cobaltstrike | f91c63cc8fc909b9c5c1f6be964114d69f34062b5efa651ac00f72215b2020f2

Analysis

max time kernel
126s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

11f1e5ddaf503603cb3a53e557d8e416
SHA1

c234a0ee342654fc90c7bdef29e8b16da5713bcd
SHA256

f91c63cc8fc909b9c5c1f6be964114d69f34062b5efa651ac00f72215b2020f2
SHA512

2e6a6095f86411078d2b9bda4ce6e7ba0a5276d7037d0ab1516dee30a6bfd1a3d72e79d8fb2cfd1b5dbc9ef7d98ac7ab433a0be86b6fd95a460bbf3b8fcc6994
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU9:E+b56utgpPF8u/79

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a00000001225c-6.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018b05-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b54-24.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b59-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b50-11.dat	cobalt_reflective_dll
behavioral1/files/0x0003000000018334-55.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000197fd-77.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019820-86.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019bf6-111.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d61-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d6d-137.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019e92-143.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019d62-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3c-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019bf9-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019bf5-102.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001998d-93.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019761-72.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018b71-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b89-45.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001975a-59.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 63 IoCs

miner

resource	yara_rule
behavioral1/memory/1356-0-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/files/0x000a00000001225c-6.dat	xmrig
behavioral1/files/0x0009000000018b05-12.dat	xmrig
behavioral1/memory/1356-16-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2316-23-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b54-24.dat	xmrig
behavioral1/memory/2872-29-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b59-30.dat	xmrig
behavioral1/memory/2860-14-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2296-13-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/files/0x0007000000018b50-11.dat	xmrig
behavioral1/memory/1356-39-0x000000013F310000-0x000000013F664000-memory.dmp	xmrig
behavioral1/files/0x0003000000018334-55.dat	xmrig
behavioral1/memory/2812-73-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/files/0x00050000000197fd-77.dat	xmrig
behavioral1/memory/2416-80-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/files/0x0005000000019820-86.dat	xmrig
behavioral1/files/0x0005000000019bf6-111.dat	xmrig
behavioral1/files/0x0005000000019d61-128.dat	xmrig
behavioral1/files/0x0005000000019d6d-137.dat	xmrig
behavioral1/files/0x0005000000019e92-143.dat	xmrig
behavioral1/memory/2812-140-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2416-146-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/files/0x0005000000019d62-132.dat	xmrig
behavioral1/files/0x0005000000019c3c-122.dat	xmrig
behavioral1/files/0x0005000000019bf9-117.dat	xmrig
behavioral1/memory/1020-107-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/1356-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/1356-104-0x00000000024D0000-0x0000000002824000-memory.dmp	xmrig
behavioral1/files/0x0005000000019bf5-102.dat	xmrig
behavioral1/memory/1356-112-0x00000000024D0000-0x0000000002824000-memory.dmp	xmrig
behavioral1/memory/2776-98-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/1584-97-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2116-90-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/files/0x000500000001998d-93.dat	xmrig
behavioral1/memory/2872-78-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019761-72.dat	xmrig
behavioral1/memory/1356-71-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2716-70-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1356-54-0x00000000024D0000-0x0000000002824000-memory.dmp	xmrig
behavioral1/memory/2860-53-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2776-52-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/3024-49-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x0009000000018b71-47.dat	xmrig
behavioral1/files/0x0007000000018b89-45.dat	xmrig
behavioral1/memory/2588-67-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/1356-66-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2976-65-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/files/0x000500000001975a-59.dat	xmrig
behavioral1/memory/2296-150-0x000000013FF00000-0x0000000140254000-memory.dmp	xmrig
behavioral1/memory/2860-152-0x000000013FDF0000-0x0000000140144000-memory.dmp	xmrig
behavioral1/memory/2316-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	xmrig
behavioral1/memory/2872-153-0x000000013F970000-0x000000013FCC4000-memory.dmp	xmrig
behavioral1/memory/2776-154-0x000000013F4B0000-0x000000013F804000-memory.dmp	xmrig
behavioral1/memory/3024-155-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2588-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2716-158-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2976-157-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/2812-160-0x000000013FCE0000-0x0000000140034000-memory.dmp	xmrig
behavioral1/memory/2416-159-0x000000013FCF0000-0x0000000140044000-memory.dmp	xmrig
behavioral1/memory/1584-161-0x000000013F6B0000-0x000000013FA04000-memory.dmp	xmrig
behavioral1/memory/2116-162-0x000000013F2B0000-0x000000013F604000-memory.dmp	xmrig
behavioral1/memory/1020-163-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2296	kxVxSUX.exe
2860	UiASbqY.exe
2316	FZBKUqh.exe
2872	FwLZRbm.exe
3024	YbFfqzC.exe
2776	YSrtvgD.exe
2976	bnpJrem.exe
2588	EaYUCAo.exe
2716	gLQAIcN.exe
2812	QaDuGhB.exe
2416	UMVCHOn.exe
2116	sKSgMPG.exe
1584	kZSdUcJ.exe
1020	JAcPwKj.exe
3044	sNKVtyv.exe
2300	xuNRDYC.exe
2952	sSfgOmH.exe
2004	XCCRwEt.exe
2540	uCVWSAo.exe
2896	CLTnapw.exe
1148	dbjhRep.exe

