cobaltstrike | 7c48cf1e13b84ce5efadc12d074fcd2e770a7f53012ee2864eb213977c77a91b

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b691fcb000ac50a592aec0d1af30d8a8
SHA1

9c47b80ae8c4678bd0c0ecff88623b36ed902d12
SHA256

7c48cf1e13b84ce5efadc12d074fcd2e770a7f53012ee2864eb213977c77a91b
SHA512

db38b58c7f60d6943e068b21d52fdf6181694dee4ee199fd0ce7a86119fe06cbc9aed3efcee5c77ebb32023bf089421d71f47da1df7ee65f4cb74c0d8f0bcf2c
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lJ:RWWBibd56utgpPFotBER/mQ32lUF

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d000000012276-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000019227-13.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001922c-15.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019261-20.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019279-35.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001926a-28.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000019379-46.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000194ad-54.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194fc-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019623-119.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019622-135.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961f-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019621-125.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961d-124.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019625-123.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195e6-104.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957e-93.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019506-76.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001952f-89.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a7-85.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000018781-62.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2460-9-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1056-19-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2712-32-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/352-47-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/1056-59-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/2568-58-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/3056-57-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2460-56-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2660-50-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/352-49-0x0000000002160000-0x00000000024B1000-memory.dmp	xmrig
behavioral1/memory/1972-66-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2536-81-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2196-96-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2736-122-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2152-127-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2184-97-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2156-73-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2596-142-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig
behavioral1/memory/352-143-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2784-165-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2836-166-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/1528-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/824-162-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2052-161-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/1152-164-0x000000013FF70000-0x00000001402C1000-memory.dmp	xmrig
behavioral1/memory/2892-160-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/352-167-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2460-219-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/1056-221-0x000000013F490000-0x000000013F7E1000-memory.dmp	xmrig
behavioral1/memory/3056-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2712-225-0x000000013F090000-0x000000013F3E1000-memory.dmp	xmrig
behavioral1/memory/2156-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp	xmrig
behavioral1/memory/2736-229-0x000000013FE60000-0x00000001401B1000-memory.dmp	xmrig
behavioral1/memory/2660-239-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2568-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/1972-243-0x000000013FC90000-0x000000013FFE1000-memory.dmp	xmrig
behavioral1/memory/2536-245-0x000000013F360000-0x000000013F6B1000-memory.dmp	xmrig
behavioral1/memory/2196-247-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2184-249-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2152-258-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2596-260-0x000000013F450000-0x000000013F7A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2460	ewTcnFP.exe
1056	XszTnbo.exe
3056	nVtvqCZ.exe
2712	mAaaCsR.exe
2156	woGuUVk.exe
2736	gGTOMOV.exe
2660	dWcJNfz.exe
2568	rWOOchB.exe
1972	dAhsVhJ.exe
2536	htaGJTs.exe
2596	EojLjOo.exe
2196	jnUdzRs.exe
2184	NAJKQnS.exe
2152	HFyRLOM.exe
2892	sWtwOEt.exe
2052	XzrKkne.exe
1528	gdFnyEC.exe
2784	OrrRlvG.exe
824	sOZuFXi.exe
1152	hMoKRHm.exe
2836	CwgRigX.exe

