cobaltstrike | ff4be3eeba16b65e2dacd2200ac43e6c42a98ce073f8808e2af027f45360abdd

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

ae665ba6846dd0e599947205bc28b5fe
SHA1

52424a594a6ac5d12ee6a33521919d5df2c618ce
SHA256

ff4be3eeba16b65e2dacd2200ac43e6c42a98ce073f8808e2af027f45360abdd
SHA512

549433b93392026b7d812be4d429d70e205f196d3c7e9fbbda29c4c5b5b32dd774ec3874ec77164ba34b2bf30f358a4d3645d865b24deb0f26178696413f8282
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lY:RWWBib+56utgpPFotBER/mQ32lUU

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001225c-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d46-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dbe-19.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d3e-18.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-98.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ea4-94.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019244-91.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191ff-84.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190e0-70.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018f53-64.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018c1a-63.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dd1-62.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001903b-57.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018c26-49.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018687-43.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016dd7-42.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018792-40.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019256-106.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001922c-105.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d4-80.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190ce-79.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 35 IoCs

miner

resource	yara_rule
behavioral1/memory/2772-23-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2732-111-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2824-61-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2504-45-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2664-113-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/2724-82-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2620-81-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2692-69-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2544-130-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2996-27-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2532-39-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/584-132-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2544-133-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/1648-153-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/1728-154-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1908-152-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/1852-151-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2044-150-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2208-148-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2792-146-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2612-144-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/3004-142-0x000000013F790000-0x000000013FAE1000-memory.dmp	xmrig
behavioral1/memory/3016-140-0x000000013F150000-0x000000013F4A1000-memory.dmp	xmrig
behavioral1/memory/2544-155-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2996-222-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/2532-226-0x000000013F4F0000-0x000000013F841000-memory.dmp	xmrig
behavioral1/memory/2772-225-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	xmrig
behavioral1/memory/2504-230-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2692-232-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2824-229-0x000000013FC70000-0x000000013FFC1000-memory.dmp	xmrig
behavioral1/memory/2620-236-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2732-238-0x000000013F8B0000-0x000000013FC01000-memory.dmp	xmrig
behavioral1/memory/2724-234-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/584-243-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/2664-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2996	WmXPcRL.exe
2532	tdJxojI.exe
2772	jpOQpah.exe
2504	docElJS.exe
2824	oPHwXjP.exe
2692	criZjBE.exe
2732	wCKuCSD.exe
2620	WCWkruP.exe
2724	PeussWW.exe
2664	MbxZaoV.exe
584	YWwfXKP.exe
3016	JQTIntM.exe
1852	fwnmcCN.exe
1648	AlIHDUb.exe
3004	nYMSLIA.exe
2612	bUaTUWR.exe
2792	jveszmN.exe
2208	jEnfKIa.exe
2044	NqnnPWb.exe
1908	hPjXDKf.exe
1728	uostkjR.exe

