cobaltstrike | 58a53f3e1486d752148649875958dc7518404cc7d5f0d561ac191607773630f0

Analysis

max time kernel
138s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

a063af4c5e6422ef3900dd0de5e1548f
SHA1

176dfb210398368b52f90439e42434891ee71f6f
SHA256

58a53f3e1486d752148649875958dc7518404cc7d5f0d561ac191607773630f0
SHA512

190273d05600922f61cb9a8658eb7acdec10a7ebebd5bc69e7c243b9e751802ee535decee0909afde7d31dbe59fd98e48ac113cb9abe8a3f033816194d3a4d3a
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUv:E+b56utgpPF8u/7v

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c000000012268-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d03-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d0e-9.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d2a-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d59-36.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d41-33.dat	cobalt_reflective_dll
behavioral1/files/0x0035000000015cd1-54.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d81-46.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c56-61.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c73-66.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016c7b-75.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016cc5-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016ce7-92.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d1d-98.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d47-118.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d63-130.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d69-133.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d4f-125.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d36-115.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d3f-111.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000016d2e-104.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 59 IoCs

miner

resource	yara_rule
behavioral1/memory/1608-0-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/files/0x000c000000012268-3.dat	xmrig
behavioral1/memory/1888-15-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2988-14-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/files/0x0009000000015d03-6.dat	xmrig
behavioral1/files/0x0008000000015d0e-9.dat	xmrig
behavioral1/memory/2536-21-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d2a-22.dat	xmrig
behavioral1/memory/2584-26-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d59-36.dat	xmrig
behavioral1/files/0x0007000000015d41-33.dat	xmrig
behavioral1/memory/1608-42-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/memory/2672-41-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2700-40-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/1608-49-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/1608-48-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/files/0x0035000000015cd1-54.dat	xmrig
behavioral1/memory/2824-57-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/3024-50-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d81-46.dat	xmrig
behavioral1/files/0x0007000000016c56-61.dat	xmrig
behavioral1/files/0x0006000000016c73-66.dat	xmrig
behavioral1/memory/2456-73-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2584-70-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2536-65-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2608-64-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c7b-75.dat	xmrig
behavioral1/files/0x0006000000016cc5-84.dat	xmrig
behavioral1/memory/1608-93-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ce7-92.dat	xmrig
behavioral1/memory/1236-96-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/1864-91-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/1756-90-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d1d-98.dat	xmrig
behavioral1/memory/1608-85-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
behavioral1/memory/2700-74-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d47-118.dat	xmrig
behavioral1/memory/2824-114-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016d63-130.dat	xmrig
behavioral1/files/0x0006000000016d69-133.dat	xmrig
behavioral1/files/0x0006000000016d4f-125.dat	xmrig
behavioral1/files/0x0006000000016d36-115.dat	xmrig
behavioral1/files/0x0006000000016d3f-111.dat	xmrig
behavioral1/files/0x0006000000016d2e-104.dat	xmrig
behavioral1/memory/2780-138-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig
behavioral1/memory/2988-142-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	xmrig
behavioral1/memory/1888-143-0x000000013F8F0000-0x000000013FC44000-memory.dmp	xmrig
behavioral1/memory/2536-144-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	xmrig
behavioral1/memory/2584-145-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2672-147-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2700-146-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/3024-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	xmrig
behavioral1/memory/2824-149-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	xmrig
behavioral1/memory/2608-150-0x000000013F5D0000-0x000000013F924000-memory.dmp	xmrig
behavioral1/memory/2456-151-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/1864-152-0x000000013F060000-0x000000013F3B4000-memory.dmp	xmrig
behavioral1/memory/1756-153-0x000000013F490000-0x000000013F7E4000-memory.dmp	xmrig
behavioral1/memory/1236-154-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2780-155-0x000000013F700000-0x000000013FA54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1888	zfsqKoX.exe
2988	UxilbEp.exe
2536	zcSawmP.exe
2584	UgYcmPy.exe
2700	eryaYBP.exe
2672	WqLkgIG.exe
3024	uRUVwoN.exe
2824	wqtauKh.exe
2608	FGTrWpz.exe
2456	ArPuglf.exe
1864	jhipkiY.exe
1756	HlBlhXW.exe
1236	tWCNFKj.exe
2780	srtwatn.exe
1660	IgITTWe.exe
1556	TxfKQUp.exe
1788	jBpVjuQ.exe
1716	gMfmjRC.exe
1176	FuxsoLP.exe
1628	RdklOEh.exe
2268	lOMOVPs.exe