Loads dropped DLL 21 IoCs

pid	Process
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/352-0-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/files/0x000d000000012276-6.dat	upx
behavioral1/memory/2460-9-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/files/0x0008000000019227-13.dat	upx
behavioral1/files/0x000700000001922c-15.dat	upx
behavioral1/memory/1056-19-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/files/0x0006000000019261-20.dat	upx
behavioral1/memory/2156-34-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2712-32-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/files/0x0006000000019279-35.dat	upx
behavioral1/memory/2736-42-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/3056-23-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/files/0x000600000001926a-28.dat	upx
behavioral1/memory/352-47-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/files/0x0007000000019379-46.dat	upx
behavioral1/files/0x00060000000194ad-54.dat	upx
behavioral1/memory/1056-59-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/memory/2568-58-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/3056-57-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2460-56-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2660-50-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/1972-66-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/files/0x00050000000194fc-71.dat	upx
behavioral1/memory/2536-81-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2196-96-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2736-122-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/files/0x0005000000019623-119.dat	upx
behavioral1/files/0x0005000000019622-135.dat	upx
behavioral1/files/0x000500000001961f-133.dat	upx
behavioral1/memory/2152-127-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/files/0x0005000000019621-125.dat	upx
behavioral1/files/0x000500000001961d-124.dat	upx
behavioral1/files/0x0005000000019625-123.dat	upx
behavioral1/files/0x00050000000195e6-104.dat	upx
behavioral1/memory/2184-97-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/files/0x000500000001957e-93.dat	upx
behavioral1/files/0x0005000000019506-76.dat	upx
behavioral1/files/0x000500000001952f-89.dat	upx
behavioral1/memory/2596-87-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/files/0x00050000000195a7-85.dat	upx
behavioral1/memory/2156-73-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/files/0x0008000000018781-62.dat	upx
behavioral1/memory/2596-142-0x000000013F450000-0x000000013F7A1000-memory.dmp	upx
behavioral1/memory/352-143-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2784-165-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2836-166-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/1528-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/824-162-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2052-161-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/1152-164-0x000000013FF70000-0x00000001402C1000-memory.dmp	upx
behavioral1/memory/2892-160-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/352-167-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2460-219-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/1056-221-0x000000013F490000-0x000000013F7E1000-memory.dmp	upx
behavioral1/memory/3056-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2712-225-0x000000013F090000-0x000000013F3E1000-memory.dmp	upx
behavioral1/memory/2156-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp	upx
behavioral1/memory/2736-229-0x000000013FE60000-0x00000001401B1000-memory.dmp	upx
behavioral1/memory/2660-239-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2568-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/1972-243-0x000000013FC90000-0x000000013FFE1000-memory.dmp	upx
behavioral1/memory/2536-245-0x000000013F360000-0x000000013F6B1000-memory.dmp	upx
behavioral1/memory/2196-247-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2184-249-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OrrRlvG.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XszTnbo.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jnUdzRs.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hMoKRHm.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rWOOchB.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\htaGJTs.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XzrKkne.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gdFnyEC.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nVtvqCZ.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\woGuUVk.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gGTOMOV.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HFyRLOM.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NAJKQnS.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOZuFXi.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CwgRigX.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mAaaCsR.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dAhsVhJ.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EojLjOo.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewTcnFP.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dWcJNfz.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sWtwOEt.exe	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 352 wrote to memory of 2460	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 352 wrote to memory of 2460	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 352 wrote to memory of 2460	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 352 wrote to memory of 1056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 352 wrote to memory of 1056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 352 wrote to memory of 1056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 352 wrote to memory of 3056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 352 wrote to memory of 3056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 352 wrote to memory of 3056	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 352 wrote to memory of 2156	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 352 wrote to memory of 2156	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 352 wrote to memory of 2156	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 352 wrote to memory of 2712	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 352 wrote to memory of 2712	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 352 wrote to memory of 2712	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 352 wrote to memory of 2736	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 352 wrote to memory of 2736	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 352 wrote to memory of 2736	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 352 wrote to memory of 2660	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 352 wrote to memory of 2660	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 352 wrote to memory of 2660	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 352 wrote to memory of 2568	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 352 wrote to memory of 2568	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 352 wrote to memory of 2568	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 352 wrote to memory of 1972	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 352 wrote to memory of 1972	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 352 wrote to memory of 1972	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 352 wrote to memory of 2536	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 352 wrote to memory of 2536	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 352 wrote to memory of 2536	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 352 wrote to memory of 2596	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 352 wrote to memory of 2596	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 352 wrote to memory of 2596	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 352 wrote to memory of 2196	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 352 wrote to memory of 2196	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 352 wrote to memory of 2196	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 352 wrote to memory of 2152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 352 wrote to memory of 2152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 352 wrote to memory of 2152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 352 wrote to memory of 2184	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 352 wrote to memory of 2184	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 352 wrote to memory of 2184	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 352 wrote to memory of 2892	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 352 wrote to memory of 2892	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 352 wrote to memory of 2892	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 352 wrote to memory of 2052	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 352 wrote to memory of 2052	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 352 wrote to memory of 2052	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 352 wrote to memory of 824	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 352 wrote to memory of 824	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 352 wrote to memory of 824	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 352 wrote to memory of 1528	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 352 wrote to memory of 1528	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 352 wrote to memory of 1528	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 352 wrote to memory of 1152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 352 wrote to memory of 1152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 352 wrote to memory of 1152	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 352 wrote to memory of 2784	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 352 wrote to memory of 2784	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 352 wrote to memory of 2784	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 352 wrote to memory of 2836	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 352 wrote to memory of 2836	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 352 wrote to memory of 2836	352	2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_b691fcb000ac50a592aec0d1af30d8a8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:352
- C:\Windows\System\ewTcnFP.exe
  C:\Windows\System\ewTcnFP.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\XszTnbo.exe
  C:\Windows\System\XszTnbo.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\nVtvqCZ.exe
  C:\Windows\System\nVtvqCZ.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\woGuUVk.exe
  C:\Windows\System\woGuUVk.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\mAaaCsR.exe
  C:\Windows\System\mAaaCsR.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\gGTOMOV.exe
  C:\Windows\System\gGTOMOV.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\dWcJNfz.exe
  C:\Windows\System\dWcJNfz.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\rWOOchB.exe
  C:\Windows\System\rWOOchB.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\dAhsVhJ.exe
  C:\Windows\System\dAhsVhJ.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\htaGJTs.exe
  C:\Windows\System\htaGJTs.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\EojLjOo.exe
  C:\Windows\System\EojLjOo.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\jnUdzRs.exe
  C:\Windows\System\jnUdzRs.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\HFyRLOM.exe
  C:\Windows\System\HFyRLOM.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\NAJKQnS.exe
  C:\Windows\System\NAJKQnS.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\sWtwOEt.exe
  C:\Windows\System\sWtwOEt.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\XzrKkne.exe
  C:\Windows\System\XzrKkne.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\sOZuFXi.exe
  C:\Windows\System\sOZuFXi.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\gdFnyEC.exe
  C:\Windows\System\gdFnyEC.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\hMoKRHm.exe
  C:\Windows\System\hMoKRHm.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\OrrRlvG.exe
  C:\Windows\System\OrrRlvG.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\CwgRigX.exe
  C:\Windows\System\CwgRigX.exe
  2⤵
  - Executes dropped EXE
  PID:2836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EojLjOo.exe

