cobaltstrike | 033898614610168626e825638b8b42f5446c39736b4c084192b5f2c2865336de

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

525a1409c4ca2627c47eced46629d1ea
SHA1

591117ec6979701fc26c97ff89914781c9ef9558
SHA256

033898614610168626e825638b8b42f5446c39736b4c084192b5f2c2865336de
SHA512

08734caf1f8565db3b3956fd04c28ef9f776b097e16dccb2afbd91f4cb991ec8af1365f2188003fce43baa81cebfaa6b30027e543c72741a4e1cf2e4061e8ff8
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBib+56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000d0000000122de-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016b47-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c66-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c88-16.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ed-76.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018704-110.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001755b-99.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187a8-127.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018b4e-132.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878e-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018744-117.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f1-103.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186e7-101.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d43-96.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cf5-95.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186f4-79.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018739-108.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018686-75.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000017049-60.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d3a-44.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd7-32.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/2468-135-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2600-134-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/2688-114-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2968-113-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig
behavioral1/memory/2544-112-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2600-90-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2792-89-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2704-87-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/2972-86-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1792-136-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2820-138-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2808-137-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2520-40-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/3060-24-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2112-22-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2468-21-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/2600-140-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/2432-158-0x000000013FB60000-0x000000013FEB1000-memory.dmp	xmrig
behavioral1/memory/2028-160-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2572-159-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/1812-157-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2700-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2884-154-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/856-161-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2472-152-0x000000013FD40000-0x0000000140091000-memory.dmp	xmrig
behavioral1/memory/2600-162-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/2468-225-0x000000013FF00000-0x0000000140251000-memory.dmp	xmrig
behavioral1/memory/3060-227-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2112-229-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2520-231-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/1792-233-0x000000013FCE0000-0x0000000140031000-memory.dmp	xmrig
behavioral1/memory/2808-235-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2820-237-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2704-239-0x000000013F020000-0x000000013F371000-memory.dmp	xmrig
behavioral1/memory/2792-241-0x000000013F430000-0x000000013F781000-memory.dmp	xmrig
behavioral1/memory/2972-243-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2544-245-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2688-249-0x000000013F880000-0x000000013FBD1000-memory.dmp	xmrig
behavioral1/memory/2968-247-0x000000013F780000-0x000000013FAD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2468	tIcjPjk.exe
2112	EhpnrWz.exe
3060	ZVhoUVa.exe
1792	ktLrbOA.exe
2520	xgcnZaH.exe
2808	JTRCDWD.exe
2820	IPfNgJs.exe
2972	uvdGjpl.exe
2704	GSbZyQM.exe
2792	FEMsiuz.exe
2544	lPIfPHS.exe
2968	MBYpzWq.exe
2688	ZaxuLUj.exe
2472	FuyVETu.exe
2884	llKRjlW.exe
1812	bXwIUTT.exe
2700	rBsgHZP.exe
2432	kjxqpVb.exe
2572	oSZezNo.exe
2028	wbvzfCR.exe
856	gNhiROV.exe

