cobaltstrike | 0de457103c257aee82eda369ef68e751949ab834444895a4b52f3bddc408048b

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

04ab5afaba52c46331958eb944f8d798
SHA1

4869661a6025728a3a040c5b7fa62201b3496c7e
SHA256

0de457103c257aee82eda369ef68e751949ab834444895a4b52f3bddc408048b
SHA512

308f9fb945638c14a8bf3a1db65a965d7147a4b508fb93143bca685f98fd5fb386091543e249d851d0f74ab20babc991a6e292a0b40d1f62dd8b452829113bd4
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUx:E+b56utgpPF8u/7x

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120f9-6.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001868b-11.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000186f2-12.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000018669-23.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018781-40.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001878c-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018731-34.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018bf3-55.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001945c-70.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001925e-62.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d0-102.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194fc-118.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001952f-128.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195e6-141.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a7-138.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957e-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019506-123.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ef-113.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ad-98.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019467-80.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019496-90.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/288-0-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/files/0x00080000000120f9-6.dat	xmrig
behavioral1/memory/1444-8-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/files/0x000700000001868b-11.dat	xmrig
behavioral1/memory/2752-15-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/files/0x00070000000186f2-12.dat	xmrig
behavioral1/memory/2764-22-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/files/0x0035000000018669-23.dat	xmrig
behavioral1/memory/2224-28-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2544-36-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/files/0x0006000000018781-40.dat	xmrig
behavioral1/memory/2524-43-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2752-42-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/1444-41-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/files/0x000600000001878c-46.dat	xmrig
behavioral1/memory/1296-51-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/288-35-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/files/0x0007000000018731-34.dat	xmrig
behavioral1/files/0x0007000000018bf3-55.dat	xmrig
behavioral1/memory/288-60-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/2320-61-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/files/0x000600000001945c-70.dat	xmrig
behavioral1/memory/3012-75-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2544-74-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/1352-73-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2224-63-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/files/0x000700000001925e-62.dat	xmrig
behavioral1/memory/288-66-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/2060-91-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2084-82-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/files/0x00050000000194d0-102.dat	xmrig
behavioral1/memory/1228-99-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/files/0x00050000000194fc-118.dat	xmrig
behavioral1/files/0x000500000001952f-128.dat	xmrig
behavioral1/files/0x00050000000195e6-141.dat	xmrig
behavioral1/files/0x00050000000195a7-138.dat	xmrig
behavioral1/memory/3012-145-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x000500000001957e-133.dat	xmrig
behavioral1/files/0x0005000000019506-123.dat	xmrig
behavioral1/memory/2084-147-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/files/0x00050000000194ef-113.dat	xmrig
behavioral1/memory/2852-107-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/files/0x00050000000194ad-98.dat	xmrig
behavioral1/memory/2524-81-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/files/0x0005000000019467-80.dat	xmrig
behavioral1/memory/288-148-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019496-90.dat	xmrig
behavioral1/memory/1296-87-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2060-149-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/1228-151-0x000000013F0D0000-0x000000013F424000-memory.dmp	xmrig
behavioral1/memory/288-152-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2852-153-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/1444-155-0x000000013FF10000-0x0000000140264000-memory.dmp	xmrig
behavioral1/memory/2752-156-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2764-157-0x000000013F500000-0x000000013F854000-memory.dmp	xmrig
behavioral1/memory/2224-158-0x000000013F520000-0x000000013F874000-memory.dmp	xmrig
behavioral1/memory/2524-159-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2544-160-0x000000013F470000-0x000000013F7C4000-memory.dmp	xmrig
behavioral1/memory/1296-161-0x000000013FF90000-0x00000001402E4000-memory.dmp	xmrig
behavioral1/memory/2320-162-0x000000013F820000-0x000000013FB74000-memory.dmp	xmrig
behavioral1/memory/1352-163-0x000000013FD50000-0x00000001400A4000-memory.dmp	xmrig
behavioral1/memory/3012-164-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2084-165-0x000000013F250000-0x000000013F5A4000-memory.dmp	xmrig
behavioral1/memory/2060-166-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1444	daaSdYA.exe
2752	FTGigKb.exe
2764	kXSzGeT.exe
2224	HsfKlrW.exe
2544	jNFSwVj.exe
2524	FWNBTmH.exe
1296	vKZyJXw.exe
2320	KoIFvXb.exe
1352	tvhWnTH.exe
3012	JLakdPB.exe
2084	GUWCsfb.exe
2060	APWNlyX.exe
1228	oRxKRcv.exe
2852	dPUXjwJ.exe
1104	DjFSEys.exe
2756	hTwhcCp.exe
2952	KMDJotc.exe
1308	zTWdRmw.exe
532	zUxmnZn.exe
1920	KyZrEHh.exe
2808	UgkYrKo.exe