Filesize
5.2MB

MD5
095909ddc5c8ac11cdc8b0b99f15aef9

SHA1
3ab33c1ce13c0ad101c04f36b24de7a0fc0b0aaa

SHA256
83f44100d911bb045a84e7e87b7fc522c5a0e4e94b9182d67f49bdf84851e5e5

SHA512
be766785a9125cf2f183e5ab0ebb5fdbc9f30b4525c0d8abce58997674b58962f6452538c2e2ad903b19d7f123e7c8cd62f37145eca570b70d9f6298a71a4458

Download Submit
C:\Windows\system\HFyRLOM.exe

Filesize
5.2MB

MD5
a5a79ace218ff794728897d2453acd40

SHA1
8ec210f2f76838c8908ee835ceb5a15c60acf900

SHA256
05b6624bd1c73c9193dbbb6f626c6421da8d603eced7912c27092c6b5c34a2cd

SHA512
aa6dbc1697fb6d4e88435e3a306ea514082a9d9bb9450158261ef6711fd9d9b56cd1026d9ec953eed94544ada8aa230357dd68fdca57888a720591c4cae9c5bc

Download Submit
C:\Windows\system\XszTnbo.exe

Filesize
5.2MB

MD5
f6c51e219b2aef4768a213b59339b57b

SHA1
373bba8f0cfd038cb821173ad8bee3ea286e3ceb

SHA256
5b29995d037ec58ba4debb14a543f3f7eebb0a35d1ed0ab21fff187c13192057

SHA512
04cecb44ee839fdaba2b767b37a6963b2bd6a0b47417dfd396f666fdbdc0ccc199498aff35a4813c838e88901a64642fc16c1d873be6f3336a9048bae2875f3a