Loads dropped DLL 21 IoCs

pid	Process
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2600-0-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/files/0x000d0000000122de-3.dat	upx
behavioral1/files/0x0008000000016b47-11.dat	upx
behavioral1/files/0x0008000000016c66-12.dat	upx
behavioral1/files/0x0007000000016c88-16.dat	upx
behavioral1/memory/1792-28-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/files/0x00050000000186ed-76.dat	upx
behavioral1/files/0x0005000000018704-110.dat	upx
behavioral1/files/0x000600000001755b-99.dat	upx
behavioral1/files/0x00050000000187a8-127.dat	upx
behavioral1/files/0x0006000000018b4e-132.dat	upx
behavioral1/files/0x000500000001878e-122.dat	upx
behavioral1/memory/2468-135-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2600-134-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/files/0x0005000000018744-117.dat	upx
behavioral1/files/0x00050000000186f1-103.dat	upx
behavioral1/files/0x00050000000186e7-101.dat	upx
behavioral1/files/0x0008000000016d43-96.dat	upx
behavioral1/memory/2688-114-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2968-113-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx
behavioral1/memory/2544-112-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/files/0x0007000000016cf5-95.dat	upx
behavioral1/memory/2792-89-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2704-87-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/2972-86-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/files/0x00050000000186f4-79.dat	upx
behavioral1/files/0x0005000000018739-108.dat	upx
behavioral1/memory/1792-136-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/files/0x0005000000018686-75.dat	upx
behavioral1/memory/2820-67-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/files/0x0008000000017049-60.dat	upx
behavioral1/memory/2808-52-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/files/0x0009000000016d3a-44.dat	upx
behavioral1/memory/2820-138-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2808-137-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2520-40-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/files/0x0007000000016cd7-32.dat	upx
behavioral1/memory/3060-24-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2112-22-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2468-21-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/2600-140-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/2432-158-0x000000013FB60000-0x000000013FEB1000-memory.dmp	upx
behavioral1/memory/2028-160-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2572-159-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1812-157-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2700-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2884-154-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/856-161-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2472-152-0x000000013FD40000-0x0000000140091000-memory.dmp	upx
behavioral1/memory/2600-162-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/2468-225-0x000000013FF00000-0x0000000140251000-memory.dmp	upx
behavioral1/memory/3060-227-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2112-229-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2520-231-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/1792-233-0x000000013FCE0000-0x0000000140031000-memory.dmp	upx
behavioral1/memory/2808-235-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2820-237-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2704-239-0x000000013F020000-0x000000013F371000-memory.dmp	upx
behavioral1/memory/2792-241-0x000000013F430000-0x000000013F781000-memory.dmp	upx
behavioral1/memory/2972-243-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2544-245-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2688-249-0x000000013F880000-0x000000013FBD1000-memory.dmp	upx
behavioral1/memory/2968-247-0x000000013F780000-0x000000013FAD1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\wbvzfCR.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MBYpzWq.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\llKRjlW.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSZezNo.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ktLrbOA.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GSbZyQM.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXwIUTT.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lPIfPHS.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IPfNgJs.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZaxuLUj.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rBsgHZP.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjxqpVb.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tIcjPjk.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZVhoUVa.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xgcnZaH.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gNhiROV.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FuyVETu.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FEMsiuz.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EhpnrWz.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JTRCDWD.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uvdGjpl.exe	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2468	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2600 wrote to memory of 2468	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2600 wrote to memory of 2468	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2600 wrote to memory of 2112	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2600 wrote to memory of 2112	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2600 wrote to memory of 2112	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2600 wrote to memory of 3060	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2600 wrote to memory of 3060	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2600 wrote to memory of 3060	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2600 wrote to memory of 1792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2600 wrote to memory of 1792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2600 wrote to memory of 1792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2600 wrote to memory of 2520	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2600 wrote to memory of 2520	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2600 wrote to memory of 2520	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2600 wrote to memory of 2544	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2600 wrote to memory of 2544	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2600 wrote to memory of 2544	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2600 wrote to memory of 2808	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2600 wrote to memory of 2808	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2600 wrote to memory of 2808	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2600 wrote to memory of 2968	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2600 wrote to memory of 2968	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2600 wrote to memory of 2968	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2600 wrote to memory of 2820	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2600 wrote to memory of 2820	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2600 wrote to memory of 2820	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2600 wrote to memory of 2688	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2600 wrote to memory of 2688	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2600 wrote to memory of 2688	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2600 wrote to memory of 2972	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2600 wrote to memory of 2972	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2600 wrote to memory of 2972	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2600 wrote to memory of 2472	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2600 wrote to memory of 2472	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2600 wrote to memory of 2472	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2600 wrote to memory of 2704	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2600 wrote to memory of 2704	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2600 wrote to memory of 2704	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2600 wrote to memory of 2884	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2600 wrote to memory of 2884	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2600 wrote to memory of 2884	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2600 wrote to memory of 2792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2600 wrote to memory of 2792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2600 wrote to memory of 2792	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2600 wrote to memory of 2700	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2600 wrote to memory of 2700	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2600 wrote to memory of 2700	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2600 wrote to memory of 1812	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2600 wrote to memory of 1812	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2600 wrote to memory of 1812	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2600 wrote to memory of 2432	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2600 wrote to memory of 2432	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2600 wrote to memory of 2432	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2600 wrote to memory of 2572	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2600 wrote to memory of 2572	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2600 wrote to memory of 2572	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2600 wrote to memory of 2028	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2600 wrote to memory of 2028	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2600 wrote to memory of 2028	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2600 wrote to memory of 856	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2600 wrote to memory of 856	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2600 wrote to memory of 856	2600	2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-22_525a1409c4ca2627c47eced46629d1ea_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System\tIcjPjk.exe
  C:\Windows\System\tIcjPjk.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\EhpnrWz.exe
  C:\Windows\System\EhpnrWz.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\ZVhoUVa.exe
  C:\Windows\System\ZVhoUVa.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\ktLrbOA.exe
  C:\Windows\System\ktLrbOA.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\xgcnZaH.exe
  C:\Windows\System\xgcnZaH.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\lPIfPHS.exe
  C:\Windows\System\lPIfPHS.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\JTRCDWD.exe
  C:\Windows\System\JTRCDWD.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\MBYpzWq.exe
  C:\Windows\System\MBYpzWq.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\IPfNgJs.exe
  C:\Windows\System\IPfNgJs.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\ZaxuLUj.exe
  C:\Windows\System\ZaxuLUj.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\uvdGjpl.exe
  C:\Windows\System\uvdGjpl.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\FuyVETu.exe
  C:\Windows\System\FuyVETu.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\GSbZyQM.exe
  C:\Windows\System\GSbZyQM.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\llKRjlW.exe
  C:\Windows\System\llKRjlW.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\FEMsiuz.exe
  C:\Windows\System\FEMsiuz.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\rBsgHZP.exe
  C:\Windows\System\rBsgHZP.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\bXwIUTT.exe
  C:\Windows\System\bXwIUTT.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\kjxqpVb.exe
  C:\Windows\System\kjxqpVb.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\oSZezNo.exe
  C:\Windows\System\oSZezNo.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\wbvzfCR.exe
  C:\Windows\System\wbvzfCR.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\gNhiROV.exe
  C:\Windows\System\gNhiROV.exe
  2⤵
  - Executes dropped EXE
  PID:856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\EhpnrWz.exe