Loads dropped DLL 21 IoCs

pid	Process
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/288-0-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/files/0x00080000000120f9-6.dat	upx
behavioral1/memory/1444-8-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/files/0x000700000001868b-11.dat	upx
behavioral1/memory/2752-15-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/files/0x00070000000186f2-12.dat	upx
behavioral1/memory/2764-22-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/files/0x0035000000018669-23.dat	upx
behavioral1/memory/2224-28-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2544-36-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/files/0x0006000000018781-40.dat	upx
behavioral1/memory/2524-43-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2752-42-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/1444-41-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/files/0x000600000001878c-46.dat	upx
behavioral1/memory/1296-51-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/288-35-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/files/0x0007000000018731-34.dat	upx
behavioral1/files/0x0007000000018bf3-55.dat	upx
behavioral1/memory/2320-61-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/files/0x000600000001945c-70.dat	upx
behavioral1/memory/3012-75-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2544-74-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/1352-73-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/2224-63-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/files/0x000700000001925e-62.dat	upx
behavioral1/memory/2060-91-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2084-82-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/files/0x00050000000194d0-102.dat	upx
behavioral1/memory/1228-99-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/files/0x00050000000194fc-118.dat	upx
behavioral1/files/0x000500000001952f-128.dat	upx
behavioral1/files/0x00050000000195e6-141.dat	upx
behavioral1/files/0x00050000000195a7-138.dat	upx
behavioral1/memory/3012-145-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x000500000001957e-133.dat	upx
behavioral1/files/0x0005000000019506-123.dat	upx
behavioral1/memory/2084-147-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/files/0x00050000000194ef-113.dat	upx
behavioral1/memory/2852-107-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/files/0x00050000000194ad-98.dat	upx
behavioral1/memory/2524-81-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/files/0x0005000000019467-80.dat	upx
behavioral1/files/0x0005000000019496-90.dat	upx
behavioral1/memory/1296-87-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2060-149-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/1228-151-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2852-153-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/1444-155-0x000000013FF10000-0x0000000140264000-memory.dmp	upx
behavioral1/memory/2752-156-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2764-157-0x000000013F500000-0x000000013F854000-memory.dmp	upx
behavioral1/memory/2224-158-0x000000013F520000-0x000000013F874000-memory.dmp	upx
behavioral1/memory/2524-159-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2544-160-0x000000013F470000-0x000000013F7C4000-memory.dmp	upx
behavioral1/memory/1296-161-0x000000013FF90000-0x00000001402E4000-memory.dmp	upx
behavioral1/memory/2320-162-0x000000013F820000-0x000000013FB74000-memory.dmp	upx
behavioral1/memory/1352-163-0x000000013FD50000-0x00000001400A4000-memory.dmp	upx
behavioral1/memory/3012-164-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2084-165-0x000000013F250000-0x000000013F5A4000-memory.dmp	upx
behavioral1/memory/2060-166-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/1228-167-0x000000013F0D0000-0x000000013F424000-memory.dmp	upx
behavioral1/memory/2852-168-0x000000013FD40000-0x0000000140094000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dPUXjwJ.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTWdRmw.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zUxmnZn.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KyZrEHh.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kXSzGeT.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KoIFvXb.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JLakdPB.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GUWCsfb.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HsfKlrW.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vKZyJXw.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\APWNlyX.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjFSEys.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgkYrKo.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jNFSwVj.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FWNBTmH.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvhWnTH.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KMDJotc.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daaSdYA.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTGigKb.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oRxKRcv.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hTwhcCp.exe	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 288 wrote to memory of 1444	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 288 wrote to memory of 1444	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 288 wrote to memory of 1444	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 288 wrote to memory of 2752	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 288 wrote to memory of 2752	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 288 wrote to memory of 2752	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 288 wrote to memory of 2764	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 288 wrote to memory of 2764	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 288 wrote to memory of 2764	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 288 wrote to memory of 2224	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 288 wrote to memory of 2224	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 288 wrote to memory of 2224	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 288 wrote to memory of 2544	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 