Loads dropped DLL 21 IoCs

pid	Process
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 56 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1356-0-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/files/0x000a00000001225c-6.dat	upx
behavioral1/files/0x0009000000018b05-12.dat	upx
behavioral1/memory/2316-23-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/files/0x0007000000018b54-24.dat	upx
behavioral1/memory/2872-29-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0007000000018b59-30.dat	upx
behavioral1/memory/2860-14-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2296-13-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/files/0x0007000000018b50-11.dat	upx
behavioral1/memory/1356-39-0x000000013F310000-0x000000013F664000-memory.dmp	upx
behavioral1/files/0x0003000000018334-55.dat	upx
behavioral1/memory/2812-73-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/files/0x00050000000197fd-77.dat	upx
behavioral1/memory/2416-80-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/files/0x0005000000019820-86.dat	upx
behavioral1/files/0x0005000000019bf6-111.dat	upx
behavioral1/files/0x0005000000019d61-128.dat	upx
behavioral1/files/0x0005000000019d6d-137.dat	upx
behavioral1/files/0x0005000000019e92-143.dat	upx
behavioral1/memory/2812-140-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2416-146-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/files/0x0005000000019d62-132.dat	upx
behavioral1/files/0x0005000000019c3c-122.dat	upx
behavioral1/files/0x0005000000019bf9-117.dat	upx
behavioral1/memory/1020-107-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/files/0x0005000000019bf5-102.dat	upx
behavioral1/memory/2776-98-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/1584-97-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2116-90-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/files/0x000500000001998d-93.dat	upx
behavioral1/memory/2872-78-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/files/0x0005000000019761-72.dat	upx
behavioral1/memory/2716-70-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2860-53-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2776-52-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/3024-49-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x0009000000018b71-47.dat	upx
behavioral1/files/0x0007000000018b89-45.dat	upx
behavioral1/memory/2588-67-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2976-65-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/files/0x000500000001975a-59.dat	upx
behavioral1/memory/2296-150-0x000000013FF00000-0x0000000140254000-memory.dmp	upx
behavioral1/memory/2860-152-0x000000013FDF0000-0x0000000140144000-memory.dmp	upx
behavioral1/memory/2316-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp	upx
behavioral1/memory/2872-153-0x000000013F970000-0x000000013FCC4000-memory.dmp	upx
behavioral1/memory/2776-154-0x000000013F4B0000-0x000000013F804000-memory.dmp	upx
behavioral1/memory/3024-155-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2588-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2716-158-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2976-157-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/2812-160-0x000000013FCE0000-0x0000000140034000-memory.dmp	upx
behavioral1/memory/2416-159-0x000000013FCF0000-0x0000000140044000-memory.dmp	upx
behavioral1/memory/1584-161-0x000000013F6B0000-0x000000013FA04000-memory.dmp	upx
behavioral1/memory/2116-162-0x000000013F2B0000-0x000000013F604000-memory.dmp	upx
behavioral1/memory/1020-163-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\FwLZRbm.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UMVCHOn.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JAcPwKj.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CLTnapw.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dbjhRep.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FZBKUqh.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YbFfqzC.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bnpJrem.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gLQAIcN.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QaDuGhB.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UiASbqY.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaYUCAo.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSfgOmH.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xuNRDYC.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XCCRwEt.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uCVWSAo.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kxVxSUX.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YSrtvgD.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKSgMPG.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kZSdUcJ.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sNKVtyv.exe	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 2296	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1356 wrote to memory of 2296	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1356 wrote to memory of 2296	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1356 wrote to memory of 2860	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1356 wrote to memory of 2860	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1356 wrote to memory of 2860	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1356 wrote to memory of 2316	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1356 wrote to memory of 2316	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1356 wrote to memory of 2316	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1356 wrote to memory of 2872	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1356 wrote to memory of 2872	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1356 wrote to memory of 2872	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1356 wrote to memory of 3024	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1356 wrote to memory of 3024	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1356 wrote to memory of 3024	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1356 wrote to memory of 2976	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1356 wrote to memory of 2976	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1356 