Filesize
5.2MB

MD5
731cc1713ef21f3a22402237597e2948

SHA1
8de0e692b9d35d3ca1c80185e93fd142682ed5b2

SHA256
97d3e6409d22596c5e12b1e2f72f6ba93a12c272490ab3f336f068da9ec88c95

SHA512
91b15125a97a7de23b2989f017d7a7a867e26e89d3cdd132ec7e269b248a12ee87835ef402c857cb309071c186aa6721a2f279389ccfe9cec5c22f206081d974

Download Submit
C:\Windows\system\FEMsiuz.exe

Filesize
5.2MB

MD5
29c78513dea399081e542ba32c41cefa

SHA1
a0072d18d9ecc630b707300a8f87b9a04f8e4579

SHA256
6bc9198883e7b1813816243c905137315b9e9811ebd6878c9323bc9455ba5462

SHA512
71d07377a9be0877a7e550f80b25b7ec006b06382565a22f5375ce3fa5910c74bfebff1b627c8c25cdba8d34a182f33da0f5e9b3ff0f450797dc772424918d20

Download Submit
C:\Windows\system\FuyVETu.exe

Filesize
5.2MB

MD5
3b51a88b5224cd5fa63bec297e6446be

SHA1
8ed16aca1da911c0ccd6c84c28760c463fff9498

SHA256
76ea89d13066115567673f4323e8e179bb68b5bb54487f6650981483a18116e8

SHA512
228d59542a44595ae4d5cc98e0527ae853f8033a49fd7a3c1d16f30b9c1781a7a6afc4292ecf8043f54ed1ad01fc6462ee081085b04e2523f390fb426e5eea4d