Loads dropped DLL 21 IoCs

pid	Process
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2544-0-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-3.dat	upx
behavioral1/memory/2772-23-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/files/0x0008000000016d46-22.dat	upx
behavioral1/files/0x0007000000016dbe-19.dat	upx
behavioral1/files/0x0008000000016d3e-18.dat	upx
behavioral1/memory/2732-111-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2824-61-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/files/0x0005000000019259-98.dat	upx
behavioral1/files/0x0008000000016ea4-94.dat	upx
behavioral1/files/0x0005000000019244-91.dat	upx
behavioral1/files/0x00050000000191ff-84.dat	upx
behavioral1/files/0x00060000000190e0-70.dat	upx
behavioral1/files/0x0006000000018f53-64.dat	upx
behavioral1/files/0x0006000000018c1a-63.dat	upx
behavioral1/files/0x0007000000016dd1-62.dat	upx
behavioral1/files/0x000600000001903b-57.dat	upx
behavioral1/files/0x0006000000018c26-49.dat	upx
behavioral1/memory/2504-45-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/files/0x0006000000018687-43.dat	upx
behavioral1/files/0x0009000000016dd7-42.dat	upx
behavioral1/files/0x0005000000018792-40.dat	upx
behavioral1/memory/2664-113-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/files/0x0005000000019256-106.dat	upx
behavioral1/files/0x000500000001922c-105.dat	upx
behavioral1/memory/584-90-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2724-82-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2620-81-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/files/0x00050000000191d4-80.dat	upx
behavioral1/files/0x00060000000190ce-79.dat	upx
behavioral1/memory/2692-69-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2544-130-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2996-27-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2532-39-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/584-132-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2544-133-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/1648-153-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/1728-154-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1908-152-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/1852-151-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2044-150-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2208-148-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2792-146-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2612-144-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/3004-142-0x000000013F790000-0x000000013FAE1000-memory.dmp	upx
behavioral1/memory/3016-140-0x000000013F150000-0x000000013F4A1000-memory.dmp	upx
behavioral1/memory/2544-155-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2996-222-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/2532-226-0x000000013F4F0000-0x000000013F841000-memory.dmp	upx
behavioral1/memory/2772-225-0x000000013FBA0000-0x000000013FEF1000-memory.dmp	upx
behavioral1/memory/2504-230-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2692-232-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/2824-229-0x000000013FC70000-0x000000013FFC1000-memory.dmp	upx
behavioral1/memory/2620-236-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2732-238-0x000000013F8B0000-0x000000013FC01000-memory.dmp	upx
behavioral1/memory/2724-234-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/584-243-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/2664-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\jpOQpah.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wCKuCSD.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oPHwXjP.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nYMSLIA.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WCWkruP.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bUaTUWR.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jveszmN.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PeussWW.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MbxZaoV.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jEnfKIa.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YWwfXKP.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NqnnPWb.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AlIHDUb.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uostkjR.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WmXPcRL.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tdJxojI.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JQTIntM.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\criZjBE.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPjXDKf.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\docElJS.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fwnmcCN.exe	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2996	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2544 wrote to memory of 2996	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2544 wrote to memory of 2996	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2544 wrote to memory of 2532	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2544 wrote to memory of 2532	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2544 wrote to memory of 2532	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2544 wrote to memory of 2504	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2544 wrote to memory of 2504	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2544 wrote to memory of 2504	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2544 wrote to memory of 2772	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2544 wrote to memory of 2772	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2544 wrote to memory of 2772	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2544 wrote to memory of 2732	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2544 wrote to memory of 2732	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2544 wrote to memory of 2732	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2544 wrote to memory of 2824	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2544 wrote to memory of 2824	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2544 wrote to memory of 2824	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2544 wrote to memory of 3016	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2544 wrote to memory of 3016	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2544 wrote to memory of 3016	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2544 wrote to memory of 2692	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2544 wrote to memory of 2692	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2544 wrote to memory of 2692	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2544 wrote to memory of 3004	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2544 wrote to memory of 3004	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2544 wrote to memory of 3004	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2544 wrote to memory of 2620	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2544 wrote to memory of 2620	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2544 wrote to memory of 2620	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2544 wrote to memory of 2612	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2544 wrote to memory of 2612	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2544 wrote to memory of 2612	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2544 wrote to memory of 2724	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2544 wrote to memory of 2724	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2544 wrote to memory of 2724	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2544 wrote to memory of 2792	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2544 wrote to memory of 2792	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2544 wrote to memory of 2792	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2544 wrote to memory of 2664	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2544 wrote to memory of 2664	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2544 wrote to memory of 2664	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2544 wrote to memory of 2208	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2544 wrote to memory of 2208	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2544 wrote to memory of 2208	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2544 wrote to memory of 584	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2544 wrote to memory of 584	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2544 wrote to memory of 584	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2544 wrote to memory of 2044	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2544 wrote to memory of 2044	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2544 wrote to memory of 2044	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2544 wrote to memory of 1852	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2544 wrote to memory of 1852	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2544 wrote to memory of 1852	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2544 wrote to memory of 1908	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2544 wrote to memory of 1908	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2544 wrote to memory of 1908	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2544 wrote to memory of 1648	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2544 wrote to memory of 1648	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2544 wrote to memory of 1648	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2544 wrote to memory of 1728	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2544 wrote to memory of 1728	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2544 wrote to memory of 1728	2544	2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-17_ae665ba6846dd0e599947205bc28b5fe_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\System\WmXPcRL.exe
  C:\Windows\System\WmXPcRL.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\tdJxojI.exe
  C:\Windows\System\tdJxojI.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\docElJS.exe
  C:\Windows\System\docElJS.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\jpOQpah.exe
  C:\Windows\System\jpOQpah.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\wCKuCSD.exe
  C:\Windows\System\wCKuCSD.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\oPHwXjP.exe
  C:\Windows\System\oPHwXjP.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\JQTIntM.exe
  C:\Windows\System\JQTIntM.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\criZjBE.exe
  C:\Windows\System\criZjBE.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\nYMSLIA.exe
  C:\Windows\System\nYMSLIA.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\WCWkruP.exe
  C:\Windows\System\WCWkruP.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\bUaTUWR.exe
  C:\Windows\System\bUaTUWR.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\PeussWW.exe
  C:\Windows\System\PeussWW.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\jveszmN.exe
  C:\Windows\System\jveszmN.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\MbxZaoV.exe
  C:\Windows\System\MbxZaoV.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\jEnfKIa.exe
  C:\Windows\System\jEnfKIa.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\YWwfXKP.exe
  C:\Windows\System\YWwfXKP.exe
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Windows\System\NqnnPWb.exe
  C:\Windows\System\NqnnPWb.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\fwnmcCN.exe
  C:\Windows\System\fwnmcCN.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\hPjXDKf.exe
  C:\Windows\System\hPjXDKf.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\AlIHDUb.exe
  C:\Windows\System\AlIHDUb.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\uostkjR.exe
  C:\Windows\System\uostkjR.exe
  2⤵
  - Executes dropped EXE
  PID:1728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AlIHDUb.exe