wrote to memory of 2976	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1356 wrote to memory of 2776	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1356 wrote to memory of 2776	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1356 wrote to memory of 2776	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1356 wrote to memory of 2716	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1356 wrote to memory of 2716	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1356 wrote to memory of 2716	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1356 wrote to memory of 2588	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1356 wrote to memory of 2588	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1356 wrote to memory of 2588	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1356 wrote to memory of 2812	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1356 wrote to memory of 2812	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1356 wrote to memory of 2812	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1356 wrote to memory of 2416	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1356 wrote to memory of 2416	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1356 wrote to memory of 2416	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1356 wrote to memory of 2116	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1356 wrote to memory of 2116	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1356 wrote to memory of 2116	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1356 wrote to memory of 1584	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1356 wrote to memory of 1584	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1356 wrote to memory of 1584	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1356 wrote to memory of 1020	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1356 wrote to memory of 1020	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1356 wrote to memory of 1020	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1356 wrote to memory of 3044	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1356 wrote to memory of 3044	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1356 wrote to memory of 3044	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1356 wrote to memory of 2300	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1356 wrote to memory of 2300	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1356 wrote to memory of 2300	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1356 wrote to memory of 2952	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1356 wrote to memory of 2952	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1356 wrote to memory of 2952	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1356 wrote to memory of 2004	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1356 wrote to memory of 2004	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1356 wrote to memory of 2004	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1356 wrote to memory of 2540	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1356 wrote to memory of 2540	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1356 wrote to memory of 2540	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1356 wrote to memory of 2896	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1356 wrote to memory of 2896	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1356 wrote to memory of 2896	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1356 wrote to memory of 1148	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1356 wrote to memory of 1148	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1356 wrote to memory of 1148	1356	2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_11f1e5ddaf503603cb3a53e557d8e416_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\System\kxVxSUX.exe
  C:\Windows\System\kxVxSUX.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\UiASbqY.exe
  C:\Windows\System\UiASbqY.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\FZBKUqh.exe
  C:\Windows\System\FZBKUqh.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\FwLZRbm.exe
  C:\Windows\System\FwLZRbm.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\YbFfqzC.exe
  C:\Windows\System\YbFfqzC.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\bnpJrem.exe
  C:\Windows\System\bnpJrem.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\YSrtvgD.exe
  C:\Windows\System\YSrtvgD.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\gLQAIcN.exe
  C:\Windows\System\gLQAIcN.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\EaYUCAo.exe
  C:\Windows\System\EaYUCAo.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\QaDuGhB.exe
  C:\Windows\System\QaDuGhB.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\UMVCHOn.exe
  C:\Windows\System\UMVCHOn.exe
  2⤵
  - Executes dropped EXE
  PID:2416
- C:\Windows\System\sKSgMPG.exe
  C:\Windows\System\sKSgMPG.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System\kZSdUcJ.exe
  C:\Windows\System\kZSdUcJ.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\JAcPwKj.exe
  C:\Windows\System\JAcPwKj.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\sNKVtyv.exe
  C:\Windows\System\sNKVtyv.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\xuNRDYC.exe
  C:\Windows\System\xuNRDYC.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\sSfgOmH.exe
  C:\Windows\System\sSfgOmH.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Windows\System\XCCRwEt.exe
  C:\Windows\System\XCCRwEt.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\uCVWSAo.exe
  C:\Windows\System\uCVWSAo.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\CLTnapw.exe
  C:\Windows\System\CLTnapw.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\dbjhRep.exe
  C:\Windows\System\dbjhRep.exe
  2⤵
  - Executes dropped EXE
  PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CLTnapw.exe

Filesize
5.9MB

MD5
8f2a21188077c48de546a669890e4b92

SHA1
dd62d2bb62e202f1aaf4e27b758d1b120c666fd4

SHA256
c3c7262df5ef70146bf1f56f1cfee2f1978a96c6d2dbc7f294cd386116619ae4

SHA512
01a8066b9269321e85f673a3514c14e7d03fd2f4cb4c3b2af59ae47933a143253ddd1418b8ca238735c66754af1a8e2454cfaefdd2f9dd213c435fb803896bd9