Download Submit
C:\Windows\system\GSbZyQM.exe

Filesize
5.2MB

MD5
137404d922145d0340dec9e3d882f3db

SHA1
3cf7dfd4b553fdf581e4dd9be6fb389e92b839fb

SHA256
e7f214ef58d6103d54be1587fe0307c08ec883b3a29769b2d1f01ba1a15ed3a8

SHA512
06ba06c454f8ff2d83f0c414dbf8ab60688c7f5660c871022070ce47189967abc3a21c0e19b6a550cb5509d2db7e3046c6e3bca1740b1f3f940749fb31fb6894

Download Submit
C:\Windows\system\IPfNgJs.exe

Filesize
5.2MB

MD5
d984e0958230b179b2e6309af9781e8f

SHA1
a675d08a52114217b2fc40b76a623d152f76f13e

SHA256
4c1ca9ab4eca0b21fdf5db0de8c8b146c375bc1f20b146273c09e88d2ac5f1bf

SHA512
ff7f3593dc023bf58c8ad50bfdf1b878074ebbbb547d893e825c31de72dbfd7906e11b87175cc3eb4bf69c1ad98015ff3cb3fd8dd13e88073b40066a62e9669a

Download Submit
C:\Windows\system\JTRCDWD.exe

Filesize
5.2MB

MD5
3e4702d524a1a3941cab4e70d76368ff

SHA1
d31d2a0b007dcbe38e55dae3f0178502a16215da

SHA256
32c1f5b9a6603085fcb4945878656d034c0d5418cff5a1947eef72a1651dcac7

SHA512
53102d1a3248f9d5283dec65575b843f5c047699f3d4692309ec1d43b770403c9c9ba7d6ff2612771a2ff9b8cf8f938c956efb6343bc7d9c90147cb22f5266af

Download Submit
C:\Windows\system\MBYpzWq.exe

Filesize
5.2MB

MD5
33bc2d794a7eb31e9d5c13063e98e1af

SHA1
d37f3d6bbc3fb4195cb1b69e4d4d65f4eb23d866

SHA256
129d5415e70f5010ce9678c369127e711002a210450f31f961a1c7d1f195304e

SHA512
b8330e02cb47bbcc0da29516ddff10cf748ae2f7de4f03b80bbc2b36e25f86ddfd03fb3a0bb1e858e7a8d196598ec8d12fd723af51306de84d33e26b12138231

Download Submit
C:\Windows\system\ZaxuLUj.exe

Filesize
5.2MB

MD5
821741aafab65791dc7513d31a2bc249

SHA1
8f583821ec55af68da083dde3391c368b44f4f30

SHA256
1ef28ece565a1090098dca06465eb376ea174f6c7e35f714bc162c422f1a4e08

SHA512
ad1db0405b1405568d5c6e582fa09dca909f9b7ce15cdce1a31a185d1480cbc817d5e355cd7bb6373afaae030070f9322b82731e4bcc04dec17e115b9c2ccf8d

Download Submit
C:\Windows\system\bXwIUTT.exe

Filesize
5.2MB

MD5
14eb638bbb62031621a42517999aa192

SHA1
805c09aa80245cb753630070f625244945cd0998

SHA256
847268b5b6fb4fd25fae88ec742eda19cfa7c2c83f69db5d0c8ae25eb8a39f18

SHA512
0357882cce7c005a9ccb00df121b7fd6f34e276941ffbbfbce52e8740e2d782ef2c938b68798a3067a23e8bf31131a63bc2376a820a3280144820e01c4ab70d8

Download Submit
C:\Windows\system\gNhiROV.exe

Filesize
5.2MB

MD5
b6fe1c90e8d7c8f3fdbc32efa594cbaa

SHA1
7e79ada91872428414cb30f4e8a790bb184c8c15

SHA256
87adef19f26330fdc239e9488ef1d5766cd50fd9e3451ffd9abf09a534d11810

SHA512
1960614f2c647dc10dc347615c5dfafcaefbe737b794eb669e7fa0870149a8fbf652eb7f1cb76c66f17e642ba54ebdbc6f5610f26abe5aee94482ab366779171