Download Submit
C:\Windows\system\XzrKkne.exe

Filesize
5.2MB

MD5
188bffea0b0fb7513895a15ee06a52b4

SHA1
e2787bb9db6c609b1d4ca2100537356a37aa9366

SHA256
c3b5f8b5da513c1914fbdd1d3f029229f2dcbf1073626435c0f168ef282b0dec

SHA512
1edb9a4a7399549b691143ee73b15443653c3c537eaa5fd531035139477965ae4d0881a64396ebdaf1b6d9701ed9ccf9f969b486e0f3bcf0d6248b43e23c2ecb

Download Submit
C:\Windows\system\dAhsVhJ.exe

Filesize
5.2MB

MD5
5b39628ff6ff6c7d2d3fa1b756c7696c

SHA1
c01329cb7f9051ed12389922a5ea3a83d5f78c63

SHA256
4c450b9a4ce5b10fcc5770c22b172faab64b75fa6196f164fd95cce6937da89a

SHA512
2220b4ec6cde32a23050ce3e9e62581cb76f822deeb581d7dfbd40e5f0e86a3aa33bc0eabb76f4081b627cc382dc257202c8e8d92007fb544aae1b83c485c4b2

Download Submit
C:\Windows\system\dWcJNfz.exe

Filesize
5.2MB

MD5
c9c1755a63d7043de1440070eb8428cc

SHA1
cdc5c7af8c492633a23a24fdb6de5317ff5306c1

SHA256
314be91e2f8ea6e841c079677dd4f7b9204635118b350d2d6a1548b7d2074d8d

SHA512
082709c93d9feb06c060c715d765cc6617695dc5d01cf6cfcfc9993f2d7e9b79470b290548e5cd72f7d5c1f0fc4f2ee17af02b6ff07399aab10d930387368f86

Download Submit
C:\Windows\system\ewTcnFP.exe

Filesize
5.2MB

MD5
f3910903b45cd10604b8a402bd3f39d0

SHA1
cdf280e33d0d298e346538167108151e056f4af4

SHA256
bb5f91622fc5223be7fa1c5dcf7ac5346346d2248e6ff9a0c0bd1e1fdb7b3c14

SHA512
026ab77aee7559b81f0ecbf84b74996d464d481f50ac8087d2dc7ecd3a1d9e28259f169bc2b8c0e74c428d2ebfcb54abd9f171f95283e66b509d4c182de7bb4c

Download Submit
C:\Windows\system\gdFnyEC.exe

Filesize
5.2MB

MD5
ee056354e9d8136795923116262ba3ea

SHA1
905895dde343057916e74e562f7cdf236c0fd03b

SHA256
0cc5f48ac30d1e4470e2da678acb7b41c07d1ed2a1e138811647943a2337b86e

SHA512
8d4747a3a1376824660f9b6c8c09789980439a5e4ef238b4782b93e045adad8495381b9ad2ab6ac207019c1494d35c52d632072a3e23ab4c42183fd99e391c05

Download Submit
C:\Windows\system\hMoKRHm.exe

Filesize
5.2MB

MD5
42518d23acf0c1b486596fa3f6bfbac3

SHA1
2154c62ae0e936cbad3c0c8ed5dce11a795b842a

SHA256
d3d3f11ed3c8e2ad3b1a52be245c6feff6ea5c10c73eab7f8f86d84d9bf1f646

SHA512
eacab2221b2dbbd822ae102bbef6156208f8d0d07d517e92ff972afda39924f5a6ba54a3d0c0ad290ff44733973c86e2962a8b8916bc88de9b9e83a1795c71f8

Download Submit
C:\Windows\system\htaGJTs.exe

Filesize
5.2MB

MD5
91862c426214dd89f45e59b3f75c45e5

SHA1
edb069c1547534f0e2269567ada02025fafd069a

SHA256
c4bb6220d69cb2c0abb6bcbe491ea25f03e7d6461c384d127289bb5c9bf4be02

SHA512
a827fbd5b30807cc941051b82d34211d924d7c2e8babbf1cdede6e7b6158cc4e74ab85f60fe127523909f499ba47db6dce63b2f0b37b9d59168c222ee48c7967