Loads dropped DLL 21 IoCs

pid	Process
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1608-0-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/files/0x000c000000012268-3.dat	upx
behavioral1/memory/1888-15-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2988-14-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/files/0x0009000000015d03-6.dat	upx
behavioral1/files/0x0008000000015d0e-9.dat	upx
behavioral1/memory/2536-21-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/files/0x0007000000015d2a-22.dat	upx
behavioral1/memory/2584-26-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/files/0x0007000000015d59-36.dat	upx
behavioral1/files/0x0007000000015d41-33.dat	upx
behavioral1/memory/2672-41-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2700-40-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/1608-48-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/files/0x0035000000015cd1-54.dat	upx
behavioral1/memory/2824-57-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/3024-50-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/files/0x0008000000015d81-46.dat	upx
behavioral1/files/0x0007000000016c56-61.dat	upx
behavioral1/files/0x0006000000016c73-66.dat	upx
behavioral1/memory/2456-73-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2584-70-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2536-65-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2608-64-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/files/0x0006000000016c7b-75.dat	upx
behavioral1/files/0x0006000000016cc5-84.dat	upx
behavioral1/files/0x0006000000016ce7-92.dat	upx
behavioral1/memory/1236-96-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/1864-91-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/1756-90-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/files/0x0006000000016d1d-98.dat	upx
behavioral1/memory/2700-74-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/files/0x0006000000016d47-118.dat	upx
behavioral1/memory/2824-114-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/files/0x0006000000016d63-130.dat	upx
behavioral1/files/0x0006000000016d69-133.dat	upx
behavioral1/files/0x0006000000016d4f-125.dat	upx
behavioral1/files/0x0006000000016d36-115.dat	upx
behavioral1/files/0x0006000000016d3f-111.dat	upx
behavioral1/files/0x0006000000016d2e-104.dat	upx
behavioral1/memory/2780-138-0x000000013F700000-0x000000013FA54000-memory.dmp	upx
behavioral1/memory/2988-142-0x000000013FAA0000-0x000000013FDF4000-memory.dmp	upx
behavioral1/memory/1888-143-0x000000013F8F0000-0x000000013FC44000-memory.dmp	upx
behavioral1/memory/2536-144-0x000000013F5A0000-0x000000013F8F4000-memory.dmp	upx
behavioral1/memory/2584-145-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2672-147-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2700-146-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/3024-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp	upx
behavioral1/memory/2824-149-0x000000013F0A0000-0x000000013F3F4000-memory.dmp	upx
behavioral1/memory/2608-150-0x000000013F5D0000-0x000000013F924000-memory.dmp	upx
behavioral1/memory/2456-151-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/1864-152-0x000000013F060000-0x000000013F3B4000-memory.dmp	upx
behavioral1/memory/1756-153-0x000000013F490000-0x000000013F7E4000-memory.dmp	upx
behavioral1/memory/1236-154-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2780-155-0x000000013F700000-0x000000013FA54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gMfmjRC.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zcSawmP.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgYcmPy.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eryaYBP.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\srtwatn.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IgITTWe.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wqtauKh.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGTrWpz.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOMOVPs.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zfsqKoX.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WqLkgIG.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HlBlhXW.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TxfKQUp.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuxsoLP.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jBpVjuQ.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RdklOEh.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxilbEp.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uRUVwoN.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ArPuglf.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhipkiY.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tWCNFKj.exe	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 1888	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1608 wrote to memory of 1888	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1608 wrote to memory of 1888	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	29
PID 1608 wrote to memory of 2988	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1608 wrote to memory of 2988	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1608 wrote to memory of 2988	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1608 wrote to memory of 2536	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1608 wrote to memory of 2536	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1608 wrote to memory of 2536	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1608 wrote to memory of 2584	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1608 wrote to memory of 2584	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1608 wrote to memory of 2584	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1608 wrote to memory of 2700	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1608 wrote to memory of 2700	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1608 wrote to memory of 2700	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1608 wrote to memory of 2672	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1608 wrote to memory of 2672	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1608 wrote to memory of 2672	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1608 wrote to memory of 3024	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1608 wrote to memory of 3024	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1608 wrote to memory of 3024	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1608 wrote to memory of 2824	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1608 wrote to memory of 2824	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1608 wrote to memory of 2824	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1608 wrote to memory of 2608	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1608 wrote to memory of 2608	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1608 wrote to memory of 2608	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1608 wrote to memory of 2456	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1608 wrote to memory of 2456	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1608 wrote to memory of 2456	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1608 wrote to memory of 1864	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1608 wrote to memory of 1864	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1608 wrote to memory of 1864	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1608 wrote to memory of 1756	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1608 wrote to memory of 1756	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1608 wrote to memory of 1756	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1608 wrote to memory of 1236	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1608 wrote to memory of 1236	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1608 wrote to memory of 1236	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1608 wrote to memory of 2780	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1608 wrote to memory of 2780	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1608 wrote to memory of 2780	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1608 wrote to memory of 1660	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1608 wrote to memory of 1660	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1608 wrote to memory of 1660	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1608 wrote to memory of 1556	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1608 wrote to memory of 1556	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1608 wrote to memory of 1556	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1608 wrote to memory of 1716	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1608 wrote to memory of 1716	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1608 wrote to memory of 1716	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1608 wrote to memory of 1788	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1608 wrote to memory of 1788	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1608 wrote to memory of 1788	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1608 wrote to memory of 1176	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1608 wrote to memory of 1176	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1608 wrote to memory of 1176	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1608 wrote to memory of 1628	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1608 wrote to memory of 1628	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1608 wrote to memory of 1628	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1608 wrote to memory of 2268	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1608 wrote to memory of 2268	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1608 wrote to memory of 2268	1608	2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe	49