Filesize
5.2MB

MD5
9d16a0480c21f84a6bf1076d86f67b0b

SHA1
6b1f1157ae8395c9e2144b066d5336fcc11e3d7f

SHA256
4ffa5b6d5f02589d2a6e9220048805bf2aab8e87e5add27bc461091bf7c41b45

SHA512
56a6b4387a48543341c8356dc7372977595d611820016d609531e2a27321ceb42c2831b62c44ae93568505418bd66bbb524f841656f076a8037912f0c7e0f6fe

Download Submit
C:\Windows\system\JQTIntM.exe

Filesize
5.2MB

MD5
1839b27f68ac91983e22bf75773f2704

SHA1
3223d0783447f84b9c68a5276940a776371542a0

SHA256
a55b494e64a530d4a4b83e5296af5120d80068bd681bc5338c3ec623566a5e8d

SHA512
1f472e606be2cac7378d725c944c293c1f0202c340f93f30d29fa4266ae3a0f87e372d4eb11af185dec4dcd9cb4ebd179043f2466e8f329db1efc4d9314915e1

Download Submit
C:\Windows\system\MbxZaoV.exe

Filesize
5.2MB

MD5
d72da5d55e36d267d6e2e69c41cf937e

SHA1
78842f8c8b994be8494a5486f3b756abaf3fe640

SHA256
2fc1d370ab87a7f6957bfeb987d1384e1c9144128788b6f2d70a3243d6397240

SHA512
e7c9768c9cbe24cb5cad08190d9eb9a500e3727562f111d3dd8bc397ba7f38448d35b75657088a169bd3b310398172160eb9466c96557ac399e77602ef3f036d