Download Submit
C:\Windows\system\kjxqpVb.exe

Filesize
5.2MB

MD5
626e8a7649f01900d127cb2b0361f6da

SHA1
25b5d1af5801047e32d22f249c31d02aa929819a

SHA256
881f62c55faa238d5c2371d6471b6933645e1098354d3c306a563d92b78b06fe

SHA512
6363a11b0229592496232cfcd954ac365f06b52fa390065a59318eb518177fd59348fef25473ac7d11e410a98ae91249f61cd38786f3082d7e0a0bd5fab2acd9

Download Submit
C:\Windows\system\lPIfPHS.exe

Filesize
5.2MB

MD5
13042d10cbdc90d79760b5b6987261e9

SHA1
d96d54a44c6f7a2ed943646084e745d66ffca458

SHA256
5e2f7112e25c60ee0c3a1f6a518bcef7077f8f137fd3e886e235dd979a9ba0f5

SHA512
8b9edf6ff3d557e6a6b30c62c212f7061c0c143d66c10dcef760f1028ae51d86548eb7c48574b8857518c5384ba8144731a30c08ba6741849537643260a313d1

Download Submit
C:\Windows\system\llKRjlW.exe

Filesize
5.2MB

MD5
fbfa98ce9b6c0046e736cc2ba7eef80b

SHA1
1abc25cf0b430fe595978fb423c9d1070ccadb93

SHA256
174a02d024dbaf2f28f764fe2af2273b91479f4014c9217dff79d5c7a5c3ff1c

SHA512
e68039988f406aed8b84db5e43d12607532627d9984168d7b91a81724327c2c3e7d92c0d76d138a3ff539a22e5787dbafddcf5ec590cab70ef88dbc9fc8375e7

Download Submit
C:\Windows\system\oSZezNo.exe

Filesize
5.2MB

MD5
d004b6410c345e423dc0b0d36b32681e

SHA1
993727ef80b6e5cc7a8d7b5cc61d0797d77ca468

SHA256
741423f31d0e0cae7e4ff9a76dc9408c7d1663e3fe65f0fa9935b87a47cf61dd

SHA512
a1aaebfd092ebeca7bd0d669d8464e831f287c530c038b98524cf7594eb4b9bf0033983c86e2355ba34debc06fb2fd297e7836c00ee2af40869c78b0697019b3

Download Submit
C:\Windows\system\rBsgHZP.exe

Filesize
5.2MB

MD5
c34d2d92a2870f32bbdca8d07b6f561c

SHA1
9eba59ce6e1cf975acbee293b69ac5bdef306936

SHA256
6db1893c71b37e864e8aa779602ad8842da4a744045de9b791368fd58c0d14b7

SHA512
d3134065b5760deb1cee312a5ad639302e31cf30e85eae6ab21ba1e1df25c402fbba62f6c2a3bfb3512e265419a59211208fd167e7ce0328864b07a674409a28

Download Submit
C:\Windows\system\uvdGjpl.exe

Filesize
5.2MB

MD5
fff5125c1d2fcc6f07b6642e9ff5e78d

SHA1
2b89d41775ded481273c1cf0a7a42486eac978a9

SHA256
d83b87f8f501ddf19f1d303fa4ddcfcc9d5f53192ae3231bc397bee7bdee1bbc

SHA512
7c2fa74715963fa767c769e62f23c94de7d6a7062ba17730bd094af61090b2a1b71da3dd70824ac5941fdeda85d15b5b08266cf10e8f088aede9e8000b8c5623

Download Submit
C:\Windows\system\wbvzfCR.exe

Filesize
5.2MB

MD5
0997962bd3a12159822298d5521980bf

SHA1
f9caa3b3f220229f0a4a02f2dc369eefca7128c9

SHA256
8e3557abfc4926755cc11114cb6bb4b90eebc0e868e306e46c8f76371c91b96a

SHA512
085f1b53c1c46ccc3a0133c60091d51d97b78d55664b8a03e4375c9d4481e95263cf786072c5f3ea29488045105f95858affecb7c131262b5fb3e14e72ab60ba