C:\Users\Admin\AppData\Local\Temp\2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-21_a063af4c5e6422ef3900dd0de5e1548f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\System\zfsqKoX.exe
  C:\Windows\System\zfsqKoX.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\UxilbEp.exe
  C:\Windows\System\UxilbEp.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\zcSawmP.exe
  C:\Windows\System\zcSawmP.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\UgYcmPy.exe
  C:\Windows\System\UgYcmPy.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\eryaYBP.exe
  C:\Windows\System\eryaYBP.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\WqLkgIG.exe
  C:\Windows\System\WqLkgIG.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\uRUVwoN.exe
  C:\Windows\System\uRUVwoN.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\wqtauKh.exe
  C:\Windows\System\wqtauKh.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\FGTrWpz.exe
  C:\Windows\System\FGTrWpz.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\ArPuglf.exe
  C:\Windows\System\ArPuglf.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\jhipkiY.exe
  C:\Windows\System\jhipkiY.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\HlBlhXW.exe
  C:\Windows\System\HlBlhXW.exe
  2⤵
  - Executes dropped EXE
  PID:1756
- C:\Windows\System\tWCNFKj.exe
  C:\Windows\System\tWCNFKj.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\srtwatn.exe
  C:\Windows\System\srtwatn.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\IgITTWe.exe
  C:\Windows\System\IgITTWe.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\TxfKQUp.exe
  C:\Windows\System\TxfKQUp.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\gMfmjRC.exe
  C:\Windows\System\gMfmjRC.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\jBpVjuQ.exe
  C:\Windows\System\jBpVjuQ.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\FuxsoLP.exe
  C:\Windows\System\FuxsoLP.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\RdklOEh.exe
  C:\Windows\System\RdklOEh.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\lOMOVPs.exe
  C:\Windows\System\lOMOVPs.exe
  2⤵
  - Executes dropped EXE
  PID:2268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\FGTrWpz.exe

Filesize
5.9MB

MD5
0fbb24404d80ac6d74bf2d0ba2fbf311

SHA1
8e732835863b9dfcc652210abe60e61d9c05ebf1

SHA256
2531be9fab02b40e11ad6493c323b8590db20b6bf40b0b926a768a90cf91e88a

SHA512
660cb199dbdef3c736513c2b657778812bc7d2d59f83951cddeb5ba966bbbf7670a1765a87ff6be8c9dc2be61ee00c5159a7d250981e644356fafc7e9144ecbe