Download Submit
C:\Windows\system\PeussWW.exe

Filesize
5.2MB

MD5
7552721ab0a2fccbd0548f2d003fc835

SHA1
fe4a02d93cac98bbf876133dc2ee528f5cf875cb

SHA256
8d9a043c55d433b97e59cb2deeba4f214d9a547e16cf99ef5fbf73b60ac9a3ec

SHA512
0592b0d3ae67d595cfc0e3b1d33bf2a7ee46df928d094b847093597c6fea3f96a7914bde09edc0909d9195c0b6c98b46c6ba168b688b6270f6dbc5758e994ea1

Download Submit
C:\Windows\system\WCWkruP.exe

Filesize
5.2MB

MD5
5cdd51a2f275378ef5cef4326016cd88

SHA1
b3c7ff972d10710a5c9ab3624c33f2a234227aab

SHA256
69683952e777a6aad81a1e2f927ef39311ab26519db0fb220190eaaaaa187c38

SHA512
2d0bda3d0ab3b0e6ef1a465c00b8426cf388566f39b0d775e636cee83d858ba3b2d6ab3334d4dcff2bdab5dd3bd03d71f189d08cb8ce1b015eeb1891695216e9

Download Submit
C:\Windows\system\YWwfXKP.exe

Filesize
5.2MB

MD5
33ac7115864f3a59973267bb6da245ca

SHA1
bb93f7e7680c4fa70647f89abaa9cc71d4dce268

SHA256
f82943c570ed828470815ebb09c15586173d0a3d6d8c025ff8d340c30851e0e3

SHA512
2da41cb31fe0c6da9b01d41ec6a0960fdbdf5eee673b4d0dffca068e0cbf1c1ebec27d814e6c1ac0e961e2fef73f95ae9be7f99254d6c4942ada4381ea962ab9

Download Submit
C:\Windows\system\criZjBE.exe

Filesize
5.2MB

MD5
8a51b3efdcef6c5aec78e66237727510

SHA1
2206b134a1598c2927e51145c7c466a4ae3d9a5f

SHA256
15933d49ff4e6567026a2e318468e45a83e86d21b1934021940a5e8a9315a54b

SHA512
3cb789d9e337b19229a83432694d8940b55830318774fada6eb196db4334a70044010c7fd030b29380030e7503e08723e643c58cfa11c85d845111ff83b4557c

Download Submit
C:\Windows\system\docElJS.exe

Filesize
5.2MB

MD5
613e595e25c80f0d08503d424d88ef6b

SHA1
65733bd6d8c9be85ff8205664acbe185424fc6f2

SHA256
fb90f70e41712864e3400983b7ae71fe4a3284e3e2089e53c1d1bd9ea82efb35

SHA512
96a950b170e9a018ec31770b01a1f1e125d4f1dd019fd605f52bbc66ad8275da00ae2b72461fa8a5e498fbe4ca05fe097f4d6e3448f640f05059384d324b7dc5

Download Submit
C:\Windows\system\fwnmcCN.exe

Filesize
5.2MB

MD5
ebf370261c700f6f9718dcd1d80af776

SHA1
4cf33a7dadb90c0fa5bdcab5356fd67bdf7e9bc8

SHA256
e97ecb286e9daf32571374b7872c0abbda1a1d68cc683fbee11a48a42444b55e

SHA512
16649b95a4aeb281a8159587db20e0393984a6b1266e87c59df7627bc0dbcff5a8c8e7090e71c4b45d28f8300fd3e89e19f4c5d1c8ff3467a253039a3d91237b

Download Submit
C:\Windows\system\jpOQpah.exe

Filesize
5.2MB

MD5
0ee5f6af5503ab685ad9062f822f152d

SHA1
bfeb49942309d45436f8abfcde5f224fefcb0a75

SHA256
8b7bafb8eb305a5aaf1cfcb1ec7a49f202183a2538153a08b55f62abf3b8b80d

SHA512
85e112928414ed86adb183a50b42c1e14b331d6db0d7c502538881daf3fe1c89342cbd50dbf382ae9061365b43c5f7bb6200d4b19c6d5ade6b6a723337fd9641