Download Submit
C:\Windows\system\EaYUCAo.exe

Filesize
5.9MB

MD5
962947df7fac39cac396afa750a918fd

SHA1
c1798590c68002f7e677f4c4686fcb584f0e5fdd

SHA256
bb828d0006751886a45c3ac815a33b543ba628d220d40f56cdde9cc06a7746c4

SHA512
43b65e3d67a2258664cd3608a18bb2369e40e3fb03051d9bea52fd50d26ab90af8bcda9c40befae60ec7576341b7088ff81040ffcb79f53fd7a7667a5b3c38be

Download Submit
C:\Windows\system\FZBKUqh.exe

Filesize
5.9MB

MD5
6bdf130f5a1a0e248de11dc56d49f142

SHA1
777f21f340d659a06b85a5477b5cdefef6173538

SHA256
ca3a9e24b6e502f6feb6a8f5ca9a999238399f50a37e563afaa225a75dd8d733

SHA512
9ad3abed9a120b2c251f0b7894bf4da2f31b9a3ab0daed182e85d5c14c9a85c2c2941b1b5b441d31ef82ea050e5ca280ad1ec1ccb58ebc0f64f2844061911253

Download Submit
C:\Windows\system\JAcPwKj.exe

Filesize
5.9MB

MD5
1eb823dd77f525dbf16ec788c1591fa5

SHA1
c9440a90bd066778418d84dde8ba4ecdac1c77e5

SHA256
532fcc9d84417133ea7e577383a94788df72ea41ca438a729e0b6b095c7f2bdd

SHA512
fe01dd0bcdcff2db665b95973df7679247664517ee4185b81fb9af2cdb816704060eb34e3aa8ea8a31f594f12b07ec45f152dfe77af51a5274549ff3ebc66e81

Download Submit
C:\Windows\system\QaDuGhB.exe

Filesize
5.9MB

MD5
da94ebe9a831819564ef7c65c133ab72

SHA1
936baa7e9098ae8fcd31d42467815be89334b642

SHA256
0d3ef421b34aef9c26788437ed57972c41e3ed04c09293b381b61551825f53e5

SHA512
5eff040540346aae3b645227c8c7a2136556ccef1876aabb23c40a72ada63d6bc32490c1cd087249de5d46e9a32cc1bd0fa6b62788b48802dd6a378cfda2b9f4

Download Submit
C:\Windows\system\UMVCHOn.exe

Filesize
5.9MB

MD5
24cfed38c24a9f9918ebc2ab49a080d3

SHA1
d0ff4023d3876f04a6f4bbcbe15a8987a8c7ed79

SHA256
8b2f4ffc22ad1276f85a4e81d95b0f20d8320ed5ddabfd29f40fe7b3b8c406a0

SHA512
f49062031f6a06d1b6ad4fcbb24da55dac5ca4ba2c76c389a312589335b60cd4cf08197761bfd8272b600ba06846d1254d98732150c7fcad4c4a989d8545897b

Download Submit
C:\Windows\system\UiASbqY.exe

Filesize
5.9MB

MD5
0c28dbb52a772810904fe58c2bf0250d

SHA1
1b0c55290a4fdde27b9b278adc03ddba4102eb12

SHA256
5af124f84820668f82d01c4f5641271fde0528066c9319c133e6b6a0b96f85b1

SHA512
6b8df5ee14198b6f49a111f21b95c616f7242b22d76617f7a4cea421d1378ac314edbcf8cd35f8780249bb13508757fecd7f585f65e7c1aa423230fea2c69319

Download Submit
C:\Windows\system\XCCRwEt.exe

Filesize
5.9MB

MD5
388014feb3e43fac0ef5a3beff3dcb91

SHA1
2ccee7719ea7fb837293680908fd0c0b6c21bb0a

SHA256
fc4ebc4f697a7a5679373aab5681fe4571ac1e0985eaf14b950ba2d747d07d2d

SHA512
1154f174f6f229a2957ebf04f57db806af61107956cfa071c6c14bf812eece2e2981c0d05637f6adf94f1cc9876cc83a023a9befb04af4758274b49d8dca9b53

Download Submit
C:\Windows\system\YSrtvgD.exe

Filesize
5.9MB

MD5
2ee8082b63938bd125ba9ae07e602041

SHA1
2db9331de8ee77d2067c57bb9748e285ced6836d

SHA256
b38cfe04e9ddc316a4ac178defdbb6be9a32304e60924adc0797efd9a55c547b

SHA512
9f5a6e01de9125bcee577ba3142de461b120610fbcf1ae3e51a0796515b31db9500a9736485f3e921d87329b072e40b485b9fdca7fa111f6be955350675e5cd9

