize
5.2MB

MD5
bf22a43ea7dcc6a2c70ea4c3060c9ec8

SHA1
73b530f28963846743a84aa3a0bb0b057af017b7

SHA256
bf7a4335e1a12d9c873fa6df6551a4cecb21be06fa7e5613db3c494995a57263

SHA512
11e12a34359b3d34308ab0dcb7ed2776cd6fc68b1e0a07d25b28df749747aa98c89c89f457798cb236fe176b2c299ee40d535f765de702d5d66437725a256d9d

Download Submit
C:\Windows\system\nAoMKIY.exe

Filesize
5.2MB

MD5
7f3d209dcf935f7bfdad021b750770a3

SHA1
4d00dd825552b483565dad69f835ebcbe69dac29

SHA256
9faf69b7ed9e4260cbec2604c3f2513bbe52ccdbb82384cc597e814037113e05

SHA512
afda5c2a9fdab2e02488f5541426296643949a92f38560cb5f8e8073fe3746b3973fbe97d19d2fd98209e48fac91281fa32472f5d221c249f7ade988f02ef04b

Download Submit
C:\Windows\system\rUxLrYg.exe

Filesize
5.2MB

MD5
84bc6e1f5591a5d3ae1212b9161622dd

SHA1
312f3a30ae215befd0352640c0bfaf5fb72397ce

SHA256
f1292f7bc7ad5e0e7b915756cf21448c47bee28372853dab409d3ef74d5e72b2

SHA512
037fa802f3d73d24e53eba321e097f8637746af6b4d5aaf1172d0157750b5db2b6d7e794e992516541fd638c948b5e1373ecb561966c6bef7426f675b24d8892

Download Submit
C:\Windows\system\scUzWCg.exe

Filesize
5.2MB

MD5
ec0698c2a221a3b7cb1871ad9e29d238

SHA1
c86030bf540c3f9ef18fdfaa88e442f32ab60d5a

SHA256
f5d794a5b2b85e49c497a19c78476b2b2297a7dad157196f95358b9d5c135bb1

SHA512
4b73c841c51f1369e77c2266d1395455f5fa6a0de741fde34d05d047e36638a55b7754fca21c3acbda5657b8cb1048662a6a9c1b15c65d201a00cc5aafe7bd8d

Download Submit
C:\Windows\system\xUxJcPC.exe

Filesize
5.2MB

MD5
05dad1137a66234d60fd6204c5fa6e72

SHA1
bd3d75ae64a1915c1232cb6f3b7a496e8dfb1bc9

SHA256
3fa751efb26052263a4a4570715d301bad24d8a8f22c9b2752c0bb369640a056

SHA512
516fd004f526a7814f7133605caad0ec11af8b7d12f7c0fbc719f7fca8e157e56739e0ade5c6b8d38c46a8a3baa71d0d2d91c0ddd6394a399fb329e61b464826

Download Submit
\Windows\system\RobRFTL.exe

Filesize
5.2MB

MD5
41969437ab0b5e7e3568f95c267c437d

SHA1
63b81b263d06774bc079cda7ba545d80da28e3bd

SHA256
691ac38fd31f83f73a0f70c16a1236eec5ee2d1849a1b5b59254f60957836b63

SHA512
6091bfa0a9bea3a70962b8025f5fd9c03cb5197185a929c112b037b786d4ccfd7f70fc37a6f6a9562cd7ece5af378b38f6fe9129f44c8fc746eebf2048e21d4d

Download Submit
\Windows\system\WdmQosw.exe

Filesize
5.2MB

MD5
8cadc80ca479f905cb685fdf6f08a64c

SHA1
05c5760dfefd233d32148c550a4c064ed839f44f

SHA256
1dc39fb294f13fa1661a2748c80579736873dd104d50cab63427c4f76828e48f

SHA512
037455b3f81f998a583c3777dd0075e716dd8e23384b401a2698e7a1c1b2d882bf30afa7e228376d670435ad2118f37cdae6e92d7ebb491cc5398684a63cb50c

Download Submit
\Windows\system\goPCRNf.exe

Filesize
5.2MB

MD5
591b7bf4f16d33aab886947b26bc3cda

SHA1
a4ca349bb19d072fd632ec910a57e6917061bdc5

SHA256
48dc32a7f05571b09bf9faaf698c53c6cd93a5367a88190374687276912378b0

SHA512
94e28e6ac051caaa8c6ddca3d34e16c5febc29ff4b30f1ae0000b32ee41e2d395e401d9d687b39e7a8b2744a39f54cbaa21962df6532b6a335e7854910e3e440

Download Submit
\Windows\system\lsOLEkF.exe

Filesize
5.2MB

MD5
edb019d6d4865031ebfff0c698ef6a66

SHA1
58592ae22940e58270d14381c27289437bab2a43

SHA256
344ee4be7edb724e376ef3cba6e3edcbdf3d51edfa8c8152680b2ceb7eaeb7f3

SHA512
97c6e2f9b52839a4ee1078d65f82313a01ac90962fe358f0a1efc46caa38a01e2d7e14822d6bcd2a32bed7be7e078c5813929ebd0b8eb27ad9b0fbfbb1c074f5

Download Submit
\Windows\system\zMhglSQ.exe

Filesize
5.2MB

MD5
fdfe79c3c43c3b50f04beeaa033c7c8f

SHA1
b55f0382c24ee4c9bd0767bdc465fe40b43f4ba0

SHA256
c92584662fd4ae1d1b54b2e9cec1cb7fe380daf81163f28fde6bdfcd569e2cef

SHA512
71fb40064449883275a770b5904631bc708307514a7b9d900d9dcdc2f6e0b94a92119b211fc9321c05a3ce803f2926dae7f04ca5a88990a34ebe96dcd486ae14

Download Submit
memory/576-0-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/576-155-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/576-1-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/576-20-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/576-100-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/576-36-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/576-38-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/576-177-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/576-57-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/576-98-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/576-144-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/576-68-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/576-92-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/576-8-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/576-16-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/576-85-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/576-71-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/576-130-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/576-131-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/800-176-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-124-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-45-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1356-216-0x000000013F080000-0x000000013F3D1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-211-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-29-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-220-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-49-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1868-125-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-87-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-167-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2472-259-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-209-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2544-24-0x000000013F4C0000-0x000000013F811000-memory.dmp

Filesize
3.3MB

Download
memory/2588-99-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-39-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-213-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-70-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-233-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2632-128-0x000000013F960000-0x000000013FCB1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-69-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-256-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-164-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-127-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-175-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2708-174-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2716-231-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2716-72-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2716-129-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2788-54-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2788-217-0x000000013F570000-0x000000013F8C1000-memory.dmp

Filesize
3.3MB

Download
memory/2848-223-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2848-126-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2848-53-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2872-55-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2872-221-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2896-173-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2940-170-0x000000013F030000-0x000000013F381000-memory.dmp

Filesize
3.3MB

Download
memory/2944-235-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2944-86-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2984-171-0x000000013F480000-0x000000013F7D1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-93-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-169-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/3036-257-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/3068-172-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download