288 wrote to memory of 2544	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 288 wrote to memory of 2544	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 288 wrote to memory of 2524	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 288 wrote to memory of 2524	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 288 wrote to memory of 2524	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 288 wrote to memory of 1296	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 288 wrote to memory of 1296	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 288 wrote to memory of 1296	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 288 wrote to memory of 2320	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 288 wrote to memory of 2320	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 288 wrote to memory of 2320	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 288 wrote to memory of 1352	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 288 wrote to memory of 1352	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 288 wrote to memory of 1352	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 288 wrote to memory of 3012	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 288 wrote to memory of 3012	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 288 wrote to memory of 3012	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 288 wrote to memory of 2084	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 288 wrote to memory of 2084	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 288 wrote to memory of 2084	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 288 wrote to memory of 2060	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 288 wrote to memory of 2060	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 288 wrote to memory of 2060	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 288 wrote to memory of 1228	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 288 wrote to memory of 1228	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 288 wrote to memory of 1228	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 288 wrote to memory of 2852	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 288 wrote to memory of 2852	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 288 wrote to memory of 2852	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 288 wrote to memory of 1104	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 288 wrote to memory of 1104	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 288 wrote to memory of 1104	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 288 wrote to memory of 2756	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 288 wrote to memory of 2756	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 288 wrote to memory of 2756	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 288 wrote to memory of 2952	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 288 wrote to memory of 2952	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 288 wrote to memory of 2952	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 288 wrote to memory of 1308	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 288 wrote to memory of 1308	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 288 wrote to memory of 1308	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 288 wrote to memory of 532	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 288 wrote to memory of 532	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 288 wrote to memory of 532	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 288 wrote to memory of 1920	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 288 wrote to memory of 1920	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 288 wrote to memory of 1920	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 288 wrote to memory of 2808	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 288 wrote to memory of 2808	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 288 wrote to memory of 2808	288	2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-11_04ab5afaba52c46331958eb944f8d798_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:288
- C:\Windows\System\daaSdYA.exe
  C:\Windows\System\daaSdYA.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\FTGigKb.exe
  C:\Windows\System\FTGigKb.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\kXSzGeT.exe
  C:\Windows\System\kXSzGeT.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\HsfKlrW.exe
  C:\Windows\System\HsfKlrW.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\jNFSwVj.exe
  C:\Windows\System\jNFSwVj.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\FWNBTmH.exe
  C:\Windows\System\FWNBTmH.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\vKZyJXw.exe
  C:\Windows\System\vKZyJXw.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\KoIFvXb.exe
  C:\Windows\System\KoIFvXb.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\tvhWnTH.exe
  C:\Windows\System\tvhWnTH.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\JLakdPB.exe
  C:\Windows\System\JLakdPB.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\GUWCsfb.exe
  C:\Windows\System\GUWCsfb.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\APWNlyX.exe
  C:\Windows\System\APWNlyX.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\oRxKRcv.exe
  C:\Windows\System\oRxKRcv.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\dPUXjwJ.exe
  C:\Windows\System\dPUXjwJ.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\DjFSEys.exe
  C:\Windows\System\DjFSEys.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\hTwhcCp.exe
  C:\Windows\System\hTwhcCp.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\KMDJotc.exe
  C:\Windows\System\KMDJotc.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\zTWdRmw.exe
  C:\Windows\System\zTWdRmw.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\zUxmnZn.exe
  C:\Windows\System\zUxmnZn.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\KyZrEHh.exe
  C:\Windows\System\KyZrEHh.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\UgkYrKo.exe
  C:\Windows\System\UgkYrKo.exe
  2⤵
  - Executes dropped EXE
  PID:2808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\APWNlyX.exe