Download Submit
C:\Windows\system\bnpJrem.exe

Filesize
5.9MB

MD5
30ee04a34a4358895590053707b00b5f

SHA1
511ba6e81cc6296075311def0696e2a196715f7a

SHA256
2e79b4af7a43bccb155217b0b20fff727b42ce0af10a665dd6fa893768eed00e

SHA512
77eff6fc420e9f9610ad934a5f4400b1626ee4b093aba696f872acc52b40ff08a1975972a965a91bd3b3ed6f399f5af8e5940468b43299c08d4ef8049b5d37de

Download Submit
C:\Windows\system\dbjhRep.exe

Filesize
5.9MB

MD5
bc6bbe250446f8da185b06bbcaf33969

SHA1
c9e540fcae989506b7ccb2f3315e86853f955722

SHA256
685fcb8bfb4ab629707694bd73a941f2a756f1130421ec325259152257a2a3a7

SHA512
c298374caccf5ac283294ed82a370b298f9ab5c7e4a6e1d28f02b30cfad565f8240d69b6cd1356d79be268809699ddcaff9f788fda9d199e99682c069acdd37c

Download Submit
C:\Windows\system\kZSdUcJ.exe

Filesize
5.9MB

MD5
01cf7599aae281ac81bff441e5e6441e

SHA1
ae8473a9b391cdccdf36a855a7f7bdad2691d92f

SHA256
28b4451a98949c41d14211a3d3fdbd7813f602bb46b7f3c128190d63d62fada7

SHA512
e7eb4fb7bf797472fc87884fc3eedbb98103cdfa5d62fdd31687eba35732a2868b74010f19c964dcc1f694f10a7491eafa2fad7d4023c6961a4704fae9d74093

Download Submit
C:\Windows\system\kxVxSUX.exe

Filesize
5.9MB

MD5
96f8c9279dd8b16e84da4302c77fdcda

SHA1
f61776a6c85975c665bc7a4e42a7bbf28779bd9c

SHA256
096e55a4196cb8ed9bd0332dc59f765f6c3fa0f9b9a151b116794bacd40850c0

SHA512
892de83e0a3b0cfb031f8e115aab2ce8e0e15c11928852edf0b663e0f5a8f83882dcdbc913774d8d1e200379287a9eac49082addcc1048ebd1aafd03789a331b

Download Submit
C:\Windows\system\sKSgMPG.exe

Filesize
5.9MB

MD5
b0adbf7879586adec838095cf1099ec6

SHA1
3684df352983542d6e0e08bf78db4c0937ccd018

SHA256
1eb13a7f5a3f3a00e5ae056512964cfe33c097824bc78e41c74450ac7da4a8e5

SHA512
b7b67a955601b2907bac6a255248632014b760691409fded0c7df7a03176658e780ffa4120cee599c1787c5b8a73832d42031599dc78abb76db7d4d80ae59ae1

Download Submit
C:\Windows\system\sNKVtyv.exe

Filesize
5.9MB

MD5
8b98a40190e613f7638e91d7bf3324dc

SHA1
b04b6a624b4a58adb08cbec7aac91f6abf1c96bf

SHA256
672376432fe3e55a82ea447ec1e2683bba62312a8fa0c7519e7b510a7f95021f

SHA512
759906ef5c4052e463af198f5a5d2d177cc7a650eb3e8f5be49cb2ce79d2b93318547dce04e0585eb870411bf86281b841c75decd4be7f5463566bc8a3303c80

Download Submit
C:\Windows\system\sSfgOmH.exe

Filesize
5.9MB

MD5
02edfa99b2984fdbf748c9387ef05aaf

SHA1
978f77309dea06c4a69fd2c724a30e2e1afb4124

SHA256
d34691c0356a14313af9bd16e59c2f8f9b3c5eb6cd824b65495c6a2c7bde6f60

SHA512
fd7d4725651cf226e5c626b07b8f764292a32408493656e348a5b465daca443786a3678654527ae1960b464e854b503013fcb0d56c971102e81cfe6749294c46