Download Submit
C:\Windows\system\oPHwXjP.exe

Filesize
5.2MB

MD5
b886567ad06a0915c52a1a01ce1d3e9b

SHA1
fcfaac1897a355e96ec4f94a034d5f1908dff8e4

SHA256
0b50229451cbf4abe1e8334d29f6433b3c250ab42c32866ebf28579d381d922c

SHA512
c8fb0554b175e9ec40bd4f3ad6c314dbbed037105665e503013367de1e3672f79bb10f1e625138e010b7190c3e8a4eac7443ea69c81ff9c833013e23456fb5f0

Download Submit
C:\Windows\system\tdJxojI.exe

Filesize
5.2MB

MD5
df0980fa9575f04ede91d32990335cdf

SHA1
17b6d7097424bcc5446a5cd77c943401f1a92d68

SHA256
fc97d36e771187f59861f89406a625c4b44392274d167479707cdf02c0b418cb

SHA512
e65faa136f98f63d3afe538c53df679286fa3399c5a2f16f187105ef211e1d40b8629005fc288a0baa7935b8574a7a73dcce369782373fa8566bc1c29ef9d0f1

Download Submit
C:\Windows\system\wCKuCSD.exe

Filesize
5.2MB

MD5
6c37a1450ace6bbef49e4c134616ac4f

SHA1
5c1a525e757c9537dc7f706426b9c283bc62232d

SHA256
199e0c045b6530addc8cfd6403e0ecdd2ef05d5282b313430cca0d68d8a543db

SHA512
ef59e10c8329881596155fae823e34a4ff237e30143cec1fe24ce0fdea687fd39fbf3eaf99318ba6e4c40b92a19fcd860a9a0714dc33f9edb788c1c83036b6e9

Download Submit
\Windows\system\NqnnPWb.exe

Filesize
5.2MB

MD5
b4e3f1e3fb065b357468866accc2471d

SHA1
f2faaf9b8a938d986eed6ae080fdae36479bf7ac

SHA256
f59a225d12206cfcab8130bb0762db71873af7595042770219ac8c1681dfb1b1

SHA512
0e148dc4d8fda8cc33977c5e3616c0a74c458adaf01c44fb8f7cc045bcbab6b734ad162356e1e1fbf22008592ed38333fb9516f49215d2f3a916815461e0c9da

Download Submit
\Windows\system\WmXPcRL.exe

Filesize
5.2MB

MD5
8ad754ab8d3f8ca48f4947a73ed5ce69

SHA1
7486bbe5ce68ec7266b0d50c4eb2bf1887cc116b

SHA256
cc36f5404335ba487ad36dde0f21001a1b5f14547212a1a56c9b382dfa4cd168

SHA512
e9c1faa8e0f9bed414670eebfa74ccf609ba619861b5a3217b8e4ba6d75841d512f8ec406995be18b5c99fcf7d7e710ab37bcc1ca28057c61a06175d85e640c6

Download Submit
\Windows\system\bUaTUWR.exe

Filesize
5.2MB

MD5
e98411ed3073b9b59af1a8c2f493cb8f

SHA1
1ec3a1c89deef5f219bf8a2f4b292f5da694e755

SHA256
ba4d7c73b1e04e551bf63ca5038d121af9511215b8f21b72cf7412510721a5a6

SHA512
f46eb5555c4954019e38639ab816aa1d57f4c510af75ffdd3efd0fb2f83350b45614924b50cad42efa3b25ed0c8ac762348e40c435a33e6f82f84efea3123bf9