Filesize
5.9MB

MD5
7574b813ceef6086ca78811bd9e07024

SHA1
61cafc1548ca252d9dab8eb54d068e0b128291a1

SHA256
5dd9d894fdee2cc39b7bac38e7d18764aeea533611b383377524d0606522141b

SHA512
d4758b4c513982b8998e8f05b7bdef26953012b4ff6b337f2fc865d86edb0242cb8f95c5413ad40f79edeeecc5f063fee999af1dcc8077e64f1c612c97cc8a85

Download Submit
C:\Windows\system\DjFSEys.exe

Filesize
5.9MB

MD5
924b0b9e34633dd8a1f3be8c87e2bbad

SHA1
0869eea681c07b5fb351ea7c44d45d5f5b7cb4ad

SHA256
5944060acdff4f3760e30c598018e2e595f95c387df2c26a5758ea8eaefad3ef

SHA512
9376d96a8b2f7f9d5b680b22fcce12e525f0185344b7157e73c49941ac5055734375631798fc347fd6174e0f68755a774ad2c85b287a2e5ac00588e160b5b0de

Download Submit
C:\Windows\system\FTGigKb.exe

Filesize
5.9MB

MD5
a2edddcec060e0de69ea4341ffa36bd1

SHA1
08e9bb4071c0d059abec25bc0434bb09f0efcc0e

SHA256
8032c96f03d4479c7febfa6bfa91c32defcdea3d9f260e98c79d0928bf408912

SHA512
498173b53f10193eb0983bbf9302ffe825b576dda5823e3a547455846968cc66468ead64d7df2fd31cd36243749dc8ab7ac6b18e42978d69ec4c72563a7938b4

Download Submit
C:\Windows\system\FWNBTmH.exe

Filesize
5.9MB

MD5
5682dcfc21dc924e1692cd4ad219c613

SHA1
f42877446aeb78e2f0cb1515def6e6507f50c4d1

SHA256
8679a828369ca9eb8b7295c97cb1d289f6d31141198c24404e6a4c86590aec5d

SHA512
bdb6167ff96bb58b0c19cfa9e8897fdb83410647d72aa1b8a3f7cabcbb2d004ba18cc41e367a220fb09f063f12759e3a8d3a95638dd090b61ea5226efe061a1a

Download Submit
C:\Windows\system\GUWCsfb.exe

Filesize
5.9MB

MD5
c8e5adf4de7a552d6c5eba0ca56ca68c

SHA1
f74e80d360e860cef722816298dad78ee105546f

SHA256
c4ee2d8fdce39e98b9fe9ee5381d8dd3eeff23051c0abb02c86e7892fdc3091f

SHA512
131393eaff1c589c0a32871bb6c78da2d3698cfeb8d0d4005550450969f9fea89bdf7370e1eebf460045fef0105597b63db56f91b8d383c65726c56f0c4817be

Download Submit
C:\Windows\system\JLakdPB.exe

Filesize
5.9MB

MD5
88e1ad0eff472e2b74c2e5da24e7bb58

SHA1
35d76b56a5c2481252410560495053bd44d905dc

SHA256
53c088364427913fd619311934c14af5eb8cc96e86bb41cdaa42fdf8b1e90a30

SHA512
3c52844015f74a704448aeed20e8ceff1f0e223f409a74232f958bd57ded08478ae8fe9bfd167bd3f79eb39a0126df12c4482818e6940af0f037f3d75ea3d2b8

Download Submit
C:\Windows\system\KMDJotc.exe

Filesize
5.9MB

MD5
28438b7fbb305de72da19b115ab49f05

SHA1
52241d6902ab616340da8fe63a5c62d080388fb7

SHA256
acf7c1f0af3067b15f522015e8d6806c52c9da621077d45e9ed5983cbe68cc17

SHA512
db4c39a7b95c65a7560ca148593a54d6d70881c772b9927a8d57fafbe7cb6c73aee383b740fa58aeca594bc865599dc5cc2081a4ebf23d65db10511dff059468

Download Submit
C:\Windows\system\KyZrEHh.exe

Filesize
5.9MB

MD5
ad758777ffb45703aa66d64b95ae381f

SHA1
a3934f78d1ba724658cb8d0290cb789394b52c00

SHA256
7d938fc424612eb2f35a50670894ab335db83344d6e4c97705d8e0003c749618

SHA512
a19ce8e0637bb0589a772bdb52083276c7466f6f9bd39bb7bf47f50dfe6b485da27de38b20a916a6a5d6742d37dd1cf8c3f7d7a29fae8810ae018c0fee6a90f4

Download Submit
C:\Windows\system\daaSdYA.exe

Filesize
5.9MB

MD5
f829e5e5d38e20835a9e1226b225f943

SHA1
00b28dde74252fa2ea4115a57a37e3a87638bbeb

SHA256
867cb6241b9d737c695f400369cf84626d7fb75bec354c959957e656d83db8b9

SHA512
f0582a44b43c2f65f1e0cbbaf7a92696d300af328d5b05d2cf4881c88fdf08ca929329c44ffadde8893789c61d68d744a1d223c172feb73148d69bf6b7dc1ff0