Download Submit
C:\Windows\system\FuxsoLP.exe

Filesize
5.9MB

MD5
11c44e355f1c60150467a5d49cd31966

SHA1
02e5afa01488461c285c799dfbe7dfdecd381e80

SHA256
3a46d0e11843afe44c39aa598666fb3c72893a92c59e2b68ded92dcd70229971

SHA512
dca821576271dddc52cb5413fcd6988e0381f2db3dfd8cdd0b99fb9182c84a1b6c4fff9530694f752ded8da46a9b15bdf4371b5973f47df07a1993388a13a236

Download Submit
C:\Windows\system\HlBlhXW.exe

Filesize
5.9MB

MD5
c2a81d3fdedac4b2e58f27d959d80ae7

SHA1
cc84fccdc6cab3321940755857830a61cc3f12ed

SHA256
c144252545e3d03d11aa1df9f124f28f85ef5cf0db79e0a33b1861328e91a0d5

SHA512
8ec3fa952ca17b5e8f390c36b0c8fe038de49b99f520f181788a13c41f2397515e40e89c360c328f22f26f8c866420adcf256781f76f07db8b00f63af9d77ead

Download Submit
C:\Windows\system\IgITTWe.exe

Filesize
5.9MB

MD5
50663ccd15082c1d22ec1a30e95b608f

SHA1
ed6fe307a0210da1d5430d6bae34d1955e73c0bd

SHA256
8a533f1550e662c1b12f0138615c89a00fd1485914a3d6d31de7c0adacdbfde9

SHA512
916dd8bcd6b752a7c3c54778093f8db7ab0541f93796d42edf22c8414c6fef72974db6ca9990b8e88ac183c2e14339d16fa0a30ee9935848980bd730d90c0057

Download Submit
C:\Windows\system\RdklOEh.exe

Filesize
5.9MB

MD5
f408d2ca70b5c8044cab48cfecf3ec57

SHA1
51e17e2f8272124db5b2faed4edb70ee5d0fe401

SHA256
99a0a466fd532b48be0bbcd91fa5df019ff8846d903e8da9f283186ff471d73c

SHA512
e9aad93082015138d917eff96e4f9b76aa8ccd5abf8a6d93c818fafdc90f7f5081657bb4f076dc827d2245b9c554c34d335204d3346b330816e634696061f88b

Download Submit
C:\Windows\system\TxfKQUp.exe

Filesize
5.9MB

MD5
a3961908c26cb601abf859d6271b9731

SHA1
1d987ad61f59211cd37b43f00b2ea5bb45f63f88

SHA256
73fd4cc18ddae5b299490f738587f95c96a2395f2f9c329dcc6eb6bfcd4b6198

SHA512
1a8436ac4bc4644fb73cb532ebe80c44c261e9cedf51639ce0efd7275714aabd91efc65a1a5f750cb8d1a3eb92659e5647ef81ab931db71e60a2f422c096a676

Download Submit
C:\Windows\system\WqLkgIG.exe

Filesize
5.9MB

MD5
e57a35da7e53745451d76e75f6e54641

SHA1
5cf4a5b242ac0019a2548e6523cacf3020bd9128

SHA256
d4867b4537378292b79e432aad2bce0f17616b6b1e43ee5b594d0e8105f3b251

SHA512
53ae0a3ac5a83f4ee2cd57e5f5e6f9dbbd0ff91f4f20a8c60815c6fee13c604afa1a971c03b11358b7892ae309a45cc759aa52f4038705bd96909e75e88509f1

Download Submit
C:\Windows\system\eryaYBP.exe

Filesize
5.9MB

MD5
cc49f266d442c9a02410d7f4e7357b31

SHA1
1c11f1f5a062ae379c83b4a75dabc106d49cd131

SHA256
827e01ba8217cdc90e05103acaac4e446910dd729c5a84db5d74161f591f5494

SHA512
c937976e741f5da980355fa5ab928aaf779c4f68270ffd15d24aa92ee2087cc8d6d97efcbf11202b7ef81b4c440874df1b0cb4b00ecce07217f58a9b783fbc76

Download Submit
C:\Windows\system\jBpVjuQ.exe

Filesize
5.9MB

MD5
6edf4d82a74c069a4cdc7e74cd8bf130

SHA1
b7200032a926d4d0d980cf5c318f17bb1e093c3b

SHA256
8566f448e48bbf6e26a634168978be353de7c0ed85acbbe0e430aa73abf7bb89

SHA512
c2470dde29d7429e90282463fd763e860ed2314524cf59f6c8892311603260335ac6f757ed95e64b9f2deffc10239b4066ffc458a049a2254210d2dce3f76d4b