Download Submit
C:\Windows\system\jnUdzRs.exe

Filesize
5.2MB

MD5
e6491efa96052acc87c76bb013337875

SHA1
28012a5723a5eb9d805c3db5958ebb227abbcf65

SHA256
54bb5ab66518c8aa819d99a6eb12de798bd9165b7f83edc65f37b4933ddfc5a9

SHA512
dc0a978f257e96bf02191dc779d811a61bd1b9a4a4a35b1bd5c73a296f684959d908ac1d3b0bd7b6e6c31611739d9ddb1f5b2a335ee813e3e34d0fc21a501e0e

Download Submit
C:\Windows\system\mAaaCsR.exe

Filesize
5.2MB

MD5
6e8567626311a0843836d494093571a8

SHA1
4bedbfe788d89f7242f2f53fa7824b9127b60cd9

SHA256
31ee0b3c75350db41f1ab4b554162440b94d7733ad7c36b6094191e9f806477a

SHA512
10e53112f8a60658079aeebe6ca6198f9163fe2ec161a66fccd2ab7e16ee2b52a7de474092392d91f49970ab67cf04cd0c9697bc05c87f784d54e9fb2f249a99

Download Submit
C:\Windows\system\rWOOchB.exe

Filesize
5.2MB

MD5
3c4b65f25c2af482fe8f9ed2509a06b9

SHA1
f7902a1d92bbc6339237b2ac9eb7114c1e032ab4

SHA256
8722d1c9ffafa4db9fd6d1f1d1688a64b88eb56734b403d7e34b867d0db969c2

SHA512
1e5cb3dc09823e17a7dc078ce24c97de8ca39517de68d0a02b26f5d9cc6ce69ce11229de79b7740e9638ef373b6dcdf53bac6e2e8ff8b50ba0992a811e55d8be

Download Submit
C:\Windows\system\sOZuFXi.exe

Filesize
5.2MB

MD5
ccca9e30b0ebd1285f2bff4094f65605

SHA1
9052b97edd1396ce3b1bf66fe5c5b32b3c5927c7

SHA256
9282509971668dc3f781925668fb838002356fd4f94386a90072099b7a7a2fd6

SHA512
0d8df2416026aeb76060248ebce06de215b81b4ed3c2245370b77aeb8c14e804fdb9dcbf2314eed1c3db82ddca53665067fb654e30d6957a73babb72b8e88496

Download Submit
C:\Windows\system\sWtwOEt.exe

Filesize
5.2MB

MD5
540723aad7c499df13307d5afdeb71c1

SHA1
e98213dd81c0f8b598e36901c990f7b7ed07d610

SHA256
db6e5994d24e04da97baee421cacf58ed43b144f8d13fecb8fd5ae33ea2ea10d

SHA512
57c95c1ff7e2fb83c0a70d0900825ecf1209f89d639c76799ec7e881ea775c729944a1a9b8e2461db2e53e5d870fee89884a24b4396e9d91dda4860786386688

Download Submit
\Windows\system\CwgRigX.exe

Filesize
5.2MB

MD5
a2091222bb4cdc084adc03984efa04c6

SHA1
c048a8ff2bbb0cccb4254f8cda8daa868e664764

SHA256
545c3b7d8c890355224ae975a1e6089dacd8c148334b205aaeda01044f371d1c

SHA512
f9e388c93abc939361ca435db62dd366bdbed6b96112a97800cfe796e957c75104f4c2df02a5fd2d2983c0d67e5467c6f57807b2dc8782a49c0bf1b26370a6bc

Download Submit
\Windows\system\NAJKQnS.exe

Filesize
5.2MB

MD5
69ab765102cfd6aaf5351f81f1bcc5d3

SHA1
4ea3b2169cfdf779e1e99e1586b5954832ef6303

SHA256
138fd8bc7706fbec03eb252a8ddc668abbea158abae3300a37b5a6cd40e837f4

SHA512
6890c6a5b5a3cb6e83673ce88338b7f8c470d9a435682afb7d517fc93e47c608172008cb89a099c157a01a518446ac863322ccade59900589339aa1d95967505