Download Submit
\Windows\system\hPjXDKf.exe

Filesize
5.2MB

MD5
1fa5b902dfbdec784843e0a59a0ca120

SHA1
d84f7e31bfe6b1e06aa0490d1ad00397829887b6

SHA256
fb6a5914c2b1ee1decc35e596388fa5a9a2b78b73dd787fae23512b524389b37

SHA512
cb28a24cb47516392cb11bce01f5b9d011db3b0764e6cd1e90fe72117faa48843d5720e7cccf45f428a2b67c96754ca3c60b5a1d77d5a8f492c2c41f87fda2d3

Download Submit
\Windows\system\jEnfKIa.exe

Filesize
5.2MB

MD5
c75852e4281e9c633de002cdf5a7f6fa

SHA1
2df79c797c0278e671bdb0daff2a2fcd17757737

SHA256
26863d7faa3a7b339a64543c2f3601ae9a517209a76cd8d85a68676406fe8ca6

SHA512
bdc46954cb201b4d07949e8f4ee483502e6370361b4d89a8928f2d7395c018b829edd1e17929b661ed9b286440c1f2dcf01bf635020b7d3dab2b9d171f716614

Download Submit
\Windows\system\jveszmN.exe

Filesize
5.2MB

MD5
213062ab18897ebdaca6893363672b6b

SHA1
86b180faae0752afca6d7238b99523fa0ddb3bcf

SHA256
10c7bff2517bd4acb7fb90123c20a3462903dbccc46b0dbb92fb584bee90de97

SHA512
f32d677f72d33f82c1437459a38c2ae4369d5d3f337ab375b571a07e75ca3065d9e3b19a1f890ad7941c3f6946cf02c98e90b05eacce07c77a4dd8bc5496127b

Download Submit
\Windows\system\nYMSLIA.exe

Filesize
5.2MB

MD5
9b8decbf21df46fa12fa3fe9f1eef9da

SHA1
eb075afdeba7a4ef52d1a8140cbacf0cf1dcaac8

SHA256
c0536ccee975646cf2e64c1c5ed4adefe0f60615563fe3b8e0345b440c9d0b1b

SHA512
e1852202b97475b132f70def57a3310a61ba860357faa758759e1f682763bade48effd86e2db3764df6e0483e22b27bb369298999bcc824c5190226e42ebb8b2

Download Submit
\Windows\system\uostkjR.exe

Filesize
5.2MB

MD5
8180f8b08c47ee7a3d562a517c108b96

SHA1
d52fc84a8abc5f1723bb01e4c6ee314f1e5a11ba

SHA256
2d1cb5bb936d0f375e02b48376c55cfcfd21f34fd1ba14c6b009ce1fbfe25eb2

SHA512
1694d23a568caadb4fcf49e34d431902e29a3ffa6d0129769eedbd2622d8806a92f8233f7a171d9c803fe24744528c84296d1695d1d439faea89411b21bc8487

Download Submit
memory/584-132-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/584-90-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/584-243-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1648-153-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/1728-154-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1852-151-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-152-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-150-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2208-148-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2504-230-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-45-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2532-39-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2532-226-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2544-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2544-112-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/2544-35-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-83-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2544-102-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-109-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-114-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2544-104-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2544-78-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-0-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2544-130-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2544-155-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2544-110-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-60-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-131-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-133-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2544-13-0x000000013F4F0000-0x000000013F841000-memory.dmp

Filesize
3.3MB

Download
memory/2544-108-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2612-144-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2620-81-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2620-236-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2664-240-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2664-113-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2692-69-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2692-232-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2724-234-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-82-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2732-111-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2732-238-0x000000013F8B0000-0x000000013FC01000-memory.dmp

Filesize
3.3MB

Download
memory/2772-23-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2772-225-0x000000013FBA0000-0x000000013FEF1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-146-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2824-229-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2824-61-0x000000013FC70000-0x000000013FFC1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-222-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2996-27-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/3004-142-0x000000013F790000-0x000000013FAE1000-memory.dmp

Filesize
3.3MB

Download
memory/3016-140-0x000000013F150000-0x000000013F4A1000-memory.dmp

Filesize
3.3MB

Download