Download Submit
C:\Windows\system\tWCNFKj.exe

Filesize
5.9MB

MD5
32c98c7a3f80aefc2670cc85c6a2726d

SHA1
25542e63401e1075f0fe268302999ca3c66b92b7

SHA256
ec021b15b477239caf2f69f7485531de178806fdb6aedce67eb51936f4429af2

SHA512
8edfea5b143851704a327330bc5d4d83f8782cd3d13648cc486c4e273fa6e59fb78b9ff615766b34d7f0b8589ed7fa365094b649098bccebf037f390c179699b

Download Submit
C:\Windows\system\uRUVwoN.exe

Filesize
5.9MB

MD5
64fecdc2a94904da82510a0fd2eef214

SHA1
e4258a9744f5a962c8f949fc3666bdc34ca48e57

SHA256
af665cace632361c3e835318a226867e5ea43fb595a1b25c9f2164593533fad9

SHA512
d0bc88a2a4d57210d853032544dfe682f2cefee79f16dbd05d0cb88230f51c8b7e1e79adfdce812909f4385819aa95bb16befc72b7b02b5b80824b54a91f76c3

Download Submit
C:\Windows\system\wqtauKh.exe

Filesize
5.9MB

MD5
27ecf5070bb3b518083f8b7d37b9d44b

SHA1
952b3abf58194fd38e2f40e1024e0a044e756ca0

SHA256
a29129bb96e86b27eb1ee1fa902f48328b286aa6d9438af2a119a4723e78fe81

SHA512
ba3388e3deda5a14779e54a8a2fa3127b9273a75ddd405de87bbcad1306fe8e80d83930aebb15d9d22f37359bc31c26f59fa2264ff3964db24e220ef18185f2c

Download Submit
C:\Windows\system\zcSawmP.exe

Filesize
5.9MB

MD5
31dd4cf7358ca4dcaf2d12405f7bb7b3

SHA1
90547923c87abbfec95284b78884de6ed27ebe41

SHA256
7e03a8af01107b8f766f92fade9311001c75141dd9b4847939f4bbfe3755c532

SHA512
8fe7da9aa2970ee02760dfe2ecfb012bb6fb628e51115d3ca6dde16ed00c628838cf73bf538fe44cac73079689e9e2432b8d7ee986569ac8a2fe0539b43a1639

Download Submit
\Windows\system\ArPuglf.exe

Filesize
5.9MB

MD5
e90523b92a0443579e738df17d8aec26

SHA1
10d99ad092c0303bad2e924874fb6b6bd677cabc

SHA256
566a4e9628704150f9849ba613c762762cee0dcc4aef2caf4b853edc19a8ab00

SHA512
af0e1f49d6138a877c718800ceb539e7f43d9359bc6a8c2f9aa554116eebf3e15a4230d25767849b7eccca4447388be04ba4a1728e04ee8e3750e365917f892f

Download Submit
\Windows\system\UgYcmPy.exe

Filesize
5.9MB

MD5
10ba508db24da38d8a7c05f937c28c72

SHA1
f31235ebf7cfbb043addb537a29cbe1c82518732

SHA256
a6e470285e83edb83b26c9a7d50e45d560215b8381e21129515980169cb87ceb

SHA512
49c8c4705926adebaa7f8fe0358ca6c10d9c5b2ab544bf97599782a1c2d9959e809d7bd8b1036017bbcc89bc094f862bbe1569a4f59ebe03a0e59aa0670aafa2

Download Submit
\Windows\system\UxilbEp.exe

Filesize
5.9MB

MD5
2f456c38d8c229c67293678056cc425d

SHA1
cca611a9fc3cad077873ee6e379aab6c924f229b

SHA256
8ea6a7adf89ad97a69fe20ec2a2572ee7bec489bb7693b15a6910055872371f0

SHA512
5ba8530668ac88dd5a7ab8810f5fd96b738bf92f56152c5c56f655e24015e31a1e1944abdff1b079035d868a1f4b940dc32cf2b76b6706f226632d353b280733