Download Submit
C:\Windows\system\uCVWSAo.exe

Filesize
5.9MB

MD5
82151e897df13a8576cbcac7325a7275

SHA1
142f02f87937fa7e03225ac72b4bf593b1a2fc6f

SHA256
883de12f8416f98b41d173a69080f049c15d8d6f67b91e48dfab581eaeabdd34

SHA512
324874986759bdc8f62546376fd9d059abea2bfd7bd2aca779a80381bc66649e9636d35787f22f0101b5c4b8460131716aa54b22724dda6192128077fe1e8d0a

Download Submit
C:\Windows\system\xuNRDYC.exe

Filesize
5.9MB

MD5
4d1b8067ae7c434ca6da187099877428

SHA1
199f9e7a8085f8a44f1d42b85d8a574564cb8ffc

SHA256
c56eb6b65a3f92b638560033a1ed185f6ac9bbcf15f18bec7840ff534c1b2570

SHA512
c06023ba883cc136ea3e4a7965e76bc3df4658357f6093a8591b1e2343627f7876de4509e6c445b5d4a6a3657e882c8d814fda799b56f3173dc6be229a7f9689

Download Submit
\Windows\system\FwLZRbm.exe

Filesize
5.9MB

MD5
dec4fd352f2715dc5d7b0ae28c11bb03

SHA1
b21493f9051a72403ea69b1523676194f2641748

SHA256
4137cab9ba7265180d4a64ce13b94e30a874b423e137edd376ecd4dca6b445dd

SHA512
011453aab548dc17ce579fe9c716d6ccac95d2d0a310d9f964354a7281ad5dae34c7eab6c0215725f4d90b14d143664238dc13d6cd4958fe5969065cf675ebba

Download Submit
\Windows\system\YbFfqzC.exe

Filesize
5.9MB

MD5
ea6da23d1aab0e6c039cc6df30d63152

SHA1
0b56158728f77db380691e8d48cd6dda896a085b

SHA256
f0e872005876f99d83dd80f0a971f4f502d2e5e1c78bb2f76be0c6d46b950664

SHA512
32ae5b7b0102e8908db0aad629aef4181a03d42fad41de1a42ef893f4479b052939d98edefae6a4a222da0c8119d2a10a5425b65d92aa108187f8fa360963828

Download Submit
\Windows\system\gLQAIcN.exe

Filesize
5.9MB

MD5
d6fe9abcdbfee86d027bd56916a9484b

SHA1
f97b5ab20fdf89e50a19f90bb412b2e77ec8b32a

SHA256
03a824f7ff0194af3cc1cba1f3017690cbf905f8ec112812e53635829a8870b4

SHA512
2b9a7501966b17f7e9bc2028bcf9d5718fe08722b033e5a6d7d673ba71356c61817da4f7754a3a7f36ff913f9ce7bd977a96d727e744a75a357f0fc86b58d60e

Download Submit
memory/1020-107-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1020-163-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1356-149-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-54-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1356-44-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/1356-10-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/1356-64-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/1356-145-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1356-39-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1356-147-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-22-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-66-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/1356-16-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/1356-148-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1356-106-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/1356-104-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-28-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-113-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/1356-0-0x000000013F310000-0x000000013F664000-memory.dmp

Filesize
3.3MB

Download
memory/1356-112-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-50-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/1356-105-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-96-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/1356-71-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/1356-89-0x00000000024D0000-0x0000000002824000-memory.dmp

Filesize
3.3MB

Download
memory/1356-31-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/1356-79-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/1584-161-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/1584-97-0x000000013F6B0000-0x000000013FA04000-memory.dmp

Filesize
3.3MB

Download
memory/2116-90-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2116-162-0x000000013F2B0000-0x000000013F604000-memory.dmp

Filesize
3.3MB

Download
memory/2296-13-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2296-150-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/2316-23-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2316-151-0x000000013FBA0000-0x000000013FEF4000-memory.dmp

Filesize
3.3MB

Download
memory/2416-159-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2416-80-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2416-146-0x000000013FCF0000-0x0000000140044000-memory.dmp

Filesize
3.3MB

Download
memory/2588-156-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2588-67-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2716-158-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2716-70-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2776-98-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2776-154-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2776-52-0x000000013F4B0000-0x000000013F804000-memory.dmp

Filesize
3.3MB

Download
memory/2812-140-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2812-73-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2812-160-0x000000013FCE0000-0x0000000140034000-memory.dmp

Filesize
3.3MB

Download
memory/2860-152-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2860-53-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2860-14-0x000000013FDF0000-0x0000000140144000-memory.dmp

Filesize
3.3MB

Download
memory/2872-78-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-29-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2872-153-0x000000013F970000-0x000000013FCC4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-157-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2976-65-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-49-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/3024-155-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download