Download Submit
C:\Windows\system\xgcnZaH.exe

Filesize
5.2MB

MD5
44be558084061f20835d645e1b218c90

SHA1
83b0e901bdb96a20ee7a533edb5773edb9840cd8

SHA256
5535753322dab8d3a5236a5ae5d77ad06ce6bc5df5a5014b9eaa489272df2452

SHA512
e4b633a983e0ec73356c708b011915f92bd01d9c8142590d0bbe5e8251bcdfba1c5d17565a6e4d6d2de683c4fde3e33d66fddb75025227bfc95af51412d78dd7

Download Submit
\Windows\system\ZVhoUVa.exe

Filesize
5.2MB

MD5
a72e564737b8757c574d4036b1724f4e

SHA1
d0ec461717ccf4ea1943a8ec262c9ff35af96c16

SHA256
a1501b105a98269d0ef73508bef1e313398be8326764ffc72d8e501b2cb0c4ac

SHA512
39e0d4c7af008e26eba49a2a2ab0792b0301123edb5691a169ad547b5af734f03bd31eb6e4f9c6d535e8af8bba714d9d751811acb9e51c7fcd4c2a238a48582b

Download Submit
\Windows\system\ktLrbOA.exe

Filesize
5.2MB

MD5
f9b142e3732b2a6723aef327c941606b

SHA1
de5263ef2a7740dca636ad111ed7efb8c6a42d39

SHA256
0ddc9d1fc751d7332fff7166a35d59eef816098a6a8111c2bb9bd4a817ccae9f

SHA512
e0afbe3bbc2cdb6f10af5286743875d110f87767ca9729d703a55dbf13811604bc0feceda23892de280befb6f41303dca8b97942722554c73227824ba55bc81f

Download Submit
\Windows\system\tIcjPjk.exe

Filesize
5.2MB

MD5
908024527cd61d45747d7dcc9f1e3f46

SHA1
6ca24425696ef1d37f5055c553716f7ab1f8a419

SHA256
1fcc0a127ee08aa0950d6f9c94d681d7a09967e5aaca871515e1fcbd57bef4a8

SHA512
13fc997ddc8b0b9efe467b929692df23a02e35aa917879d8595e5f6c61cef30d0d5c3ea1d1c85d2755bbcb960915cd0539eb278e697da3fde4f736675e114a3f

Download Submit
memory/856-161-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/1792-28-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/1792-136-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/1792-233-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/1812-157-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2028-160-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2112-22-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2112-229-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2432-158-0x000000013FB60000-0x000000013FEB1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-225-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2468-135-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2468-21-0x000000013FF00000-0x0000000140251000-memory.dmp

Filesize
3.3MB

Download
memory/2472-152-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2520-231-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2520-40-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-245-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2544-112-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2572-159-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2600-23-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2600-91-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-140-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2600-93-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2600-92-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2600-162-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2600-41-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-85-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-39-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-94-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-26-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2600-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2600-139-0x0000000002390000-0x00000000026E1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-134-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2600-88-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-25-0x000000013FCE0000-0x0000000140031000-memory.dmp

Filesize
3.3MB

Download
memory/2600-90-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-45-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2600-0-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2600-80-0x000000013FD40000-0x0000000140091000-memory.dmp

Filesize
3.3MB

Download
memory/2688-249-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2688-114-0x000000013F880000-0x000000013FBD1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-156-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2704-239-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2704-87-0x000000013F020000-0x000000013F371000-memory.dmp

Filesize
3.3MB

Download
memory/2792-241-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2792-89-0x000000013F430000-0x000000013F781000-memory.dmp

Filesize
3.3MB

Download
memory/2808-235-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2808-137-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2808-52-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2820-138-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-237-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2820-67-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2884-154-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2968-113-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2968-247-0x000000013F780000-0x000000013FAD1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-243-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2972-86-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/3060-227-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/3060-24-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download