Download Submit
\Windows\system\gMfmjRC.exe

Filesize
5.9MB

MD5
2e4f5f96ee2540b415aa93fe8bd41be2

SHA1
eaa1c2af745e5aa20472fdddc2f288cba2af9ef8

SHA256
8946e270fe756aed7aaa30bfc29e216ba58ca462241c6d6fd1084660338a1f81

SHA512
0317fb6607b5ee7f63f88462b0b1fc369eebde6fbd57f47198b3d6aab23ef87108eef872372a9a7785eb6ab875d0e26f9d103ea3e18056b4659ac737863f66ac

Download Submit
\Windows\system\jhipkiY.exe

Filesize
5.9MB

MD5
d080c47aaa42f8840da920cc32c8643d

SHA1
b216be36c8091c8058dd2377db2fb7fa4f836598

SHA256
1e36d1dc792dd2c939e418b2ee5c3e377f0bcdf438f65903e5f0dba3e19a1298

SHA512
803d8af15c9377fb586eee62e1ece9fc703e83cd6543d9d38a37489ad363ef590be3d337ae64f0902c2115ba221fc5a831ebf93b62503b665bf6f2f1a3f2f0c0

Download Submit
\Windows\system\lOMOVPs.exe

Filesize
5.9MB

MD5
ba98ed8e779026c81a466ed1d8b6e77c

SHA1
a2ae88b2b0c2c41205d08e743007aadc5ceb7d3c

SHA256
a88346c65ebbfc3f5ec10b1e61d2b1b28b658adfbce0cf182faedea576fdf56c

SHA512
ff9c89f1e61460b061c0d219c052dcc6c935f88c5af01cb099bf8cda66d4e44cca38d5e78e5f7221d6bb5357e9ad6c8ceff0b5d22e9e8cba422784eea456baf5

Download Submit
\Windows\system\srtwatn.exe

Filesize
5.9MB

MD5
05717091c5fef1482ba70256aa3020c9

SHA1
33e4bca0d4acfcfe57fd9a013de1c8a92c165849

SHA256
dc883a3349410dc635fd1f86f29e9f47f0e47485b80c987946362ad381e073fd

SHA512
ac099d5e14f35d0bdffbabd0afdebd9a434e56f512fe55b8ab9f2b33fbe420108d1fe029ec70566175b97eb9fb1f13c3c1988713e19e42cb122fb0e1a6af3f66

Download Submit
\Windows\system\zfsqKoX.exe

Filesize
5.9MB

MD5
b3ac2fc0900cc3344051a034460fd60d

SHA1
310a6bf9a5d88ea1c0fc6b9e97dbf069c4f733d9

SHA256
f138809d1be7b4dd5fc9bb9df9607d9b632ecf8e0fedcb1f93bf7fb204e981a3

SHA512
020740053c0577dc5b25118ca9812a8b5cbc98356d0fde3e0580ec8e27cf85cffb6658fed0024947f7b6a7d5addf6f62b1d4ec76c53cfd2d805d976a18c209d1

Download Submit
memory/1236-96-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1236-154-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1608-94-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/1608-24-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/1608-55-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1608-71-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-141-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-139-0x000000013FD00000-0x0000000140054000-memory.dmp

Filesize
3.3MB

Download
memory/1608-140-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-7-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/1608-63-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-48-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1608-49-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/1608-0-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1608-93-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-19-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-97-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-85-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-42-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1608-89-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1756-153-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-90-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-91-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/1864-152-0x000000013F060000-0x000000013F3B4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-143-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/1888-15-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2456-151-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2456-73-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-65-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-144-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-21-0x000000013F5A0000-0x000000013F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2584-70-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2584-145-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2584-26-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2608-64-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2608-150-0x000000013F5D0000-0x000000013F924000-memory.dmp

Filesize
3.3MB

Download
memory/2672-147-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2672-41-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2700-146-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2700-74-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2700-40-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2780-138-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2780-155-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/2824-149-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2824-114-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2824-57-0x000000013F0A0000-0x000000013F3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-14-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/2988-142-0x000000013FAA0000-0x000000013FDF4000-memory.dmp

Filesize
3.3MB

Download
memory/3024-148-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download
memory/3024-50-0x000000013FBD0000-0x000000013FF24000-memory.dmp

Filesize
3.3MB

Download