Download Submit
C:\Windows\system\hTwhcCp.exe

Filesize
5.9MB

MD5
d19c3e6d4673e7140c300e00e6f61d66

SHA1
104f89bf25425cbc92f1b7db368da7401854746c

SHA256
a0472153bfbac4b3cf034c19bfa7458cce1dfe9f8ef4fa4639fb92a5946468d8

SHA512
a8a1be43171767c87cea29fa752007b2d4b03258ce7df19e297c56b602bae86da0b3d344ff3c71125e09f128d1caf98f73b60808cd3e5136f4033da033bbdd22

Download Submit
C:\Windows\system\jNFSwVj.exe

Filesize
5.9MB

MD5
53037016ca2e223d278c7a24c1d95cf3

SHA1
85db63e88850a45227027e18b9b07c3e54e8815d

SHA256
078e5924a71d8a70453d509980e95a47f763e1593c244447eb6ddd02a683db60

SHA512
0260fae1241fba4a93458f74d27a5ab2db3d105eeb59862603bfc28627c3536f3d6212febb2f903454631e7bf03ae9c596f0adc2ca52d63276856b1c2d210899

Download Submit
C:\Windows\system\kXSzGeT.exe

Filesize
5.9MB

MD5
bc4bec1631020c07dfa8365bdc070467

SHA1
ab0142ab514c4437ed2efba90f4bfb666ab5918c

SHA256
74d69c067d6b02fbe8afc50c8f5aa0261f7ef28904f90959b86df4a35e7db18d

SHA512
f7d409f4fecc2d200a6e89e25a2ae5c94212ae4d205088563f5f5a1497b5c66c10d259b2b051f2d2ff7181e865cdc12c592865279b899402a8886a22769928fa

Download Submit
C:\Windows\system\oRxKRcv.exe

Filesize
5.9MB

MD5
2b49f71f08ab015c78bdcb2da480533e

SHA1
7f2921d0b26b25d3f3a140c3d32fbb089ac2a1d1

SHA256
611b0762de6b5851f95b2bf7326a323fa970b701ccfc12c263bb4a143428ea4e

SHA512
885edd2d64aca13dbb747ea851a2a6f3cf1eee6803e0523a7ed49d73fdd5b8b2b37ff3e6f981fbae1e3904b2e3c5897f63ce93c568e5caac7427b31d7653b42f

Download Submit
C:\Windows\system\zTWdRmw.exe

Filesize
5.9MB

MD5
b88b21e3c1f9af4caf0cba9d53b27048

SHA1
bd86a31768afd14f4794be386032c33971baa8e9

SHA256
e0ebc9af210715a10f5b829836fc8055bed309021022384a0cbaf0929a4629ff

SHA512
557bc87cf5eee28413e4c5078e2dfdda58c98ebcad7262dc3d89961dd5f0ad9f9fa47636d9b801f83a2a3ff58ce13d4a132ef8f649254ea0c3585b7ec018319d

Download Submit
C:\Windows\system\zUxmnZn.exe

Filesize
5.9MB

MD5
d46af8a0243cc07dd7321aaedee8cdad

SHA1
35dbd5a1588a1ebcf4a99aacbb43b7eed45331ef

SHA256
c7c368c0bc9e73dd02e05e37ff7458e40b41ad7c4d72a97277c4dc403114c12c

SHA512
5e4b0402215f9e2e32ccd0917f782b6b57eb7ac3baf5d5bdfd6e669719445344c6bd052a044e49d479c20b822749eede79389d8adb9e4cf9e9f667ec4a142ba5

Download Submit
\Windows\system\HsfKlrW.exe

Filesize
5.9MB

MD5
73f0e3417bb05ae202b7482ba5ed3fa8

SHA1
44bb9820a52c3a349be27ec49a7a4bd3c6b1c7a4

SHA256
b7e07205a0b93a2cbc76a0789db343d3983b04c5a4602eca1a8daf7e800a744b

SHA512
dc8f972ac95cc4504043d2f0c59f2521ee2d6800d5f04abb843fcd0dd7683647d7509b902e0927cc769ba587ee9eae7225b6b3605c95bea493961a4db6367f97