Download Submit
\Windows\system\OrrRlvG.exe

Filesize
5.2MB

MD5
192b7eb0b4153e8871afb2dfc3c9af3d

SHA1
944ddd35a31dcb4256718505193fc20eb431d36c

SHA256
ec44cb390d01f80a86a691e6e8cd1a4be7697853a1885d0f65bf1cb85c972ed0

SHA512
25ec200b7cad4f521d74ef6a606617642866b691f55b3fde789b94c87af564a5f7c639b16ae4edf783ed326b63ea57093e9fa8d9ae2149f1cc422fc9a52659c9

Download Submit
\Windows\system\gGTOMOV.exe

Filesize
5.2MB

MD5
1f684d923566443e4d5184ee5840ca38

SHA1
328276fa193bd29f436f89970bc5ca2c2099fd07

SHA256
1a83e3f2cd182e8f8017534b47c68e008f3f9a9c6df784c598db0f4e654a8071

SHA512
9d358c9155a45af1d2820b7a19b44174d77c73efb3a5165910986d5f4a48f047d050cc0179f15761959d9291cbf4f161c7289c4dedcc38494f0a32a5150dcb61

Download Submit
\Windows\system\nVtvqCZ.exe

Filesize
5.2MB

MD5
8ad1e5aadd034cfb9ce906253239156f

SHA1
755dd48d4a87ac897c7eb6f5b1a4844652c25bfa

SHA256
322d300e75080d422cbd05468d703a46bf3655cac86f0576a9c93cc274428562

SHA512
d7ed3820e05ada4d989d9832e84b53a8e372d2fddd983be9cd07a68a52be10dcf488271f23abdd2d3d087fb60a1ad394649eadd6e147bbfecd6f33363f49df13

Download Submit
\Windows\system\woGuUVk.exe

Filesize
5.2MB

MD5
0017d660d886c1b6d78c3e1bee10c44c

SHA1
f5e9fbb7aec50d2c9600d1814550240d0271abd5

SHA256
fa6dcbe5c7323196a2e7afdbd43bf034469d7b46320982a2397dc0c5bc9e267f

SHA512
fe10f9fed8eefa9a3ce7a4c5a6107e18ea46797ffd635a8c3ffa8cf348b1249f624304982b8f673dc390d4eef2772f5af6da846128ab793646a4cffec6537526

Download Submit
memory/352-140-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/352-146-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/352-0-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/352-47-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/352-141-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-49-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-65-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/352-67-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/352-31-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-38-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-92-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/352-118-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/352-100-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-99-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/352-143-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/352-114-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/352-153-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/352-29-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/352-128-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/352-1-0x0000000000100000-0x0000000000110000-memory.dmp

Filesize
64KB

Download
memory/352-7-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/352-167-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/824-162-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-59-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-19-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1056-221-0x000000013F490000-0x000000013F7E1000-memory.dmp

Filesize
3.3MB

Download
memory/1152-164-0x000000013FF70000-0x00000001402C1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-163-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/1972-243-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-66-0x000000013FC90000-0x000000013FFE1000-memory.dmp

Filesize
3.3MB

Download
memory/2052-161-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2152-127-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2152-258-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/2156-227-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-73-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-34-0x000000013FA80000-0x000000013FDD1000-memory.dmp

Filesize
3.3MB

Download
memory/2184-249-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2184-97-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2196-247-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2196-96-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2460-56-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-9-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2460-219-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2536-81-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2536-245-0x000000013F360000-0x000000013F6B1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-58-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2568-241-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-87-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-142-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2596-260-0x000000013F450000-0x000000013F7A1000-memory.dmp

Filesize
3.3MB

Download
memory/2660-50-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2660-239-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2712-32-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-225-0x000000013F090000-0x000000013F3E1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-42-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-229-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2736-122-0x000000013FE60000-0x00000001401B1000-memory.dmp

Filesize
3.3MB

Download
memory/2784-165-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2836-166-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2892-160-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/3056-223-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-23-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/3056-57-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download