Download Submit
\Windows\system\KoIFvXb.exe

Filesize
5.9MB

MD5
ccfa807980e349ac2251f62246c25117

SHA1
ed88a597e7bc84328c3fa7a239be31b9df879b95

SHA256
7fce3279d8d4c173383a137e83b16d3176270a992f2dd7ca18307d97d8af8126

SHA512
27c4ae2f9bdcaa20f5940ef4bbd54da397035f2b243e5066d8e01831ce8f45ec9a9888b96c992b3eaddab9c9288137a575e3da3e898ec821273f9d48a8f3f846

Download Submit
\Windows\system\UgkYrKo.exe

Filesize
5.9MB

MD5
59d84220e1b5a1bfca0ba0ec1c711ee1

SHA1
65205cf4add3ab3ec50fedd409f146e1e1055076

SHA256
d81bebfedfbafc798d0fd32bd2600b90b71ae5d65349e6ff58aab0e886d159fe

SHA512
d847fa3f9c5c4d76ef95006eb05e8fe70da731f4156d7180f7cf370e0a97ca03cf2d6b3d00de7edaab49381c560401081ab8ab89d12ff582780ee187367d356b

Download Submit
\Windows\system\dPUXjwJ.exe

Filesize
5.9MB

MD5
38f27e27469d9ed6c75e80640ee304ae

SHA1
9c1eb2bd751400bbe4ce09794bab23fccd35b225

SHA256
c6184fe172294ffbaed5c6922a225ffdffa05bb0a761657e9e65787895e387d7

SHA512
31f3ff54c9154ff902c127be6953e226e696608535ebcb24a917a4ef4ff7a2f24430f82f395cc9f47e717c4dcd5bd46d8dc8542c8b8aefefcbb722998ebc0601

Download Submit
\Windows\system\tvhWnTH.exe

Filesize
5.9MB

MD5
e680ffc3334bc388699b11fe472cabb7

SHA1
0e57e47e95887faaa20d9cfb3c872cb6ef90a777

SHA256
6bd4af0a75e34ff4a519855a40b8ffd375d49d9696f576eeba9e48cfadda1c68

SHA512
fd3574ba96c1d112157dd8fc2af5667862874039f771296ac852f1e3c92dc6781376ed288e028470029833a328c7007883d8ec851c3591a9ba8c27dbb78df4d5

Download Submit
\Windows\system\vKZyJXw.exe

Filesize
5.9MB

MD5
acbf8cfc70929ab492c2274ad56fe061

SHA1
a3420a6dccc588bc2612b98c244cb47326a571a6

SHA256
e2616a5891a6fe909904382e79fd10f9303a792015853a5b3798de1db91f6859

SHA512
e00303ba49850c79a5ed0018ea1f9e0d281c9e7a8d0c4e9577d678e8759f9efff9f2ea59bdd7e08dcb4333d86a3b4a2aa500d4c306049753035f2f0c8aaaa1a9

Download Submit
memory/288-35-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/288-152-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/288-48-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/288-33-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-54-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-154-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-60-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/288-0-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/288-38-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/288-150-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-88-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/288-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/288-148-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/288-78-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-66-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/288-86-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/288-103-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/288-106-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/288-95-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/288-96-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-13-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/288-111-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-24-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-146-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/288-21-0x0000000002530000-0x0000000002884000-memory.dmp

Filesize
3.3MB

Download
memory/1228-99-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1228-167-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1228-151-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1296-51-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1296-161-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1296-87-0x000000013FF90000-0x00000001402E4000-memory.dmp

Filesize
3.3MB

Download
memory/1352-73-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1352-163-0x000000013FD50000-0x00000001400A4000-memory.dmp

Filesize
3.3MB

Download
memory/1444-41-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/1444-8-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/1444-155-0x000000013FF10000-0x0000000140264000-memory.dmp

Filesize
3.3MB

Download
memory/2060-166-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-149-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2060-91-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-82-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-147-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2084-165-0x000000013F250000-0x000000013F5A4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-28-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2224-63-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2224-158-0x000000013F520000-0x000000013F874000-memory.dmp

Filesize
3.3MB

Download
memory/2320-162-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2320-61-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/2524-43-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2524-81-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2524-159-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2544-36-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-74-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2544-160-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/2752-42-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2752-156-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2752-15-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2764-157-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2764-22-0x000000013F500000-0x000000013F854000-memory.dmp

Filesize
3.3MB

Download
memory/2852-153-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2852-107-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2852-168-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/3012-75-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/3012-145-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/3012-164-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download